What MSPs Need to Know to Protect Their Customers from Ransomware
We are talking about ransomware.
Ransomware is a big and growing problem in the United States. In fact, CNN recently reported that we are in the midst of a troubling spike in this type of cybercrime. According to this report, the FBI received 2,453 reports of ransomware-based holdups, which in total cost the victims more than $24 million. It is likely that many, many more cases go unreported, since often organizations are unwilling to even admit that they have been attacked, fearing customer blowback or legal repercussions.
As a managed service provider, ransomware is a trend you need to understand so that you can help protect your customers from it now and in the future. Here is a primer on what ransomware is, how it works and how you can keep your customers’ data protected and their businesses unharmed.
What is Ransomware and How Does it Affect Small and Midsize Businesses?
In a nutshell, ransomware is a type of malware that encrypts a victim's files (documents, images, databases, anything it can reach) and demands payment, usually in cryptocurrency, in exchange for the key that unlocks them.
When ransomware strikes, many businesses are caught between a rock and a hard place: suffer the consequences of not being able to access their data (halting business operations and potentially losing some of their customers) or ante up. There are serious costs on both sides. Unfortunately, many businesses feel they have no choice but to pay up, which we believe is due in part to the lack of a solution that defeats ransomware at scale.
Although attacks can target businesses of all sizes, often SMBs are the hardest hit, because they can’t afford the types of security solutions enterprises have access to, and they often lack in-house IT resources to defeat these sophisticated attacks.
Because ransomware is a particularly vicious species of malware, and because SMBs are commonly vulnerable to it, it has never been more important that managed service providers who serve SMBs develop a plan and implement solutions that can help protect their customers from harm, decreasing the chances that they will have to pay up.
How Ransomware Works
Let’s dissect how ransomware gets onto your customers’ machines in the first place. The common delivery vehicles are email (attachments and links), malicious ads, and web links. These vehicles ride on traffic that firewalls already allow, mail and web browsing, which is why perimeter filtering alone rarely stops them.
The most successful attacks are against employees who have not been taught what a malicious email or link looks like. All it takes is one click on an ill-intentioned link or attachment for malicious code to run on your customer’s system. Worse, attackers also serve malicious ads that silently redirect the browser to an exploit kit, which compromises the machine through an unpatched browser or plugin without any click at all (a drive-by download). As that technique becomes more reliable, ransomware will spread faster still.
Regardless of how it enters, once the ransomware is running, its next move is usually to “phone home” to the criminals’ command-and-control server. This check-in reports the new victim and, in many families, fetches or registers the encryption key. Not every family needs this step: some carry a public key inside the binary and can encrypt with no network connection at all, so blocking the callback is a valuable layer but not a guarantee. The ransomware then encrypts every file it can find on the local disks and on any network share or mapped drive the logged-on user is allowed to change. Finally it drops ransom notes next to the encrypted files and displays a banner on the local device demanding payment.
How to Protect Your Customers
The good news: These attacks can be defeated with the right tools. Here are some best practices to protect your customers’ systems from ransomware:
1. Offer Email Safety Training
Since email is one of the most common ways that ransomware is spread, we recommend educating yourself and your customers about the basics of email safety. The old adage, “An ounce of prevention is worth a pound of cure,” definitely applies here. Here is a great video by the Canadian government that will take you through the key information you should talk with your customers (and staff!) about when it comes to phishing attacks via email.
2. Perform Regular Backups and Test Restores
Next, to protect your customers against all kinds of malware (not to mention hardware malfunctions and plain old human error), you should make sure that your customers are regularly backing up all important files. This includes both local data and anything stored in the cloud.
Nothing should live in only one place, but especially not sensitive information like customer data, payment details, financials, or any type of personally identifiable information (PII). You have lots of options for backup solutions, but the important thing is to make sure that it’s done regularly (ideally daily) and follow the Rule of Three as described by Scott Hanselman, a web developer and blogger:
- Three copies of all important data
- Copies in two formats (for example, local hard drive + Dropbox)
- At least one copy offsite (yes, in the cloud counts)
If ransomware does strike one of your customers and their data is properly backed up, instead of paying up you will have the ability to simply restore from backup (and then continue with steps 4 and 5 to fully remove the malware). Two cautions: a backup that the infected account can write to (a mapped drive, an external disk left plugged in, a sync folder) will be encrypted along with everything else, so at least one copy must live somewhere the workstation cannot modify; and a backup you have never restored is a hope, not a plan, so run test restores on a schedule.
Bottom line: the best protection from lost information is regular backups of all important data.
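Here is what a scripted version of that routine can look like on a Windows box. This is an added example, not code from the original post or from any backup product: it takes a timestamped snapshot with robocopy, writes a SHA-256 manifest, compares two snapshots so that a backup whose source was already encrypted is flagged instead of quietly rotating out the last good copy, and performs a test restore that verifies every file. The function names, the `MANIFEST.csv` file and the demo data under `$env:TEMP` are my own choices; the demo data is constructed.

```powershell
# Added example (not from the original post): timestamped backup with a SHA-256
# manifest, snapshot-to-snapshot comparison, and a verified test restore.
# Uses robocopy.exe, which ships with Windows. The demo data at the bottom is constructed.

function Backup-WithManifest {
    param([Parameter(Mandatory)][string]$Source, [Parameter(Mandatory)][string]$BackupRoot)
    $dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    # /E subdirs incl. empty, /COPY:DAT data+attributes+timestamps, /R:1 /W:1 quick retry, rest quiets the log.
    & robocopy.exe $Source $dest /E /COPY:DAT /R:1 /W:1 /NFL /NDL /NJH /NJS | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
    $dest = (Resolve-Path $dest).ProviderPath
    $manifest = Get-ChildItem -Path $dest -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($dest.Length + 1)
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
    $manifest | Export-Csv -LiteralPath (Join-Path $dest 'MANIFEST.csv') -NoTypeInformation
    return $dest
}

function Compare-BackupManifests {
    param([Parameter(Mandatory)][string]$Previous, [Parameter(Mandatory)][string]$Current)
    $old = @{}; Import-Csv (Join-Path $Previous 'MANIFEST.csv') | ForEach-Object { $old[$_.RelativePath] = $_.Sha256 }
    $new = @{}; Import-Csv (Join-Path $Current  'MANIFEST.csv') | ForEach-Object { $new[$_.RelativePath] = $_.Sha256 }
    $changed = @($old.Keys | Where-Object { -not $new.ContainsKey($_) -or $new[$_] -ne $old[$_] })
    $oldExt  = @($old.Keys | ForEach-Object { [IO.Path]::GetExtension($_).ToLower() })
    $newExt  = @($new.Keys | ForEach-Object { [IO.Path]::GetExtension($_).ToLower() } |
                Where-Object { $oldExt -notcontains $_ } | Sort-Object -Unique)
    [pscustomobject]@{
        Files            = $old.Count
        MissingOrChanged = $changed.Count
        NewExtensions    = $newExt
        # Mass change plus never-seen extensions is the signature of a backup taken
        # after encryption: keep the previous snapshot and do not let it rotate out.
        Suspicious       = ($old.Count -gt 0 -and $changed.Count -ge $old.Count / 2) -or $newExt.Count -gt 0
    }
}

function Test-Restore {
    param([Parameter(Mandatory)][string]$BackupDir, [Parameter(Mandatory)][string]$RestoreTo)
    & robocopy.exe $BackupDir $RestoreTo /E /COPY:DAT /R:1 /W:1 /NFL /NDL /NJH /NJS /XF MANIFEST.csv | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "restore failed with exit code $LASTEXITCODE" }
    $bad = @(Import-Csv (Join-Path $BackupDir 'MANIFEST.csv') | Where-Object {
        $f = Join-Path $RestoreTo $_.RelativePath
        -not (Test-Path -LiteralPath $f) -or (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash -ne $_.Sha256
    } | ForEach-Object RelativePath)
    return $bad    # empty array means every file came back byte-for-byte
}

# Constructed demo: two tiny "documents", a snapshot, a simulated encryption, a second snapshot.
$work = Join-Path $env:TEMP ("backup-demo-" + [guid]::NewGuid())
$src  = Join-Path $work 'data'
New-Item -ItemType Directory -Path $src | Out-Null
'Q1 invoices' | Set-Content (Join-Path $src 'invoices.docx')
'ledger'      | Set-Content (Join-Path $src 'ledger.xlsx')
$first = Backup-WithManifest -Source $src -BackupRoot (Join-Path $work 'backups')

Remove-Item (Join-Path $src 'invoices.docx')                       # what ransomware leaves behind:
'ciphertext' | Set-Content (Join-Path $src 'invoices.docx.locky')  # contents gone, new extension
Start-Sleep -Seconds 1                                              # distinct snapshot timestamp
$second = Backup-WithManifest -Source $src -BackupRoot (Join-Path $work 'backups')

Compare-BackupManifests -Previous $first -Current $second | Format-List
# MissingOrChanged 1 of 2 files, NewExtensions .locky, Suspicious True: keep $first.
$failed = Test-Restore -BackupDir $first -RestoreTo (Join-Path $work 'restore')
"Restore check of $first : $($failed.Count) file(s) failed verification"
```

Run the snapshot under a dedicated backup account and write to a destination the workstation users cannot modify; the comparison step is what keeps a ransomware-encrypted run from overwriting your only clean copy, and the restore step is the only proof that the backup is worth anything.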
3. Protect the Endpoints
Most ransomware targets Windows users. To combat it, application whitelisting coupled with Group Policy or local policy settings can be very effective: the policy stops the dropped executable from running at all, so it never gets to encrypt anything.
Third Tier has made it easy for MSPs to deploy ransomware-defeating group policy through their Ransomware Prevention Kit. Based on our experience and the Bleeping Computer Ransomware Information Guide, the most important rules we have seen are:
Rule: Do not allow files to be executed out of the c:\temp directory or the user AppData directories.
Why: Malware needs a consistent, user-writable place to land and execute from. For years, authors have used c:\temp as this location, and the AppData and Temp folders under each user profile serve the same purpose today. A Software Restriction Policy or AppLocker rule that denies execution from user-writable directories stops many strains of ransomware before they run. Expect to add exceptions for legitimate software that installs itself under AppData, which is why you roll the rule out in audit mode first.
Rule: Create ransomware-specific registry keys.
Why: The Locky ransomware, for example, checks for HKCU\Software\Locky, and if the key exists it will not install itself. Use the ransomware’s own check against it by setting this key on your customers’ endpoints. Because HKCU is per user, the key has to exist in every profile that logs on (a Group Policy Preference under User Configuration is the simplest way to do that). Be aware that some antivirus programs will set off alarms when you do this, so be prepared for that, and plan to update the list as new ransomware families are found.
If you perform the Windows installations for your customers’ PCs, consider using AppLocker (it’s Microsoft’s application whitelisting feature, not a new strain of ransomware) to provide protection against all types of malware. It may seem like a large investment, but it’s paltry compared to a potential $3.5m cost of a single data breach.
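Here is how the two rules above look when applied with AppLocker and PowerShell. This is an added example, not code from the original post or from the Third Tier kit. It assumes an elevated session on a Windows edition that ships AppLocker, it starts in AuditOnly mode so you can review the “would have been blocked” events (ID 8003) in the AppLocker event log before switching to Enabled, and the rule names, the policy file path and the `Set-LockyVaccineKey` function are my own.

```powershell
# Added example: AppLocker path rules for the user-writable directories named above,
# plus the Locky registry "vaccine" created in every loaded user hive.
# Assumes an elevated session; rule names and file paths are my own choices.

function New-RansomwarePathPolicy {
    param(
        [string[]]$DenyPaths = @('%OSDRIVE%\temp\*', '%OSDRIVE%\Users\*\AppData\*'),
        [ValidateSet('AuditOnly', 'Enabled')][string]$Mode = 'AuditOnly'
    )
    $everyone = 'S-1-1-0'; $admins = 'S-1-5-32-544'
    # Allow rules mirror AppLocker's defaults so installed software keeps running.
    # Deny rules beat Allow rules in AppLocker, so the deny below also overrides
    # the blanket Administrators allow.
    $rules = @(
        @{ Name = 'Allow Program Files';  Sid = $everyone; Action = 'Allow'; Path = '%PROGRAMFILES%\*' },
        @{ Name = 'Allow Windows';        Sid = $everyone; Action = 'Allow'; Path = '%WINDIR%\*' },
        @{ Name = 'Allow Administrators'; Sid = $admins;   Action = 'Allow'; Path = '*' }
    )
    foreach ($p in $DenyPaths) {
        $rules += @{ Name = "Deny $p"; Sid = $everyone; Action = 'Deny'; Path = $p }
    }
    $sb = New-Object System.Text.StringBuilder
    [void]$sb.AppendLine('<AppLockerPolicy Version="1">')
    [void]$sb.AppendLine("  <RuleCollection Type=""Exe"" EnforcementMode=""$Mode"">")
    foreach ($r in $rules) {
        $id = [guid]::NewGuid().ToString()
        [void]$sb.AppendLine("    <FilePathRule Id=""$id"" Name=""$($r.Name)"" Description="""" UserOrGroupSid=""$($r.Sid)"" Action=""$($r.Action)"">")
        [void]$sb.AppendLine("      <Conditions><FilePathCondition Path=""$($r.Path)"" /></Conditions>")
        [void]$sb.AppendLine('    </FilePathRule>')
    }
    [void]$sb.AppendLine('  </RuleCollection>')
    [void]$sb.AppendLine('</AppLockerPolicy>')
    return $sb.ToString()
}

function Set-LockyVaccineKey {
    param([string[]]$KeyPaths = @('Software\Locky'))   # extend as new families are documented
    # HKCU is per user: walk every loaded user hive (SIDs S-1-5-21-...) under HKEY_USERS.
    $done = @()
    foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
        $sid = $hive.PSChildName
        if ($sid -notmatch '^S-1-5-21-' -or $sid -like '*_Classes') { continue }
        foreach ($k in $KeyPaths) {
            $full = "Registry::HKEY_USERS\$sid\$k"
            if (-not (Test-Path $full)) { New-Item -Path $full -Force | Out-Null }
        }
        $done += $sid
    }
    return $done   # SIDs that now carry the key; users not logged on need the GPO preference
}

$policyFile = Join-Path $env:ProgramData 'ransomware-applocker.xml'
New-RansomwarePathPolicy -Mode AuditOnly | Set-Content -Path $policyFile -Encoding UTF8

# Dry run: the same binary is allowed from %WINDIR% and denied from the user's Temp folder.
$probe = Join-Path $env:TEMP 'probe-notepad.exe'
Copy-Item "$env:WINDIR\notepad.exe" $probe
Test-AppLockerPolicy -XmlPolicy $policyFile -Path "$env:WINDIR\notepad.exe", $probe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule
Remove-Item $probe

# Apply to the local policy (use -Ldap for a domain GPO) and make sure the
# Application Identity service is running, or AppLocker enforces nothing.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc
Set-LockyVaccineKey
```

Leave the policy in AuditOnly for a week or two and read the audit events: every legitimate program that lives under a user’s AppData (some browsers and conferencing clients install there) shows up as a would-be block, and you add a publisher rule for each before flipping to Enabled. For users who are not logged on when the script runs, the registry key still has to come from the Group Policy Preference mentioned above.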
4. Stop Ransomware Communication To Known Bad Places
There are many threat-intelligence feeds that track where criminals set up their infrastructure: IP addresses, domains and URLs that have hosted malware or served as its command-and-control in the past. To prevent attacks, route your customers’ DNS through a resolver that blackholes (sinkholes) as many of those known-bad names as possible, answering with an address you control instead of the attacker’s. That both stops the callback and gives you a log of which client looked the name up, which is how you find the infected machine. Keep two limits in mind: a static list cannot catch a domain that was registered an hour ago or a family that contacts its server by IP address, and some families encrypt without any callback at all, so this layer complements the endpoint and backup controls rather than replacing them.
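The mechanics of a DNS blackhole are easiest to see in a BIND Response Policy Zone. The script below is an added example, not code from the original post and not how Strongarm implements its service: it normalizes a constructed blocklist (trimming comments, dropping garbage, honoring an allowlist, collapsing subdomains of entries already present), writes an RPZ zone that answers every listed name and its subdomains with a sinkhole address, and includes a small matcher that shows which lookups the zone would catch. The sinkhole address `10.0.0.250`, the zone name `rpz.local` and the feed contents are assumptions for the example.

```powershell
# Added example (not from the original post and not Strongarm's mechanism): build a
# BIND Response Policy Zone that answers known-bad names with a sinkhole address, and
# a matcher showing which lookups the zone would catch. Blocklist and allowlist are
# constructed; $Sinkhole is assumed to be an internal host whose logs you collect,
# so that every hit tells you which client is infected.

function Get-RpzBlocklist {
    param([string[]]$BadDomains, [string[]]$AllowList = @())
    $norm = @($BadDomains |
        ForEach-Object { ($_ -split '#')[0].Trim().TrimEnd('.').ToLower() } |   # strip comments
        Where-Object { $_ -match '^([a-z0-9-]+\.)+[a-z]{2,}$' } |                # drop blanks and garbage
        Where-Object { $d = $_; -not @($AllowList | Where-Object { $d -eq $_ -or $d.EndsWith(".$_") }) } |
        Sort-Object -Unique)
    # A parent entry already covers its subdomains via the wildcard record, so drop children.
    @($norm | Where-Object { $d = $_; -not @($norm | Where-Object { $_ -ne $d -and $d.EndsWith(".$_") }) })
}

function New-RpzZone {
    param([string[]]$Blocked, [string]$Sinkhole = '10.0.0.250', [string]$ZoneName = 'rpz.local')
    $serial = Get-Date -Format 'yyMMddHHmm'   # fits a 32-bit zone serial and grows on every run
    $lines = @(
        '$TTL 60',
        "${ZoneName}.  IN SOA localhost. hostmaster.${ZoneName}. ( $serial 3600 600 86400 60 )",
        "${ZoneName}.  IN NS  localhost."
    )
    foreach ($d in $Blocked) {
        # Owner names are relative to the RPZ apex; the wildcard record catches subdomains too.
        $lines += "${d}.${ZoneName}.    IN A $Sinkhole"
        $lines += "*.${d}.${ZoneName}.  IN A $Sinkhole"
    }
    ($lines -join "`n") + "`n"
}

function Test-RpzMatch {
    # Same logic the resolver applies: exact name or any subdomain of a blocked entry.
    param([string]$Name, [string[]]$Blocked)
    $n = $Name.TrimEnd('.').ToLower()
    [bool]($Blocked | Where-Object { $n -eq $_ -or $n.EndsWith(".$_") })
}

$feed = @(                      # constructed blocklist, as it might arrive from a feed
    'evil.example', 'cdn.evil.example  # subdomain of an entry already listed',
    'PAYMENT-PORTAL.EXAMPLE.', 'not a domain', '', 'good.example'
)
$blocked = Get-RpzBlocklist -BadDomains $feed -AllowList @('good.example')
# -> evil.example, payment-portal.example
$zone = New-RpzZone -Blocked $blocked
$zone | Set-Content -Path (Join-Path $env:TEMP 'rpz.local.zone') -Encoding ASCII
Test-RpzMatch -Name 'update.evil.example.' -Blocked $blocked   # True: sinkholed
Test-RpzMatch -Name 'evil.example.com' -Blocked $blocked       # False: a different domain
```

Load the file as a primary zone and enable it with `response-policy { zone "rpz.local"; };` in the resolver’s options; the sinkhole host should run a web server and DNS logging so that each hit records the source address of the infected client.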
5. Locate and Remove Infections Quickly
Much of the security industry today focuses on either keeping malware out altogether (not realistic) or just getting rid of it (not enough). Reality check: At some point, ransomware will get in. Once this happens, it becomes important to find out exactly how the malware entered, which account it ran as, and which machines and shares it touched. Otherwise, even after you remediate, you cannot be certain that it is gone and will not do further damage.
Now that you know what the malware was, where it came from, what it wants, and what parts of the system it was able to reach, it is time to get rid of it. In most cases, you are stuck with the costly “nuke and pave” approach: sending techs into the field to find, format, reinstall and restore. Before you wipe, keep a copy of the ransom note and the dropped binary and note which account and shares were involved; that record is what tells you how it entered and whether a second machine is still encrypting.
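The scoping step, finding where the victims lie before you reimage anything, can be started from a file server. The sweep below is an added example, not code from the original post: it walks one or more share paths for files with known ransomware extensions and for ransom notes (the behaviour described under “How Ransomware Works” above), then reports which account owns the encrypted files and the time window in which they were written. The owner is the user session that ran the malware, and the window is the slice of mail and proxy logs to pull when you work out how it entered. The `.locky` extension is Locky’s; the note-name pattern, the function name and the sample share under `$env:TEMP` are my own, and the sample share is constructed.

```powershell
# Added example (not from the original post): sweep shares for encrypted files and
# ransom notes, then report which account wrote them and in what time window, so you
# know which user session to contain and which hour of mail/proxy logs to review.
# '.locky' is Locky's extension; the note pattern and the sample share are constructed.

function Find-RansomwareTraces {
    param(
        [Parameter(Mandatory)][string[]]$Paths,
        [string[]]$Extensions = @('.locky'),                        # add extensions as you identify families
        [string]$NotePattern  = '(recover|decrypt|restore).*\.(txt|html?)$'
    )
    $files = foreach ($root in $Paths) {
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $Extensions -contains $_.Extension.ToLower() -or $_.Name -match $NotePattern }
    }
    $records = @(foreach ($f in $files) {
        [pscustomobject]@{
            Path    = $f.FullName
            Kind    = if ($f.Name -match $NotePattern) { 'RansomNote' } else { 'EncryptedFile' }
            Owner   = (Get-Acl -LiteralPath $f.FullName).Owner   # the account that wrote the file
            Written = $f.LastWriteTime
        }
    })
    $enc = @($records | Where-Object Kind -eq 'EncryptedFile' | Sort-Object Written)
    [pscustomobject]@{
        EncryptedFiles = $enc.Count
        RansomNotes    = @($records | Where-Object Kind -eq 'RansomNote').Count
        Owners         = @($enc | Group-Object Owner | ForEach-Object { "$($_.Name) ($($_.Count) files)" })
        FirstWrite     = if ($enc) { $enc[0].Written } else { $null }    # start of the encryption window
        LastWrite      = if ($enc) { $enc[-1].Written } else { $null }   # still moving? it is still running
        Details        = $records
    }
}

# Constructed share: one intact spreadsheet, one "encrypted" copy, one ransom note.
$share = Join-Path $env:TEMP ("share-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $share 'Finance') | Out-Null
'budget'     | Set-Content (Join-Path $share 'Finance\budget.xlsx')
'ciphertext' | Set-Content (Join-Path $share 'Finance\budget.xlsx.locky')
'pay us'     | Set-Content (Join-Path $share 'Finance\_Locky_recover_instructions.txt')

$report = Find-RansomwareTraces -Paths $share
$report | Format-List EncryptedFiles, RansomNotes, Owners, FirstWrite, LastWrite
# Expect 1 encrypted file, 1 note, and the account running this demo as the owner.
```

Run it read-only from a clean admin workstation against each share the customer uses; a LastWrite that keeps advancing between two runs means the encrypting session is still alive and that user’s machine is the one to pull off the network first.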
MSPs Have the Power to Stop Ransomware
Ransomware is bad news, but fortunately we are not helpless in the fight against it. Learning about its origins and how it works, as well as having a solid defense plan, will put the ball back in your court. It is time to start turning the tables on the criminals who are having so much success extorting people and organizations with ransomware today.
Ready to protect your customers from the growing ransomware trend? With Strongarm, you can do it quickly, easily, and cost-effectively.