Ransomware advice


Wobblers

Euthermic
Location
Minkowski Space
That's frightening. My backups involve 6 USBs for daily backup, one of which is alternated weekly and kept off site. Also a monthly backup. I hoped that this would keep my backups up to date but a timer on those, depending on the length, would be nasty.

If your backups fit on a USB, why not get another six and use them exclusively for your monthly or (better) weekly backups? That way, you'll have a rolling copy that's offsite and offline that'll never be more than a month or week out of date.

Thinking further, most backup software can do what is called an "incremental backup". This only backs up files which have changed since the last backup. If any ransomware encrypts your data, the incremental backup will see that everything's changed (as it's been encrypted), and you'll get a very large spike in the size of your backup. That would give you some warning that something's not right. It'll give you some time to investigate and take what steps to mitigate you can, if worst comes to worst: take the machines off the network, see if you can salvage yesterday's work - whether by printing it or even copying and pasting the text (not formatting or anything else!) into a plain-text email to an offsite email account you have. Then go for the full reformat/reinstall routine. (This is why IT professionals or ex-sysadmins like myself constantly bang on about backups to the point of tedium. Oh yes, make sure your backups actually work! There's nothing worse than finding they're all corrupted when you come to need them!)

Lastly, keeping your systems fully patched and up to date will help immensely. As does training your staff not to click on email attachments especially from unknown, unusual or unexpected senders.
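The incremental-backup warning sign described in the post above, as an added example (not the poster's code and not any backup product's): two snapshots of a folder are compared and the run is flagged when most of the tree has changed at once, which is what an encrypt-and-rename pass looks like to an incremental job. The threshold, file names and the simulated "encryption" are constructed assumptions for illustration.

```python
"""Detect a ransomware-style mass change between two backup snapshots.

Added example, not from the forum post. An incremental backup only copies
files that changed since the last run, so a run in which nearly every file
has changed is a warning sign. A snapshot here is {relative path: sha256};
two snapshots are compared and an alert is raised when the changed fraction
(modified + added + deleted, over the union of both trees) passes a threshold.
"""
import hashlib
import os
import tempfile
from pathlib import Path

ALERT_THRESHOLD = 0.5  # assumed: more than half the tree changing in one run is abnormal


def snapshot(root):
    """Return {relative_path: sha256 hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare(previous, current):
    """Classify files as unchanged/modified/added/deleted and decide on an alert."""
    prev_paths, cur_paths = set(previous), set(current)
    modified = {p for p in prev_paths & cur_paths if previous[p] != current[p]}
    added = cur_paths - prev_paths
    deleted = prev_paths - cur_paths
    total = max(len(prev_paths | cur_paths), 1)
    changed_fraction = (len(modified) + len(added) + len(deleted)) / total
    return {
        "modified": len(modified),
        "added": len(added),
        "deleted": len(deleted),
        "unchanged": len(prev_paths & cur_paths) - len(modified),
        "changed_fraction": changed_fraction,
        "alert": changed_fraction > ALERT_THRESHOLD,
    }


def demo():
    """Constructed scenario: a baseline, a normal working day, then a simulated
    encrypt-and-rename of every file. Returns (normal_report, ransomware_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(20):
            (root / f"doc{i}.txt").write_text(f"document number {i}\n")
        baseline = snapshot(root)

        # Normal day: two documents edited, one new document created.
        (root / "doc0.txt").write_text("document number 0, revised\n")
        (root / "doc1.txt").write_text("document number 1, revised\n")
        (root / "notes.txt").write_text("new file\n")
        normal_day = compare(baseline, snapshot(root))

        # Simulated ransomware: every file overwritten with random bytes and
        # renamed with a .locked suffix (a pattern only, no real cipher here).
        for path in list(root.iterdir()):
            path.write_bytes(os.urandom(len(path.read_bytes())))
            path.rename(path.with_suffix(".locked"))
        ransomware_day = compare(baseline, snapshot(root))
    return normal_day, ransomware_day


if __name__ == "__main__":
    normal, encrypted = demo()
    print("normal day:", normal)
    print("after encryption:", encrypted)
```

The normal day changes 3 of 21 paths (about 14%) and passes; the simulated attack deletes all 20 originals and adds 21 new `.locked` files, a changed fraction of 1.0, and trips the alert. The same check can be run against a real backup tool's own change counts or transfer size; the point is to compare each run against the previous one rather than to look at any single number in isolation.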
 

jonny jeez

Legendary Member
Ok, so a computer gets infected. What do I tell my staff as first thing to do? Switch off computer? Unplug nas? Switch off hub? Don't do anything?
I'd suggest unplugging the network cable.

Then hard shutdown (hold the button)

If the pc is frozen you won't be able to disable WiFi so laptops are still at risk of spreading.

Thing is though, I'd suspect that this particular virus will have spread across yours...and all your contacts' networks before it unmasks its intentions. So attempts to isolate the nas may already be futile, I assume it can install a locking malware on the nas regardless of connection
 

Kajjal

Guru
Location
Wheely World
The main things to protect against ransomware impacts are to stop it happening in the first place and to have a strategy that assumes everything is infected and locked out but you can still recover.

The first part is to keep antivirus and security patching up to date automatically, even if people complain. Then, if possible, control users' web access via a managed proxy server; that way most risky websites are automatically blocked. Also make sure all emails are fully scanned. Again, if possible, do regular backups to devices that are not left attached to or accessible from your machines. Simplest is a USB drive; more complex is a file and print server backing up to tapes which are removed each morning after the nightly backup and stored in a safe. Do not leave your backups accessible to the machines or they will just be encrypted as well.

If you are unlucky, at some point one or more machines will be infected. First power off machines instantly and remove them from the network. Then destroy their hard drives and fit brand new ones on which you can reinstall Windows and any apps. This means there is no risk the virus still exists on the machine. It helps if you have a standard Windows image and standard application install packages to keep everything the same. Then you can restore your data from the relevant backup. Also you need to find out where it came from and why, to stop it happening again. Sometimes antivirus vendors can provide tools to remove viruses, which is helpful, but again don't take any risks.

All of this depends on cost and risk to the business.
 
All our email goes via SpamStopsHere which has been astounding in its performance. Then it hits Office 365 which scans it again. Also in Office 365 I have rejection of several countries. Rules then send everything with an executable/archive attachment to my postmaster account for approval.
My users are first class at spotting and questioning anything remotely iffy.
If it gets past that lot there's Webroot SecureAnywhere on every machine.
If anything tries to call home, all Web page requests go via OpenDNS.

So far that combination has kept the nasties and spam down to 10 emails last year that got to the user level out of 25,000.
All 10 were 'click this link' phishes.

I need to tweak things a bit. I'm also considering application whitelisting.
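The attachment rule the poster describes (anything with an executable or archive attachment diverted to the postmaster for approval), as an added example that is not the poster's Office 365 or SpamStopsHere configuration: the same decision implemented in Python over a raw RFC 5322 message so it can be exercised offline. The extension lists and the sample messages are assumptions constructed here; the real rule is whatever the mail platform enforces. It goes one step beyond the post by also listing the members of a zip attachment, so the reviewer can see when a "harmless" archive wraps a script.

```python
"""Hold mail carrying executable or archive attachments for postmaster review.

Added example, not the poster's mail-flow rule. It reproduces the decision
"executable/archive attachment -> redirect to postmaster" over a raw message
and, for zip archives, lists the members so the reviewer sees what is inside.
The extension lists are assumptions; the sample messages are constructed.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed extension lists; extend them to match the rule actually deployed.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                         "vbs", "vbe", "ps1", "msi", "hta", "lnk", "dll"}
ARCHIVE_EXTENSIONS = {"zip", "7z", "rar", "gz", "tgz", "iso", "cab"}


def classify_name(filename):
    """Classify by the final extension, so invoice.pdf.exe counts as an executable."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext in EXECUTABLE_EXTENSIONS:
        return "executable"
    if ext in ARCHIVE_EXTENSIONS:
        return "archive"
    return "other"


def zip_members(data):
    """Member names of a zip payload, or [] if the bytes are not a readable zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def route_message(raw):
    """Return one verdict per named attachment plus the overall routing action."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text and multipart containers carry no filename
        kind = classify_name(name)
        entry = {"kind": kind}
        if kind == "archive":
            members = zip_members(part.get_payload(decode=True) or b"")
            entry["members"] = members
            entry["contains_executable"] = any(
                classify_name(m) == "executable" for m in members)
        verdicts[name] = entry
    hold = any(v["kind"] in ("executable", "archive") for v in verdicts.values())
    return {"attachments": verdicts,
            "action": "redirect_to_postmaster" if hold else "deliver"}


def build_message(subject, attachments):
    """Construct a sample message with binary attachments (test data only)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def zip_bytes(members):
    """Build an in-memory zip from {name: bytes} (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a plain document, a double-extension executable, and a
# zip that hides a script inside.
SAMPLES = {
    "report": build_message("Q3 report", [("q3-report.pdf", b"%PDF-1.4 ...")]),
    "double_ext": build_message("Invoice", [("invoice.pdf.exe", b"MZ...")]),
    "zip_with_js": build_message("Scan", [("scan.zip", zip_bytes({"scan.js": b"//js"}))]),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, route_message(raw))
```

Only the plain PDF is delivered; the double-extension executable and the zip are both held, and the zip verdict carries `members: ["scan.js"]` with `contains_executable: True`. Matching on the final extension is deliberate: the user-facing part of the name is whatever comes before it, which is exactly what a `.pdf.exe` lure relies on.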
 