Ransomeware: how to defend?

[Spreadsheet Accountant]

Backups, offline, seems to be the only sure defence.

Some cloud storage providers offer roll back, which is (looks) perfect.

What do "we" think?

Regards

Anthony

Interesting:
https://secure2.sophos.com/en-us/me...rewall-best-practices-to-block-ransomware.pdf
interesting because it says only 30% are from phishing links; so 70% are not.

 

[fisicx]

Backups are no use if the ransomware has been dormant for a while and all your backups are now encrypted.

Or the ransomware has infected the whole network and backing up only restores data.

The developers who write the code cover all their bases. There is no easy fix.

 

[forevergroup]

Your question is a bit confusing because you’ve mentioned defending against ransomware but then talked about recovering from a successful attack.

For defending against ransomware you really want enterprise-class endpoint protection, and effective web/email filtering. Use a defence-in-depth strategy by layering multiple vendors that use different databases and engines.

Patch your endpoints and applications religiously.

Evaluate intrusion prevention and breach detection mechanisms both at network edge and elsewhere.

And if you’re really serious about it, revoke local admin and use something like Threatlocker.

Unless you’re Fireeye then the vast majority of attacks use well-known vectors and mechanisms.

It’s just a case of knowledge and investment.

 

[Spreadsheet Accountant]

Sure. Though I disagree there are no defences and it has to be assumed backups are not online/local.
So how does the small business defend itself? That's what we need to know, since enterprise security is not available to us.

Your question is a bit confusing because you’ve mentioned defending against ransomware but then talked about recovering from a successful attack.

My subject asks about how to defend and I include recovery in the realm of defence.
Lost me as regards thinking I talk about recovery from a successful attack. Very happy to say I have not yet suffered this, though it is my greatest tech fear. Hence my question.

Backups are no use if the ransomware has been dormant for a while and all your backups are now encrypted.

My op says "offline" - no hacker can get at those short of physical premises access.
"Offline" means disconnected, indeed switched off.
This is why backup in depth is required, meaning daily (14 days?), weekly, 8 weeks? monthly and so on, and all offline except the current one; also preferably offsite.

There is a massive amount of scare mongering, quite possibly rightly so and we need defences and not being told when it's too late "of course that did not work" - whatever it was.

So, same question: what do we do? That can work without being an enterprise or cyber security specialists.

Hopelessness is not an option.

Anthony

p.s. I suppose I could list my ideas and actual methods for you to critique

 

[Nico Albrecht]

The question was "Ransomeware: how to defend?"

The simple answer is hire and pay a professional in that field. Like with any other question in accounts and legal the answer is: ask your account or a solicitor.

Same goes for IT If you have to ask the question, pay for the advise is my best advise. A forum wont help much.

since enterprise security is not available to us.

Yes it is available to any business these days at reasonable costs per machine. That argument is not valid!

Ransomware, Malware and Viruses are a very real threat to any business but plenty just ignore it or don't take professional help and pay for it.

 

[Spreadsheet Accountant]

Your average one man band is not in a position to pay professionals.
Your "pay for advice" thesis goes for all the accounting and business advice asked for on here, so that would be me you pay for it.

Yes it is available to any business these days at reasonable costs per machine. That argument is not valid!

Yes it is. Your idea of reasonable is highly unlikely to be mine - first clue is you mention "per machine". However, try to be realistic, most are simply not going to pay, but telling them to separate their work network from their family network might be good advice.

So this thread seems to be saying (a) not possible and (b) pay us and we will tell you.

Really?

Anthony

 

[forevergroup]

So, same question: what do we do?

The simple answer here is to ask a Managed Services Provider to do you a favour.

‘MSPs typically don’t have to enforce minimum order quantities for enterprise-class products, because they are aggregated across their customer base.

A contractor working for one of our clients asked me to help him out and now has:

- SentinelOne Complete (used by 4 of the Fortune 10) with SOC monitoring
- Huntress Breach Detection
- Cisco Umbrella Insights Web Security
- Proofpoint Advanced Email Security
- M365 with Conditional Access, MFA, and a tweaked secure score
- Windows 10 Business with all of the attack surface reduction features turned on
- Kaseya with patch management for Windows and third party apps
- Local encryption (Bitlocker)
- Encrypted cloud backups with Acronis

He may not know it but from a cyber security perspective the level he is at, most midmarket-enterprise sub-1000 employees would be proud of.

He was perfectly happy with the pricing, too.

 

[Spreadsheet Accountant]

I really cannot see my wife and her sowing business doing that.

and Proofpoint .. no thanks. (feel it better I deleted my original response).

So this is all aimed at large businesses and not one man bands. Contractors making many hundreds a day excluded.

It's like you have no idea what a small business is. ("for example "sub-1000 employees")
Should I be saying "micro" is that the language problem?

and, thank you for that list to explore.

Ransomewear Canaries - now THAT is clever. thanks
Could we do that with this I wonder:
https://fsmonitor.com/

hopefully our polite hacker (their messages always look polite and helpful) doesn't cripple FS Monitor on sight. A backup Canary method looks wise.

Anthony

 

[cjd]

I really cannot see my wife and her sowing business doing that.
Anthony

Obviously up-to-date anti-virus software but it seems that the major entry point these days is through phishing and social engineering.

Some of the phishing attempts are pretty much indistinguishable from the real thing now and the only way to protect yourself from them in the long run is to never click on any link in an email or website, something that is very hard to do.

Training is a protection, understanding what a bad email looks like (click on the senders email address) separating permissions (ie limiting the user's access to critical systems) and maybe using a separate computer just for email. Some guidance here

https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks

 

[Chris Ashdown]

A simple but inconvenient method is to take the Email and internet search side of your business out of the inhouse network so most problems never get onto the ecommerce and accounts side of the business. use the separate computer to print out relevant info and pass onto the network for data input. slow and inconvenient but just leaves the ecommerce side to run on its own with relative safety just grabbing orders. Ok for very small outfits but totally unrealistic for bigger firms, but email and google are dangerous bed fellows

Nothing stopping company employees having to separate systems, one for ecommerce etc and the second non networked

 

[Nico Albrecht]

Your average one man band is not in a position to pay professionals.

Most are for sure. They rather don't know and need education or they are stingy. Per device makes the most sense as it gets cheaper with volume.

Realistically a cloud based, managed security solution ( less it admin, plenty out there ) would already decrease the attack vectors dramatically and could come in at less than £50 / device per year for enterprise tech.

Throw in some training and a proper backup strategy and we are not looking at serious money here anymore.

If a business can't afford to spend £120 / year per device it is not a business it is a hobby consumer at best.

 

[Spreadsheet Accountant]

yes agreed. We don't have any 'net shops here.

I reckon she is better at not clicking on email links than I am, we "just don't do it" even if it's a "good link". I was surprised to see (in the pdf in my op) that phishing emails represent only 30% - so 70% are other methods (also listed).

something that is very hard to do.

Dead right.

Must say I am hooked on that Canary idea, that's a chance to actually catch the expletive deleted perpetrators in the act.

I am slowly slowly moving everything to being in the cloud, so as long it's not mounted at my end I reckon that content should be ok, unless the cloud system gets hacked.

To date I rely on multiple sorts of on and offline and cloud backups some with date based roll backs up to a 12 months.

Gotta go feed my new canary.

Anthony

 

[forevergroup]

I really cannot see my wife and her sowing business doing that.

and Proofpoint .. no thanks. (feel it better I deleted my original response).

So this is all aimed at large businesses and not one man bands. Contractors making many hundreds a day excluded.

It's like you have no idea what a small business is. ("for example "sub-1000 employees")
Should I be saying "micro" is that the language problem?

and, thank you for that list to explore.

Ransomewear Canaries - now THAT is clever. thanks
Could we do that with this I wonder:
https://fsmonitor.com/

hopefully our polite hacker (their messages always look polite and helpful) doesn't cripple FS Monitor on sight. A backup Canary method looks wise.

Anthony

You may be overestimating what we actually charged him.

You asked how to defend against Ransomware, and I told you.

Unwise to hate on Proofpoint. Very clever people there and just got bought for $12bn

If decent protection on a shoestring is the main objective then you could do a lot worse than Bitdefender.

You can get a premium consumer subscription to OpenDNS fairly cheaply, too.

 

[Spreadsheet Accountant]

thanks - still exploring the Canary idea. Just brilliant.

My proofpoint comment is a result of experience of them, I regret to say. The sale price just illustrates how they have no interest in collateral damage to small businesses.
No hate involved, a word I disapprove of in general parlance as being unnecessary hyperbole.

You asked how to defend against Ransomware, and I told you.

I disagree. To explain: your no doubt excellent response is way outside anything a one man band can or is even willing to do. Sure there may be outliers. Dare I venture that as an M.D. it is an occupational hazard to always believe there are others to direct and still others to do things. However, I do value your even trying to assist, thank you.
AND: your list of things you implemented for your contractor client is in itself very interesting as a list of things to try to emulate. Especially the Canary, I love that.


For DNS I use DNS over HTTPS
but again thanks for the suggestion.

Yes I use Bitdefender.
and again thanks for the suggestion.

You may be overestimating what we actually charged him.
Anything is possible.

You are underestimating me - perhaps the "spreadsheet" moniker is misleading.

Regards

Anthony

 

[Ozzy]

So how does the small business defend itself?

The answer to this is... ^^^

Training is a protection

This... ^^^
That can cost nothing more than spending time on YouTube and reading blogs and articles. However having said that...

That's what we need to know, since enterprise security is not available to us.

Your average one man band is not in a position to pay professionals.

This I feel is a false economy that so many small businesses (and large) fall foul of;

• Don't pay an accountant because it's too expensive, but spend hours trying to do your own books rather than using your time to grow your business.
• Don't pay a solicitor for legal advice, but lose thousands over flawed terms and contracts.
• Don't pay a website developer, but have a poor quality website that makes your business look amateur and unprofessional.
• Don't pay for the correct security for your business IT, and lose it all when you get hacked or invected by ransomware.

 

[Spreadsheet Accountant]

This I feel is a false economy that so many small businesses (and large) fall foul of;

I quite agree, but it doesn't change the reality, especially after over a year of pandemic

and this is very moot:
correct security for your business IT
Same size and finances assumptions.
Sometimes we just have to do things ourselves, like the vast number of people asking questions on here. I am surprised you would admonish them. As a practising accountant what you say suits me down to the ground, but these forums don't seem to be the place for paid services etc and certainly not in any first instance. You deleted my first attempt to help someone saying it was self serving.

Anthony

 

[forevergroup]

You asked about defending against ransomware, and as far as I can see you’ve received some fairly astute responses from several people.

What you probably should have asked is how do I defend against ransomware… if I want to DIY it with limited knowledge and no cyber security budget.

The answer is you can’t, otherwise the world’s businesses would all use free webmail, backup local files to a £100 NAS, use their free ISP router, and ask John in Finance to manage their InfoSec policy on the side.

[NB: some companies DO do this of course. Until they get hacked]

The best you can really do is use a reasonable AV, keep some decent cloud backups, and prey you don’t click anything nasty.

Also consider that ransomware defence is only one piece of the cyber security puzzle. You should be equally concerned about credential compromise.

In the absence of other systems and controls, MFA is going to be your best friend here - and consider a decent password manager.

Best of luck…

 

[Spreadsheet Accountant]

I never said my knowledge was limited, you are assuming that and much else.
Far as I know there isn't any AV that can defend against ransomeware. If there was they would be making an absolute killing.

only one piece of the cyber security puzzle
Yes of course it is.

consider a decent password manager.
I consider Lastpass to be good.

local files to a £100 NAS
My NAS drives come in at ten times that and more, plus Acronis.
Offsite backups of course; to like minded operators.

ask John in Finance to manage their InfoSec policy
And there ye go: there is no "John in Finance" in a single person business.
Likewise using jargon like "InfoSec".

prey you don’t click anything nasty.
I don't really think prayer is an adequate defence as such deities tend to help those who help themselves.

equally concerned about credential compromise.
Indeed, starting with haveIbeenpwned.com
and in addition to that I use a unique login email address in EVERY instance where such is required. I also use unique and long passwords for every such occasion.
And
I never disclose my date of birth on the internet.
and... and much more.

However, ransomeware is the one against which the average user has no defences and given them/us at least the principles of strategies to engage would offer at least the beginnings of defences. For example exactly what forms of backup cannot be accessed by ransomeware?
Item one is a disconnected hard disk. One a day for 14 days, rolling. Or maybe one every two days given they usually wait at least three days.
Item two is several terabytes of cloud storage with history roll back which is not accessible to the malware.
Item three is local NAS drive backups also with roll back, but this is more vulnerable and def must NOT be "mounted".
Item four is dropbox snapshots frozen in time, stored remotely offline.

It is a given that all updates and patches are installed as appropriate..

Bear in mind that paying someone is basically also a ransomeware cost, before ever being attacked.

Inspired by the various responses in here, none of which really achieve what I had hoped, I think because there is of course no profit in my area of the market, or lack of one: I have found and implemented this:
Fleetsmith and Santa
Open source always like.
And Fleetsmith is up to 10 devices forever free; I don't have ten.

So, thank you all for the inspiration. Priceless! To my ultimate pleasant surprise.

Best of luck…
Likewise.

Regards

Anthony

 

[Spreadsheet Accountant]

This explains more about Santa:
https://wethegeek.com/santa-little-flocker-upcoming-ransomware-preventive-apps-for-mac/

and research:
https://link.springer.com/article/10.1007/s11416-019-00338-7

 

[Mr D]

LastPass is good. Until they get hacked. Again.

What you appear to want is not what other people are suggesting you get. Perhaps a forum isn't that much use to you, instead sit down with an IT professional who knows about Ransomware and see what they suggest based on your full needs.

 

[Deleted member 59730]

A simple but inconvenient method is to take the Email and internet search side of your business out of the inhouse network so most problems never get onto the ecommerce and accounts side of the business.

I have followed this for years. I used to pay £450 per annum for a "cleaned up" system to stop all junk. I employed women and didn't want them to have to delete obscene emails every morning. This was then taken over by supplier, Haven't had an unwanted email in years.

We follow Chris's system of having the accounts separate from the email machines. To link between the two we used a "Trainer" network. *

*You put on a pair of trainers and carry a data disk to the other machine. Only ever go one way.

 

[Spreadsheet Accountant]

Everyone gets hacked.
Like I have said already, not willing to follow your suggestion.
Bet you don't sit down with your accountant when you should.
No one "knows about ransomeware", that's most of the problem.
And again like I have said, I have found a solution that is a pleasant surprise
Following your advice no one would use this forum because there are professionals in everything.
People come here for help to avoid those costs, not to be lectured.

Anthony

 

[Spreadsheet Accountant]

I have followed this for years. I used to pay £450 per annum for a "cleaned up" system to stop all junk. I employed women and didn't want them to have to delete obscene emails every morning. This was then taken over by supplier, Haven't had an unwanted email in years.

We follow Chris's system of having the accounts separate from the email machines. To link between the two we used a "Trainer" network. *

*You put on a pair of trainers and carry a data disk to the other machine. Only ever go one way.

Sure, good strategy, but not for me.
We used to call that "sneakernet".

Anthony

 

[gpietersz]

Backups are crtiical. No system security failsafe and they let you recover from other failures too.

Prevention is particularly specific to ransomware. You need to stop malware in general.

My own first like of defence is using Linux. Its safer to start with and makes a lot of other things (line ensuring everything is updated) easier. I am sure any OpenBSD or Qubes users will tell me their OSes are a lot better....

What you can do (regardless of the system):

1. Keep everything updated. Not just your anti-virus, but all your software. Yes, there are unfixed vulernabilities in a lot of software, but runnig software with known vulenrabilities is asking for trouble
2. Incremental backups. Preferably pull backups. So if a file is silently corrupted you can go back and get and get an older copy of just that file. I also suggest using more than one backup meachanism.
   
3. Intrusion detection. A pain to set up, but will give you an early warning of files being alterered by malware. Deals with the issue of not knowing until its too late the @fisicx brought up.
   
4. Training and awareness. As people have said, most of it happens through phishing and social engineering. The problems are that most people start of with a poor understanding of technology (as someone said in aother thread, its voodoo) so they are easy to fool, and even those who are well informed only need to make one mistake.
   
5. Secure web browsers. I use a whole bunch of security and privacy extensions. Some (like Noscript) are inconvenient, but inconvenience is usually the price of security. In an age when every website you visit runs software inside your web browser, its the only way to follow the old advice not to run software from untrusted source.
6. Have unnessary features (externally loaded images, for example) turned off by default in emails.
   
7. Physically isolate ctirical systems as the sneakernet fans do. Its even more inconvenient, but its very effective.

 

[Mr D]

Everyone gets hacked.
Like I have said already, not willing to follow your suggestion.
Bet you don't sit down with your accountant when you should.
No one "knows about ransomeware", that's most of the problem.
And again like I have said, I have found a solution that is a pleasant surprise
Following your advice no one would use this forum because there are professionals in everything.
People come here for help to avoid those costs, not to be lectured.

Anthony

Personally I've never sat down with my accountant. No need, we have email and phone, sitting down with her would not add anything.

Pretty sure some people are experts on ransomware. Besides the ones creating it for sale.
However you can find a lot more people who know about ransomware but aren't going to be experts in it.

Great that you have found a solution. However do you know enough about ransomware to realistically assess it? Or are you using someone else's expertise?

 

[Chris Ashdown]

Using Cloud services is a obvious risk just look at Office 365 what a fantastic target for ransomware or zoom both great tools but high risk in the long run, and then there are plenty of small software which have potential entry into your system. lots to be said about owning your own version of the software with it all running from your computer rather than SAAS

 

[Hooble]

We tend to recommend the three-layer protection -
Spam Filtering to prevent such attacks from coming in via E-Mail and unwittingly been ran by Someone.
Antivirus on Server and Client PC's
A shadow backup of the shared file service on a network behind the cloud server (Cannot be accessed by the Ransomware).

 

[Financial-Modeller]

Strange thread.

Ransomewear Canaries - now THAT is clever. thanks

Out of curiousity, who were you thanking, OP?

 

[MARMARLADE]

Very strange thread indeed. If I had read this thread before registering, I probably wouldn't have bothered.

In my personal opinion, one must, within reason, simply do everything you can to protect themselves from IT security threats of all kinds.

After working in large organisations for years the weakest link by far, in my personal opinion, is education and awareness. And if anyone in my organisation insisted on using an iPhone or Mac because of reasons like "but macs are more secure", I would make their education the top priority.

 

[fisicx]

Everyone gets hacked.

No they don't.

Some people and organisations under certain conditions will be hacked. Most won't

 

[RightGlobalGroup]

If ransomware is already on the system thats a different story.

But defending to prevent the best defence firstly is educating staff to not just click on any old email attachment or link.

Then ensuring your firewall is locked down to ports that are needed and not having ports like RDP wide open to the internet.

Ensure all devices and software are regular patched

Decent EDR (crowdstrike offer there own overwatch service which is very good), EDR should react if ransomware is detected and fight it) Darktrace also another brilliant product but pricey.

offsite backups with a recovery plan

MFA for users and LAPS for administrator accounts.

Decent lockout Group policies

cyber security insurance to pay for any recoveries should you ever need it.

 

[Alan]

So how does the small business defend itself? That's what we need to know, since enterprise security is not available to us.

I think part of this thread scale definition is needed

Freelancer - 1 person
Micro < 10
Small < 50
Medium < 250

So how can a freelancer (your missues' sewing business ) have enterprise security - use an Enterprise level SASS system such as Google Workspace or MS O365 rather than consumer / free products.

So how can a micro business afford enterprise security - use an enterprise SASS product provided with a MSP that provides endpoint security.

So how can a small business afford enterprise security - use an enterprise SASS product provided with a MSP that provides endpoint security.

No one in these categories ( unless they are an IT firm ) should be running their own servers in my opinion.

Medium - well big enough to pay professionals...

 

[ekm]

I work FT but do have a small weekend business and it really is small, a couple of computers a NAS device and a network printer in a single office

All devices have a paid for antivirus product on them, with the ability to scan network shares as well which runs on a scheduled basis (when the host is online), this in theory gives us some protection from getting infected but I think for me is the importance of having backups - you can use RAID etc to protect against the impact of hard drive failure but I periodically image the NAS disk and keep them offsite in encrypted form. It's not actually that big a job to do.

I do think for like my setup above getting a consultant in would be overkill, my data isn't worth much to anyone who isn't me, I can take a loss of the last few weeks most recent data without flinching and I have offsite backups.

Don't get me wrong, every piece of cheese has holes if you're prepared to go to atomic extremes

 

[japancool]

I just use my free ISP router.

But then again, my ISP is the company I work for, who provide enterprise level security to multinational organisations, and the router is centrally managed by our engineers. I don't even have the password to access it.

 

[The Byre]

There is almost no such thing as a cheap solution to a complex problem - I say almost because there are one or two software packages that are unbelievably good and sophisticated, yet cost very little.

Unfortunately, AFAIK, none are in the virus/ransomware sector, though Avast seems to do a basic job reasonably well. But if someone wants to target your company for whatever reason, it only takes one person to fall for some silly trick and they're in and rooting about in your systems.

 

[Ozzy]

But if someone wants to target your company for whatever reason, it only takes one person to fall for some silly trick and they're in and rooting about in your systems.

This, sadly, is the most likely method where a business does get compromised. The movies would have you believe that most hacking and system compromises are done by super hackers in front of complex computers with umpteen screens frantically typing code into the screen. The reality it's usually script kiddies with something downloaded of the web and some blanket emails sent out, a wide net to catch a few.
The reality is that someone within the company received an email they thought was from someone they know, or indeed the boss, with a link they click and boom - it's done. The link will take them to something that will either trigger a download (less common) or trick them into verifying their office login details or such likes (more common)

Phishing, CEO fraud, and similar the largest cause of ransomeware/virus/security breaches both domestically and in business (source: a presentation I watched in for a cyber security forum which did back up the claim). My finance colleague usually received one or two emails a month pretending to be from me asking for an urgent supplier payment.

A little plug for the forum sponsor here, they have written quite a comprehensive guide on watching out for phishing and being aware of it for those wanting a read up on the subject; What is phishing?

 

[fisicx]

They don’t even need to download anything onto your network. There is now fileless malware that use legitimate software to infect a machine/network making it far more difficult to detect and eradicate.

 

[estwig]

Why hasn't the whole security, malware, good guys industry, woken up to.........Man in the middle attacks and how incredibly easy they are to carry out?

Once you're connected to someone else's device, it's very so easy for them to replace Chrome, Whatsapp, Bitdefender and various other apps with their own versions. Then if you're syncing Chrome, or Edge, or Firefox, or whatever to your PC and other devices, they are in there too. Bitdefender is a bitch, it syncs to everything and has a lot of permissions, as I suspect does a lot of security software.

It's taken me far too long to work out, this is something any script-kiddy can do.

Don't auto-connect to wifi, apart from your own, and don't sync your browser!

 

[Avast Business]

Indeed this is a problem. One of my best friends is Portuguese - last month was hectic in ransomware attacks in Portugal - two major publishing houses, Vodafone Portugal a huge laboratory... And I think in Spain there were a couple of ransomware attacks also....