Removal & recovery of ransomware can be laborious & often (depending on the encryption type) impossible to recover the data. Recent events with the NHS have highlighted how easy it is for a cyber-attack to bring down whole networks. However, you can take steps to protect yourself from the malicious software & recovering your data.
Firstly, and we can’t say this enough times ‘Make a backup of your data’. Regardless of whether it’s family photos or your entire business portfolio, without a backup your data is practically useless. But a decent backup is not the only step you need to be sure you can restore from your backups so proper recovery tests are important.
OK, so we have a copy of all your critical data. Worst case, you suffer from an encrypted disk. You wipe & restore all your data from backup & don’t pay a penny to the cyber-criminals. But you can go further & make sure you don’t even get encrypted.
An easy step to start with is have two accounts on your machine, Macs already have this setup as you are prompted to run as ‘root’ if you want to install something. The same can be done with Windows. Create a local admin account from User Management & also a non admin account. Use the non-admin account day to day, if you need to install something when the application runs it will prompt for you to login as the admin account. In doing this, you are always aware of what is installing. Malicious Ransomware cannot run unless you log in as admin. Not fool proof but avoids accidental installation.
Turning off AutoRun can also help in avoiding accidental infection from malicious software. This stops installers auto installing when you click a link. I have added a link to a great page explaining how to turn off or on the autorun function
For business & home users would we recommend changing some default settings. Firstly, by default most malicious software will need to download to your machine then execute. Windows has a default setting to download to a folder in your profile called Downloads. We would recommend keeping this setting as you can then lock down this folder to ensure no software can auto execute from it. This can be done with the use of whitelists, if you click Start > Run type gpedit.msc when the window appears you need to browse to Computer Configuration. From here go to > Policies > Windows Settings > Security Settings > Software Restriction Policies. Set Security level to ‘disallow’. This will lock down all applications. You will need to add some exceptions. To do this, click Start & Run, type ‘regedit’ & make the following amendments to the registry (backup registry keys before making any changes to the registry):
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersions\ProgramFilesDir (x86)%
This will allow installed applications to run & update. The *.lnk will allow desktop shortcuts to execute also.
Finally, make sure your machine is patched & AV up to date. Out of date patches & AV definitions have exposed vulnerabilities. These are exactly what the cyber criminals are aiming to exploit. Simple steps to make sure your AV & patching is up to date can save you time & money in trying to restore lost data or cash due to a cyber attack.
Burwell IT are an authorised Sophos Partner, with complete solutions for protecting your data from cyber attack. Talk to our consultants on 0333 121 4827 or emails firstname.lastname@example.org