Many of you will have heard the news regarding the Colonial Pipeline cyber-attack which took place on May 7th. The pipeline was shut down for several days causing widespread fuel shortages and price hikes. In the end, due to the critical situation, Colonial agreed to pay a $4.4 million ransom to decrypt the affected systems. That’s a lot of money. I’m assuming that system backups were created automatically per a schedule, or in real-time, which means the destination drives where the backups were stored must have been permanently connected via a local network and therefore equally vulnerable to the Ransomware attack.
It is a fairly common misconception that Ransomware only attacks drives connected internally but that is far from the case. Ransomware will more often than not hunt down and encrypt any data stored on any connected drive(s), whether they be connected internally, network-connected, or connected via USB. That’s why I have always manually created my backups, which means the storage device (in my case a dedicated external USB hard drive) is connected to the system only during the backup process. As soon as the process has completed, the drive is disconnected again.
How To Protect Against Ransomware Attacks
In response to the Colonial Pipeline cyberattack, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in conjunction with the FBI issued an advisory for large companies to help keep them safe from ransomware. Suggested steps include:
- Use strong passwords and a password manager
- Avoid malicious websites
- Keep software always up-to-date
- Learn how to identify phishing email
- Blah, blah, blah
Nothing more than the exact same advice tech sites, such as Daves Computer Tips, have been preaching for years. What needs to be understood first is that the vast majority of Ransomware infections, if not all, are self-inflicted. That is, a user has clicked on something they shouldn’t have clicked on — maybe a malicious email attachment, malicious link, or perhaps they have inadvertently visited a malicious website. However, as individuals, we home PC users have a couple of distinct advantages over enterprise situations:
- We are, in many cases, a single user whereas enterprise situations involve multiple users, often numbering in the dozens to hundreds. This raises the level of risk exponentially
- Because the quantity of data we are working with is far less than in a corporate climate and is changing much less frequently, we do not need to leave our backup drive(s) connected at all times
Implement A Comprehensive Backup Strategy
All of the usual advice, including the suggestions within the CISA advisory, can help protect against all types of malware and can be summed up thus: “treat everything with a good dose of caution and skepticism”. That said, there is one sure-fire way to protect against the ravages caused by Ransomware and that is to implement a comprehensive backup strategy.
I have two internal drives connected to my main machine, a 250GB Samsung SSD that acts as my system drive plus a 1TB HDD where I store all my personal data. Every week I manually create a full system image backup plus an image backup of the data on the HDD. I maintain four images of each, deleting the oldest image each time I create a new one. Now, this is not going to prevent Ransomware from infecting my system and encrypting all my data but the backups provide me with an instant cure. All I need do is restore the latest full system image backup (that will take care of the Ransomware infection) and then restore all my data from the image back to its original unencrypted state. Restoration takes about 10 minutes total and I am back in business — job done.
As I mentioned earlier, it is important to remember to leave the backup drive disconnected and only connect it when going through the backup process. For that very reason, I do not store any other data on that drive; it is used specifically to store my backups and nothing else. Of course, this type of backup strategy will not only rescue you from a Ransomware attack but from any sort of malware infection. It can also fix a broken/misbehaving system and even rescue you from a failing or failed SSD/HDD.
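The weekly rotation described above (four images of each set, delete the oldest when a new one is made), as an added example that is not the author's workflow and not part of Aomei Backupper. It assumes a constructed naming scheme for the image files (`system_YYYY-MM-DD.img` / `data_YYYY-MM-DD.img`) and a marker file placed once on the external drive, so the script refuses to delete anything when the drive is not actually connected.

```python
import re
from pathlib import Path

KEEP = 4  # the article keeps four images of each set
# Constructed naming scheme for this example: system_2021-05-07.img / data_2021-05-07.img
IMAGE_RE = re.compile(r"^(?P<set>system|data)_(?P<date>\d{4}-\d{2}-\d{2})\.img$")
# Constructed marker: an empty file created once on the external backup drive
MARKER = "BACKUP_DRIVE.marker"


def plan_rotation(names, keep=KEEP):
    """Return (kept, to_delete) for a list of file names found on the backup drive.

    Images are grouped by set and sorted by the date in their name, so only the
    oldest images beyond `keep` are selected. Names that do not match the scheme
    are ignored: anything else on the drive is never touched.
    """
    by_set = {}
    for name in names:
        m = IMAGE_RE.match(name)
        if m:
            by_set.setdefault(m["set"], []).append((m["date"], name))
    kept, to_delete = [], []
    for group in by_set.values():
        group.sort(reverse=True)  # ISO dates sort correctly as plain strings
        kept.extend(n for _, n in group[:keep])
        to_delete.extend(n for _, n in group[keep:])
    return sorted(kept), sorted(to_delete)


def rotate(backup_root, keep=KEEP):
    """Apply plan_rotation() on disk, but only if the backup drive is really there.

    The marker check means a disconnected drive (an empty mount point or a
    missing drive letter) can never make the script delete from the wrong place.
    """
    root = Path(backup_root)
    if not (root / MARKER).is_file():
        raise RuntimeError(f"backup drive not connected at {root}; nothing deleted")
    names = [p.name for p in root.iterdir() if p.is_file()]
    kept, to_delete = plan_rotation(names, keep)
    for name in to_delete:
        (root / name).unlink()
    return kept, to_delete


if __name__ == "__main__":
    # Dry run on constructed names: five weekly images of each set plus one stray file
    weeks = ["2021-04-09", "2021-04-16", "2021-04-23", "2021-04-30", "2021-05-07"]
    sample = [f"{s}_{d}.img" for s in ("system", "data") for d in weeks] + ["notes.txt"]
    kept, gone = plan_rotation(sample)
    print("keep:", kept)
    print("delete:", gone)  # the two 2021-04-09 images
```

Run `rotate("E:/")` (or wherever the external drive mounts) only after the new images have been written, then disconnect the drive again as the article advises.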
It’s one of those “it will never happen to me” scenarios… until it does. If you are not implementing a backup plan, I implore you to do so. It takes very little time and effort in exchange for a whole lot of peace of mind. I can highly recommend Aomei Backupper Standard. It is completely free, includes every required feature, is intuitive, and very simple to use. And, if you need any help getting started, you can always contact us via the contact link included in the main menu across the top of the page.
—
Yeah, having an offline backup is a great idea. Cloud storage can be good but if it’s designed to automatically back up any changes that will also include ransomware. Some may allow you to roll back but not sure.
I think malware in general tends to be self-inflicted, home-user-wise. People often think having an AV protects them from everything and so may take more risks.
My advice is the usual. Avoid unknown sites and avoid links from emails claiming to be from your bank. If you get an email that seems genuine, log in but not via the link. I’ve noticed people now adding text to emails claiming it’s virus-free but that is so easy to add so never open attachments. Remember email addresses can be spoofed and links made to appear genuine.
I’m a regular user on the Eset AV Forum and I’ve seen that RDP is often used for ransomware attacks. If you don’t use it, make sure it’s disabled. If you do, secure it with a good password. I don’t know a lot about RDP but you can apparently set policies and the recommendation is to set a policy to only allow a few attempts. What can happen is if it’s a bad or no password the hacker can get access and simply disable the AV and infect. If your AV allows, make sure its settings are password protected to avoid something like this.
One other thing I’ve seen is people using older versions of AVs. A few complained a while back of being targeted by Ransomware but they used a very old version without the Ransomware protection. I know people often don’t like changes software makes, feature-wise and design-wise, but especially in regards to AVs they often contain new or improved protection mechanisms and bug fixes.
It’s the same for Windows. When a hotfix is released you should try to install it ASAP. I know this can be tricky if you’re not a home user and have multiple computers to deal with. The WannaCry ransomware used the stolen NSA exploit EternalBlue but I’m sure a fix had been previously released; just many people were slow to patch.
Glad you mentioned keeping the backup drive disconnected, as the nastier strains of ransomware will encrypt all system drives, including external ones.