Fool me once, shame on you. Fool me twice…
A service I subscribe to confirmed a recent problem was ransomware. They’re back, but it raised some questions in my mind.
If the ransomware authors were able to “infect” the system, then there must be a weakness somewhere that allowed them to access and take control of the system. Even if they had very recent full image backups and restored them within a few hours, it seems to me that whatever the weakness was would still be in place and the ransomware folks could simply attack again.
Are there any other things they could / should be doing to prevent a repeat of the attack?
Without knowing the specifics, it’s difficult for me to say what more they should be doing.
However, I can say this: it’s very likely that the most common cause for ransomware infections will remain present no matter what you do.
And it applies to you as well as the service(s) you might use.
Preventing a repeat of ransomware
There is no silver bullet. If you’ve fallen victim to ransomware (or any malware), it’s important to learn from the experience and improve your defenses. Keep software up to date, run up-to-date security software, stay educated, consider physical security, and back up. While there’s no way to completely eliminate the threat, take steps to become more secure and reduce the probability of a repeat.
You are the weakest link
I say this in the kindest way possible: you are the weakest link when it comes to security.
As am I.
As are all the people working at the service you use that fell victim to ransomware.
The single most common vector for malware — including ransomware — is people. No amount of security software, updates, or restrictive policies will prevent a determined individual from opening an attachment they shouldn’t, clicking a link they shouldn’t, or doing something else that ultimately allows malicious software to enter their computer or network.
Almost every ransomware story you read in the news is likely to trace its origin back to an employee fooled by a hacker.
Backups are critical, but not everything
Don’t get me wrong; backups remain absolutely critical to recovering from malware. They’re either a (relatively) quick way to restore entire systems and infrastructure, or a safety net that ensures data is not lost should everything need to be rebuilt from scratch.
What’s depressing to me is how often companies find out too late that backups are important, or that the backup system they thought was in place failed when needed.
Nonetheless, the bottom line is simple: restoring from backups doesn’t change people’s behavior. It’s important, but it won’t prevent the same thing from happening again.
Updates are critical, but not everything
The same applies to system updates and patches.
I would expect a corporate response to a ransomware attack to look something like this:
- Disconnect machines from the network.
- Restore machine(s) from backups taken prior to the ransomware’s arrival or rebuild them from scratch as needed.
- Update all software on those machines to patch whatever vulnerability might have been exploited.
- Resume operations.
None of that “fixes” the root cause: someone accidentally doing something they shouldn’t. The bottom line remains the same: updating software doesn’t change people’s behavior.
Education is critical, but not enough
At this point, it’s easy to think that just educating everyone, particularly in the aftermath of an attack, would be the solution.
Even that’s not enough.
Education is critical, but it’ll never be perfect because people are never perfect. Mistakes will be made. It’s inevitable. I know I’ve come close to doing the wrong thing myself once or twice.
Hackers are crafty and getting craftier.
Yes, make sure that everyone knows what to look for, what to do, and what not to do. Just don’t assume you’re done. Even education may not change people’s behavior.
So what’s the solution? All of the above
As much as we want there to be a single solution that says, “Now we are safe”, there is no such thing.
There are only matters of degree.
Learn from the experience and get safer as a result. To the extent that you can, determine how the attack happened and then make sure you’re protected from that happening again.
In the case of user error, it’s often a case of “don’t do that again” education.
If you fall victim, the best way to prevent a repeat of ransomware is to learn from the experience. Once you’ve recovered, it all comes back to the usual litany of steps we keep reminding you of:
- Keep all software up to date.
- Run up-to-date security software.
- Stay educated.
- Consider physical security.
- Back up.
After a company suffers an attack, I would expect there to be renewed focus on that entire list.