Fool me once, shame on you. Fool me twice…

A service I subscribe to confirmed a recent problem was ransomware. They're back, but it raised some questions in my mind.
If the ransomware authors were able to "infect" the system, then there must be a weakness somewhere that allowed them to access and take control of the system. Even if they had very recent full image backups and restored them within a few hours, it seems to me that whatever the weakness was would still be in place and the ransomware folks could simply attack again.
Are there any other things they could / should be doing to prevent a repeat of the attack?
Without knowing the specifics, it's difficult for me to say what more they should be doing.
However, I can say this: it's very likely that the most common cause of ransomware infections will remain present no matter what you do.
And it applies to you as well as to the service(s) you use.

Preventing a repeat of ransomware
There is no silver bullet. If you've fallen victim to ransomware (or any malware), it's important to learn from the experience and improve your defenses. Keep software up to date, run up-to-date security software, stay educated, consider physical security, and back up. While there's no way to eliminate the threat completely, take steps to become more secure and reduce the probability of a repeat.
You are the weakest link
I say this in the kindest way possible: you are the weakest link when it comes to security.
As am I.
As are all the people working at the service you use that fell victim to ransomware.
The single most common vector for malware, including ransomware, is people. No amount of security software, patching, or restrictive policy will reliably stop someone from opening an attachment they shouldn't, clicking a link they shouldn't, or doing something else that ultimately lets malicious software into their computer or network.
Most ransomware stories you read in the news trace back to a person being fooled: a phishing email, a malicious attachment, a password typed into a fake login page. Many of the rest begin at an exposed remote-access service or an unpatched internet-facing system, which is one reason the updates discussed below matter too.
Backups are critical, but not everything
Don't get me wrong; backups remain absolutely critical to recovering from malware. They're either a (relatively) quick way to restore entire systems and infrastructure, or a safety net that ensures data is not lost should everything need to be rebuilt from scratch.
What's depressing to me is how often companies find out too late that backups are important, or that the backup system they thought was in place failed when needed. Two practical points follow from that. Keep at least one copy offline or otherwise unreachable from the network, because ransomware routinely finds and encrypts (or deletes) any backup it can reach. And practice restoring from it before you need to; a backup that has never been restored is a hope, not a plan.
Nonetheless, the bottom line is simple: restoring from backups doesn't change people's behavior. It's important, but it won't prevent the same thing from happening again.
Updates are critical, but not everything
The same applies to system updates and patches.
I would expect a corporate response to a ransomware attack to look something like this:[1]
- Panic.
- Disconnect machines from the network.
- Restore machine(s) from backups taken before the intrusion began, not merely before the encryption started (attackers are often inside for days or weeks first), or rebuild them from scratch as needed.
- Update all software on those machines to patch whatever vulnerability might have been exploited, and reset any passwords or keys the attacker could have captured.
- Resume operations.
None of that "fixes" the root cause: someone accidentally doing something they shouldn't. The bottom line remains the same: updating software doesn't change people's behavior.
Education is critical, but not enough
At this point, it's easy to think that just educating everyone, particularly in the aftermath of an attack, would be the solution.
Even that's not enough.
Education is critical, but it'll never be perfect because people are never perfect. Mistakes will be made. It's inevitable. I know I've come close to doing the wrong thing myself once or twice.
Hackers are crafty and getting craftier.
Yes, make sure that everyone knows what to look for, what to do, and what not to do. Just don't assume you're done. Even education may not change people's behavior.
So whatâs the solution? All of the above
As much as we want there to be a single solution that says, "Now we are safe", there is no such thing.
There are only matters of degree.
Learn from the experience and get safer as a result. To the extent that you can, determine how the attack happened and then make sure you're protected from that happening again. Since people will keep making mistakes, also look for ways to limit what one mistake can do: someone who has only the access their job requires cannot, with one bad click, hand over the entire network.
In the case of user error, it's often a case of "don't do that again"[2] education.
Do this
If you fall victim, the best way to prevent a repeat of ransomware is to learn from the experience. Once you've recovered, it all comes back to the usual litany of steps we keep reminding you of:
- Keep all software up to date.
- Run up-to-date security software.
- Stay educated.
- Consider physical security.
- Back up.
After a company suffers an attack, I would expect there to be renewed focus on that entire list.
A while back one of my backup servers (NAS) was hit with a ransomware attack. [Buffalo Linkstation]
Fortunately, I lost virtually nothing and restored the server from a separate NAS. However, to this day I have no idea HOW they managed to do it. Behind a firewall and NAT. Well password protected. Obvious guess would be a computer networked to the NAS, but after extensive testing no malware was ever found.
So, while it was all rebuilt, and some changes have been made (password, port, etc.), I have limited confidence that it can't happen again. Frankly, I suspect a flaw in the NAS software, but Buffalo has never responded to my email queries, and their software has not been updated in years.
Note: I am NOT affiliated with Ask-Leo in any way other than as a newsletter subscriber.
Now, I'm no expert and I don't know anything about your Buffalo Linkstation, but after reading your post, my first reaction was: Why don't you look for a different solution, either by replacing the software on the affected NAS device, or by replacing the affected device itself with a newer one from a different provider that is known to issue security updates?
It also occurs to me that if the software (OS) on the affected NAS device is not proprietary, it may be based on some version of GNU/Linux. Perhaps you (or your IT team) should check the NAS server's OS out to see what it is (if this has not been done yet), and if the device's OS is a GNU/Linux distribution, go get the latest release from the distribution's website.
How you proceed is your decision, but if I were in your shoes, the facts that Buffalo has not responded to your inquiries, and that they have not updated/upgraded their software/firmware in years strongly suggests to me that a change of course is indicated.
I hope this helps (My2Cents),
Ernie
I see the answer to ransomware is government involvement. The government has the resources to identify the culprit. There needs to be a law that these hackers will be hanged. I know this will upset the snowflakes. If they are in a foreign country the "spy" network has the means of seeing these people will never see another sunrise. I think this would solve over 99% of ransomware problems. All this could be done to protect National Security.
We'd be having a few hundred hangings a day. And ransomware won't stop.
I fell victim to ransomware twice over the years. It was pretty crude so I managed to outsmart it both times, though I never figured out how it got in. Unfortunately I've also been a victim of Microsoft Update crashing my Surface twice. Unfortunately, I didn't recover completely from Microsoft Update. Re-install lost files not backed up. "Update security and backup" begs the question, how to defend against Update crashes?
FWIW, I back up my computer two ways here. My desktop is my primary/production machine. I sync it with OneDrive, so all my files are stored offsite (away from my home). I also use Macrium Reflect to back up my computer. I do a monthly full system backup, and a daily differential backup, stored locally on a BitLocker encrypted drive. When I encrypted the drive, one of the options I chose was a fairly long password I can use to access the drive from within the Macrium Recovery environment. Even though I will never forget the password (It is a phrase I created), I have it written down and stored in my home office safe, just in case. With this setup, even if I have to perform a fresh install of Windows, all my files will become available to me after the installation completes, assuming I use the same Microsoft Account I used prior to the fresh installation to log in.
My backup regimen guards me from Microsoft Backup crashes (although I have never suffered one as far as I know) as well as any other malady that may come my way, and even if I have/decide to replace my computer, after I log into a new one (using my same Microsoft Account), because I sync with OneDrive, all my files will be available on it.
I don't know of any way to guard against Microsoft Update related crashes, but at least, with a good backup regimen, you can recover completely with no data loss.
What you do with this is up to you, but I hope it helps,
Ernie
I'm a senior citizen in my lower seventies. I have no affiliation with any business or government entity. I use my personal computer for my own reasons (entertainment, learning, etc.). With that said, I scrupulously maintain my computer's security by keeping it up to date and using Microsoft Defender (I think that's the correct name today :)) antimalware (because it is rated as being one of the best antimalware solutions, it comes preinstalled with Windows, and it doesn't hurt that it is free). I enable BitLocker encryption on all my drives, I enable Controlled Folder Access (Ransomware Protection) even though Microsoft Defender > Virus & Threat Protection told me that there was no action needed before I enabled it, and Microsoft Defender Application Guard to harden my system's security posture, so I am confident that my PC is about as secure as it can be while remaining connected to the Internet, but these steps are only the smaller half of what I do to remain safe while connected to the Internet.
I call the larger half of my security regimen "Cognitive Security".
These are my Cognitive Security rules:
Rule number One: "Be skeptical! Be VERY skeptical!"
Rule number Two: "Trust nothing you view, read, or hear that originates from the Internet" (AKA: Zero Trust).
Rule number Three: "Never trust strangers. A stranger is anyone you have not met or do not know and trust in person (real life)."
Rule number Four: "Never click ANY link without knowing where it's taking you."
Four rules may seem simple, but adhering to them may require a significant change in thinking AND behavior. Let's dig into them a bit, and perhaps you can develop a few of your own.
Rule number One: A skeptical attitude is foreign to most people. It requires you to question EVERYTHING. That can entail a lot of work, but with a skeptical attitude, you are much less likely to get into trouble.
Rule number Two (Zero Trust): This rule builds on Rule number One and is enhanced by Rule number Three. Interpret EVERYTHING you see, read, or hear on the Internet as if it may be a potential attack vector (an attack vector is essentially a path into your computer).
Rule number Three: Always remember that everyone you "meet" on the Internet is a stranger, even if they represent themselves as someone you know in real life, until you can confirm that they are really who they say they are. Remember when you were little, and your mom told you "Don't trust strangers!" (Stranger Danger)? That was good advice then, and it is even better advice today. Everyone, including you, including me, has some sort of agenda, and what we say/do is influenced by it, so consider who the author of what you see/hear/read is as you evaluate the content (oh, and evaluate everything for yourself).
Rule number Four: All links, either on a web page or in an email, consist of two fundamental parts: the label that you see, and the URI (Internet address) the link takes you to. Most email clients and web browsers in Windows display the URI of a link when you hover your mouse over it, either in a Win-tip pop-up or on the Status Bar (bottom of the window). (I don't surf the Internet on my phone, so I don't know how to display the URI of a link there yet.)
For example, when I hover my mouse over the link to this article in my Ask Leo newsletter, I see:
"https://askleo.com/142924?awt_a=7qbL&awt_l=Pdu59&awt_m=J3dixvtgMZdfbL&utm_source=newsletter&utm_campaign=20220222&utm_medium=email"
in a pop-up Win-tip. For my purposes, the important part is "https://askleo.com/". It tells me that the link is taking me to the Ask Leo website with a secure (encrypted) connection (https). Part of what follows directs my web browser to the destination page on the Ask Leo website (this article). The remainder informs the website that the link comes from an email newsletter dated today, 2022-02-22 (yyyy-mm-dd), but I cannot decipher the part between the article identifier (142924?) and the source data (&utm_source=). The components I have not deciphered are "awt_a, awt_l, and awt_m", so I don't know what they reference, but after performing an Internet search, I learned that "awt" stands for the Java "Abstract Window Toolkit", and that awt_m may refer to the layout manager being used, and that awt_l may refer to the label being displayed. As for awt_a, I did not find anything about it in the very short AWT tutorial I looked at ("https://www.javatpoint.com/java-awt"). You can go and read it for yourself if you want to.
For me, the bottom line is that since I trust Leo (I have read his newsletter for longer than I care to divulge here), and the link directs my web browser to the Ask Leo website, I can trust that this link is safe for me to click. I check every link before I click it because you can never know that some miscreant has not intercepted the email and altered its content. Even though I have learned to trust Leo over the years, nothing has taught me to trust the email transport system that gets the newsletter from Leo's website to my email Inbox. I'm sorry for rambling on a bit (perhaps) too much.
Ernie
awt are items added by my email service provider: AWeber. They're what allow me to see which links are actively clicked on, and from which newsletter they came.
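Ernie's fourth rule, checking where a link really goes before clicking it, can be written down as a small checker. The Python below is an added example for this page, not code from Ask Leo or from the commenter. It assumes a reader-chosen list of trusted sites (here only askleo.com) and treats the awt_* and utm_* fields as tracking parameters, as Leo's reply explains; the evil.example links are constructed for the example. It goes a little beyond the comment by also catching the two common ways a link's appearance can lie about its destination: a lookalike host such as askleo.com.evil.example, and the user@host form, where the text before the @ is not the site at all.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Sites this reader has decided to trust (an assumption for the example).
TRUSTED_HOSTS = {"askleo.com"}

# Query parameters that only identify the reader and the mailing; removing
# them does not change where the link goes.
TRACKING_PARAMS = {"awt_a", "awt_l", "awt_m",
                   "utm_source", "utm_campaign", "utm_medium"}


def is_trusted_host(host, trusted=TRUSTED_HOSTS):
    """True if host is a trusted domain or a subdomain of one.

    Substring matching is not enough: "askleo.com.evil.example" contains
    "askleo.com" but is a different site. Only an exact match or a
    ".askleo.com" suffix counts.
    """
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


def label_host(label):
    """If the visible link text looks like a URL or a bare domain, return
    that host; otherwise None. Used to catch "text says A, link goes to B"."""
    text = re.sub(r"^[a-z]+://", "", label.strip().lower())
    host = text.split("/", 1)[0].split(":", 1)[0]
    if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}", host):
        return host
    return None


def check_link(label, href, trusted=TRUSTED_HOSTS):
    """Classify one link as "ok", "inspect" or "reject".

    Returns (verdict, reason, destination), where destination is the link
    with tracking parameters stripped so the real target is easy to read.
    """
    parts = urlsplit(href.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # javascript:, data: and similar never belong in a newsletter link.
        return "reject", f"unexpected scheme {scheme!r}", href
    if parts.username is not None:
        # https://askleo.com@evil.example/ goes to evil.example; the part
        # before '@' is a user name, not the site.
        return "reject", f"user@host trick, real host is {parts.hostname}", href
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "reject", "no host in link", href
    shown = label_host(label)
    if shown and shown != host and not host.endswith("." + shown):
        return "reject", f"text says {shown} but link goes to {host}", href
    keep = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in TRACKING_PARAMS]
    destination = urlunsplit((scheme, parts.netloc.lower(), parts.path,
                              urlencode(keep), ""))
    if not is_trusted_host(host, trusted):
        return "inspect", f"{host} is not a site you have decided to trust", destination
    if scheme != "https":
        return "inspect", f"{host} is trusted but the link is plain http", destination
    return "ok", f"goes to trusted site {host}", destination


if __name__ == "__main__":
    # The first link is the one quoted in the comment; the others are
    # constructed to show the checks firing.
    samples = [
        ("this article", "https://askleo.com/142924?awt_a=7qbL&awt_l=Pdu59"
                         "&awt_m=J3dixvtgMZdfbL&utm_source=newsletter"
                         "&utm_campaign=20220222&utm_medium=email"),
        ("Ask Leo", "https://askleo.com.evil.example/login"),
        ("https://askleo.com", "https://evil.example/reset"),
        ("Ask Leo", "https://askleo.com@evil.example/"),
        ("Ask Leo", "javascript:alert(1)"),
    ]
    for label, href in samples:
        verdict, reason, dest = check_link(label, href)
        print(f"{verdict:8} {reason}\n         {dest}")
```

The verdicts deliberately stop at "inspect" rather than "safe" for unknown hosts: a checker can tell you a link does not go where it claims, but it cannot tell you an unfamiliar site is harmless, which is exactly the judgement Rules One and Three leave with the reader.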
Excellent advice, Ernie. Perhaps we septuagenarians have turned skepticism into a way of life. It got us here safely to our seventies, so it has merit and has served us well. I agree with everything you suggested and now follow the same rules. In my younger days (well, relatively anyway; I was 55), I got hit with a rootkit, and that really woke me up.
The other thing I do, which I imagine you also do, is clone my hard drive (SSD) weekly and store it offline. I do a second SSD now too, because in the old days I used spinning HDDs and discovered to my dread that HDDs don't store well, so even though I'm 100% SSD now, the habit has stuck. Can't be too careful. The sharks are getting bigger.
After my brother lost his computer due to ransomware, I convinced him to dual-boot Windows and Linux Mint so that he could use Linux for Internet activity. The Internet is where most people spend most of their time. Windows malware cannot see Linux. It's a different file system. He uses the same browser that he used in Windows, so no learning curve. That doesn't mean my brother is bulletproof. He still has to practice safe computing; but Linux is relatively safer than Windows. It might sound like a clunky solution, but with practice it works well. Add Macrium full system backups for good protection.
I recently changed credit card and was updating credit card data on several shopping sites. After entering new credit card on first site, my computer offered to auto-enter credit card data on next sites. This worries me!!! It means my computer has stored my credit card data without asking for permission, and someone may be able to get it. WHAT CAN I DO TO PREVENT MY COMPUTER FROM STORING SUCH INFO, AND HOW I CLEAN THE INFO ALREADY STORED?
Which browser are you using? It's best to block your browser from saving passwords, credit card numbers, or any financial information. It's safer to use a password manager for that. LastPass can save encrypted credit card information.
Is It Safe to Let Your Browser Remember Passwords?
This article from Major Geeks explains how to remove saved passwords from popular browsers.
How to Remove or Edit Saved Credit Card Information in Chrome, Firefox, IE, and Edge
Firefox, Windows 10.
The Major Geeks article I linked to explains how to block and remove stored passwords and credit card data from Firefox.
Check the settings for whatever web browser you're using. It's the browser that does this, and they all have options to turn off and clear the information.