Trend Tide News

How Do We Build Ransomware Resilience Beyond Just Backups?



An IT pro seeks guidance on hardening Windows systems after overcoming a ransomware attack.

[Root] Access is an advice column for questions about IT issues, career moves, and workplace concerns.

Our company got hit with a ransomware attack that targeted our NAS drives. Even though we had backups, restoring the data was a stressful, drawn-out ordeal. The attackers encrypted a decent chunk of our data and demanded payment for the decryption key. Fortunately, we had backups, so we didn't have to pay the ransom. But restoring everything was slow and complicated.

While backups are non-negotiable as a safety net, they're not enough. I want to take a more proactive approach to harden our systems and minimize the impact of future ransomware attacks. How can we make our Windows environments and storage systems more resilient without relying solely on backups?

-- Striving for Ransomware Resilience

Recovering from a ransomware attack is no small feat, even when backups are in place. I am glad you avoided paying the ransom, but I understand that the ordeal was complex and time-consuming. Although restoring a backup is the best way to recover from a ransomware attack, many people are surprised by how tedious and time-consuming the process can be.


The good news is there are proactive measures you can take to harden your system and make things easier in the future. Here are some tips on making your Windows environments and storage systems more ransomware resilient.

Recovery is undeniably important, but preventing ransomware attacks is even better. While no solution is foolproof, implementing various security tools can make an attack far less likely.

I recommend focusing most of your efforts on endpoint protection. In my experience, most ransomware attacks begin with users doing something they shouldn't, such as clicking on malicious links or opening infected email attachments.

Email filtering tools can reduce these risks. If your organization uses Microsoft 365, look at using its Safe Links and Safe Attachments features. These tools neutralize malicious links and block harmful email attachments.

If your users work on company-issued devices, consider implementing an application whitelisting system. Such a system allows only approved code to run on devices. As a result, unauthorized programs -- like ransomware -- are blocked from executing and rendered harmless.

While email filtering tools are essential, it's unrealistic to expect them to block every malicious message. As such, another important step is educating your end users on identifying phishing emails and other suspicious content that make it through the filters.


User education is one of those things that should be an ongoing effort, not a one-time initiative. Regular training sessions help reinforce best practices and keep security in focus.

To complement training, consider using phishing attack simulators. Several vendors offer tools that generate harmless, realistic-looking phishing messages and send them to your users. Microsoft 365 even includes a phishing simulation tool.

These tools track which users click on simulated phishing links or open attachments. Some tools also provide automated follow-ups, such as mandatory security training for those who fall for the simulations. In theory, the added accountability can motivate users to be more cautious -- few people want to sit through security training again.

If ransomware gets in, limiting its reach can save you some headaches.

Limiting user permissions is vital because ransomware operates with the permissions of the user who triggers the attack. As such, users should only have access to the resources they need to perform their jobs -- no more, no less. If a user doesn't have access to a specific resource, the ransomware won't be able to encrypt it.
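To find where that principle is currently violated, the following PowerShell script (an added example, not part of the original column) walks a share root and reports folders where broad groups hold write-capable NTFS rights, which are the folders any single compromised account could encrypt. The share root `D:\Shares`, the scan depth, and the list of "broad" principals are assumptions to adjust for your environment.

```powershell
# Added example: report folders where broad groups can write or delete.
# $Root, $Depth and $BroadPrincipals are assumptions; change them to match your environment.
param(
    [string]$Root = 'D:\Shares',     # hypothetical share root
    [int]$Depth = 3,                 # how many folder levels below $Root to inspect
    [string[]]$BroadPrincipals = @(
        'Everyone',
        'NT AUTHORITY\Authenticated Users',
        'BUILTIN\Users'
        # add your own domain-wide group here, e.g. '<DOMAIN>\Domain Users'
    )
)

# Only the bits that allow overwriting, appending, renaming or deleting.
# Composite rights such as Modify are avoided because they also contain read bits.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles'
# Some ACEs store raw generic rights instead: GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
$writeMask = [int]$rights -bor 0x10000000 -bor 0x40000000

$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)

$findings = foreach ($folder in $folders) {
    try {
        $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
    } catch {
        # An unreadable ACL is worth knowing about, but should not stop the audit.
        Write-Warning "Cannot read ACL on $($folder.FullName): $($_.Exception.Message)"
        continue
    }
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }       # skip Deny entries
        if ($BroadPrincipals -notcontains $who) { continue }       # only broad groups
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }  # read-only ACE
        [pscustomobject]@{
            Path      = $folder.FullName
            Principal = $who
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Non-inherited entries are where the broad grant was set explicitly; fix those first.
$findings | Sort-Object Inherited, Path, Principal | Format-Table -AutoSize -Wrap
```

The script reads NTFS ACLs only; share-level permissions are a separate layer and need their own review.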


Moreover, consider isolating high-value data on storage systems that require additional authentication. Doing so reduces exposure if ransomware spreads.

To hedge your bets against ransomware, you should develop a well-thought-out recovery strategy. Yes, you can restore a backup to recover from a ransomware attack, but there are steps you can take to make the restoration process faster and more efficient.

For example, you might perform parallel restorations to recover multiple systems simultaneously to reduce overall downtime. You might also use caching and staging techniques to speed up data transfer and system recovery.

If you have not already, ensure a backup is located near your primary data. For example, if your SQL Server database is hosted in your data center, restoring it from a local, disk-based backup will be a lot faster than retrieving it from a cloud backup.

In IT, resilience is largely about preparation. You will reduce the likelihood of ransomware attacks and accelerate recovery by combining the efforts I've listed above.
