How to protect yourself and your company network from Ransomeware.
…or how I laugh in the face of scrip kiddies!
I’ve been building, and managing networks of 75 – 150 user, multi-site, primarily Windows based corporate networks for about twenty years, plus my work with Kibosh.
I keep a tight reign over the data under my care, but even so I’ve been hit with a few malware / ransomeware attacks over the years. I think that no matter how tight you keep the firewall / local antivirus / snort / Internet content filter (i.e., Kibosh) you’ll still get hit eventually. Someone always clicks on something they shouldn’t at some point, and I mean, don’t we all?
As more and more high profile ransomeware infections are making the news:
- La Porte County Pays $130,000 Ransom To Ryuk Ransomware
- Attackers Earn Over $1 Million in Florida Ransomware Attacks
I continue to hear, on podcasts mostly, that good backups are not a full-proof solution to ransomeware. I disagree, and this is how I do it.
The key is offline backups.
As the Director of IT I’m responsible for a number of high-profile production servers: Exchange, SharePoint, Project Web Access, GoldMine, File Server, Domain Controllers, and a few others with some Linux here and there like Bugzilla.
Each server has critical data, most of it SQL based, except Exchange which has complicated real-time jet engine transaction logs.
I use Image for Windows by Terrabyte. This takes a live, scheduled nightly, OFFLINE, snapshot of the server. By ‘offline’ I mean you will be left with a .tib file of the server, and you can then put this .tib file anywhere you want.
Each nigh for SharePoint, PWA, GoldMine:
- Around 1130 PM a scheduled SQL backup of critical DBs to a local directory runs.
- You’ll need to keep an eye on this local directory so it doesn’t fill up. This is good because it forces you to touch the server at least once a week.
- (optional) Around 0005 shut down SQL svc using .bat file + scheduler.
- Around 0030 the scheduled Image for Windows backup starts – the live server image deposited on an external H/D.
- (optional) Around 0500 SQL svc started.
At this point you have a full SQL server offline backup.
File Server
Each night for File Server I use Acronis 11, and each company share that contains critical data has it’s own backup schedule to an external H/D (so each night one or two shares get backed up – note that these are offline, external backups). Plus I use MirrorFolder to keep File Server data replicated to a 10TB NAS in real-time.
Domain Controllers
I use Image for Windows live backup each night to an external H/D.
Each night for Exchange:
- Around 0005 shut down the information store via .bat & scheduler.
- Around 0030 Image for Windows executes schedule backup to external backup H/D.
- Around 0500 information store restarted via .bat & scheduler.
Bam! At this point you have a full, offline Exchange backup which is easy to restore (download guide) <– a .docx.
So you get the idea. These are all live server, offline backups, with only one server going down which is Exchange. And all for a very reasonable price.
If you cannot take exchange information store down then you’ll need to spend some money on a real Exchange backup tool, which is fine. The Image for Windows live backup of the server will still be usable, but the Information Store data will not work (unless it’s taken offline before the backup).
Rotate the external backup H/Ds
Another thing I do is rotate the external backup H/Ds each day which I keep in external drive bays so it’s easy to swap them out. So each critical server has five external H/Ds for daily backups. Worse case scenario and the external backup is encrypted, I lose one day at the most.
Can ransomware encrypt offline backups? At some point probably, I guess maybe it’s already possible, but you (the Net Admin) would have to be dead to not catch the ransomware attack before that happened because it’s (the ransomware) main focus is on critical local data, file server (UNC drive) data, etc and this all takes time. When I got hit about 1.5 years ago as of this writing, the ransomeware attack started at a users workstation (surprise!), and then jumped onto our file server. Someone caught it and alerted me before it had encrypted a little over 1/3 of the data, but even if it had encrypted 100% we still would not have lost the data as I have good offline backups.
Anyway, using the above, you will be impervious to ransomeware, and sleep well at night…just like me.
Scott