Backups as a way to avoid extra costs after a ransomware infection



Of all the cyber threats that exist today, ransomware can be called the most destructive. This type of software spreads quickly over a network (private or corporate), blocking access to data that may be invaluable to a person or a company. The ransomware can be removed from the PC, but only together with all the data on the hard drives. Some members of this class of software are not too dangerous, and a key or another means of neutralizing them can be found on the net. Others are much more dangerous: once they are in the system, the victim sees no other way out than to pay.

Bitcoin is most often used for payment, although in some cases cybercriminals choose other payment methods. And very many victims do pay. According to the FBI, in 2016 alone various companies paid about $1 billion to ransomware developers. This is 40 times more than the figure for 2015. The reason is that ransomware is becoming more sophisticated, and new cybercriminal developments are emerging much faster than before. Still, it is not always worth paying. More precisely, it would be better not to pay at all.

You simply have to think about how to reduce the likelihood of this kind of software getting into the system. Here, as always, we can recommend several familiar options that will be useful for both companies and ordinary users:

Actually, the vast majority of Habr's readers already know this (many even write their own books or textbooks on the topic), but it still will not hurt to re-check the security setup in your company or at home.

The role of security


That said, adding more security measures is not always the answer. A weak link can always be found. Measures such as auditing, file integrity checking, fingerprints, serial numbers, and self-healing do not always help.

An equally important part of protecting your company's data or your personal data is developing measures to deal with the consequences of a breach. Very few companies have any idea what they will do after the trouble has occurred. Run around clutching your head? Not an option. Pay the intruders? Yes, this method is used much more often. But it is not an option either.

Every company should have a DRP (disaster recovery plan) that helps it quickly return to the working level it had before the incident. We have already written about this. When developing such a plan, the main thing is to run training drills and use what they reveal to close possible gaps both in the security system and in the plan itself.

And here it is worth mentioning another point, which we did not discuss in the last article. What is it? That's right, backups. You definitely need copies of your files, with versions sorted by the time of archiving. Just any backup will not do: it may have been made during the attack, and rolling back to that version of the archived files is not a good idea.
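An added example, not from the original article: one way to pick the version to roll back to from time-sorted backups. It skips any version made at or after the time the attack was detected, and any version in which most files changed at once, which suggests encrypted files were archived. The snapshot data, the 0.5 threshold and the function names are assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample data: (archive time, {file path: content hash}).
SNAPSHOTS = [
    ("2017-02-20T02:00", {"a.doc": "h1", "b.xls": "h2", "c.txt": "h3", "d.pdf": "h4"}),
    ("2017-02-21T02:00", {"a.doc": "h1", "b.xls": "h2b", "c.txt": "h3", "d.pdf": "h4"}),
    ("2017-02-22T02:00", {"a.doc": "x1", "b.xls": "x2", "c.txt": "x3", "d.pdf": "h4"}),
    ("2017-02-23T02:00", {"a.doc": "x1", "b.xls": "x2", "c.txt": "x3", "d.pdf": "x4"}),
]


def changed_fraction(prev, cur):
    """Share of files from the previous version that are altered or missing."""
    if not prev:
        return 0.0
    changed = sum(1 for path, digest in prev.items() if cur.get(path) != digest)
    return changed / len(prev)


def last_clean_snapshot(snapshots, detected_at, threshold=0.5):
    """Return the archive time of the newest version safe to restore, or None.

    A version is rejected if it was archived at or after detection time, or
    if more than `threshold` of the files changed since the previous version.
    Every later version is treated as suspect too.
    """
    detected = datetime.fromisoformat(detected_at)
    clean, prev = None, None
    for stamp, manifest in sorted(snapshots, key=lambda s: s[0]):
        if datetime.fromisoformat(stamp) >= detected:
            break  # archived during or after the known attack window
        if prev is not None and changed_fraction(prev, manifest) > threshold:
            break  # mass rewrite: likely a backup of encrypted files
        clean, prev = stamp, manifest
    return clean


if __name__ == "__main__":
    print(last_clean_snapshot(SNAPSHOTS, "2017-02-23T09:00"))
```

The version from 22 February predates detection but is still rejected, because three of its four files changed in a single night.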

Therefore, if the data really matters to the company, you need a reliable archiving system, preferably one in which clients, even with administrator-level access, cannot delete anything from the archived copy. Then, even if malicious software manages to get into the network, it cannot do anything to the archive.

After an infection, a healthy copy can be restored in a few minutes (or hours, depending on the scale), giving you a healthy system again. The overwhelming majority of affected companies, whose data was worth hundreds of thousands or even hundreds of millions of dollars, did not have a proper archiving system, and where one existed, its operation was checked only from time to time rather than on a regular basis.

Thus, one possible way to protect files is to lock your backups away in a safe place and not let anyone do anything with them. They should be stored for as long as necessary. Of course, such tools can be quite expensive, but here it is worth counting the possible losses if ransomware gets into the company network and weighing whether the expense is worth it.

Reliable backups to all!

Source: https://habr.com/ru/post/322542/

