This post provides details on how to prevent and manage ransomware attacks and provides suggestions regarding implementing Arcserve UDP to protect your backups and enable fast, reliable, and simple recovery.
Implementing Arcserve UDP for Maximum Ransomware Protection
Ransomware protection strategies should be designed in line with the industry best practices. One such best practice is following the 3-2-1 backup strategy, in which you keep at least three total copies of data: two local copies, one of which must be offline, and one off-site copy.
With Arcserve UDP, this is done by replicating the primary recovery point server (RPS) to a secondary RPS using the option of replicating to a remotely managed RPS, which creates an air gap between the systems. This process forms a solution consisting of two autonomous systems with separate consoles.
The air gap is achieved via a secure connection being established over ports 8014-8015 to the secondary RPS using a regular, non-administrative user account and a data transfer via a block-based replication. If the RPS server is compromised, our block-based replication technology prevents any affected files from reaching the secondary RPS.
The secondary RPS should be secured by:
- Using a separate password to its administrative account.
- Not making the RPS a part of the domain.
- Configuring the firewall to only accept traffic from the primary RPS.
- Limiting RDP access (preferably only allowing physical console access).
A third copy of the backup could be placed on tape or in a cloud instance.
In addition to the above, it is possible to harden the console and agent service ports.
The procedure is outlined in one of our KBs, available here.
Graphical illustration of a setup
General Guidelines
The following is a condensed list of items that you should consider as part of your ransomware protection strategy.
Implement a good backup and disaster recovery (DR) strategy.
- Follow 3-2-1 best practices.
- Use dedicated backup service accounts.
- Avoid using domain admin accounts for daily user tasks (e.g., reading mail).
- If your environment allows, disable SMBv1.
- Implement more-than-daily backup schedules for critical systems.
- Document DR procedures.
- Schedule regular DR drills.
Take immediate steps after a ransomware attack.
- Disconnect infected machines from the network and the internet so ransomware does not spread to other machines.
- Run a virus scanner from a bootable disc or USB drive (i.e., an offline virus scan) to try to remove the virus from the machine.
- Do a bare metal recovery (BMR) to take your machine back to a previous state.
- Report the incident to the authorities.
Work to prevent future ransomware attacks.
- Review, update, and/or maintain a network security policy.
- Always have Windows Firewall enabled if you run Windows.
- Install an antivirus program that automatically updates and has a real-time virus scanner.
- Keep your browser and plug-ins up to date, including Adobe Flash Player, Java, and so on.
- Maintain up-to-date inventory of all your digital assets, so hackers do not have easy access to systems you have forgotten or don’t closely monitor.
- Segment your file access so only authorized users have permission to make changes.
- Install pop-up blockers because pop-ups are another way for ransomware viruses to enter your system.
Ensure data and hardware are adequately protected.
- Keep your OS and applications up to date.
- Back up critical data on a regular basis so if you are a victim of a ransomware attack, you can recover important data without being forced to pay up.
- Always have a copy of your data off-site whether on an external hard drive or tape, in a secure cloud, or, in a best-case scenario, all three.
Change online behaviors and practices.
- Never download attachments from unknown senders or sources you do not know.
- Do not download and execute unauthorized applications from the internet unless they are from a trusted source and have been scanned for malware.
