On May 12, 2017 a new ransomware virus called WannaCry was unleashed and it wreaked havoc on Microsoft Windows systems. Infected computers had their important files encrypted and the user was prompted to pay a ransom to the authors of the virus in order to recover their files.
As is common, the ransom was demanded in Bitcoin. The amount increases over time to pressure victims into paying quickly.
In this instance the ransomware spread via a vulnerability in Microsoft Windows. The operating system security patch for this vulnerability had been released in March 2017, so if your systems were up to date you shouldn't have been impacted.
The hard truth is that if you're already infected it's too late. You can either pay the ransom or restore from backup.
To pay or not to pay?
This is always a tough call and depends on the value of your data. If you don't have a current backup it's your only choice. The malicious code writers don't have to send you a decryption key but they DO have a vested interest in doing so - word gets around pretty fast when your money just disappears.
You do have a backup, right?
A good backup system is a cheap insurance policy. The cost of your business being closed for an hour, a day or a week is usually far higher than the annual cost of a good backup. It can also mean the difference between business survival and closure.
The two main approaches to backups are file-based and snapshot-based. File-based backups can only recover your data and not the operating system. Snapshot-based backups are the most thorough and can restore an image of an entire server to a particular point in time.
The best solution is the snapshot method with individual file restore capability that also includes both on-site and cloud backups as we'll detail below.
It's best to approach IT security with a layered method. There is no magic bullet that will protect you from everything - the goal is to minimize your risk as much as possible by using multiple layers of defense.
Update, update, update
If you're not manually controlling Windows updates on your network with Windows Server Update Services (WSUS), at least turn on automatic updates for your workstations. WannaCry infections could have been completely prevented with this method.
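The audit script below is an added example, not code from the original post; it reads the documented Windows Update policy and local registry values on one workstation and reports whether automatic updates are enabled, whether the machine is pointed at a WSUS server, and how long it has been since the last hotfix landed. It assumes it is run locally with administrator rights.

```powershell
# Added example: audit a workstation's automatic-update configuration.
# Policy (GPO/WSUS) values take precedence over the local Auto Update key.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policyAU   = Join-Path $policyRoot 'AU'
$localAU    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$noAutoUpdate = Get-RegValue $policyAU 'NoAutoUpdate'   # 1 = automatic updates disabled by policy
$auOptions    = Get-RegValue $policyAU 'AUOptions'
if ($null -eq $auOptions) { $auOptions = Get-RegValue $localAU 'AUOptions' }
$useWsus      = Get-RegValue $policyAU 'UseWUServer'    # 1 = updates come from WSUS
$wsusServer   = Get-RegValue $policyRoot 'WUServer'

# AUOptions: 2 = notify before download, 3 = auto download / notify to install,
# 4 = auto download and schedule the install, 5 = let the local admin choose.
$autoInstall = ($noAutoUpdate -ne 1) -and ($auOptions -eq 4)

# Age of the newest installed hotfix: a rough "are patches actually landing?" check.
$lastFix = Get-HotFix | Where-Object InstalledOn |
           Sort-Object InstalledOn -Descending | Select-Object -First 1
$daysSincePatch = if ($lastFix) {
    (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days
} else { $null }

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    AutoUpdateDisabled = ($noAutoUpdate -eq 1)
    AUOptions          = $auOptions
    AutoInstall        = $autoInstall
    UsesWSUS           = ($useWsus -eq 1)
    WSUSServer         = $wsusServer
    LastHotFix         = if ($lastFix) { $lastFix.HotFixID } else { $null }
    DaysSinceLastPatch = $daysSincePatch
}
```

Run it across the fleet with Invoke-Command and sort on AutoInstall and DaysSinceLastPatch to find the workstations that would have been exposed.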
The oft-forgotten threat vector is third-party software running on top of Windows. Simply visiting an infected web page or opening a malicious file can compromise your machine and your network.
The primary applications to stay on top of are Adobe Acrobat, Adobe Flash and Oracle Java. The importance of this can't be overstated - it can reduce your workstation infections by 80%. The new versions of these can be set to auto-update but will sometimes require a click by the end user if you're not centrally managing them.
Anti-spam and blocking attachments
Modern anti-virus suites have attachment scanning and detection of links to malicious sites. Often your email provider will scan for bad things also - Microsoft's Office 365 does this and they had WannaCry blocked very quickly. In many cases Microsoft has a speed advantage because of the huge number of installed users on Exchange Online and an even greater number of machines running Windows Defender anti-virus software.
Educate your employees
Most employees know by now not to open suspicious attachments or click on suspicious links but it's a good idea to remind them occasionally.
Additionally, advise them that if they see anything threatening or suspicious on their screen to turn off their PC in order to minimize the damage until someone can look at it. A quick picture with a cell phone before turning it off can help you here too.
We had one case when Cryptolocker first hit where an employee decided just to "deal with it on Monday" so it had the whole weekend to chew through the network shares and encrypt the data as fast as the hardware and network would allow.
Backup, backup, backup
This is your last line of defense and the most important one. Review your current backup plan and do a test restore on a periodic schedule. There is little worse than thinking you're secure and then realizing you've lost everything. It literally can be life or death for your business.
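The script below is an added example, not code from the original post or from any backup vendor; it turns "do a test restore" into a pass/fail check by recording SHA256 hashes of the live share into a manifest, then comparing a restored copy against that manifest. All paths are placeholder assumptions.

```powershell
# Added example: verify a test restore against a hash manifest taken at backup time.
# -Mode Manifest : hash the live share and write the manifest (run when the backup runs).
# -Mode Verify   : hash the restored copy and compare it to the manifest.
param(
    [ValidateSet('Manifest','Verify')][string]$Mode = 'Verify',
    [string]$Root     = 'D:\RestoreTest\Finance',     # placeholder: live share or restored copy
    [string]$Manifest = 'C:\BackupChecks\finance.csv' # placeholder: keep outside the backup set
)

function Get-TreeHashes {
    param([string]$Base)
    $prefix = $Base.TrimEnd('\')
    # Relative path -> SHA256, so the live share and the restored copy compare cleanly.
    $table = @{}
    Get-ChildItem -LiteralPath $prefix -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($prefix.Length + 1)
        $table[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $table
}

$current = Get-TreeHashes $Root

if ($Mode -eq 'Manifest') {
    $current.GetEnumerator() |
        ForEach-Object { [pscustomobject]@{ Path = $_.Key; Sha256 = $_.Value } } |
        Export-Csv -LiteralPath $Manifest -NoTypeInformation
    Write-Output "Recorded $($current.Count) files to $Manifest"
    exit 0
}

$expected = @{}
Import-Csv -LiteralPath $Manifest | ForEach-Object { $expected[$_.Path] = $_.Sha256 }

# A file that restored with a different hash is as much a failure as one that is missing:
# an encrypted file that was backed up after infection will show up here as CHANGED.
$missing = @($expected.Keys | Where-Object { -not $current.ContainsKey($_) })
$changed = @($expected.Keys | Where-Object { $current.ContainsKey($_) -and $current[$_] -ne $expected[$_] })

Write-Output "Checked $($expected.Count) files: $($missing.Count) missing, $($changed.Count) changed"
$missing | ForEach-Object { Write-Output "MISSING  $_" }
$changed | ForEach-Object { Write-Output "CHANGED  $_" }

# Non-zero exit lets a scheduled task or monitoring system flag a failed restore test.
if ($missing.Count -or $changed.Count) { exit 1 } else { exit 0 }
```

Schedule the Verify run against a fresh restore on the same cadence as your test-restore policy so a silently broken backup job is caught before you need it.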
We like Datto's world-class backup solution which takes complete server snapshots and allows you to go back to any point in time in seconds. Datto backup is a hybrid model of on-premise (in your office) and cloud-based backups that also includes the ability to run the snapshots as a virtual machine in case of complete disaster. You can restore either individual files or entire servers from "bare metal."
We also recommend backing up the portions of your IT infrastructure that are in the cloud. This includes Office 365's Exchange Online, OneDrive for Business/SharePoint and Azure file services.
While you're never going to be safe from everything, the basics of protection are still the same as they always have been - update everything, educate your end users and BACK UP OBSESSIVELY.