Recently I have encountered a couple of instances where people had inadvertently clicked a link in an email claiming to be from “The Federal Police“. This has resulted in any hard drive connected to the infected PC being encrypted. The ransomware pirates demand payment for the unique code to decrypt files. Obviously paying isn’t an option.
Drives infected by the ransomware include cloud drives such as Dropbox. In both ransomware incidents the network drives infected were backed up and as a result all encrypted files could be restored from backup. Unfortunately the cloud drives which stored personal and shared professional folders weren’t backed up. I was surprised to learn that the standard Dropbox account only enables restoration of previous versions going back about thirty days. Anything older than that is irretrievable. Paid versions of Dropbox may enable files to be restored from any earlier time. Learn more here: https://www.dropbox.com/help/113
I wanted to learn how we might protect ourselves against such attacks. Firstly it is possible to backup local files including Dropbox on a PC or Mac and to be able to restore to a previous version. In our own case we have applied additional backup drives, in addition to tape, on our network as a fail safe and instituted backup on various individual devices. The other thing that can be done is to restrict user permissions within the network so that users can’t install programs directly themselves. If a device doesn’t have rights to install the ransomware can’t install.
We also wanted to know whether we could prevent the ransomware emails from arriving in our Exchange inboxes in the first place. Yes it is possible to screen for ransomware. Our own Symantec email protection won’t do it. This is a bit disappointing because that’s what we are expecting it to do. Apparently there is a corporate grade “Symantec Cloud” (used by banks and large corporations) which will screen out everything even ransomware. A Palo Alto firewall teamed with Wildfire will screen out any threat too and I am sure there are a range of others. These options appear relatively expensive when compared with standard email screening, but I am left wondering about the value of standard email screening. What are we paying for?
We have also been considering migrating our Exchange to Office 365. I felt certain that Microsoft would offer high end filtering to protect their valued customers and that this could be the answer. Not so, Microsoft apparently only apply standard Exchange filtering. Customers need to apply any additional filtering themselves.
It is interesting how widely spread the effects of ransomware have been and how easily it can penetrate and disable. In investigating I found that there was little thought being provided to the backup of cloud services. Users, myself included, naively expected better protection (by cloud providers) against loss of data in the cloud.