At the law firm I work for, we’ve been hit with ransomware three times. Each time that happened, we had a massive amount of files on a shared network drive encrypted and held completely inaccessible. As the systems administrator, charged with the integrity of our data, it only took me about 10 minutes to solve the problem and get back to business as usual.
Where our virus protection failed (and we have great virus protection), our backup system was extremely valuable in recovering from each ransomware hit.
Particularly for small to mid-sized law firms, I would argue that continuous, encrypted, cloud-based backup solutions are the most effective way to handle ransomware.
Why Ransomware is Different
Ransomware is not like other computer viruses. Frankly, it’s not really a computer virus at all (more properly categorized as malware), which is why using traditional virus protection to defend against it can be so tricky. When we got “infected” with ransomware, there were no pop-ups, no shady programs running in the background, and no clicking (that I know of) on questionable website links.
Instead, it was a simple script that encrypted our files and left a small notepad.txt file describing how we could pay to have our files unencrypted.
Now, it’s not to say that virus protection is not helpful or that many attacks are not stopped by strong anti-virus programs. They certainly are. However, I’ve found that—unlike many other computer issues—my best play was not preventative. Instead, it was in the aftermath that I was able to most effectively deal with the problem by restoring from a backup copy of our data.
Best Practices for Setting Up Backups to Deal with Ransomware
Ransomware or not, the best backup systems need to have certain qualities. First, a good backup configuration should have three “layers” of data. By layers, I mean multiple copies of each file. For example, your firm might store documents on a shared network drive, which would be your first layer of data.
A good backup set would give you three total layers, perhaps something like this:
- Original copy
- Local backup (media server, external hard drive)
- Offsite copy (cloud-based backup)
In my experience, the offsite backup is the most critical, because it’s completely autonomous from your network and can’t be impacted by a ransomware infection. Additionally, these backups can often be set up to roll continuously, meaning you can restore files right to the moment you were infected with ransomware. The cloud-based backup you choose should also have the following features:
- Ability to retrieve files by past versions (called “versioning”)
- Two-factor authentication (secures your user account)
Assuming you have your three layers of backup in place, another best practice is to back up at least twice a day (if not continuously), once at noon and again at midnight. This gives you a restore point from the middle of the day instead of having only one, or two that are both after working hours.
Each time we were hit by ransomware, I used the cloud version of our data to restore and then manually ran the local backup again to make sure everything was starting from the same spot. I was struck by how valuable those backups were and how much time they were saving me. Had I not had an effective backup system in place, there was no real “technical” answer for getting our data back.
Besides being a general best practice, our firm saved a massive amount of time and money by having a simple backup and restore system ready to go.
Other Things You Can Do to Prevent Ransomware
As I mentioned, it is definitely helpful and necessary to keep up-to-date anti-virus software on all your firm’s computers (including a centralized server if you have one). This can prevent most of the malware attacks that allow cryptoviral extortion in the first place.
I also recommend downloading a program called CryptoPrevent, which is a type of anti-malware software that is specifically designed to prevent the execution of ransomware by changing the group policy for the folders where that type of malware typically resides. The free version has all this functionality and runs in the background once installed.
I’d recommend pairing it with whatever virus protection software you’re using on all computers that are part of your firm’s network.
What if I notice ransomware on one of my firm’s computers?
Ransomware can infect both the local files of the computer it resides on and the files on any network share that might be accessible from that computer. The first thing to do if you notice ransomware on a specific computer is to disconnect the ethernet cable and/or disable the Wi-Fi card to cut off access to your network shares.
At that point, leave the infected computer and go check on the network shares to make sure they have not also been infected. If they have been ransomed (encrypted), do a full restore of the infected files from earlier that day or preferably a day or two prior.
Make sure you then check for any unwanted programs on your server.
Once the files on your server are restored, you can then move back to the infected PC and repeat the process. If possible, you should consider doing a System Restore for that computer before restoring files from your backup.
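To make the "check the network shares, then restore from before the infection" steps concrete, here is an added Python example (not part of the original article, and not tied to any particular backup product). It flags files whose contents no longer start with the signature their extension implies, finds the earliest damaged write, and picks the newest backup before it; the function names, the `.xyz` suffix and the list of snapshot times are assumptions made for illustration.

```python
import os
from datetime import datetime, timedelta

# Well-known leading bytes for common document types.
MAGIC = {"pdf": b"%PDF", "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04",
         "pptx": b"PK\x03\x04", "zip": b"PK\x03\x04",
         "png": b"\x89PNG", "jpg": b"\xff\xd8\xff"}

def expected_magic(name):
    """Signature for the first known extension in the name, so a file that
    gained an extra suffix (constructed example: lease.pdf.xyz) is still checked."""
    for ext in name.lower().split(".")[1:]:
        if ext in MAGIC:
            return MAGIC[ext]
    return None

def looks_encrypted(path):
    """True when a file of a known type no longer starts with its signature."""
    expected = expected_magic(os.path.basename(path))
    if expected is None:
        return False  # unknown type: this check cannot judge it
    with open(path, "rb") as fh:
        return fh.read(len(expected)) != expected

def triage_share(root):
    """Walk a share; return (damaged paths, earliest modification time or None)."""
    damaged, earliest = [], None
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            try:
                if not looks_encrypted(path):
                    continue
                mtime = datetime.fromtimestamp(os.path.getmtime(path))
            except OSError:
                continue  # locked or unreadable: review by hand
            damaged.append(path)
            earliest = mtime if earliest is None else min(earliest, mtime)
    return sorted(damaged), earliest

def pick_restore_point(snapshots, first_damage, margin=timedelta(0)):
    """Newest backup taken before the first damaged write, minus a safety margin."""
    safe = [s for s in snapshots if s < first_damage - margin]
    return max(safe) if safe else None
```

Passing `margin=timedelta(days=1)` matches the advice to restore from a day or two prior. Modification times can be altered, so treat the earliest timestamp as a starting estimate and confirm against your backup tool's version history.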
In my experience, preventing ransomware is a lot harder than simply deleting or replacing ransomed files. I would advise attacking the problem from both sides, making sure you have good anti-virus, anti-malware, and backup systems in place. It’s the difference between ransomware being a catastrophe for your entire firm or a minor annoyance for the IT department.