An MSP's guide to ransomware:

How to help clients prevent attacks and prepare for the worst-case scenario

It’s the call you dread…your client’s in a panic because they’ve been hit with ransomware. One of the fastest-growing trends in cybercrime, ransomware infects a computer or other device and works fast – locking the user out or encrypting their files. Once the damage is done, a ransom notice appears, demanding payment to restore access. It’s bad enough when it happens to you, but when it happens to a client, you’re left with a messy clean-up job and a lot of crisis management.

Start reselling today! 888.299.2522 | [email protected] | intermedia.net/resellers

When ransomware strikes…

Typically, ransomware starts with a phishing email that contains an infected attachment or tricks the receiver into clicking a malware-laden link. The malware searches through My Documents, the desktop, shared files that get synced with cloud or network-based file servers, etc., looking for documents, spreadsheets, presentations, images, text files, video, music and other kinds of files that contain information a user might be willing to pay to retrieve. Then it individually encrypts each file. In most cases, the user isn’t even aware that this is happening. Then the ransom note appears…and your panicked client knows just who to call…you.

CONTAIN THE INFECTION

The initial damage is done, so the first course of action is to contain the infection. There’s a very real possibility that more than one user will get infected – either through the same attack vector that brought in the initial infection, or by one infection propagating itself across your client’s network. Your first act should be to get the infected machine off the network. Then you have to figure out the scope of the infection – the type of malware it is, how many machines are impacted, how much data is involved, etc. You also want to find out how the infection got in, so that you can patch any security weaknesses or holes. After that, you’re ready for the clean-up.

ANALYZE THE ATTACK

If you plan to perform any forensic analysis on the infected machine, now is the time. This isn’t required, but if you have the capability to do some investigation, it will help you determine how the infection came in and who else in the client’s organization might also have been targeted – both those people who have triggered an attack on their machines and those who received the phishing email but haven’t acted on it yet. You’ll need to quarantine their computers, too. Depending on the nature of your client’s business, or if there’s a regulatory compliance requirement, you may want to report the incident and give relevant data from the original hard drive to the FBI or local law enforcement, along with anything you discover about the source of the infection. When you’re ready to clean the infection, we recommend that you put a new hard drive in the machine and then reimage. If you have to use the existing drive, then we recommend you do a NIST secure wipe. That’s really the only way to ensure that you’ve wiped it clean.

ANALYZING A MALWARE ATTACK: INTERMEDIA’S EXPERIENCE

At Intermedia, we take a memory image of the infected machine: memory dump, latest state of the machine, which users are logged in, processes running, system parameters, etc. We also review the logs of the user’s activity on the network. Then we interview the user to understand their experience. In some cases we might take the infection to a live sandbox environment to understand the behavior of the malware: what it is, what it does, what domains or IP addresses it tries to contact, what registry keys it creates, etc. We finish by cloning the drive and then storing both the original and the copy. This is the process we follow for any kind of malware, not just ransomware.


RESTORE THE FILES

Once the impacted machines are clean, it’s time to restore the files. How long this will take will depend on the backup solution you are using with this client, how much data has been encrypted…and the amount of work you’ll have to juggle around and reschedule to fit in this emergency procedure. And of course, during all of this you’ll need to explain what’s happening to your client and reassure them that they haven’t lost all their data. Unfortunately, their users will be benched until they can get access to their files and get back to work. However, if you are providing Intermedia’s backup and file sharing solution to your clients, file restoration is a pretty quick process. This means significantly fewer support hours from you and relief for your client that is about as painless as it can get. From the Control Panel, you select the SecuriSync® service, and then for each infected user, select each top-level folder and perform a mass restore to the date and time right before when you estimate the infection occurred. The files will quickly be restored to that moment! You can read our how-to guide for detailed instructions on performing a restore.

Preventing ransomware attacks

The best defense is usually a good offense. A lot of this pain and agony could have been prevented with solid employee education. As a trusted partner to your clients, you have a great opportunity to offer training to their employees on preventing ransomware attacks. Like other cybersecurity issues, ransomware occurs primarily as a result of employees falling victim to phishing emails. Holding regularly scheduled security training sessions with your clients can keep users abreast of the latest security threats, help them spot phishing emails and questionable links, and prevent most ransomware infections. Be sure to talk to clients about the actions they should take if they are hit by a ransomware outbreak as well. For instance, do they know to immediately close their computer to help reduce the spread of infection? Do they know that there are options available to retrieve their data without paying a ransom? Such training has a two-fold benefit for your business: it’s a great recurring revenue opportunity, and it reduces the amount of time you will have to spend cleaning up after ransomware attacks. And while you can certainly offer “ransomware cleanup” as a service, and you should, you’ll engender deeper loyalty by pairing it with preventative training as the first line of defense. That way, they won’t feel that you are just out to capitalize on their misfortune, but rather working hand in hand with them to prevent attacks before they can do damage. Check out our partner guide to email security for tips on employee education and other products and services you can provide to help clients secure their email from phishing attacks.

Given the increase in the sophistication and amount of ransomware attacks being perpetrated on businesses today, providing your clients with preventative education and ransomware recovery services is a must. These professional services can differentiate you from your competition, while instilling loyalty in your client base and providing you with additional revenue. Consider adding SecuriSync to your portfolio as a backup and file sharing solution that offers point-in-time mass restoration capabilities to quickly restore files in the event of a ransomware attack. Intermedia’s backup and file sharing solution offers a 99.999% uptime SLA, enterprise-grade security, and an easy-to-use experience for employees. And it’s managed from within the Control Panel and integrated with your other Intermedia services for easy client setup and administration. Learn more about how Intermedia helps partners succeed through its attractive partner programs, products and services, and consultative security expertise, by contacting us at [email protected] or 888-299-2522.
