LICOMPGUY asked:

Ransomware prevention strategy/high availability

Hi all. We have a local ESX server (local storage, no SAN, currently RAID 10) and a hot standby second server (VMware Essentials 6.x) running critical VMs behind a SonicWall firewall / Capture Client / SentinelOne EPP. What are the best plans/strategies/preparedness to have the least disruption to a business?

1.  To prevent an attack.

2. God forbid a business gets attacked - what can be put in place ahead of time to prevent disruption to the business?

3. How/when do you know it's safe to connect anything back up to a network etc.  

4. What are you guys doing? Their goal would be zero downtime if humanly possible, or realistically as close to zero as possible!


Data is backed up nightly using Veeam. Is there a well-supported, easy means of replicating servers to the cloud, where things can be turnkey to set up connectivity from clients? The thought scares the hell out of me and I am trying to come up with a proven plan etc.


I figure this discussion/thread can benefit all.

What do you think guys?

Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper):

It's the responsibility of everyone involved with using IT to be trained about security and malware.

1. Do not enable SSH on ESXi.
2. Use very strong passwords.
3. Don't log in using administrative accounts; use a different account and escalate permissions for that user.
4. Ensure all devices are patched ASAP against vulnerabilities.
5. Adequate antivirus on desktops and mail servers, inbound and outbound, and web inbound and outbound scanning.
6. Immutable backups offsite (using Backblaze, an internal Linux server, or cloud).
7. Anything is possible, even zero downtime, if you have the resources and budget!
8. You could use VMC (SDDC on AWS) to spin up in the cloud.

But all of these need resources, design, and planning.

madunix:

For instance, most storage technologies can take periodic snapshots that are out of band from any route ransomware can take to spread. Also, you can protect your storage environment against a ransomware attack by storing a copy of the data at a location that is not accessible from the internet.


https://www.experts-exchange.com/questions/29250232/Ransomware-recovery.html?notificationType=commentAdded#a43482803

https://www.experts-exchange.com/articles/37654/Guidelines-for-Adequate-Cyber-Hygiene.html

https://www.experts-exchange.com/articles/37631/Transform-From-Trust-to-Zero-Trust.html


1.  To prevent an attack.
You can't prevent an attack. The attacker will use various ways to get in, using social engineering to get a user to do something.
Your defenses are: training, more training, and testing (e.g. knowbe4.com tools). They can knock on the door as often as they want, but until you invite them in you're safe.

2. God forbid a business gets attacked - what can be put in place ahead of time to prevent disruption to the business?
I use a combination of tools, e.g. file resource management (updated daily) with new ransomware extensions and ransomware-type activity. Keep all machines patched, not only the OS but applications as well. Antivirus/anti-malware (helpful but not the silver bullet). Reduce the attack surface as much as possible. I will lose a few hundred files but not a few million. Not letting the wolf in the door is the only real solution.

3. How/when do you know it's safe to connect anything back up to a network etc.
By going after the source of the problem and doing a wipe/reinstall.
The one source could have migrated to other machines, like a human infection.

4. What are you guys doing? Their goal would be zero downtime if humanly possible, or realistically as close to zero as possible!
Training, testing, and more training. Reduce the problem between the keyboard and chair, which is your weakest link.
Backup, backup, and backup using the 3-2-1 rule; I would do 3-2-1-1, adding 1 immutable backup.
You have to constantly test your defenses and your mitigations to ensure that they still work. If the backups worked originally but failed a month ago, you're in trouble.

High-value targets make the attacker more patient. They may sit dormant for a week, do a slow reconnaissance for a month, then start executing. If the first attack fails, they will try, try again.
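The "new ransomware extensions and ransomware-type activity" screening madunix describes, written out as an added example that is not part of this thread and not code from any product named in it (FSRM, SentinelOne or Veeam). It scans a share for three signals: file names carrying a known ransomware extension, file contents that are near-random (high Shannon entropy, which is what freshly encrypted output looks like even for a family the extension list has never seen), and a planted canary file whose checksum has changed or which has vanished. The extension list, the thresholds, the canary name and the sample share it builds in a temporary directory are all constructed for the example.

```python
"""Detector for ransomware-type activity on a file share (added example).

Three signals are combined:
  1. files whose extension is on a list of known ransomware extensions,
  2. files whose content is near-random (high Shannon entropy), which is
     what freshly encrypted output looks like even for an unknown family,
  3. a canary (decoy) file that no longer matches the checksum recorded
     when it was planted, or has disappeared (renamed or deleted).
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

# Deliberately short, illustrative list (assumption); refresh daily from a maintained feed.
KNOWN_RANSOMWARE_EXTENSIONS = {".locky", ".crypt", ".cerber", ".wncry", ".encrypted"}
# Legitimately compressed or encrypted formats that are high-entropy by design.
SKIP_EXTENSIONS = {".zip", ".gz", ".7z", ".jpg", ".png", ".pdf", ".docx", ".xlsx"}
ENTROPY_THRESHOLD = 7.5      # bits per byte; text sits around 4-5, random data near 8
SAMPLE_BYTES = 64 * 1024     # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 8.0 means uniformly random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def plant_canary(path: Path) -> str:
    """Write a decoy file and return its SHA-256 so later changes are detectable."""
    content = b"Canary file. Do not modify or delete.\n" * 20
    path.write_bytes(content)
    return hashlib.sha256(content).hexdigest()


@dataclass
class ScanResult:
    bad_extension: list = field(default_factory=list)
    high_entropy: list = field(default_factory=list)
    canary_tampered: bool = False

    def alert(self, burst: int = 5) -> bool:
        """Any canary change is an alert; otherwise require a burst of suspicious files."""
        return self.canary_tampered or (
            len(self.bad_extension) + len(self.high_entropy) >= burst)


def scan(root: Path, canary: Path, canary_sha256: str) -> ScanResult:
    """Walk `root` once and collect the three signals."""
    result = ScanResult()
    canary_seen = False
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p == canary:
            canary_seen = True
            result.canary_tampered = hashlib.sha256(p.read_bytes()).hexdigest() != canary_sha256
            continue
        ext = p.suffix.lower()
        if ext in KNOWN_RANSOMWARE_EXTENSIONS:
            result.bad_extension.append(str(p))
        elif ext not in SKIP_EXTENSIONS:
            with p.open("rb") as f:
                head = f.read(SAMPLE_BYTES)
            # tiny files give unreliable entropy estimates, so they are ignored
            if len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD:
                result.high_entropy.append(str(p))
    if not canary_seen:          # renamed or deleted counts as tampering
        result.canary_tampered = True
    return result


def populate_share(root: Path):
    """Constructed sample share: a few ordinary documents plus one canary."""
    for i in range(6):
        (root / f"report_{i}.txt").write_text("Quarterly figures, nothing unusual.\n" * 100)
    canary = root / "~canary_do_not_delete.txt"
    return canary, plant_canary(canary)


def simulate_encryption(root: Path) -> None:
    """Stand-in for an encryptor: overwrite every file with random bytes and rename it.
    Half get a known extension, half a made-up one so the entropy signal is exercised."""
    for i, p in enumerate(sorted(x for x in root.rglob("*") if x.is_file())):
        p.write_bytes(os.urandom(4096))
        p.rename(p.parent / (p.name + (".locky" if i % 2 else ".zzz1")))


def main() -> None:
    root = Path(tempfile.mkdtemp())
    canary, digest = populate_share(root)
    print("clean share alert:", scan(root, canary, digest).alert())   # False
    simulate_encryption(root)
    r = scan(root, canary, digest)
    print("after encryption alert:", r.alert(), "canary tampered:", r.canary_tampered)  # True True


if __name__ == "__main__":
    main()
```

Run it as-is to see the clean scan stay quiet and the simulated encryptor trip both the burst threshold and the canary check. The canary is the cheapest of the three signals: it needs no extension feed and no entropy tuning, and because the decoy is the first thing an alphabetical encryptor touches when it is named to sort early, it usually fires before much real data is lost. In production the scan would be scheduled or hooked to file-change events, and an alert would feed into the backup and isolation steps discussed later in the thread.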
LICOMPGUY (asker):

Hi Andrew

I am so sorry for the delay in the response; this is a very critical issue but I've been a bit overwhelmed lately.


Currently using Capture Client/SentinelOne, DPI-SSL and Proofpoint.


Andrew - what can you tell me about VMC or SDDC? Is it generally difficult to configure? I have had zero time to work with AWS to date, I hate to admit. Are you aware of any third parties that might support it in the US you could recommend? I just don't know how it works, God forbid, if you have to spin up in the cloud and then replicate changed data back to prod. These environments are using vSphere Essentials, with 4-8 VMs.

They want to do all they can to avoid downtime.


Thanks again for all your help


LiCompGuy



Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper):

VMC is VMware Cloud on AWS; you don't have to think about AWS, it's vCenter Server and ESXi hosts.

Just the "hardware" is AWS.

That's the point, you can preserve all your existing knowledge, and not worry about AWS.

4-8 VMs is rather small; it will cost them more for zero downtime, and you are probably going to need to look at the whole environment: servers, software, recovery, DR, etc.

Hey Madunix


Thanks for all the info. We have to work on enhancing backups. They are air-gapped but not in the cloud. What scares me is how long it can take to recover from a backup, so I was hoping to come up with a means of replicating servers, in the event of an emergency, to be able to spin things up. It is a small VMware environment; not sure how realistic it is to do this, and how difficult/reliable it is.

I guess we are doing some right things by having Proofpoint, SonicWall firewalls/DPI-SSL, and Capture Client/SentinelOne.


Any other suggestions? It seems like no one is safe... Or perhaps I am overreacting.

Hey Andrew


You almost gave me whiplash with your fast response. So how do I proceed or find out about VMC?

Is it just a service offered by VMware? How do I find out costs? What about provisioning/setting up on AWS - dumb question - is that something we purchase through VMware and we need to create the account on AWS, or is it a service offered through VMware? How do end users connect to the hosted environment in the event of an outage?

It sounds like it could be a good option. Just trying to find out how I can get all the info so we can put it on the table - it sounds like there may not be that much of a learning curve...

Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper):

You can take and try it all for no cost, as a test trial, for 30 days.

You may want to think about starting small, with maybe replicating, which you can use Veeam Backup and Replication to perform.

And how much downtime can they really afford?

This way you could replicate all VMs to another host, with just the purchase of another host.

But if you think about this logically: if you were replicating in real time and a VM got attacked, the copy would also be infected.

So you would have to go to backups.

I would work with asking how much downtime the business can afford; most say zero downtime, but do not understand the cost associated with that.

So would 1 hour or 4 hours be okay, and for which services?

Hello Andrew


Based on what I mentioned I have in place for security - do you think I am overreacting, and have to scramble like crazy? I have known you and some of the other guys here for years.

SonicWall firewall DPI-SSL, Capture Client/SentinelOne/Proofpoint etc.


So is VMC then a service you purchase through VMware, and they have the agreement with AWS to replicate to their servers?


We are using Veeam to replicate locally but want the high-availability in case of losing the local site as mentioned.

I could use Veeam to replicate the VMs to a cloud service, but have not found companies that offer the ability to spin up servers etc., and fail back.


Sorry if I am missing anything - just getting beaten up today.  I can't thank you enough for your help.  


Based on your experience - you think VMC could be a way to go?  I will try sales then at VMware.


As for the cost, it is up to the owner, like you said, downtime can be VERY expensive....


Just trying to come up with something solid as quickly as possible.  


Andrew - thank you so much.



ASKER CERTIFIED SOLUTION
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper):

It uses standard AWS pricing for storage, data out, and VMs.
You say an air-gapped backup, but no mention of 1 copy being offsite.
Are you using the 3-2-1-1 rule?
3 copies, 2 different media, 1 offsite, 1 immutable.
How long do you keep backups? A week, a month, a quarter, a year, forever?

Everything you mentioned is helpful, but PBKAC (problem between keyboard and chair), the users, are your biggest problem. Train, test, retrain.

Air gapping helps, but again is not the silver bullet; ask the Iranian centrifuge operators.
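The 3-2-1-1 rule asked about above, together with madunix's earlier point that backups which "worked originally but failed a month ago" leave you in trouble, turned into a runnable check. This is an added example and not part of this thread or of Veeam: it audits a small inventory of backup copies for copy count, media types, an offsite copy and an immutable copy, flags any copy whose last successful run is older than a threshold, and re-hashes an on-disk backup artifact against the checksum recorded when it was written. The inventory JSON, its field names, the job names and the timestamps are constructed for the example; a real run would export the equivalent from the backup software's job history.

```python
"""Audit a backup inventory against the 3-2-1-1 rule and confirm the
latest copies are both fresh and intact (added example).

A constructed inventory is embedded below; in practice it would be
exported from the backup software's job history and the audit run
daily, so a job that silently started failing a month ago is caught
long before a restore is needed.
"""
import hashlib
import json
from datetime import datetime, timedelta
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a backup artifact in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_backups(copies: list, now: datetime, max_age_hours: int = 24) -> list:
    """Return human-readable findings; an empty list means compliant.

    Each copy is a dict with keys: name, media, offsite (bool), immutable (bool),
    last_success (ISO-8601 timestamp) and optionally artifact + sha256 for an
    on-disk file whose checksum was recorded when the backup completed.
    (Field names are an assumption of this example.)
    """
    findings = []

    # 3-2-1-1: 3 copies, 2 media types, 1 offsite, 1 immutable
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; rule requires 3")
    if len({c["media"] for c in copies}) < 2:
        findings.append("all copies share one media type")
    if not any(c["offsite"] for c in copies):
        findings.append("no offsite copy")
    if not any(c["immutable"] for c in copies):
        findings.append("no immutable copy (an attacker with admin rights can delete the rest)")

    # Freshness and integrity of each copy
    for c in copies:
        age = now - datetime.fromisoformat(c["last_success"])
        if age > timedelta(hours=max_age_hours):
            findings.append(f"{c['name']}: last successful run {age.days} days ago")
        if "artifact" in c:
            path = Path(c["artifact"])
            if not path.exists():
                findings.append(f"{c['name']}: artifact missing")
            elif sha256_file(path) != c["sha256"]:
                findings.append(f"{c['name']}: checksum mismatch (corrupted or tampered)")
    return findings


def load_inventory(text: str) -> list:
    """Parse the JSON export; only the 'copies' array is used here."""
    return json.loads(text)["copies"]


# Constructed sample inventory: the NAS copy job has not succeeded in over a month.
SAMPLE_INVENTORY = """{
  "copies": [
    {"name": "veeam-local-disk", "media": "disk", "offsite": false, "immutable": false,
     "last_success": "2024-01-15T02:10:00+00:00"},
    {"name": "nas-copy-job", "media": "disk", "offsite": false, "immutable": false,
     "last_success": "2023-12-10T02:30:00+00:00"},
    {"name": "cloud-object-lock", "media": "object-storage", "offsite": true, "immutable": true,
     "last_success": "2024-01-15T04:00:00+00:00"}
  ]
}"""


def main() -> None:
    now = datetime.fromisoformat("2024-01-15T08:00:00+00:00")
    for finding in audit_backups(load_inventory(SAMPLE_INVENTORY), now):
        print("FINDING:", finding)   # nas-copy-job: last successful run 36 days ago


if __name__ == "__main__":
    main()
```

The inventory passes the 3-2-1-1 counts yet still produces a finding, which is the point: the rule is about copies that exist and can be restored today, not copies that existed when the jobs were set up. The checksum branch is the cheap stand-in for a real restore test; it catches silent corruption and an attacker who rewrites backup files in place, but not a backup that was consistent and already encrypted, which is why the immutable offsite copy and a retention window longer than the attacker's dwell time matter as well.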