Ransomware is a form of malware that encrypts files on computers and demands that you pay a ransom to decrypt these files. Instead of paying the criminals behind a ransomware attack, you can use Code42 software to restore files from a date and time prior to the infection.
This tutorial provides best practices for Code42 administrators to follow to ensure that they are in the best situation to recover from ransomware.
Defeat ransomware with frequent backup
The best defense against ransomware is frequent, reliable, automatic backup of all the endpoints in your enterprise. Analysts and industry experts recommend frequent backups to mitigate risk of data loss and eliminate ransom payments. The best backups are those that happen automatically and continuously and offer versioning that supports reliable file restore.
Prepare your Code42 environment
Set file backup frequency and version retention
Precise frequency and version settings provide a robust set of backed up files from which to choose. This enables you to download files from a date and time before the ransomware infection. The version settings must allow backups frequently enough to give you a range of dates from which to choose. If these settings are too restrictive, it's possible that even your oldest version could be encrypted by ransomware.
To change frequency and version settings:
- Sign in to the administration console.
- Choose Settings > Device Backup.
- Click the Backup tab.
- Navigate to Frequency And Versions.
Following are the default settings.
- In Frequency, drag the slider on Backup new version to indicate how often to back up and create new versions of files in the archive.
We recommend the default setting of Every 15 minutes to ensure there are versions to revert to in the event of a ransomware attack.Large files
You can change the frequency interval to a longer period to accommodate large files.
- In Version retention, drag the slider to indicate which versions to keep from different time periods, and leave Remove deleted files at the default setting of Never.
Ensure you keep enough older versions so that you have clean versions you can restore.Deleted files retention for ransomware
Some ransomware programs change file extensions, causing the CrashPlan app to think the original files were deleted. This results in the original files being removed at the time set by the Remove Deleted Files value in the Frequency and Versions settings. Therefore, leave Remove Deleted Files at the default setting of Never to prevent removal of files in the event of a ransomware attack.
- Click the Lock button on both Frequency and Version retention to apply the settings and push them to users.
Changes to frequency and version settings are applied to each backup archive after the user's device connects to the Code42 server.
Use USMT to retain Windows settings
Users' files are only one part of the data that might be compromised when a ransomware attack occurs; Windows users may also find that their settings are lost. To prevent losing Windows users' settings, back up Microsoft's User State Migration Tool (USMT) data. This allows you to restore users' Windows settings in the aftermath of an attack.
Verify file selection
You can change inclusion rules to expand the set of backed up files. For example, if a users' settings only back up the user's home directory (the default), then data that resides outside of that directory is not backed up. You can choose additional folders to back up, if desired.
When changing these rules, ensure that you have appropriate exclusions applied to ensure that only desired files are backed up; for example, it is typical to exclude system and application files and folders from backup.
Exclude known ransomware file types
You can proactively add file exclusions of known ransomware file types to ensure that infected files are not stored in archives. While not all ransomware attacks change the file extensions, excluding these file types can assist in keeping backup archives clear of at least some infected files.
After you have made all the preparations, you should test restoring files to ensure that it works as expected in the event of a ransomware attack. You can restore files using the CrashPlan app.
Ensure all endpoints are backed up
Your ability to recover from ransomware is only as good as your backups. You are only adequately prepared if all your endpoints are backed up continuously without interruption.
Install the CrashPlan app on all endpoints
- Prepare deployment packages for the CrashPlan app.
- Push installations from a central server to devices in your Code42 environment using software deployment tools such as SCCM.
Ensure backups run
To ensure backups are running, you can use a number of methods, such as reports and alerts, to identify devices that may require administrator action.
To determine if any endpoints are not getting backed up, you can view device status using the Reporting web app. The report shows the percentage of backup completed, the last date and time backup was completed, and the last time any backup activity occurred, among other information.
Generate warning emails
Organization administrators automatically receive email reports if a CrashPlan app isn't able to reach any backup destinations after a certain time period. However, if there are additional users you wish to receive these reports, add their email addresses:
- Sign in to the administration console.
- Select Settings > Organization.
- Click the Reporting tab.
- Add email addresses in Recipients.
- For Alerts, select No backup for, and select the number of days that must pass before warning emails are sent.
Monitor with the administration console
Use the Code42 API
You can view device backup status using the Code42 API by using the
Backup is not the only defense. In a public service announcement, the United States Federal Bureau of Investigation (FBI) provides additional recommendations for defending against ransomware. The recommendations include:
- Patch software (operating systems, Java, Flash, web browsers, software, firmware).
- Schedule regular antivirus and anti-malware scans.
- Disable macros for email attachments.
- Restrict execution permissions in known ransomware locations.
- Use the principle of least privilege.
- Train your users to:
- Open attachments only from known parties.
- Download software only from trusted sites.
File synchronization is not backup
File synchronization, offered through a variety of products, provides a way for your organization to share files among teams or throughout the enterprise. At first glance, you might think that file synchronization would be a good way to back up files. But backup and sync are not the same thing:
- File synchronization only accounts for some files, whereas backup can account for all files.
- File synchronization requires users to actively place files in a specific directory or upload them, whereas backup occurs without user intervention. Code42 allows administrators to define backup policies without requiring user interaction.
- If a synced file is infected by ransomware, and that file is synced with a server, it has the potential to infect any endpoint that accesses it.
- Synchronization encourages replication of the ransomware throughout the synced file set. Consider the Locky ransomware. It corrupts up to 100 times, and in a synced environment, potentially replaces all older good versions of the synced file. This leaves you with no healthy file for recovery. Even if you are able to recover back to a healthy file, many sync products require to you recover each file individually by rolling back to a previous version.
Therefore, you should not rely on synchronization as a means to back up your files.
- Code42 blog: Data On The Edge: Ransomware
- Wikipedia: Ransomware
- FBI: Ransomware Victims Urged To Report Infections To Federal Law Enforcement (Alert Number I-091516-PSA)
- Symantec: ISTR Insights Special Report: Ransomware and Business 2016
- Gartner Group: Use These Five Backup and Recovery Best Practices to Protect Against Ransomware