Malware is a huge problem that gets bigger every year. The biggest and nastiest one going around is called Crypotolocker. It encrypts all your files and then demands a substantial ransom to recover them. Paying the ransom does not necessarily get your files back. Unfortunately, there is no anti-virus product on the market which can guarantee protection from Cryptolocker. So how are you supposed to protect your business?
Unfortunately, there is no single off-the-shelf solution that will protect you from Cryptolocker or other malware. This is because Cryptolocker morphs daily and the antivirus vendors are always at least a few hours behind.
The key is to have a multi-level/layer approach. The idea is that if something penetrates one layer of protection, hopefully the next layer will stop it. Each layer compliments the others and mitigates the risk of something nasty getting through. There’s so much more than you can and should do than just using traditional antivirus software.
Antivirus Software
As always, good antivirus software installed on each PC and server is must. I like the cloud based antivirus software such as WebRoot. These don’t rely on downloading virus definitions each hour, but rather send a signature of each file to a server in the cloud for analysis. The advantage of this approach is that cloud server always has the very latest virus definitions, so you can’t encounter a situation where the anti-virus vendor has an antidote for a virus but your computer hasn’t downloaded it yet.
Gateway Antivirus
This is simply running antivirus software in your router, where all Internet traffic has to go through. It’s akin to running two different antivirus programs on your PC from different vendors, something you should never do as they will conflict with each other. It also provides protection for PCs that might not have antivirus software installed for whatever reason. SonicWall Gateway antivirus is one example.
DNS Protection
DNS is essentially an address book for the Internet. Whenever you type in www.google.com into your web browser, that address gets converted into an IP address. Instead of using your ISP’s DNS server, you subscribe to a commercial DNS service such as OpenDNS Umbrella by Cisco. Every time your computer connects to a server on the Internet, the IP address is compared against a known list of infected IP addresses. If you try to access one of these infected IP addresses, the data communications are blocked.
One of the weaknesses of Cryptolocker is that there aren’t a lot of command and control servers. So maintaining a list of these is quite simple and an extremely effective way to protect against infection, far superior to antivirus software.
Sandboxing
Sandboxing is a system whereby anything unknown is examined in a controlled and secure environment to examine any malicious outcomes. This is a recently introduced feature in the latest generation of routers and firewalls such as SonicWall. This provides an added level of protection which resists evasion tactics and zero-day threats. Email attachments or website downloads are analysed before they’re allowed to reach your computer.
Continuous Incremental Backups
The last layer of protection are backups which are inaccessible to Cryptolocker. These should be taken every 15-60 minutes, depending on how much data you can afford to lose. I usually configure 15 minute incremental backups using software such as ShadowProtect. I underlined the word inaccessible above as this is of utmost important. If your backups can be accessed by Cryptolocker, then it will also encrypt your backups, even if they are backed up in the cloud (e.g. DropBox). Local backups to a USB hard drive won’t cut it. You need a network share somewhere that is only accessible with an account used by the backup software.