Ransomware has become one of the most impactful cybersecurity threats over the past years. Besides paying huge ransoms to criminals, businesses suffer 22 days of downtime on average. Today we’re answering one of the key questions: how to protect against ransomware. In this article, you will find 8 viable strategies for 2022 as well as a bonus section dedicated to ransomware protection in Google Workspace.
Protect your cloud data from ransomwareGet SpinOne
Table of Contents
How to Protect Against Ransomware
If you do not protect your organization from ransomware, you will be hit eventually. Without the proper protection against ransomware attacks, data loss is sure to happen. This is a forgone conclusion both on-premises and in the public cloud. How exactly is ransomware such a threat? How does it render data completely useless?
Ransomware uses a process called encryption to make data unreadable by its rightful owner. Encryption uses a mathematical algorithm as a key that makes the data unreadable without the proper key to “unlock” it. Attackers that use ransomware hold the “readable data” hostage until the “ransom” is paid to obtain the key to unlock the data so that it is normalized once again so that it can be read. The ransomware process is by design uneventful to the end-user.
There is nothing that lets the user or administrator know their data is being encrypted silently and maliciously. When the encryption process is finished however and it is too late to stop the damage, the attackers present a message to the end-user letting them know they have been affected by ransomware and they must pay the demanded ransom before their data will be unlocked.
The ”Ransom” note left on the desktop of an infected workstation
How can ransomware infiltrate your environment? There are many attack vectors that deliver ransomware to unsuspecting users. However, one of the most prominent methods that ransomware infects end users is via email. An end-user is tricked into opening an attachment that in actuality contains a malicious executable file that houses ransomware.
Many ransomware variants may make it past traditional antivirus protection and begin the process of encrypting critical files, folders, mapped network drives, and any other resources the end-user has permission to access.
One of the avenues for ransomware infection that ties on-premises environments to the G Suite public cloud SaaS environment is file synchronization. G Suite offers installable utilities to synchronize files from on-premises end-user devices to the Google G Suite cloud. If ransomware infects an end-user device, it will begin encrypting files that will then be synchronized to the Google cloud. The ransomware encryption process is viewed as a change in the file, which will trigger the synchronization process.
Ransomware Can Infect Public Cloud
There are still huge misconceptions regarding public cloud environments and ransomware. Many businesses with untrained or naive and inexperience personnel may fee that once data enters the realm of a public cloud SaaS environment such as Google G Suite, their data is immune to the effects of ransomware infections that wreak havoc on-premises. However, this could not be further from the truth.
The significant advantage of public cloud SaaS environments comes in the form of high availability resulting from world-class data centers and failover mechanisms in the underlying data center technologies used to host the SaaS services.
This should not be confused with data protection. They are two separate mechanisms and involve different technologies. While Google, Microsoft, and others are introducing the most basic nuances of data protection, these in themselves are not and should not be considered backups.
Google G Suite has the ability to restore data in a rudimentary fashion of “versions” of files in their cloud storage as well as a “recycle bin” of sorts that allows “un-deleting” files that have inadvertently been deleted either accidentally or intentionally by end-users for up to 30 days.
While businesses may be able to leverage the file versions as a way to potentially recover data, this is not a method that can be relied upon for wide-scale protection of business-critical data hosted in the public cloud. Ransomware is greedy and destructive to any data it touches.
What if ransomware-infected files are not discovered in the 30-day window of time for recovery? What if businesses need to restore a “version” of a file that what not captured by the versions in cloud storage? What if there are services affected by ransomware outside of G Suite storage, such as email? “RansomCloud,” a term coined for a ransomware variant able to encrypt cloud-based email, offers the smoking gun to show that even public cloud email is at risk for ransomware infection.
Currently, only the G Suite cloud drive storage is available for the recovery of various versions of data. What about email? What about any other services that may potentially be infected by ransomware or a yet to be utilized ransomware attack that targets other cloud services contained in SaaS services like G Suite?
All of these and many other questions lead to the conclusion that more is needed in the way of backups for data stored in the public cloud. This can not be stressed enough – backups are essential to surviving a ransomware attack on-premises and in the cloud.
The meager data protection provided as a native feature in G Suite cloud storage is not sufficient for surviving a massive ransomware attack in a G Suite environment. Organizations need an enterprise data protection solution that provides proper backup functionality for data stored in the G Suite SaaS environment that allows proper versioning, retention beyond the 30-day limit imposed by Google with their file versions, automation, powerful restore functionality, migration features, and many other features and functionality that provide proper protection for public cloud Saas like G Suite.
The Cost of a Ransomware Attack
The cost of a ransomware attack can escalate dramatically with every minute and hour that passes with business continuity disrupted. Additionally, the intangible cost of lost customer satisfaction, harm to brand reputation, and many other factors can add up to untold costs that can literally take an organization out of business. Let’s take a look at a couple of scenarios, one with a customer using a traditional cloud backup solution, and one with a customer using SpinOne to protect business-critical data.
Customer “A” has a relatively large environment in Google’s G Suite SaaS environment with some 1,000,000 files stored on Google Team Drives with approximately 15,000 G Suite accounts. An unsuspecting high-level end-user device is infected with ransomware, leading to mostly of the files stored across the G Suite environment being encrypted. The company has chosen a traditional backup vendor for the G Suite cloud environment with no additional ransomware protection. Customer A is required to restore most if not all files stored in their G Suite environment. Google has imposed limitations in G Suite to prevent the abuse of the underlying infrastructure. One aspect of these limits is a 10 I/O request per second limitation. This can slow the restoration process even further.
For an environment of this size, a number of files and potential scope of ransomware infection, it could take upwards of 4 days to recover all files from backup.
Customer “B” also has some 1,000,000 files and approximately 15,000 G Suite accounts. However, they have chosen to use SpinOne for both backing up their G Suite environment and for ransomware protection. This combination of machine learning-enabled technologies immediately starts fighting ransomware as soon as it starts attacking files in the cloud.
As listed above, SpinOne uses 4 steps to protect against ransomware:
- SpinOne Security Scanner identifies the ransomware process
- The ransomware process is effectively isolated and blocked by SpinOne
- Ransomware affected files in the G Suite cloud are automatically identified
- Ransomware encrypted files are automatically restored by SpinOne’s powerful data protection recovery mechanism
When comparing the two scenarios, even though Customer A has a data protection solution in place, the damage can be extensive. Files have to be manually identified that need recovered. As mentioned, the restoration operation may take days! In contrast, by choosing SpinOne, the ransomware attack affecting Customer B was automatically stopped within minutes, the ransomware process was blocked, and files that were affected were automatically recovered!
What is the return on investment or ROI for SpinOne protecting your G Suite cloud environment? Priceless. When considering the damage prevented by this machine learning, proactive, automated response, the damage that was avoided could have saved the business.
We’ve spent years creating data protection software and here is what we’ve discovered along the way: to protect your company systems and data from ransomware, you need to use multiple strategies and tools at the same time. Because relying on one solution like antivirus won’t get you far in case of a full-blown ransomware attack.
Don’t worry, there are solutions that can make your life easier – we speak about them as a part of a strong multilayer ransomware protection strategy we talk about in this article.
In short, here is this approach:
- Data security
- Device security
- Network security
- Application security
- Email security
- Access security
- End-user behavior security
Let’s look at these more closely and also mention some software you can use to shore up your defense.
1. Data Security: Airtight Backup
If you don’t have a robust Data Loss Protection (DLP) plan, all your security strategies will fall apart. The core of all the DLP plan is having a ransomware-proof backup that will let you restore data in case you get hit. Backup is literally the first thing you must take care of, so if you don’t have one, set everything aside and start tackling this task.
What you should remember when implementing your backup plan is that backups are not ransomware-proof by default. It means that if your systems are hit with crypto-ransomware, it will slip into the backup copies as well, leaving you with empty hands.
If your backup provider doesn’t have inbuilt ransomware protection, you need to implement the following backup tactics:
1. Stick to the 3-2-1 rule – have a minimum of three copies of your backup, on two mediums, keeping one copy offsite;
2. Backup your data at least three times a day;
3. Enable version control to be able to restore different versions of your data;
Here is the full article about the Ransomware backup strategy→
An easier way – you can choose a backup provider with inbuilt ransomware protection. Very few providers on the market grant ransomware protection coming with backup services, making the backed-up files isolated and airtight.
Ransomware-proof backup software – SpinOne
We recommend SpinBackup as a highly secure cloud-to-cloud backup solution for G Suite and Office 365 data. It covers many the security and compliance issues, providing you with 24/7 ransomware protection that:
- Identifies and blocks the ransomware source
- Alerts you about the incident
- Stops the encryption process
- Identifies the number of damaged (encrypted) files
- Runs a granular recovery of encrypted files from the last backed up version
If you get hit, your backups will remain sealed and the encrypted files will be restored right away.
Also, note that there are no strings attached:
- You don’t need to install any software (everything is web-based)
- You can start from 5 licenses and choose a monthly subscription
SpinOne offers a 15-day trial of backup + ransomware protection for G Suite and Office 365 data.
How does Spin ransomware protection work? Watch this video:
2. Device Security: Patch Manager and Antivirus Software
Another must-have desktop protection is having an antivirus. Of course antivirus, no matter how good it is, won’t entirely protect you from ransomware (if you thought otherwise, check out why antivirus doesn’t protect against all types of ransomware ). And yet, an antivirus program is a necessary line of defense that secures your devices from viruses, adware, worms, trojans, and others.
How does antivirus help against ransomware, you may ask? It’s simple: since ransomware is often spread as downloadable malware, there is a chance that antivirus will detect and block it before it encrypted any files.
Don’t know where to look for the right software?
3. Network Security: Firewall
A firewall is your first line of defense or your computer network gatekeeper. Contrary to antivirus software, which requires a very small effort to set up, firewalls usually require special knowledge. Firewalls may come as a piece of software or even hardware, which operates between the user device and the Internet. To put it simply, a firewall is a gatekeeper for the incoming traffic, which may contain a ransom code.
A firewall detects all possible exploits in your network and shields them. Also, it minimizes the risk of lateral movement inside your network and filters all the inbound and outbound traffic. It allows blocking any unsolicited and suspicious websites and attachments.
Don’t know where to look for the right software?
4. SaaS/Application Security: Application Audit Software
Employees download and use hundreds of third-party apps and extensions every day. No wonder they are becoming a common channel of malware infections, including ransomware.
These risky applications can contain malware that is deployed when a user provides such apps access to their corporate data.
For example, an employee installs an app that allows signing documents online; in order to function, this app requests different kinds of permissions – to Google Docs, local folders, email, and so on. When the permissions are granted, this app can inject ransomware code to every location it has access to.
This risk with apps is a part of a bigger problem called “Shadow IT”, which we fully address in the article Shadow IT management: rules and tools. But here are some fundamental rules that can eliminate your risk of being infected:
1. Create a procedure for the application approval and the evaluation criteria;
2. Create an ever-growing list of allowed and blocked applications;
3. Prevent users from accessing the blocked applications within your domain;
4. Monitor, assess, and block (if needed) all unauthorized apps connected to your domain.
If you manage a G Suite domain with many users, we advise you to use specifically dedicated application audit tools for these purposes. Otherwise, it is almost impossible to track what users download, what permissions they grant to applications or extensions, and whether the app is risk-free.
Application audit software – SpinSecurity (for G Suite users)
5. Email Security: Anti-Spam Filtering
Phishing emails with malicious links in them are confirmed by cybersecurity experts to be the leading cause of ransomware, being responsible for 67% of successful attacks in 2019-2020. Logically, by reducing the number of phishing emails your employees get, you decrease the likelihood of employees clicking on the link.
There are a few ways to set up phishing and malware protection for your email:
1. If you use G Suite as your business suite, follow the steps on this page.
Don’t know where to look for the right software?
Here are the best email security tools by rating if you look for a third-party solution.
Check out 10 types of ransomware you need to stay away from in 2020 →
6. Access Security: Authorization and Sharings Management
Many organizations have a clear understanding of job roles and who does what within their team, but only some manage computer user roles as attentively as required.
You have to determine the users and the data access they have. It should be clear, who can write to a database or specific data set within your database, and how to temporarily acquire or surrender a role in the case when an employee gains new responsibilities – all these processes should be planned. Having a correct employee exit procedure is important as well.
Moreover, for maximum transparency, safety, and efficiency we recommend tracking as many user activities as possible. Having proper software can minimize the human factor and keep your corporate network safe even in case your employees fail to follow your cybersecurity guidelines.
If you are an Office 365 user, you may want to check more about roles and permissions in the Security and Compliance Center.
7. Authentication Security: Set Up Password Policy and Enable Two-Factor Verification
Strong authentication practices prevent your system from unauthorized access, like brute-force attacks, password stuffing, and account hijacking.
Weak authentication practices like the lack of a strong password policy and two-step verification make it a piece of cake for a hacker to penetrate your system and inject ransomware.
Weak password policy is the reason behind up to 81% of data breaches. Thus, we recommend you to create a strong password policy and ensure your employees understand and follow it.
Here are some of the main rules:
- Create a unique password for your work. It shouldn’t be the same as in your social media.
- Don’t make your password too short. It should include eight characters at least.
- Use various characters: upper- and lowercase letters, digits, and symbols.
- Never create too obvious passwords like 123456, qwerty, abcdef.
- Change your passwords regularly.
Two-factor verification (or 2FA) provides the second step of checking whether a user is authorized to enter. Ensure 2FA is installed and used to access data in your corporate network.
2FA may prove user identity in a number of different ways. For example, by generating a unique code by a special app like Google Authenticator. The code can be sent via a text message, email, etc.
2FA requires both email and mobile phone to get access to an account. Having the second check-in place dramatically decreases the risk of unauthorized access, and thus limits the ransomware attacks too.
8. End-User Behavior Security: Train Your Employees
In most cases, the end-user is the one that performs an action that triggers a ransomware attack. Security awareness training for your employees, although not being a panacea, can decrease the number of unaware or careless employees up to 90%, which drastically lowers their chances of clicking the wrong link.
Make sure that you have an easy-to-understand cybersecurity training conducted, and all the information is efficiently learned. Then, ensure that people know how to safely behave over the internet and within your internal IT infrastructure. Some testing (and rewards) will help too.
One of the best ways to educate your employees is by running a mock phishing attack. You can send out fake phishing emails and watch people clicking the links. After that, explain that in real life they might have caused a ransomware infection.
Don’t know where to look for the right cybersecurity training?
Here are the best security awareness training by rating
How to Protect Against Ransomware Attacks in G Suite
Backups are the only sure way to recover your data in the event of a ransomware infection that manipulates your data in the public cloud or anywhere else. As mentioned, the backup and recovery functionality provided by the G Suite SaaS public cloud environment is very limited. Spinbackup totally removes the limitations to adequate backups by providing an enterprise-grade backup and recovery solution for G Suite.
SpinOne provides the “One-Two punch” needed to eradicate the ransomware threat in G Suite completely. Coupled with powerful automated backup and recovery capabilities, Spinbackup adds Machine Learning enabled cybersecurity protection that works seamlessly with the data protection functionality to protect against ransomware processes infecting G Suite cloud environments and automatically restore any files that may have been affected by the ransomware encryption process. It makes it the best way to protect against ransomware for organizations.
Choose SpinOne for the following automated responses to ransomware and ransomcloud attacks:
- Security Scanner identifies the source of the attack
- Blocks the source and encryption process
- Identifies the number of damaged (encrypted) files
- Runs a granular recovery of encrypted files from the last successfully backed up version
Check out these and other SpinOne Ransomware Protection features.
Native cloud-provided data protection solutions are absolutely required for businesses to withstand and survive a ransomware attack effectively. However, even though backup is one of ransomware protection best practices, alone do not prevent the potential downtime that may result from a ransomware attack.
SpinOne’s ransomware protection and backups are absolutely priceless to businesses looking to back up their data and protect against ransomware attacks altogether. SpinOne saves companies from the manual recovery time needed to identify affected files and restore them. Instead, it blocks the ransomware quickly, identifies the affected files, and automatically restores them. It all makes SpinOne an excellent enterprise ransomware protection service.
By implementing the proactive, automated, and intelligent response provided by SpinOne, businesses can take the offensive against ransomware attacks instead of simply reacting to an attack and restoring data manually.