
Best Practices for Defense Against Ransomware

Updated at: Jan 06, 2021 GMT+08:00

Ransomware emerged with the Bitcoin economy. It is a Trojan disguised as a legitimate email attachment or bundled software that tricks you into opening or installing it. It can also reach your servers through website or server intrusion. Ransomware typically uses strong encryption algorithms to encrypt the victim's files and then demands a ransom payment for the decryption key. Ransoms are usually demanded in digital currencies such as Bitcoin, which makes tracing and prosecuting the attackers difficult.

Ransomware interrupts businesses and can cause serious economic losses. We need to know how it works and how we can prevent it.

How HSS Works

Ransomware cannot be prevented once and for all. HSS provides pre-event, in-event, and post-event protection, helping you enhance security before any attacks take place, proactively detect and fight against attacks, and restore services from backup after the attacks.

Prerequisites

  • Before using HSS for ransomware prevention, ensure you have purchased and enabled HSS.
  • Cloud Server Backup Service (CSBS) does not back up your data by default. To use it for backup and restoration, ensure you have configured regular automatic backup.

Pre-event Security Hardening

Configuring Security Settings

HSS scans your software for unsafe settings in the early morning every day and provides suggestions. You can modify your settings accordingly to enhance server security.

  • The severity of a risk is rated as high, medium, or low.
  • You are advised to fix the configurations with high severity immediately. You can set trusted configuration items so that they will not be reported as risks.

HSS can detect unsafe settings in the following software: Tomcat, SSH, Nginx, Redis, Apache 2, and MySQL 5.

  1. Choose Scans > Unsafe Settings, click the Configuration Detection tab, and click a check item, for example, SSH.

  2. On the detection rule details page, click View Details. You can verify the check result based on Audit Description and handle exceptions on servers based on the suggestions in Recommendation.

  3. After modifying configuration items, you are advised to perform a manual scan immediately to verify the result.

    If you do not perform manual verification, HSS will automatically check the settings at 00:00:00 the next day. If you have no time for a manual scan, you can check the automatic scan result.
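The check described above, applied to the SSH item, can be reproduced outside the console as a small audit script. The following is an added example written for this page, not HSS code and not HSS's own rule set: it parses a constructed sshd_config, rates each unsafe setting high, medium or low in the style of the report, prints an audit description and a recommendation for each finding, and lets you list trusted items so they are not reported. The keyword defaults are OpenSSH's documented defaults; the severity assignments are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample sshd_config; not taken from any real server.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 10
X11Forwarding yes
"""

# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
    "x11forwarding": "no",
}

# (keyword, severity, predicate returning True when the value is safe,
#  audit description, recommendation) -- ordered high -> low like the report.
# Severities are this example's assumptions, not HSS's rule set.
CHECKS = [
    ("permitrootlogin", "high", lambda v: v == "no",
     "Direct root login over SSH is permitted", "Set 'PermitRootLogin no'."),
    ("passwordauthentication", "high", lambda v: v == "no",
     "Password authentication is enabled", "Set 'PasswordAuthentication no' and use keys."),
    ("permitemptypasswords", "high", lambda v: v == "no",
     "Accounts with empty passwords may log in", "Set 'PermitEmptyPasswords no'."),
    ("maxauthtries", "medium", lambda v: v.isdigit() and int(v) <= 4,
     "MaxAuthTries is above 4", "Set 'MaxAuthTries 4' or lower."),
    ("x11forwarding", "low", lambda v: v == "no",
     "X11 forwarding is enabled", "Set 'X11Forwarding no' unless it is required."),
]

@dataclass
class Finding:
    item: str
    severity: str
    audit_description: str
    recommendation: str

def parse_sshd_config(text):
    """Map each keyword (lower-cased) to its effective value. sshd honours the
    first occurrence of a keyword, so later duplicates are ignored here too."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def check_sshd_config(text, trusted=()):
    """Return findings ordered high -> low; keywords listed in `trusted` are
    treated as accepted configuration items and are not reported."""
    settings = parse_sshd_config(text)
    findings = []
    for key, severity, is_safe, audit, recommendation in CHECKS:
        if key in trusted:
            continue
        value = settings.get(key, DEFAULTS[key]).lower()
        if not is_safe(value):
            findings.append(Finding(key, severity,
                                    f"{audit} (current value: {value})", recommendation))
    return findings

if __name__ == "__main__":
    for f in check_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"[{f.severity}] {f.item}: {f.audit_description}. {f.recommendation}")
```

Run it against your own /etc/ssh/sshd_config by reading the file into `check_sshd_config`; after changing a setting, re-run it to get the same immediate verification the manual scan provides, instead of waiting for the 00:00:00 automatic check.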

Increasing Password Strength

HSS automatically scans servers in the early morning every day for common weak passwords and the passwords you have banned, and lists the server names, account names, account types, and usage duration of the weak passwords. You can then ask the users of those accounts to set stronger passwords.

HSS can detect weak passwords in MySQL, FTP, and system accounts.

  1. Choose Security > Host Security Service and choose Scans > Unsafe Settings. Check and modify weak passwords.

  2. Choose Security Operations > Policies, select a policy group, and click the Weak Password Detection policy to add banned passwords.

  3. Perform a manual scan to verify password hardening.

    If you do not perform manual verification, HSS will automatically check the settings at 00:00:00 the next day. If you have no time for a manual password scan, you can check the automatic scan result.

  4. Choose Installation and Configuration and click the Alarm Notifications tab. Select the Weak passwords notification item.
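The policy behind the weak-password report can be expressed as a check you run when passwords are set or rotated. The following is an added example written for this page, not HSS code: it flags common weak passwords, passwords on a banned list, short passwords, passwords with too few character classes, and passwords containing the account name, and it produces the same report columns the page describes (server name, account name, account type, usage duration). The accounts, passwords, banned list and "today" date are all constructed for the example; the thresholds (8 characters, 3 character classes) are this example's assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed list of common weak passwords; a real scanner uses a much larger dictionary.
COMMON_WEAK = {"123456", "12345678", "password", "qwerty", "admin", "root", "111111", "abc123"}

@dataclass
class Account:
    server: str
    name: str
    kind: str          # "system", "mysql" or "ftp": the three account types the page names
    password: str
    set_on: date       # when the password was last set

def password_weaknesses(password, username, banned=frozenset()):
    """Return the reasons a password counts as weak (empty list if it is acceptable)."""
    reasons = []
    lowered = password.lower()
    if lowered in COMMON_WEAK:
        reasons.append("common weak password")
    if password in banned:
        reasons.append("banned by policy")
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("fewer than 3 character classes")
    if username and username.lower() in lowered:
        reasons.append("contains the account name")
    return reasons

def audit_accounts(accounts, banned, today):
    """Build the report rows the page describes: server, account, type, usage duration."""
    rows = []
    for acct in accounts:
        reasons = password_weaknesses(acct.password, acct.name, banned)
        if reasons:
            rows.append({
                "server": acct.server,
                "account": acct.name,
                "type": acct.kind,
                "usage_days": (today - acct.set_on).days,
                "reasons": reasons,
            })
    return rows

# Constructed sample accounts; the passwords are placeholders for this example only.
SAMPLE_ACCOUNTS = [
    Account("web-01", "root", "system", "123456", date(2020, 1, 1)),
    Account("web-01", "ftpuser", "ftp", "Ftpuser2020!", date(2020, 6, 15)),
    Account("db-01", "app", "mysql", "Company@123", date(2020, 9, 1)),
    Account("db-01", "backup", "system", "Xr7!kq2Lm9#v", date(2020, 12, 1)),
]
BANNED = frozenset({"Company@123"})   # constructed banned-password list
DEMO_TODAY = date(2021, 1, 6)          # constructed scan date for the usage-duration column

if __name__ == "__main__":
    for row in audit_accounts(SAMPLE_ACCOUNTS, BANNED, DEMO_TODAY):
        print(row)
```

The usage-duration column matters because a weak password that has been in place for a year has had far more exposure than one set yesterday, so the oldest rows are the ones to chase first.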

Fixing Vulnerabilities

HSS automatically scans your servers for vulnerabilities in the early morning every day. The vulnerability management function subscribes to and pushes official updates, and reports system vulnerabilities and uninstalled patches. You can fix vulnerabilities and install patches without affecting services.

  • Vulnerability urgency is rated as high, medium, or low.
  • You are advised to fix highly urgent vulnerabilities as soon as possible. You can ignore vulnerabilities that do not need to be fixed.

  1. Choose Security > Host Security Service. Choose Scans > Vulnerabilities.

  2. Click the Linux Vulnerabilities, Windows Vulnerabilities, or Web-CMS Vulnerabilities tab. Fix vulnerabilities in one click or manually fix them based on the suggestions provided.

  3. After the vulnerability is fixed, you can click Verify to verify the fix.

    HSS will automatically scan the settings the next day in the early morning. If you have no time for a manual scan, you can check the automatic scan result.

  4. Choose Installation and Configuration, click the Alarm Notifications tab, and select the Critical vulnerabilities notification item.

In-event Proactive Defense

  • Using Premium Edition: Cloud Virus Scan + Intelligent Policy Learning

Cloud Virus Scan

You can use HSS to quickly isolate and kill malicious programs on compromised servers to prevent the spread of viruses.

  1. Choose Security > Host Security Service. Choose Intrusions > Events and click Malicious program (cloud scan). Select alarms and click Batch processing.

  2. Click Isolate and Kill and click OK.

    If a program is isolated and killed, it will be terminated immediately and no longer able to perform read or write operations. Isolated source files of programs or processes are displayed on the Isolated Files slide-out panel and cannot harm your servers.

  3. Choose Installation and Configuration, click the Alarm Notifications tab, and select the Malicious programs notification item.

Policies Against Ransomware Viruses

HSS monitors critical files stored on your servers and prevents unauthorized applications from encrypting or modifying the files, protecting your servers from ransomware.

  1. Create an intelligent learning policy.

    1. Choose Security > Host Security Service. Choose Advanced Protection > Ransomware. Click the Policies tab and click Create Policy.

    2. Configure policy details.

    3. Click Add Server and select servers in the displayed dialog box.

    4. Click Create and Learn. HSS will learn the operations performed on the servers you added to the policy, collect data about normal behavior, and determine what applications are trustworthy.

      After the intelligent learning completes, HSS will monitor the files you specified in Monitored File, and will trigger alarms if it detects any operations performed by untrusted applications or applications that are not specified in any policies.

  2. Handling alarm events

    1. Choose Advanced Protection > Ransomware. Click the Events tab. Click Handle in the Operation column of an event.

    2. Mark the event as Trusted or Untrusted.

    3. You can manually block, isolate, and kill untrusted processes or processes that are not specified in any policies to prevent unauthorized encryption.
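The learn-then-monitor model described in steps 1 and 2 can be illustrated with a small simulation. The following is an added example written for this page, not HSS code: a policy learns which processes modify the monitored files during a learning window and marks them trusted; afterwards, modifying operations on monitored files by any other process raise an alarm, an analyst marks the process Trusted or Untrusted, and further operations by an Untrusted process are blocked. The file events, paths and process names are all constructed for the example; the "/tmp/.x/enc" process is a placeholder for an unknown program, not a real indicator.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

MODIFYING_OPS = {"write", "rename", "delete"}   # the operations an encryptor needs

@dataclass
class FileEvent:
    process: str   # executable that performed the operation
    path: str      # file operated on
    op: str        # "read", "write", "rename" or "delete"

@dataclass
class RansomwarePolicy:
    name: str
    monitored: list                          # glob patterns for the Monitored File setting
    trusted: set = field(default_factory=set)
    untrusted: set = field(default_factory=set)

    def is_monitored(self, path):
        return any(fnmatch(path, pattern) for pattern in self.monitored)

    def learn(self, events):
        """Learning phase: every process observed modifying a monitored file during
        the learning window is taken as normal behaviour and becomes trusted."""
        for e in events:
            if e.op in MODIFYING_OPS and self.is_monitored(e.path):
                self.trusted.add(e.process)

    def evaluate(self, event):
        """Monitoring phase: 'allow' trusted or non-monitored activity, 'block' processes
        already marked untrusted, and 'alarm' on anything unknown for an analyst to handle."""
        if event.op not in MODIFYING_OPS or not self.is_monitored(event.path):
            return "allow"
        if event.process in self.trusted:
            return "allow"
        if event.process in self.untrusted:
            return "block"
        return "alarm"

    def handle(self, process, verdict):
        """Handling an alarm: mark the process Trusted or Untrusted."""
        if verdict == "trusted":
            self.trusted.add(process)
            self.untrusted.discard(process)
        elif verdict == "untrusted":
            self.untrusted.add(process)
            self.trusted.discard(process)
        else:
            raise ValueError("verdict must be 'trusted' or 'untrusted'")

# Constructed learning-phase events: normal operation of a database/file server.
LEARNING_EVENTS = [
    FileEvent("/usr/sbin/mysqld", "/var/lib/mysql/ibdata1", "write"),
    FileEvent("/usr/bin/rsync", "/data/docs/report.docx", "write"),
    FileEvent("/usr/bin/vim", "/etc/nginx/nginx.conf", "write"),   # not a monitored path
    FileEvent("/usr/bin/cat", "/data/docs/report.docx", "read"),   # reads are not learned
]

# Constructed monitoring-phase events; /tmp/.x/enc is a placeholder for an unknown program.
MONITORING_EVENTS = [
    FileEvent("/usr/sbin/mysqld", "/var/lib/mysql/ibdata1", "write"),
    FileEvent("/tmp/.x/enc", "/data/docs/report.docx", "write"),
    FileEvent("/tmp/.x/enc", "/data/docs/report.docx", "rename"),
]

def run_demo():
    """Learn, evaluate, let the analyst mark the alarmed process, evaluate again."""
    policy = RansomwarePolicy("db-and-docs", ["/var/lib/mysql/*", "/data/docs/*"])
    policy.learn(LEARNING_EVENTS)
    first_pass = [policy.evaluate(e) for e in MONITORING_EVENTS]
    policy.handle("/tmp/.x/enc", "untrusted")        # analyst's decision on the alarm
    second_pass = [policy.evaluate(e) for e in MONITORING_EVENTS]
    return sorted(policy.trusted), first_pass, second_pass

if __name__ == "__main__":
    print(run_demo())
```

The caveat this makes visible is that the learning window defines "normal": anything that modifies monitored files while learning is on becomes trusted, so learn only on a server you are confident is clean, and keep the monitored patterns tight enough that routine, non-critical writes do not widen the trusted set.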

  • Using Web Tamper Protection (WTP) Edition: Locking Files

HSS can lock driver and web file directories to prevent attackers from tampering with them. If HSS detects that a file in the protected directory is tampered with, it immediately uses the backup file on your local servers to restore the file.

If a file directory or backup directory on the local server becomes invalid, you can use remote backup to restore the tampered file.

Only the WTP edition of HSS can lock file directories and use backups to restore files.

  1. Choose Security > Host Security Service. Choose Web Tamper Protection > Server Protection. In the Operation column of a server, click Configure Protection.

  2. On the Protected Directory Settings tab, add a protected directory and back up its files to a local path.

  3. Enable remote backup. By default, HSS backs up the files from the protected directories to the local backup directory you specified when you added protected directories. To protect the local backup files from tampering, you must enable the remote backup function.

    1. Choose Web Tamper Protection > Installation and Configuration. Click the Backup Server tab, and click Add Backup Server.

    2. Choose Web Tamper Protection > Server Protection. In the Operation column of a server, click Configure Protection. On the Protected Directory Settings tab, click Enable Remote Backup.
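The detect-and-restore behaviour described in this section, including the fallback to a remote backup when the local backup is no longer valid, is shown below as an added example written for this page, not HSS code. It records a SHA-256 baseline of a protected directory, detects modified, deleted and added files, restores each damaged file from the local backup only if that copy still matches the baseline hash, and otherwise takes the file from the remote backup. Everything runs inside a temporary directory with a constructed web root; "local" and "remote" are just two directories standing in for the local backup directory and the backup server.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def snapshot(directory):
    """Baseline: {relative path: sha256} for every regular file under directory."""
    directory = Path(directory)
    return {str(p.relative_to(directory)): sha256_of(p)
            for p in sorted(directory.rglob("*")) if p.is_file()}

def back_up(protected, destination):
    """Copy the protected directory to a backup location (local or remote)."""
    destination = Path(destination)
    if destination.exists():
        shutil.rmtree(destination)
    shutil.copytree(protected, destination)

def detect_tampering(protected, baseline):
    """Compare the directory against the baseline hashes."""
    current = snapshot(protected)
    return {
        "modified": [f for f in baseline if f in current and current[f] != baseline[f]],
        "deleted": [f for f in baseline if f not in current],
        "added": [f for f in current if f not in baseline],
    }

def restore(protected, baseline, local_backup, remote_backup=None):
    """Put back every modified or deleted file from the local backup; if that copy is
    missing or no longer matches the baseline hash, fall back to the remote backup.
    Returns {relative path: name of the backup used, or None if no valid copy exists}."""
    protected = Path(protected)
    report = detect_tampering(protected, baseline)
    restored = {}
    for rel in report["modified"] + report["deleted"]:
        restored[rel] = None
        for source in (local_backup, remote_backup):
            if source is None:
                continue
            candidate = Path(source) / rel
            if candidate.is_file() and sha256_of(candidate) == baseline[rel]:
                target = protected / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(candidate, target)
                restored[rel] = Path(source).name
                break
    return restored

def run_demo():
    """Build a constructed web root in a temp directory, tamper with it, and restore."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        protected, local, remote = base / "www", base / "local", base / "remote"
        (protected / "js").mkdir(parents=True)
        (protected / "index.html").write_text("<h1>welcome</h1>\n")
        (protected / "js" / "app.js").write_text("console.log('app');\n")
        back_up(protected, local)
        back_up(protected, remote)
        baseline = snapshot(protected)

        # Constructed tampering: the page is altered, a script is deleted, and the
        # local backup of that script is corrupted so only the remote copy is valid.
        (protected / "index.html").write_text("<h1>defaced</h1>\n")
        (protected / "js" / "app.js").unlink()
        (local / "js" / "app.js").write_text("garbage\n")

        report = detect_tampering(protected, baseline)
        restored = restore(protected, baseline, local, remote)
        intact = snapshot(protected) == baseline
        return {"report": report, "restored": restored, "intact_after_restore": intact}

if __name__ == "__main__":
    print(run_demo())
```

The design point is the hash comparison before a restore: a backup copy is only trustworthy if it still matches the baseline, which is exactly why the page tells you to enable remote backup rather than rely on the local backup directory alone.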

Post-event Restoration

If a server has been attacked by ransomware, and your files have been encrypted or lost, you can reinstall the server OS and use the backup in CSBS to restore the server.

  1. Choose Computing > Elastic Cloud Server. In the Operation column of a server, click More and choose Manage Image/Disk > Change OS.

  2. Choose Storage > Cloud Server Backup Service. Locate the row of the required ECS backup and click Restore.

    Files damaged by the ransomware will be restored.
