Updated on 2022-12-02 GMT+08:00

Best Practices for Defense Against Ransomware

Ransomware emerged with the Bitcoin economy. It is a Trojan that is disguised as a legitimate email attachment or bundled software and tricks you into opening or installing it. It can also arrive on your servers through a website or server intrusion. Ransomware typically uses a range of algorithms to encrypt the victim's files and demands a ransom payment for the decryption key. Digital currencies such as Bitcoin are typically used for the ransoms, making tracing and prosecuting the attackers difficult.

Ransomware interrupts businesses and can cause serious economic losses. We need to know how it works and how we can prevent it.

Ransomware can get into servers in various ways and is difficult to remove once it is running.

You are advised to enable alarm notifications, so that you are notified as soon as ransomware is detected and can take immediate measures, such as hardening the baseline, setting strong passwords, fixing vulnerabilities, and manually scanning for and killing viruses.

How HSS Works

Ransomware cannot be prevented once and for all. HSS provides pre-event, in-event, and post-event protection, helping you enhance security before any attacks take place, proactively detect and fight against attacks, and restore services from backup after the attacks.

Prerequisites

  • Before using HSS for ransomware prevention, ensure you have purchased and enabled HSS.
  • Cloud Server Backup Service (CSBS) does not back up your data by default. To use it for backup and restoration, ensure you have configured regular automatic backup.

Pre-event Security Hardening

Configuring Security Settings

HSS scans your software for unsafe settings every early morning and provides suggestions. You can modify your settings accordingly to enhance server security.

  • The severity of a risk is rated as high, medium, or low.
  • You are advised to fix the configurations with high severity immediately. You can set trusted configuration items so that they will not be reported as risks.

HSS can check the configurations of the following software: Tomcat, SSH, Nginx, Redis, Apache 2, and MySQL 5.

  1. In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service (New).
  2. Choose Prediction > Baseline Checks. On the Unsafe Configurations tab, view the configuration check results.

    Figure 1 Unsafe Configurations tab

  3. Click a baseline name to go to its details page. In the Operation column of a check item, click View Details. You can view the check results in Audit Description and handle exceptions based on information in Suggestion.

    Figure 2 Viewing check details

  4. After modifying configuration items, you are advised to perform a manual scan immediately to verify the result.

    If you do not perform manual verification, HSS will automatically check the settings at 00:00:00 the next day. If you have no time for a manual scan, you can check the automatic scan result.

Increasing Password Strength

HSS automatically scans servers every early morning for common weak passwords and the passwords you banned, and lists the server names, account names, account types, and usage duration of the weak passwords. You can then ask the weak password users to set stronger passwords.

HSS can detect weak passwords in MySQL, FTP, and system accounts.

  1. In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service (New).
  2. Choose Prediction > Baseline Checks. On the Common Weak Password Detection tab, view the configuration check results.

    Figure 3 Common Weak Password Detection tab

  3. Configure the banned password list. Choose Security Operations > Policies, select a policy group, and click the Weak Password Detection policy to add banned passwords.

    Figure 4 Configuring weak passwords

  4. Perform a manual scan to verify password hardening.

    If you do not perform manual verification, HSS will automatically check the settings at 00:00:00 the next day. If you have no time for a manual password scan, you can check the automatic scan result.

  5. Choose Installation & Configuration and click the Alarm Notifications tab. Select all the alarm severities. You will be notified of weak passwords.

    Figure 5 Configuring alarms

Fixing Vulnerabilities

HSS automatically scans your servers for vulnerabilities in the early morning every day. The vulnerability management function subscribes to and pushes official updates, and reports system vulnerabilities and uninstalled patches. You can fix vulnerabilities and install patches without affecting services.

  • Vulnerability urgency is rated as High, Medium, or Low.
  • You are advised to fix highly urgent vulnerabilities as soon as possible. You can ignore vulnerabilities that do not need to be fixed.

  1. In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.
  2. Choose Prediction > Vulnerabilities. Click the Linux Vulnerabilities, Windows Vulnerabilities, Web-CMS Vulnerabilities, or Application Vulnerabilities tab to view vulnerability details.

    Figure 6 Viewing vulnerability details

  3. Fix the vulnerabilities.

    • Click Handle in the Operation column of a vulnerability. You can fix or ignore a vulnerability.
    • To ignore multiple vulnerabilities, select them and click Ignore.

  4. After the vulnerability is fixed, you can click Verify to verify the fix.

    HSS will automatically scan the settings the next day in the early morning. If you have no time for a manual scan, you can check the automatic scan result.

  5. Choose Installation & Configuration and click the Alarm Notifications tab. Select all the alarm severities. You will be notified of critical vulnerabilities.

    Figure 7 Configuring alarms

In-event Proactive Defense

  • Using Premium Edition: Cloud Virus Scan + Intelligent Policy Learning

Cloud Virus Scan

You can use HSS to quickly isolate and kill malicious programs on intruded servers to prevent viruses from spreading.

  1. In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.
  2. Choose Detection > Alarms. Check and handle Malicious program alarms.

    Figure 8 Checking malicious programs

  3. Click Isolate and Kill and click OK.

    If a program is isolated and killed, it will be terminated immediately and no longer able to perform read or write operations. Isolated source files of programs or processes are displayed on the Isolated Files slide-out panel and cannot harm your servers.

  4. Choose Installation & Configuration and click the Alarm Notifications tab. Select all the alarm severities. You will be notified of malicious programs.

    Figure 9 Configuring alarms

Policies Against Ransomware Viruses

HSS monitors critical files stored on your servers and generates alarms on unauthorized encryption or modification, protecting your servers from ransomware.

  1. Create an intelligent learning policy.

    1. In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service (New).
    2. Choose Prevention > Ransomware Prevention. On the Servers tab, click Add Server. Create an intelligent learning policy for the server.
      Figure 10 Creating a protection policy
    3. In the dialog box that is displayed, select Linux, enable protection, configure the policy, and click Next. For more information, see Table 1.
      Figure 11 Configure ransomware prevention
      Table 1 Ransomware protection parameters

      Parameter              Description                                      Example Value
      OS                     Server OS to be protected.                       Linux
      Ransomware Prevention  Toggle on: Enabled. Toggle off: Disabled.
      Policy                 Select an existing policy or create a new one.   Use policy
      Policy                 Select an existing policy.                       -

    4. Click Next. Configure the server backup rule and the retention rule.
      • You are advised to enable server backup.
      • Enable Server Backup and configure the retention rule.
        Figure 12 Configuring server backup

        You are advised to periodically back up server data; otherwise, your servers cannot be recovered if they are damaged by ransomware.

    5. Click Next. Select servers. You can search for a server by its name or by filtering.
      Figure 13 Selecting servers
    6. Click OK.

  2. Handle alarm events.

    1. Choose Detection > Alarms and click Malicious programs. The Events list is displayed.
    2. In the displayed dialog box, select a handling method. You can isolate and kill processes that are not in the policy to prevent unauthorized encryption.

  • Using Web Tamper Protection (WTP) Edition: Locking Files

HSS can lock driver and web file directories to prevent attackers from tampering with them. If HSS detects that a file in the protected directory is tampered with, it immediately uses the backup file on your local servers to restore the file.

If a file directory or backup directory on the local server becomes invalid, you can use remote backup to restore the tampered file.

Only the WTP edition of HSS can lock file directories and use backups to restore files.

  1. In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service (New).
  2. Choose Prevention > Web Tamper Protection and click Configure Protection.

    Figure 14 Protection settings

  3. On the Protected Directory Settings tab, add a protected directory and back up its files to a local path.

    Figure 15 Adding a protected directory

  4. Enable remote backup. By default, HSS backs up the files from the protected directories to the local backup directory you specified when you added protected directories. To protect the local backup files from tampering, you must enable the remote backup function.

    1. Choose Web Tamper Protection and click the target server name. In the Add Backup Server dialog box, add a remote backup server.
      Figure 16 Configuring the protected directory
      Figure 17 Adding a remote backup server
    2. Choose Web Tamper Protection > Server Protection. In the Operation column of a server, click Configure Protection. On the Protected Directory Settings tab, click Enable Remote Backup.
      Figure 18 Enabling remote backup
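The following added example (not HSS code) illustrates the mechanism behind both the ransomware prevention alarms on unauthorized encryption or modification and the WTP restore-from-backup behaviour described above: a hash baseline is taken for a protected directory while it is trusted, a check alarms on every modified or deleted file, flags encryption-like changes by byte entropy, and restores each damaged file from a backup copy. The directory names, the entropy threshold and the sample files are constructed for the demo.

```python
import hashlib, math, os, shutil, tempfile
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # constructed: ciphertext nears 8 bits/byte, text and configs stay far lower

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(bytes([b])) for b in range(256)) if c)

def snapshot(protected: Path) -> dict:
    """Baseline taken while the directory is trusted: relative path -> SHA-256."""
    return {str(p.relative_to(protected)): sha256_of(p) for p in protected.rglob("*") if p.is_file()}

def check_and_restore(protected: Path, backup: Path, baseline: dict) -> list:
    """Restore every changed or deleted baseline file from the backup copy and
    return alarms as (relative_path, reason) tuples."""
    alarms = []
    for rel, expected in baseline.items():
        live = protected / rel
        if live.is_file() and sha256_of(live) == expected:
            continue  # unchanged
        if not live.is_file():
            reason = "deleted"
        elif shannon_entropy(live.read_bytes()) >= ENTROPY_THRESHOLD:
            reason = "modified, high entropy (possible encryption)"
        else:
            reason = "modified"
        alarms.append((rel, reason))
        live.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, live)  # restore from the trusted backup copy
    return alarms

def demo() -> tuple:
    """Constructed scenario: one web file overwritten with random bytes, one config file deleted."""
    root = Path(tempfile.mkdtemp())
    protected, backup = root / "www", root / "backup"
    protected.mkdir(); backup.mkdir()
    for name, body in (("index.html", b"<html>hello</html>\n" * 20), ("app.conf", b"debug=false\n" * 30)):
        (protected / name).write_bytes(body)
        shutil.copy2(protected / name, backup / name)
    baseline = snapshot(protected)
    (protected / "index.html").write_bytes(os.urandom(8192))  # simulated tampering
    (protected / "app.conf").unlink()
    alarms = check_and_restore(protected, backup, baseline)
    return sorted(alarms), snapshot(protected) == baseline
```

Like WTP's local backup, the backup directory here is only as trustworthy as its own protection, which is why the procedure above also enables remote backup.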

Post-event Restoration

If a server has been attacked by ransomware, and your files have been encrypted or lost, you can reinstall the server OS and use the backup in CSBS to restore the server.

Post-event restoration restores an intruded ECS from a backup created before the ransomware intrusion.

  1. Choose Computing > Elastic Cloud Server. In the Operation column of a server, click More and choose Manage Image/Disk/Backup > Reinstall OS.

  2. Choose Storage > Cloud Server Backup Service. Locate the row of the required ECS backup and click Restore.

    Files damaged by the ransomware will be restored.