Protecting Against Ransomware (General Actions)

You are advised to perform the following operations to protect your servers against ransomware:

• Minimize the scope exposed to the Internet: Periodically scan external ports and ensure only necessary ports are enabled.
• Reduce system risks: Periodically scan vulnerabilities and system risk configuration parameters to fix vulnerabilities and risks in a timely manner. In addition, pay attention to the security vulnerability information and patch information released by software vendors, and manage and fix vulnerabilities in a timely manner.
• Enhance network access control: Clearly define network security zones and access control rules, minimize access rights, and update access control rules in a timely manner.
• Back up important data: Reliable data backup can minimize the loss caused by ransomware. Encrypt the storage and periodically back up critical service data, and set proper backup retention rules to ensure that valid copies can be used to restore data once being attacked.
• Enhance account permission control: Assign accounts and permissions to different roles based on access control rules such as identity management and fine-grained permission control. Improve the security of privileged accounts. Properly set and save accounts and passwords for key service assets of your company. Configure two-factor authentication to identify the personnel that access key assets and reduce brute-force cracking risks.
• Establish high-reliability service architecture: Deploy cloud services in cluster mode. If an emergency occurs on a node, services will be switched to the standby node, improving reliability and preventing data loss. If you have sufficient resources, you can build intra-city or remote DR and backup systems. If the primary system is attacked by ransomware, your services can be quickly switched to the backup system and will not be interrupted.
• Develop emergency plans for security incidents: Establish an emergency organization and management mechanism to deal with cybersecurity incidents such as ransomware attacks, and specify work principles, division of responsibilities, emergency handling processes, and key measures. Once your service is attacked by ransomware, immediately start the internal cyber security emergency plan and carry out standardized emergency handling to mitigate and eliminate the impact of the ransomware attack.
• Enhance employees' security awareness: Improve employees' cyber security awareness through training and drills. Ensure that employees understand national cyber security laws and regulations and Huawei cyber security regulations, can identify common cyber security attacks such as phishing, have certain incident handling capabilities, and know the consequences and impacts of security incidents.

You are advised to perform the following operations once being attacked by ransomware:

• Rapidly isolate the infected devices: Once being attacked, immediately disconnect the network or power off the system to prevent the spread of the ransomware attack. Change the passwords of infected devices and other devices on the same LAN in a timely manner.
• Quickly handle the intrusion events: Perform real-time security scan on service resources, isolate and block the ransomware, block the source IP addresses of the ransomware and the IP addresses suspected of brute-force attacks, and block the running, communication, and connection of the ransomware.

You are advised to perform the following restoration operations:

• Use backup data to restore services: Determine the data restoration scope, sequence, and backup version based on the backup status of the attacked device, and use the backup data to restore services.
• Check and fix network risks: Identify system vulnerabilities based on ransomware attack paths. Check and fix the system vulnerabilities.