
Elastic Compute Service:Improve the anti-ransomware capabilities of ECS instances

Last Updated: Mar 26, 2026

Ransomware is a common type of computer virus. After an Elastic Compute Service (ECS) instance is infected with ransomware, the business data on the instance is encrypted and held for ransom. This can lead to serious business risks, such as service interruptions, data leaks, and data loss. This topic describes how to improve the anti-ransomware capabilities of an ECS instance.

Background information

As computer and cloud computing technologies develop, various types of computer viruses emerge, including ransomware, which is a particularly common type. Alibaba Cloud leverages years of experience in cloud security protection and advanced security attack-and-defense technologies to provide users with comprehensive security solutions. For more information about anti-ransomware, see Overview of anti-ransomware.

Problem description

When your ECS instance is infected with ransomware, files on the instance are encrypted, and a ransom note or message appears in your working directory. For example, if a Windows ECS instance is infected with ransomware, a ransom note such as the following appears in your working directory.

[Image: example ransom note left in the working directory of an infected Windows ECS instance]

Solution overview

Computer virus prevention measures reduce the risk of infection, but they cannot eliminate it completely. Data backup is the last line of defense against ransomware. However, when you restore a disk from a backup or snapshot, all data written between the point in time when the backup or snapshot was created and the point in time when the disk is rolled back is lost. Design your data backup policy around your business scenario so that important data is effectively protected and the amount of data you can afford to lose is bounded.

The following solutions provide common protection ideas for ransomware:

  • Solution 1: Use Security Center to improve the anti-ransomware capabilities of an ECS instance

  • Solution 2: Use an automatic snapshot policy to create snapshots for an ECS instance

  • Solution 3: Use security policies such as security groups and firewalls to improve instance protection

You can use a single solution or a combination of these solutions based on your business requirements. For example, if you have high requirements for business continuity, you can use all three solutions at the same time. Take note that you are charged for backups and snapshots.
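The trade-off described above can be quantified for a given policy: a rollback loses everything written after the last clean backup, and a backup is only available for a rollback while it is still inside its retention period. The following Python script is an added example, not part of this topic or of Security Center. It assumes the Recommended Policy values described under Solution 1 (one backup per day, 7-day retention, first backup inside the 00:00 to 03:00 window) and constructed infection and rollback times, and it shows the case that a policy designer must plan for: an infection that goes unnoticed for longer than the retention period, so that no clean backup remains.

```python
from datetime import datetime, timedelta

# Added example: estimate, for a given backup policy, which backup a rollback can
# use and how much data is lost. Policy values mirror the Recommended Policy
# (interval 1 day, retention 7 days); infection and rollback times are constructed.


def backup_times(first_backup, interval_days, until):
    """Points in time at which the policy takes a backup, from first_backup up to `until`."""
    times = []
    t = first_backup
    while t <= until:
        times.append(t)
        t += timedelta(days=interval_days)
    return times


def usable_backups(backups, retention_days, infected_at, rollback_at):
    """Backups that hold clean data (taken before the infection) and that still exist
    at rollback time (retention not yet expired; None stands for Permanent)."""
    usable = []
    for b in backups:
        if b >= infected_at:
            continue  # taken after the infection: contains encrypted files
        if retention_days is not None and b + timedelta(days=retention_days) <= rollback_at:
            continue  # aged out and deleted before the rollback
        usable.append(b)
    return usable


def data_loss_window(first_backup, interval_days, retention_days, infected_at, rollback_at):
    """Return (latest clean backup, hours of data lost on rollback), or (None, None)
    when every clean backup expired before the rollback."""
    backups = backup_times(first_backup, interval_days, rollback_at)
    clean = usable_backups(backups, retention_days, infected_at, rollback_at)
    if not clean:
        return None, None
    latest = max(clean)
    lost_hours = (rollback_at - latest).total_seconds() / 3600
    return latest, lost_hours


def assess(first_backup, interval_days, retention_days, infected_at, rollback_at):
    """String wrapper: ISO 8601 timestamps in, (ISO timestamp or None, hours or None) out."""
    fb, inf, rb = (datetime.fromisoformat(s) for s in (first_backup, infected_at, rollback_at))
    latest, lost = data_loss_window(fb, interval_days, retention_days, inf, rb)
    return (latest.isoformat(timespec="minutes") if latest else None, lost)


if __name__ == "__main__":
    first = "2026-03-01T02:00"  # constructed: first backup inside the 00:00-03:00 window
    # Case 1: infection noticed the next morning; rollback well inside the retention period.
    print(assess(first, 1, 7, "2026-03-10T14:00", "2026-03-11T09:00"))
    # Case 2: infection noticed ten days later; with 7-day retention every clean backup is gone.
    print(assess(first, 1, 7, "2026-03-10T14:00", "2026-03-20T10:00"))
    # Case 3: same dwell time with 14-day retention; the rollback works but loses about 10 days.
    print(assess(first, 1, 14, "2026-03-10T14:00", "2026-03-20T10:00"))
```

Case 2 is the reason the retention period should be chosen against how long an infection could plausibly go undetected, not only against storage cost: once the last clean backup has aged out, the remaining backups all contain encrypted files and only the third-party decryption route under Solution 3 is left.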

Solution 1: Use Security Center to improve the anti-ransomware capabilities of an ECS instance

Workflow

[Image: workflow diagram for Solution 1]

Procedure

  1. Enable the anti-ransomware feature and purchase the anti-ransomware capacity.

    To use the anti-ransomware feature provided by Security Center, you must enable the feature and purchase the anti-ransomware capacity. For more information, see Enable and purchase the anti-ransomware service.

    Note

    You can purchase anti-ransomware services based on your business scenario and requirements.

  2. Create an anti-ransomware policy.

    After you enable the anti-ransomware feature, you must create an anti-ransomware policy.

    Create an anti-ransomware policy

    Before you create a policy, ensure that the operating system of your server is supported. For a list of supported operating systems, see Anti-ransomware overview.

    1. Log on to the Security Center console.

    2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Anti-ransomware. In the upper-left corner, select the region of the asset you want to protect: Chinese Mainland or Outside Chinese Mainland.

    3. On the Anti-ransomware for Servers tab of the Anti-ransomware page, click Create Anti-ransomware Policy.

    4. In the Create Anti-ransomware Policy panel, enter a policy name, and select a server type and assets.

      Parameters:

      Policy Name: Set a name for the protection policy.

      Server Type: Select the type of server to which the policy applies.

      Backup Route: This parameter is required only if you set Server Type to Server Not Deployed on Alibaba Cloud. It specifies the communication method for data backup. Options:

      • Internet: Select this option to transfer backup data over the Internet. This may incur Internet bandwidth fees.

      • Internal Network: Select this option to transfer backup data over a private network. You must use services like Virtual Private Cloud (VPC), Express Connect, or Cloud Enterprise Network (CEN) to connect your servers outside Alibaba Cloud to the anti-ransomware endpoint in the selected region.

      Region: This parameter is required only if you set Server Type to Server Not Deployed on Alibaba Cloud. Select the region where the server is located or a region that has a stable network connection to the anti-ransomware endpoint. The selected region determines the endpoint used to access the anti-ransomware service. To ensure successful backups, you must ensure the server can communicate with the anti-ransomware endpoint in the selected region. For more information, see Endpoints.

      Select Asset: You can select a single asset, multiple assets across groups, or an entire asset group. To select the assets to protect, do one of the following:

      • In the Asset Group section, select an asset group. All assets in that group are automatically selected. You can deselect assets you do not want to protect in the Asset section on the right.

      • In the Assets section, enter an asset name (fuzzy search is supported) and click the search icon. The relevant assets are displayed. You can then select the assets you want to protect.

      Note

      • For Alibaba Cloud servers, you can configure servers from multiple regions within a single policy. For servers outside Alibaba Cloud, you can only configure servers from the same region within a single policy.

      • To ensure efficient use of your protection capacity, a server can be added to only one policy.

    5. In the Create Anti-ransomware Policy panel, configure the data backup settings and click OK.

      You can choose a Recommended Policy or a Custom Policy.

      • Recommended Policy: This is a built-in, unmodifiable policy in Security Center for easy configuration. It uses the following rules:

        • Directory to Protect: All directories (excluding system directories)

        • Directory to Exclude: Displays a list of excluded directories.

        • Non-local Mount Path: Excludes non-local mount paths, such as those for OSS and NAS.

        • File Type to Protect: All File Types

        • First Backup Starts At: Any time between 00:00 and 03:00

        • Periodic Backup Interval: 1 day

        • Backup Data Retention Period: 7 days

        • Maximum Backup Bandwidth:

          • Alibaba Cloud server: 0 MB/s

            Note

            A value of 0 MB/s indicates no bandwidth limit.

          • Servers outside Alibaba Cloud: 5 MB/s

      • Custom Policy: Lets you define specific rules for greater flexibility. You can specify the directories to protect, directories to exclude, file types to protect, backup start time, backup interval, data retention period, and backup network bandwidth limit (in MB/s). The parameters are described below.

        Directory to Protect: Select the directories to back up. The following options are available:

        • Specific Directory: Backs up specified directories on the selected assets. You need to add the directory paths to back up in the Directory to Protect field. Examples:

          • Windows: C:\Program Files (x86)\

          • Linux: /usr/bin/

          You can add up to 20 directory paths. Security Center runs backup tasks for each path sequentially. If a directory contains many files, the backup process may consume significant server resources (CPU and memory). You can split a large directory into multiple smaller directory paths so that the backup tasks run sequentially, which effectively reduces resource consumption during backups.

        • All Directories: Backs up all directories on the selected assets.

        Directory to Exclude: Specify directories that do not need to be backed up. Security Center provides a default list of excluded directories, which you can modify.

        Non-local Mount Path: Select whether to exclude non-local mount paths, such as those for OSS and NAS.

        File Type to Protect: Select the file types to protect. The following options are available:

        • All File Types: Backs up files of all types.

        • Specific File Types: Backs up only files of the specified types, such as documents or images.

          Important

          You can select multiple file types. Security Center backs up only the files of the selected types on your assets.

        First Backup Starts At: Set the start time for the data backup.

        Important

        After a policy is created, the initial backup is a full backup of all data in the protected directories, which can consume significant CPU and memory resources. To avoid impacting your business, we recommend scheduling the first data backup during off-peak hours.

        Periodic Backup Interval: Set the interval for periodic backups. The default is 1 day.

        Backup Data Retention Period: Set the retention period for backup data. The default is 7 days.

        Important

        Backup data is automatically deleted after the retention period expires. We recommend setting a retention period that meets your business requirements.

        The following retention options are available:

        • Permanent: Backup data is retained until your Security Center service expires, or you delete the policy or remove a server from the policy.

        • Custom: Specify a custom number of days for retention, from 1 to 65,535.

        Maximum Backup Bandwidth: Set the maximum network bandwidth that backup jobs can use. The value can range from 0 MB/s to unlimited.

        Backups for Alibaba Cloud servers use only private network bandwidth and do not affect public bandwidth. Backups for servers outside Alibaba Cloud require either public or private network bandwidth. You can set a bandwidth limit to prevent backups from consuming too much bandwidth and impacting your business operations.

        • The default value for Alibaba Cloud servers is 0 MB/s.

          Note

          A value of 0 MB/s indicates no bandwidth limit.

        • The default value for servers outside Alibaba Cloud is 5 MB/s.

    6. After you create the policy, its status is enabled by default. Security Center automatically installs the anti-ransomware agent on your servers and backs up data in the protected directories according to the policy settings.

      Warning

      You must monitor the status of the anti-ransomware agent and promptly address any exceptions to ensure backup and recovery tasks run correctly. For more information, see View the agent status.

  3. (Optional) Restore data from a valid backup in Security Center.

    1. Create snapshots for the system disk and data disks of the instance that is infected with ransomware. For information about how to create a snapshot, see Create snapshot manually.

    2. Use a backup in Security Center to restore your business. To restore your business, perform the following steps.

      Create a restoration task

      1. Log on to the Security Center console.

      2. In the navigation pane on the left, choose Protection Configuration > Host Protection > Anti-ransomware. In the upper-left corner of the console, select the region where your asset is located: Chinese Mainland or Outside Chinese Mainland.

      3. On the Anti-ransomware for Servers tab, locate the server for which you want to create a restore job in the policy list.

        Note

        You can use the search box above the list to quickly find the server by policy name or server name.

      4. Click the expand icon next to the policy to show its list of servers. Locate the target server and click Restore in the Restore column.

      5. In the Create Restoration Task panel, select the backup version and files to restore, enter the destination folder, and specify the target server.

      6. Click OK.

        After the restore job is created, the message Restoration task created. appears. You can go to the target server to view the restored backup data.

Solution 2: Use an automatic snapshot policy to create snapshots for an ECS instance

Workflow

[Image: workflow diagram for Solution 2]

Procedure

Snapshots are backups that can be used to restore data after the instance from which they were created is infected with ransomware. Take note that this solution only provides post-event restoration capabilities and cannot replace active protection measures.

  1. Create an automatic snapshot policy for the disks attached to the instance. For more information, see Create policy.

  2. (Optional) Restore data from valid snapshots that were created before the instance was infected with ransomware.

    1. Create snapshots for the system disk and data disks of the instance that is infected with ransomware. For information about how to create a snapshot, see Create snapshot manually.

      Important

      The rollback operation is irreversible. After you roll back a disk, data that you added, removed, or modified from the point in time when the snapshot is created to the point in time when the disk is rolled back is lost. To prevent data loss caused by accidental operations, we recommend that you create snapshots for the disks attached to the instance to back up data before you roll back the disks.

    2. Re-initialize the system disk of the instance. For more information, see Re-initialize system disk (reset OS).

    3. Use valid snapshots that were created before the instance was infected with ransomware to restore the data of the system disk and data disks. For more information, see Roll back disk using snapshot.

Solution 3: Use security policies such as security groups and firewalls to improve instance protection

Workflow

[Image: workflow diagram for Solution 3]

Procedure

You can use security policies, such as security groups and firewalls, to improve protection capabilities against ransomware. This requires technical expertise in network security.

  1. Learn about the best practices for security groups and firewall policies and configure security settings. For more information, see Best practices for security groups (inbound rules) and Configure firewall rules for Windows.

  2. (Optional) Contact a third-party organization to decrypt and restore ransomware-corrupted data.

    1. Create snapshots for the system disk and data disks of the instance that is infected with ransomware. For information about how to create a snapshot, see Create snapshot manually.

    2. Re-initialize the system disk of the instance. For more information, see Re-initialize system disk (reset OS).

    3. If you did not back up important data or create snapshots before you re-initialized the system disk, you can contact a third-party organization to decrypt and restore the ransomware-corrupted data after the system disk is re-initialized. The snapshots created in step 1 preserve the encrypted data that the third-party organization works on.

      Warning

      The data decryption capability provided by a third-party organization after a ransomware attack is independent of Alibaba Cloud. Alibaba Cloud is not responsible for the extent of data restoration and possible data corruption.
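As an added illustration of the inbound-rule review that step 1 asks for, the following Python script audits a list of security group inbound rules for entries that a best-practice configuration would not contain. The script is not part of this topic or of any Alibaba Cloud tool. The rule fields (IpProtocol, PortRange, SourceCidrIp, Policy, Direction) follow the shape of ECS security group permission entries, but the sample rules are constructed, and the set of ports treated as high risk (remote administration, file sharing, databases) is this example's own assumption. It flags Accept rules that let a source outside private address space reach one of those ports, and rules open to 0.0.0.0/0 on any other port.

```python
import ipaddress

# Added example: flag overly permissive inbound security group rules.
# HIGH_RISK_PORTS is this example's assumption about ports that should not be
# reachable from outside private address space; the sample rules are constructed.
HIGH_RISK_PORTS = {
    22: "SSH", 135: "RPC", 139: "NetBIOS", 445: "SMB",
    1433: "SQL Server", 3306: "MySQL", 3389: "RDP", 6379: "Redis",
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_port_range(port_range):
    """ECS-style 'lo/hi' port range; '-1/-1' stands for every port."""
    lo, hi = (int(p) for p in port_range.split("/"))
    if (lo, hi) == (-1, -1):
        return 1, 65535
    return lo, hi


def source_scope(cidr):
    """Classify the source CIDR as 'internet' (0.0.0.0/0 or ::/0), 'private' (RFC 1918)
    or 'public-range' (any other range)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "internet"
    if net.version == 4 and any(net.subnet_of(p) for p in RFC1918):
        return "private"
    return "public-range"


def audit_inbound_rules(permissions):
    """Return (rule index, severity, reason) for each risky ingress Accept rule."""
    findings = []
    for i, rule in enumerate(permissions):
        if rule.get("Direction", "ingress") != "ingress" or rule.get("Policy", "Accept") != "Accept":
            continue
        proto = rule["IpProtocol"].lower()
        if proto in ("icmp", "gre"):
            continue  # no TCP/UDP ports involved
        scope = source_scope(rule["SourceCidrIp"])
        if scope == "private":
            continue  # reachable only from private address space
        lo, hi = (1, 65535) if proto == "all" else parse_port_range(rule["PortRange"])
        exposed = [f"{p}/{name}" for p, name in sorted(HIGH_RISK_PORTS.items()) if lo <= p <= hi]
        if exposed:
            findings.append((i, "high", f"{rule['SourceCidrIp']} can reach {', '.join(exposed)}"))
        elif scope == "internet":
            findings.append((i, "medium", f"{rule['SourceCidrIp']} can reach ports {lo}-{hi}"))
    return findings


# Constructed sample in the shape of ECS security group permission entries.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "TCP", "PortRange": "3389/3389", "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept", "Direction": "ingress"},
    {"IpProtocol": "TCP", "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept", "Direction": "ingress"},
    {"IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "10.0.0.0/8", "Policy": "Accept", "Direction": "ingress"},
    {"IpProtocol": "TCP", "PortRange": "1/65535", "SourceCidrIp": "203.0.113.0/24", "Policy": "Accept", "Direction": "ingress"},
    {"IpProtocol": "TCP", "PortRange": "3389/3389", "SourceCidrIp": "0.0.0.0/0", "Policy": "Drop", "Direction": "ingress"},
    {"IpProtocol": "ICMP", "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept", "Direction": "ingress"},
]


def demo_findings():
    """Run the audit over the constructed sample."""
    return audit_inbound_rules(SAMPLE_PERMISSIONS)


if __name__ == "__main__":
    for index, severity, reason in demo_findings():
        print(f"rule {index}: {severity}: {reason}")
```

On the sample, the RDP rule open to 0.0.0.0/0 and the all-ports rule from a public /24 are reported as high, the HTTPS rule as medium (expected for a web server, but worth confirming), while the SSH rule limited to 10.0.0.0/8, the Drop rule and the ICMP rule produce no finding. The same classification applies to host firewall rules on Windows: restrict remote-administration and file-sharing ports to the address ranges that need them.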

References

Refer to the following topics if needed: