More and more users have to deal with ransomware attacks. Ransomware exploits vulnerabilities to break into business servers and encrypts all the data on the server in order to run an extortion scheme. Such events can result in sudden business interruption, data breach, and data loss, severely threatening the user's business.
This article analyzes the common causes of ransomware attacks and provides corresponding security solutions to help protect your system against them.
Our survey on cloud users shows that many users fail to follow the best security practices when using cloud server resources. The following are the three major issues:
- The key account passwords are weak or no authentication is enabled.
  - The key accounts (root, administrator) for server logon have simple passwords or no password at all.
  - Important business services such as databases (Redis, MongoDB, MySQL, MSSQL Server) can be accessed with simple passwords or without a password.
- No access control policy is implemented. The businesses are open on the Internet without any protection. High-risk services such as RDP, SSH, Redis, MongoDB, MySQL, and MSSQL Server can be accessed directly from the Internet.
- The operating system and software of the application server have high-risk vulnerabilities. Malicious attackers can exploit these vulnerabilities to upload ransomware and start remote attacks.
These issues can be exploited at low cost, and are often used by hackers to start ransomware attacks such as database deletion. Attackers can cause heavy damage to the business even without a valid account and password.
To minimize the impact of ransomware attacks, we recommend that you use the following measures to protect yourself and your institution.
Reliable data backups can minimize the loss incurred by ransomware. However, the backups themselves must also be protected so that they cannot be infected or damaged.
We recommend that you keep at least two data copies: a local backup and a remote backup.
Also, use more than one backup method so that as much data as possible can be recovered if extortion occurs:
- ECS snapshot
- RDS data backup
- Backup of important data by using OSS
- User-developed data backup policies or solutions
The account that Alibaba Cloud allocates to you is the first "critical key" to all your businesses on the cloud. Once this "critical key" with the highest privileges is leaked, hackers can essentially gain control over all the cloud service resources that support your business, directly threatening the overall security of your business on the cloud.
Alibaba Cloud provides Multi-Factor Authentication (MFA), password security policies, and auditing functions to ensure the security of your cloud service accounts. You can easily enable and configure these features in the cloud console.
We recommend that you properly allocate accounts and permissions for different roles within your organization by using RAM. This can prevent security risks arising from erroneous operations during O&M management.
On ECS servers, you can deploy key business components such as database services, file services, caches, and other crucial data-intensive services. The security of the administrator accounts with the highest authority for these services is a prerequisite for the continuous and reliable operation of your business.
We recommend that you configure account names and passwords as follows:
- Do not open these high-risk services on the Internet. See Strengthen network access control to configure strong access control policies.
- Enable authentication.
- Prohibit direct logon by using the root account.
- If you are using a Windows system, we recommend that you change the default name of the administrator account.
- Configure strong passwords for all services. A strong password must consist of at least eight characters, and must contain uppercase and lowercase letters, numbers, and special symbols. Do not include usernames, real names of users, company names, or any complete words in a password.
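The password rules above can be enforced at account creation time. The following is an added example (not code from the original article or from Alibaba Cloud) that checks a candidate password against exactly those rules; the word list is a constructed stand-in for a real dictionary file.

```python
import re

# Constructed sample word list standing in for a full dictionary
# (assumption: in practice load one word per line from a file).
COMMON_WORDS = {"password", "welcome", "admin", "summer", "dragon", "cloud"}


def password_violations(password, forbidden=(), words=COMMON_WORDS):
    """Return the list of policy violations; an empty list means the password passes.

    forbidden: identifiers tied to the user (username, real name, company name)
    that must not appear anywhere in the password, case-insensitively.
    words: "complete words" that must not be embedded in the password.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):   # anything non-alphanumeric counts
        problems.append("no special symbol")
    lowered = password.lower()
    for ident in forbidden:
        ident = ident.strip().lower()
        if ident and ident in lowered:
            problems.append(f"contains identifier '{ident}'")
    # Only words of 4+ letters are treated as "complete words" to avoid
    # rejecting short accidental substrings (assumption of this example).
    for word in sorted(words):
        if len(word) >= 4 and word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    return problems


def is_strong(password, forbidden=(), words=COMMON_WORDS):
    """True when the password satisfies the whole policy."""
    return not password_violations(password, forbidden, words)
```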
Recommended tools: Alibaba Cloud RAM, system and software hardening
Fine-grained network management is the first line of defense for your business. The network security architectures of many enterprises have no business segmentation, which is insecure. With effective security partitioning, access control, and access permissions, penetration can be blocked or mitigated, and unauthorized individuals can be prevented from entering the business environment.
For example, you can restrict management protocols such as SSH and RDP, limit the IP addresses that may connect to data-related services (such as FTP, Redis, MongoDB, Memcached, MySQL, MSSQL Server, and Oracle), and only allow trusted IP addresses to access these services. In addition, you can perform real-time analysis and auditing of outbound network behavior.
We recommend that you use a secure VPC network:
- Use VPC and security groups to divide business sections with different security levels, isolating the different applications from one another.
- Configure security group and firewall filtering policies for both inbound and outbound traffic.
- Database services do not need to be managed or accessed directly from the Internet. Configure inbound access control policies so that database services are not exposed to the Internet and exploited by hackers.
- You can also configure more stringent intranet access control policies, for example, allowing only a specific intranet IP address to access a database server.
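One way to verify the inbound policies described above is to audit the security-group rules themselves. The following is an added example (not code from the original article or from Alibaba Cloud) that flags any of the high-risk services named in this article that a rule makes reachable from a public source range; the rule format, the port list, and the "trusted range" threshold are this example's own assumptions.

```python
import ipaddress

# Ports of the services the article names as high-risk when exposed publicly.
HIGH_RISK_PORTS = {
    21: "FTP", 22: "SSH", 1433: "MSSQL Server", 1521: "Oracle", 3306: "MySQL",
    3389: "RDP", 6379: "Redis", 11211: "Memcached", 27017: "MongoDB",
}

# Source ranges regarded as internal: RFC 1918, loopback, IPv6 ULA/loopback.
INTERNAL = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128")]


def is_internal(net):
    return any(net.version == t.version and net.subnet_of(t) for t in INTERNAL)


def audit_rules(rules):
    """rules: dicts with keys protocol, port_from, port_to, source (CIDR).

    Returns (service, port, source, severity) for every high-risk port that a
    rule opens to a public source range. Assumption: a public range of at most
    256 addresses is treated as a trusted office range and not reported.
    """
    findings = []
    for rule in rules:
        if rule.get("protocol", "tcp").lower() not in ("tcp", "all"):
            continue
        net = ipaddress.ip_network(rule["source"], strict=False)
        if is_internal(net):
            continue
        if net.prefixlen == 0:
            severity = "critical"      # 0.0.0.0/0 or ::/0: open to everyone
        elif net.num_addresses > 256:
            severity = "high"          # broad public range, not a trusted IP
        else:
            continue
        lo, hi = int(rule["port_from"]), int(rule["port_to"])
        for port, service in sorted(HIGH_RISK_PORTS.items()):
            if lo <= port <= hi:
                findings.append((service, port, rule["source"], severity))
    return findings


# Constructed sample rules resembling inbound security-group entries.
SAMPLE_RULES = [
    {"protocol": "tcp", "port_from": 22, "port_to": 22, "source": "0.0.0.0/0"},
    {"protocol": "tcp", "port_from": 3306, "port_to": 3306, "source": "10.0.0.0/8"},
    {"protocol": "tcp", "port_from": 1, "port_to": 65535, "source": "203.0.113.0/24"},
    {"protocol": "tcp", "port_from": 6379, "port_to": 6379, "source": "45.0.0.0/8"},
    {"protocol": "tcp", "port_from": 3389, "port_to": 3389, "source": "::/0"},
]
```

Running `audit_rules(SAMPLE_RULES)` reports the SSH, Redis, and RDP rules; the MySQL rule is internal and the all-ports rule from the /24 office range is within the trusted threshold.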
A high-performance, redundant infrastructure is the basic requirement for a robust application. In a cloud environment, you can build a highly available architecture by leveraging Server Load Balancer clusters. When a node suffers an emergency, the Server Load Balancer cluster helps to avoid single points of failure and data loss without business interruption.
When resources permit, enterprises and organizations are advised to build a backup system for disaster tolerance within the same city or in a different city. When the main system suffers extortion, you can quickly switch your business to the backup system to ensure continuity.
Recommended tools: disaster tolerance architectures made up of Alibaba Cloud Server Load Balancer, Alibaba Cloud RDS, and other high-performance services
Port scanning helps to identify the exposed services in your enterprise. When connecting your services to the Internet, you have to decide which services to publish on the Internet and which are for internal access only. With fewer services published on the Internet, the chances of being attacked are lower and the security risk is reduced.
Enterprise IT management personnel must regularly perform security tests on the business software to detect vulnerabilities. Once an at-risk service is detected, vulnerability scanning tools must be used to scan it, and any detected vulnerabilities must be fixed as soon as possible. Pay close attention to the vulnerability and patch information released by the software provider so that vulnerabilities are fixed promptly.
- Develop and follow an IT software security configuration standard, apply initial security hardening to the operating systems (Windows and Linux) and software (FTP, Apache, Nginx, Tomcat, MySQL, MS-SQL Server, Redis, MongoDB, and Memcached), and regularly verify that the hardening is still in effect.
- Install anti-virus software on Windows ECS instances and update the virus library on a regular basis.
- Regularly check and install the latest security patches.
- Modify the default name of the administrator account, and configure a strong password for the logon account.
- Enable the logging feature and perform centralized management and audit analysis.
- Create different accounts, assign only the necessary permissions to each, and enable the auditing function. For example, create accounts with different permissions for servers and RDS databases. You can also implement more stringent access policies, such as requiring a VPN.
- Implement strong password policies, and perform regular maintenance and updates. Make sure that all operations are strictly recorded and audited.
- Make sure that critical points are monitored in real time and exceptions are handled immediately upon detection.
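The hardening items above (no direct root logon, no empty passwords, authentication enabled on Redis, no exposure on all interfaces) are only useful if they are verified regularly rather than assumed. The following is an added example (not code from the original article or from Alibaba Cloud) that checks those settings in the text of `sshd_config` and `redis.conf`; the chosen directives and expected values are this example's own baseline, and the sample configurations are constructed.

```python
def parse_directives(text, first_wins):
    """Return {key: value} from 'key value' lines, skipping blanks and comments.
    sshd honours the first occurrence of a directive, Redis the last; the flag
    selects which one wins so the audit sees what the daemon would actually use."""
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # simplified: drops '#' comments
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if first_wins and key in found:
            continue
        found[key] = value.strip()
    return found


def audit_sshd(text):
    d = parse_directives(text, first_wins=True)
    issues = []
    # An absent directive means OpenSSH's default (prohibit-password), which
    # still allows root key logon, so only an explicit 'no' passes this check.
    if d.get("permitrootlogin", "prohibit-password").lower() != "no":
        issues.append("PermitRootLogin is not 'no'")
    if d.get("permitemptypasswords", "no").lower() == "yes":
        issues.append("PermitEmptyPasswords is 'yes'")
    return issues


def audit_redis(text):
    d = parse_directives(text, first_wins=False)
    issues = []
    if not d.get("requirepass", "").strip('"\''):
        issues.append("no requirepass: Redis accepts unauthenticated clients")
    bind = d.get("bind", "0.0.0.0").split()    # absent bind: all interfaces
    if any(a.lstrip("-") in ("0.0.0.0", "::", "*") for a in bind):
        issues.append("bind exposes Redis on all interfaces")
    if d.get("protected-mode", "yes").lower() == "no":
        issues.append("protected-mode is 'no'")
    return issues


# Constructed sample configurations (not taken from any real host).
SSHD_SAMPLE = """PermitRootLogin yes
PermitRootLogin no      # ignored: sshd keeps the first value
PermitEmptyPasswords no
"""
REDIS_SAMPLE = """bind 0.0.0.0
protected-mode no
# requirepass deliberately absent
"""
```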
Recommended tools: Alibaba Cloud Security Server Guard
Most security issues come from insecure code. Code security directly relates to business risk. Programmers are required to incorporate security architecture into the overall software from the very beginning to ensure security at the code layer. They must also follow standard software development procedures that build security activities into every stage.
We recommend that you focus on the secure coding practices and security test results of your developers or software vendors. In particular, you must audit and evaluate the security of the developed business code and perform black box tests on the deployed system. You can also conduct black box penetration tests on a regular basis.
Recommended tools: Alibaba Cloud Security Web Application Firewall (WAF), and SDL standard procedures
Security is a dynamic process of confrontation. Before a security threat materializes, you must continually learn about and identify the different external risks. To ensure security, you have to shift from the impossible task of preventing every intrusion to a series of tasks designed to limit loss.
Preventive measures are essential, but equally critical is minimizing the lag between early warnings and the responses to them. You must establish an effective monitoring and detection system to implement a secure system policy.
Recommended tools: Big Data Security Analysis Platform
In the ever-changing process of attack and defense, it is hard to defend successfully against every security vulnerability. You must prepare contingency policies for possible security emergencies, so that you can reduce the loss from an incident through quick responses, standardized emergency response processes, and established handling procedures.
Recommended tools: Manageable Security Service (MSS) and security incident emergency response service
Security is a continuously evolving contest between attackers and defenders. Cloud users are advised to keep verifying that their protective measures are in place and working properly. This ensures continuous and reliable business operations.
For more information, see the following hardening documents: