We have all seen it in the news lately: critical infrastructure and organizations being hit with ransomware attacks, bringing operations to a screeching halt. In many cases these ransoms are paid, which further incentivizes bad actors such as REvil, EvilCorp and DarkSide to continue their malicious attacks. As of May 2021, ransomware attacks have almost doubled, with 43% of all ransomware attacks affecting SMBs. The ransom amounts associated with these attacks have also been exponentially increasing, with the average ransom costing small to medium-sized businesses (SMBs) $380,000. It is widely speculated that most of these cyber criminals have international ties back to Russia, where they face little investigation or prosecution.
President Joe Biden has recently called on international governments to implement better safeguards and measures to deter such attacks, and on international leaders to do more to punish criminal organizations operating within their countries' borders. President Biden has gone so far as to issue a new executive order to address the increase in attacks such as those on the Colonial Pipeline and JBS meat packing. The hope is that this is the dawn of a new, technologically aware, cybersecurity-conscious government; one that responds and works in tandem with the private sector on better policies and procedures, such as “zero trust” models, and follows established cybersecurity frameworks such as NIST's.
What does this really mean for SMB owners, though? Surely these criminal organizations have no real want or need to capture and ransom the data of a relatively unknown “mom-and-pop” shop hoping to sell their beloved family-recipe cookies? Wrong. What is more evident now than ever is that cyber criminals do not discriminate when it comes to targets.
Criminal hackers' main objective is monetary gain, obtained through the mass accumulation of sensitive or business-critical data. Every “pwned” server or compromised company is a revenue stream or seed, and is fought for accordingly. Hackers do as much as they can to compromise environments and siphon as much information and data from their targets as possible, regardless of the target's size. When it comes to ransomware, victims have very few options, and sometimes it is easier to simply go back to the attackers to get your precious data back.
Not only is this a logistical nightmare for small businesses, but it also directly affects the way your customers see and trust your brand. Brand damage is one of the most critical consequences of a ransomware attack. In fact, recent surveys found that over 59% of people would likely not continue to support businesses affected by ransomware compromises. Remember the hit Target took when it was hacked? Even though that was a different type of attack on a large corporation, the same broken trust and massive impact can be life or death for a small business owner.
SiteLock understands that the average business owner might not have a cybersecurity incident response team, let alone the internal expertise, resources or bandwidth to implement their own cybersecurity playbooks and frameworks. However, the best way today's SMB can maintain a strong security posture is to prevent or deter a ransomware attack altogether. The following steps are intended to help prevent a ransomware attack on your website and give you better insight into some world-class security strategies.
Although it might sound like a kitschy phrase, the 3-2-1 backup is the tried-and-true way to maintain any sort of important backup: always keep 3 copies of your data, two of them “on-site” in differing formats or media, and one offsite or in the cloud. So, for a standard WordPress site, you could work with your hosting provider or with SiteLock to maintain 2 different backups.
For instance, one could be a host-maintained restore from a .zip file alongside a SiteLock download of your database in .sql format, either of which you can recover from. In most cases you will also want to keep a backup offsite, meaning you should avoid keeping your backups on the same network or server that hosts your services. You don't want your backups in a place an attacker may gain access to, leaving you empty-handed when disaster strikes.
Having a regular backup schedule also gives you a solid baseline image of your site when it is healthy and uncorrupted. A solid backup of your website can cripple a ransomware attack: if you have an up-to-date copy of your own data offsite, there is (in many cases) nothing of structural value for the attacker to hold for ransom. This holds only from a purely structural standpoint, however, because a backup restores your data but does not undo the disclosure of whatever was copied. If you store Personally Identifiable Information (PII), that information should have additional protections such as encryption and salting/hashing.
In most, if not all, cases where a ransom was not paid, a company's backup solution provided critical mitigation, letting it quickly address the compromise and bring operations back faster than those who did pay a ransom and had to wait for criminals to maybe decrypt their data. You never want this task left to the whims of a criminal hacker. They may return your data, but you can never trust that its integrity was left unscathed.
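As an added illustration of the 3-2-1 rule and the integrity point made above (this is not SiteLock's or the author's code), the Python script below backs up a constructed WordPress-style site to three destinations, records a SHA-256 manifest, and then verifies that three copies exist on two kinds of media with one offsite and that none of them has changed since it was taken. The directory names, media labels and the “cloud” destination are placeholders on local disk; a real deployment would point the offsite destination at a bucket or remote host.

```python
"""Added example (not SiteLock's or the author's code): take a backup to
three destinations, record a SHA-256 manifest, and verify both the 3-2-1 rule
and the integrity of every copy. All paths, media labels and site contents
below are constructed for the demonstration."""
import hashlib
import os
import shutil
import tarfile
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Destination:
    root: str      # directory that receives this copy (assumed layout)
    medium: str    # constructed label: "host-disk", "usb", "cloud", ...
    offsite: bool  # True when the copy is not on the web server's own network


def sha256_of(path):
    """Stream the file through SHA-256 so large archives do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(site_dir, db_dump, destinations, stamp="2021-06-01"):
    """Archive the site files once, copy archive + SQL dump to every
    destination, and return {destination root: {copy path: sha256}}.
    Keep the returned manifest away from the backups themselves."""
    manifest = {}
    with tempfile.TemporaryDirectory() as staging:
        archive = os.path.join(staging, f"site-{stamp}.tar.gz")
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(site_dir, arcname="site")
        for dest in destinations:
            os.makedirs(dest.root, exist_ok=True)
            entries = {}
            for src in (archive, db_dump):
                target = os.path.join(dest.root, os.path.basename(src))
                shutil.copy2(src, target)
                entries[target] = sha256_of(target)
            manifest[dest.root] = entries
    return manifest


def verify_backup(manifest, destinations):
    """Return a list of problems; an empty list means 3-2-1 holds and every
    copy still matches the digest recorded when it was taken."""
    problems = []
    if len(destinations) < 3:
        problems.append(f"only {len(destinations)} copies, need 3")
    if len({d.medium for d in destinations}) < 2:
        problems.append("copies are not on two different media")
    if not any(d.offsite for d in destinations):
        problems.append("no offsite copy")
    for dest in destinations:
        for path, expected in manifest.get(dest.root, {}).items():
            if not os.path.isfile(path):
                problems.append(f"missing: {path}")
            elif sha256_of(path) != expected:
                problems.append(f"modified: {path}")
    return problems


def demo():
    """Constructed end-to-end run: back up, verify, overwrite one on-site
    copy the way ransomware would, verify again."""
    with tempfile.TemporaryDirectory() as work:
        site = os.path.join(work, "public_html")
        os.makedirs(os.path.join(site, "wp-content", "uploads"))
        with open(os.path.join(site, "index.php"), "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        dump = os.path.join(work, "wordpress.sql")
        with open(dump, "w") as fh:
            fh.write("-- constructed placeholder dump\n")
        destinations = [
            Destination(os.path.join(work, "host-backups"), "host-disk", False),
            Destination(os.path.join(work, "usb-drive"), "usb", False),
            Destination(os.path.join(work, "cloud-bucket"), "cloud", True),
        ]
        manifest = make_backup(site, dump, destinations)
        clean = verify_backup(manifest, destinations)
        victim = os.path.join(destinations[0].root, "wordpress.sql")
        with open(victim, "wb") as fh:
            fh.write(b"\x00encrypted-by-attacker\x00")  # simulated in-place encryption
        tampered = verify_backup(manifest, destinations)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean run:", before or "OK")
    print("after tampering:", after)
```

Store the manifest somewhere the web server cannot write; if whoever encrypts the site can also rewrite the manifest, the integrity check proves nothing. Run verify_backup on a schedule rather than only at restore time, so a quietly corrupted copy is noticed while the good copies still exist.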
With many standard content management systems, you will need at least one admin account to make updates, post content or moderate the site overall. The principle of least privilege is another classic security strategy that can be applied across all sorts of platforms and services. When we talk about a small business website, we always want to make sure that administrative access is restricted to only a few people and that others are given only the permissions their roles require. Nothing more, nothing less.
This principle also covers permissions on the directories, files and other infrastructure your site needs to function. It may be quicker and easier to create admin accounts for everyone, but if one of those accounts is compromised, the consequences can be grave. Some areas of concern, and best practices for applying the least privilege principle, are the following:
A good start is to allow your database user only to read and write to the site's database. Again, every site and CMS is different, but having a strong password, keeping your database configuration file hidden and maintaining suitable database user permissions will make it much more difficult for a hacker to seriously compromise or ransom your database.
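The following Python script is an added example, not SiteLock's or the author's code: it reads the lines that MySQL or MariaDB print for SHOW GRANTS and flags anything beyond plain read/write on the site's own database. The grant lines, the account name wp_app and the database name wordpress are constructed samples; the two WEAK lines show the kind of grant a hurried installation leaves behind, and the two HARDENED lines show the least-privilege equivalent for the same account.

```python
"""Added example (not SiteLock's or the author's code): audit the lines that
MySQL/MariaDB print for SHOW GRANTS and flag anything beyond plain read/write
on the site's own database. Account and database names are constructed."""
import re

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"['`](?P<user>[^'`]*)['`]@['`](?P<host>[^'`]*)['`](?P<rest>.*)$",
    re.IGNORECASE,
)
# Server-level privileges a CMS account never needs; with stolen credentials
# they let an attacker read server files, alter other accounts, and so on.
ADMIN_PRIVS = {"FILE", "SUPER", "PROCESS", "SHUTDOWN", "RELOAD", "CREATE USER"}
# What a running site needs day to day.
ROUTINE_PRIVS = {"SELECT", "INSERT", "UPDATE", "DELETE"}

# Constructed samples: the grants a hurried install often leaves behind ...
WEAK = [
    "GRANT USAGE ON *.* TO 'wp_app'@'%'",
    "GRANT ALL PRIVILEGES ON *.* TO 'wp_app'@'%' WITH GRANT OPTION",
]
# ... and the least-privilege equivalent for the same account.
HARDENED = [
    "GRANT USAGE ON *.* TO 'wp_app'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `wordpress`.* TO 'wp_app'@'localhost'",
]


def audit_grant(line):
    """Return the findings for one SHOW GRANTS line (empty list = acceptable)."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        return [f"unparsed grant line: {line!r}"]
    privs = {p.strip().upper() for p in m["privs"].split(",")}
    scope, acct = m["scope"], f"{m['user']}@{m['host']}"
    findings = []
    if privs & {"ALL", "ALL PRIVILEGES"}:
        findings.append(f"{acct}: ALL PRIVILEGES on {scope}")
    if scope == "*.*" and privs != {"USAGE"}:   # USAGE on *.* only means "may log in"
        findings.append(f"{acct}: global scope *.* for {sorted(privs)}")
    if privs & ADMIN_PRIVS:
        findings.append(f"{acct}: server-admin privileges {sorted(privs & ADMIN_PRIVS)}")
    extra = privs - ROUTINE_PRIVS - ADMIN_PRIVS - {"USAGE", "ALL", "ALL PRIVILEGES"}
    if extra:
        findings.append(f"{acct}: beyond read/write: {sorted(extra)}")
    if "GRANT OPTION" in m["rest"].upper():
        findings.append(f"{acct}: WITH GRANT OPTION (can hand out privileges)")
    if m["host"] == "%":
        findings.append(f"{acct}: account may connect from any host")
    return findings


def audit_grants(lines):
    """Audit several lines; return {line: findings} for the lines with findings."""
    report = {}
    for line in lines:
        findings = audit_grant(line)
        if findings:
            report[line] = findings
    return report


if __name__ == "__main__":
    for label, grants in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, audit_grants(grants) or "no findings")
```

Some CMS or plugin upgrades create or alter tables. If yours does, grant CREATE, ALTER and DROP for the upgrade window, or through a separate maintenance account, rather than leaving them on the account the site uses every day.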
You will have to investigate your CMS or site to determine the best user hierarchy or structure. It is also very important never to share your passwords and to use only strong, random passwords. If you have a dev team, make sure they use a password management tool to manage their passwords and always use randomly generated passwords, as this helps prevent hackers from cracking your users' passwords.
Closely monitoring activity logs will also help you keep an eye on what users are doing and spot irregular changes made by particular users. This should also extend to other accounts, such as FTP users, users who access your site's server via SSH, or even users from third-party platforms. Two-Factor Authentication (2FA) is a great preventative measure to deter would-be bad actors from easily taking over an account, so apply 2FA wherever you can!
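To show what monitoring activity logs can catch, here is an added Python example (not SiteLock's or the author's code). The one-event-per-line key=value log format, the sample events, the list of admin-only actions and the role directory are all constructed; a real CMS activity log or SSH log needs its own parser, but the rules are the same: a burst of failed logins, a success right after that burst, privileged actions from the same address, and an account being promoted to administrator.

```python
"""Added example (not SiteLock's or the author's code): scan a site activity
log for the irregular user behaviour the article says to watch for. The
key=value log format, the sample events, the admin-only action list, the role
directory and the thresholds are constructed for the demonstration."""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                    # this many failed logins ...
FAIL_WINDOW = timedelta(minutes=10)   # ... from one IP inside this window
ADMIN_ONLY_ACTIONS = {"plugin_install", "theme_install", "user_create", "role_change"}
# Constructed directory of known accounts and the role each should hold.
# Accounts missing from it count as non-admin, so an unknown account
# performing an admin-only action is reported as well.
EXPECTED_ROLE = {"owner": "administrator", "editor_jane": "editor"}

# Constructed sample: a normal editor session, then a late-night credential
# guessing run that succeeds and is followed by privileged changes.
SAMPLE_LOG = """\
2021-06-01T09:02:11Z user=editor_jane action=login status=ok ip=198.51.100.7
2021-06-01T09:05:40Z user=editor_jane action=post_publish status=ok ip=198.51.100.7
2021-06-01T23:41:02Z user=owner action=login status=failed ip=203.0.113.5
2021-06-01T23:41:09Z user=owner action=login status=failed ip=203.0.113.5
2021-06-01T23:41:15Z user=owner action=login status=failed ip=203.0.113.5
2021-06-01T23:41:22Z user=owner action=login status=failed ip=203.0.113.5
2021-06-01T23:41:30Z user=owner action=login status=failed ip=203.0.113.5
2021-06-01T23:42:01Z user=owner action=login status=ok ip=203.0.113.5
2021-06-01T23:43:10Z user=owner action=plugin_install status=ok ip=203.0.113.5
2021-06-01T23:44:55Z user=owner action=role_change status=ok ip=203.0.113.5 target=editor_jane new_role=administrator
"""


def parse_event(line):
    """Turn '2021-...Z k=v k=v' into a dict with a datetime under 'ts'."""
    stamp, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in rest.split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def analyse(log_text):
    """Return a list of human-readable findings, in log order."""
    findings = []
    failures = defaultdict(list)   # ip -> timestamps of recent failed logins
    burst_ips = set()              # ips that already crossed the threshold
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_event(line)
        who = f"{e['user']}@{e['ip']} at {e['ts']:%Y-%m-%d %H:%M}"
        if e["action"] == "login" and e["status"] == "failed":
            recent = failures[e["ip"]]
            recent.append(e["ts"])
            while recent and e["ts"] - recent[0] > FAIL_WINDOW:
                recent.pop(0)      # drop failures that fell out of the window
            if len(recent) >= FAIL_THRESHOLD and e["ip"] not in burst_ips:
                burst_ips.add(e["ip"])
                findings.append(f"login failure burst from {e['ip']} "
                                f"({len(recent)} failures within {FAIL_WINDOW.seconds // 60} min)")
        elif e["action"] == "login" and e["ip"] in burst_ips:
            findings.append(f"successful login after failure burst: {who}")
        if e["action"] in ADMIN_ONLY_ACTIONS:
            if EXPECTED_ROLE.get(e["user"]) != "administrator":
                findings.append(f"admin-only action {e['action']} by non-admin account: {who}")
            elif e["ip"] in burst_ips:
                findings.append(f"admin-only action {e['action']} from IP with earlier failure burst: {who}")
        if e["action"] == "role_change" and e.get("new_role") == "administrator":
            findings.append(f"{e.get('target', '?')} promoted to administrator by {who}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The thresholds are deliberately simple; what makes the rules useful is the correlation, in that a burst of failures alone is noise on any public site, while a burst followed by a success and then a plugin install or a role change from the same address is the sequence a takeover actually produces.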
Outside of setting secure permissions on files and directories, finding ways to hide important directories and files is another great way to deter would-be hackers from gaining insight into how your site operates and its potential vulnerabilities. On most sites, you can use .htaccess rules to simply steer people away from directories and files you do not wish them to see or access. Server environment variables can also help hide important website or application configuration from those who might have unauthorized access to your site's files and directories.
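As an added example of checking the file and directory side of least privilege (not SiteLock's or the author's code), the Python script below walks a web root and reports world-writable files and directories, a configuration file readable by everyone, database dumps and archives left inside the document root, version-control directories, and PHP files sitting in the uploads directory. The site tree and file modes it builds are constructed; the 755/644 thresholds and the 640-or-tighter expectation for wp-config.php are the common WordPress hardening guidance.

```python
"""Added example (not SiteLock's or the author's code): walk a web root and
report the permission and exposure problems a hardening review looks for.
The directory tree and file modes are constructed; the thresholds assume the
common WordPress guidance of 755 for directories, 644 for files and 640 or
tighter for wp-config.php."""
import os
import stat
import tempfile

SECRETS_FILES = {"wp-config.php", ".env", ".htpasswd"}
DUMP_SUFFIXES = (".sql", ".zip", ".tar.gz", ".bak", ".old")
VCS_DIRS = {".git", ".svn"}
SCRIPT_SUFFIXES = (".php", ".phtml", ".phar")


def audit_tree(web_root):
    """Return sorted (relative path, problem) pairs for everything under web_root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        rel_dir = os.path.relpath(dirpath, web_root)
        for name in dirnames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            mode = stat.S_IMODE(os.stat(os.path.join(dirpath, name)).st_mode)
            if name in VCS_DIRS:
                findings.append((rel, "version-control directory inside web root"))
            if mode & stat.S_IWOTH:
                findings.append((rel, f"world-writable directory ({mode:o})"))
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            mode = stat.S_IMODE(os.stat(os.path.join(dirpath, name)).st_mode)
            if mode & stat.S_IWOTH:
                findings.append((rel, f"world-writable file ({mode:o})"))
            if name in SECRETS_FILES and mode & stat.S_IROTH:
                findings.append((rel, f"secrets file readable by everyone ({mode:o})"))
            if name.endswith(DUMP_SUFFIXES):
                findings.append((rel, "backup or dump left inside web root"))
            if "uploads" in rel.split(os.sep) and name.endswith(SCRIPT_SUFFIXES):
                findings.append((rel, "server-side script inside uploads directory"))
    return sorted(findings)


def demo():
    """Build a constructed site tree with typical mistakes and audit it."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "public_html")
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        os.makedirs(os.path.join(root, ".git"))   # deploy clone left in place
        for d in (root, os.path.join(root, "wp-content"), os.path.join(root, ".git")):
            os.chmod(d, 0o755)                    # explicit, so umask does not matter

        def put(rel, mode, body="<?php // constructed placeholder\n"):
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)

        put("index.php", 0o644)                   # fine
        put("wp-config.php", 0o644)               # should be 0o640 or 0o600
        put("backup-2021.sql", 0o644, "-- constructed dump\n")
        put(os.path.join("wp-content", "uploads", "image.php"), 0o644)
        os.chmod(uploads, 0o777)                  # should be 0o755
        return audit_tree(root)


if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{rel}: {problem}")
```

Run it against the real document root as the web server user or root, then pair it with .htaccess rules that deny direct requests to wp-config.php and turn off directory listing, so that a file which must exist is at least not served.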
SiteLock can help by automatically warning you when things on your site are out of date. Over 50% of sites cleaned by SiteLock's Website Security Analysts were compromised due in part to out-of-date themes, plugins or other third-party software packages. Using verified third-party software, or packages that are regularly updated and maintained, also helps reduce your susceptibility to vulnerable plugins.
At the end of the day, maintaining regular backups in multiple accessible places is one of the strongest ways to mitigate a ransomware attack on your site. Implementing other preventative measures – such as limiting the privileges of database users, website users, admins and developers – helps ensure you have strong user authorization and a means to monitor what users are doing on your site. Understanding the minimum file and directory permissions your site needs to function also helps keep cyber criminals from compromising it. Finally, regularly reviewing and updating your site's CMS and any third-party packages or modules helps ensure you're not leaving the door open for cyber criminals to reach your site's important database records or files.
As a recognized leader in the cybersecurity industry, SiteLock is here to help. Speak with a SiteLock Website Security Analyst to learn more about preventing ransomware and other cyber threats and let us help you start protecting your website today.
Daniel Convery is a Website Security Analyst. When not studying for security certifications or figuring out interesting bash one-liners, you can find him making weird noises with one or more of his synthesizers or playing some boomer-shooters.