Ransomware menace: what we can do

Call +974-66709152
Nov 29, 2019

As there were multiple ransomware attacks in Doha, Qatar in recent months, we started receiving many questions from the public and particularly from our clients. Qatar’s popular WhatsApp group of system admins, “Techies Qatar”, has been flooded with messages.

I will try to summarize here what we know and what we can and cannot do about this menace. Send an email to support@htsqatar.com if you have any questions.

1- What is ransomware in layman’s terms?
A: It is a computer program that encrypts your files and later demands money from you to decrypt them. Once your files are encrypted, you can use them only after getting a key from the attackers and decrypting them.

2- How does that program reach my computer?
A: Like a virus or spyware, ransomware reaches your computer by using a vulnerability in the computer.

3- What vulnerability?
If you have not installed the latest security patches and service packs from the OS maker (Microsoft in most cases), your system is vulnerable. You also need good anti-virus software, updated regularly, on your computer and a firewall on your network.

Stop using end-of-life OSes like Windows XP, 7, Server 2008, 2012 and even 2016. Use the latest OS with the latest security patches.

4- Which is more important, security patches or anti-virus?
Security patches and bug fixes.

5- How about firewalls?
Windows has a built-in firewall; keep it on always. For company servers and the like, read the later part.

6- My files are already encrypted by ransomware. What should I do?
You would have to be very lucky to get the files back. You can, of course, pay the ransom and get the decryption key, but many people here in Qatar did not get the key even after payment. They are a criminal mafia, and you cannot expect decency from them.

7- Someone offered me some tools for decryption. Will that work?
Not necessarily. Encryption software uses a 128- or 256-bit key for encryption; if you don’t have the key, a supercomputer would take 80 years or so to decrypt it. But as ransomware makers are lazy, they reuse old encryption keys, and victims share them with other victims. Some even resell them. It may work. Try it if it is free; otherwise, no.

8- What are the most common mistakes sysadmins make that get companies attacked by ransomware?
In Doha, Qatar, we have observed that most attacks happened on servers through Remote Desktop. Stop allowing Remote Desktop to servers from the public internet. If it is required, allow it only through a VPN. Change the default port from 3389 to some other random number. Help is available all over the internet.
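The Remote Desktop advice above, as an added example (not code from the original post): a PowerShell audit run on the Windows server itself that reports whether RDP is enabled, which port it listens on, which inbound firewall rules open that port and to whom, and who is connected right now. The registry keys and cmdlets are the standard Windows ones; $VpnSubnet is an assumed value.

```powershell
# Added example (not from the original post): audit how a Windows server exposes
# Remote Desktop, so RDP can be restricted to the VPN as the post advises.
# Run in an elevated PowerShell on the server.
$VpnSubnet = '10.8.0.0/24'   # ASSUMPTION: address range your VPN clients use

$tsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey  = "$tsKey\WinStations\RDP-Tcp"
$enabled = (Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0
$port    = (Get-ItemProperty -Path $rdpKey).PortNumber
$nla     = (Get-ItemProperty -Path $rdpKey).UserAuthentication -eq 1

Write-Host "RDP enabled : $enabled"
Write-Host "RDP port    : $port (default is 3389)"
Write-Host "NLA required: $nla"

# An enabled inbound allow rule that opens the RDP port to 'Any' remote address
# is exactly what the post warns about: the whole internet can reach the server.
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$port" }
foreach ($r in $rules) {
    $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        Write-Warning "Rule '$($r.DisplayName)' allows RDP port $port from ANY address"
    } else {
        Write-Host "Rule '$($r.DisplayName)' allows RDP port $port from: $($remote -join ', ')"
    }
}

# Established RDP sessions with their peer address: a public source address
# means the port is reachable from outside, not only through the VPN.
Get-NetTCPConnection -LocalPort $port -State Established -ErrorAction SilentlyContinue |
    Select-Object RemoteAddress, RemotePort, OwningProcess

# Remediation matching the post's advice: scope the built-in Remote Desktop
# rules to the VPN subnet only. Review the output above before uncommenting.
# Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $VpnSubnet
```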

9- How about hardware firewalls like SonicWall, Sophos, Fortinet, Palo Alto, etc.?
There is no guarantee that they will protect you from a ransomware attack. They will prevent hackers from attacking your network to an extent. You can also create VPN tunnels through these firewalls. A company without a firewall is anyway like a house without doors.

10- What kind of ransomware attack can a firewall not stop?
Ransomware spread through email is generally not stopped by firewalls. Also, if you have allowed Remote Desktop (or any other port) in the firewall rules, the firewall will not check the traffic through that port for ransomware.

11- Which firewall is the best?
All the firewalls use the same signatures, a bit more or less, so there is not much difference in protection. Look for easy-to-manage, less costly firewalls with cheaper subscription prices. The same applies to anti-viruses. Most of the blah blah you hear from marketing people is meaningless.

12- How do I protect against a ransomware attack through email?
There is no guaranteed solution. Make sure your email provider has well-protected servers (Microsoft 365, Google Apps, etc.). If you host email on your own premises, use a good anti-spam solution like Barracuda. Educate users not to click on phishing mail attachments.

12- As you always say there is no 100% guaranteed protection, what should I do?
Backup, backup, backup, backup, backup ... and backup.

13- I heard reports that even backups got encrypted?
That is because the backups were not well planned. Some lazy system administrators simply run an automated backup to a NAS or another computer. If the NAS is connected to the network, it will also get encrypted. It is very important to have backups off-line or off-site. Do not overwrite the backup for at least one week; even if you lose today’s backup, you must be able to recover yesterday’s.
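The backup planning above, as an added example (not code from the original post): a PowerShell job that writes each day’s backup into its own dated folder, keeps at least the last seven days so yesterday’s copy survives if today’s is encrypted, and warns when the destination is a network location that stays connected. $Source and $Dest are assumed paths.

```powershell
# Added example (not from the original post): daily backup into a dated folder,
# retaining the last $KeepDays sets, as the post asks. Schedule it daily.
$Source   = 'D:\CompanyData'   # ASSUMPTION: data to protect
$Dest     = 'E:\Backups'       # ASSUMPTION: disk that is disconnected after the job
$KeepDays = 7                  # post: do not overwrite the backup for at least a week
$today    = Get-Date -Format 'yyyy-MM-dd'
$target   = Join-Path $Dest $today

# A backup volume that stays online is reachable by the same ransomware that
# reaches the file server. Warn when $Dest is a UNC path or a mapped drive.
$drive = Get-PSDrive -Name $Dest.Substring(0,1) -ErrorAction SilentlyContinue
if ($Dest -like '\\*' -or ($drive -and $drive.DisplayRoot -like '\\*')) {
    Write-Warning "$Dest is a network location; an always-connected NAS gets encrypted too"
}

if (-not (Test-Path $target)) {
    # /E copies subfolders; /R:1 /W:1 stops a locked file from stalling the job
    robocopy $Source $target /E /R:1 /W:1 /NP /LOG+:"$Dest\backup-$today.log" | Out-Null
    if ($LASTEXITCODE -ge 8) { Write-Error "robocopy reported failures, see the log"; exit 1 }
} else {
    # Never overwrite an existing set: a second run today must not destroy the copy
    Write-Host "Backup set for $today already exists; not overwriting it"
}

# Prune only sets older than the newest $KeepDays dated folders.
$sets = Get-ChildItem -Path $Dest -Directory |
    Where-Object { $_.Name -match '^\d{4}-\d{2}-\d{2}$' } |
    Sort-Object Name -Descending
$sets | Select-Object -Skip $KeepDays | ForEach-Object {
    Write-Host "Pruning old backup set $($_.Name)"
    Remove-Item $_.FullName -Recurse -Force
}

# Verify the retention the post asks for: one set for each of the last $KeepDays days.
$missing = 0..($KeepDays - 1) |
    ForEach-Object { (Get-Date).AddDays(-$_).ToString('yyyy-MM-dd') } |
    Where-Object { -not (Test-Path (Join-Path $Dest $_)) }
if ($missing) { Write-Warning "No backup set for: $($missing -join ', ')" }
else { Write-Host "Daily backup sets present for the last $KeepDays days" }
```

Disconnect or power off the backup disk after the job finishes; a set the ransomware cannot reach is the only one guaranteed to survive.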

14- What is the legal requirement in Doha in case of a cyber-attack?
You have to report it by calling +974 4493 3408 (24 x 7 service) or emailing incidents@qcert.org. It is very important; please do follow their advice.

15- Can all of us system administrators in Doha, Qatar sit together and discuss these things?
Well, if most of you are interested.

— — — — — — — — — — — — — — — — —

Contact us on 44775632 or 66709152, send an email to support@htsqatar.com, or visit our websites www.htsqatar.com or www.tekstore.qa.


Staffers from htsqatar.com, claudion.com and tekstore.qa blog here. Mostly technical updates, often personal.