Combating Ransomware in Post Production Operations

Ransomware was a hot topic this last weekend. In a developing story, Britain’s National Health Service was hit by a major attack, with other targets worldwide including FedEx, Deutsche Bahn, Telefonica, Nissan, and Renault. And while not quite the same flavor of ransomware, even Netflix and Disney were recently targeted in high profile attacks.

Extortion attempts like these bring to light the fact that no person or company with important data can blissfully ignore the threat. In fact, post production may be a ripe target.

Ransomware is an especially nefarious type of malware. It usually finds its way onto a computer through unsafe messaging attachments, and once it infects a computer it looks for any storage it can access. It then attempts to encrypt your files, effectively locking you out of them, then it demands payment to restore access. If you pay the ransom there’s no guarantee that your files will actually be restored.

Essentially, every storage device to which an infected computer can write is potential treasure for ransomware. And post production, with its immense appetite for storage, offers a larger than typical attack surface — ransomware can affect not just your personal computer’s hard drive, but also disks connected via USB and Thunderbolt, as well as NAS and SAN network storage. And yes, cloud storage may also be affected.

A Welcome Mat for Ransomware

Each “endpoint” — any device that connects to your network/storage devices — represents a possible welcome mat for ransomware to gain access to data and begin its destruction. The more endpoints with write access to storage systems, the more potential vulnerabilities you have.

Most companies naturally fall into practices that favor convenient access to digital assets over securing those assets. Post production is no exception. We want everything spinning, online, mounted, ready, available everywhere, and now. But in exchange for that undeniable efficiency and convenience there must be some administrative and procedural measures in place to keep things humming along.

While antivirus software can handle familiar threats, it is of little to no use against attacks that use new malware or variants of existing ransomware. Reasonable countermeasures can be put in place to help prevent ransomware from entering your organization, and to minimize its consequences should you be infected.

These tips are written with shared storage users in mind, but most are applicable no matter what systems you’re using. Following these tips can help minimize your attack surface and mitigate the severity if your operations do fall victim to a ransom incident.

Tips for Ransomware Prevention and Mitigation

  1. Backup! — (Of course, right?!) Backing up important data is the single most effective way to combat ransomware and minimize its consequences if you are affected. Synchronizing is not the same thing as backup — if you’re hit by ransomware, your synchronized sets of data are also at risk of being encrypted, because the sync will faithfully copy the encrypted files over the good ones. (We recommend using EVO Nearline, any backup software, and/or going straight to an archive solution like Storage DNA.)
  2. Spread out — Keep multiple backups of critical data, and store your backups in physically separate locations.
  3. Offline your backups — Keep backup destinations read-only or offline when possible. A backup that an infected workstation can write to is just another volume waiting to be encrypted.
  4. Communicate — Ensure that all users are made aware of the threat of opening unsolicited emails and attachments or visiting unfamiliar websites. Put steps in place to make users aware of their role in helping to actively prevent malicious software from destroying your company’s data.
  5. All your eggs in one basket? — Avoid storing everything in one massive volume. Having a single large shared space for everyone is certainly convenient, but it also comes with serious risk potential if any of your computers become infected with ransomware.
  6. Do a permissions audit — Don’t give all users access to everything. Keep media and library volumes read-only for all users except those who ingest. This one tip alone can keep the majority of your data shielded from ransom attempts, since ransomware can only encrypt what the infected account can write. (You can do this on EVO from the NAS & Project Sharing page.) Give write permissions only to required users, and only for required storage/shares.
  7. Unmount! — Only mount what you need, when you need it. Unmount what’s not in use. Going a step further: Close your applications and sign out of your computer when done.
  8. Don’t ignore nearline — Configure nearline storage so that it has the fewest endpoints possible with write access. Preferably, do migrations server-side or have just one or two secure computers that can migrate data between systems.
  9. Out with the old — Use a modern OS and stay up-to-date with security patches. Sometimes, being on the bleeding edge of a new OS version isn’t the best thing to do either, but, if you’re still seeing gradients in your OS… it’s time to upgrade.
  10. Check endpoint configuration — Email is one of the main infection methods. Keep production workstations configured with only the software needed for production work, and avoid using these systems for email. According to Microsoft, “…the best solution to ransomware is to be safe on the Internet and with emails and online chat.”
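As an added example of what the permissions audit in tip 6 (and the read-only backup destinations in tip 3) looks like in practice, here is a small Python script that walks a POSIX-mounted volume and reports every path a given user could still write to. It is not code from the original post, EVO, or Storage DNA; it assumes a Linux or macOS mount, evaluates only classic owner/group/other mode bits (POSIX ACLs, SMB share-level permissions, and root privilege are ignored), and builds its own constructed sample volume in a temporary directory with placeholder files. The uid and gid values for the "editor" principal are assumptions chosen so they match no real account.

```python
# Added example (not from the original post or from EVO): a least-privilege
# audit of a POSIX-mounted media volume. It lists every path a given user
# could still write to, so media/library shares that are meant to be read-only
# for editors can be verified instead of assumed. Only classic mode bits are
# evaluated; POSIX ACLs, SMB share ACLs and root privilege are ignored.
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A user as the filesystem sees them: uid plus the gids they belong to."""
    name: str
    uid: int
    gids: frozenset


def can_write(st: os.stat_result, who: Principal) -> bool:
    """POSIX mode-bit check: owner bits, else group bits, else 'other' bits."""
    if st.st_uid == who.uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in who.gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def writable_paths(root: str, who: Principal) -> list:
    """Every directory and regular file under root that `who` could modify.
    A writable directory matters as much as a writable file: ransomware needs
    it to drop the encrypted copy and delete the original."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for path in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # mode bits on the symlink itself are not meaningful
            if can_write(st, who):
                found.append(os.path.relpath(path, root))
    return sorted(found)


def audit_volume(root: str, principals, allowed_writers) -> dict:
    """Tip 6 as a check: map each principal who is NOT an allowed writer to the
    paths they can nevertheless write. An empty dict means the volume is
    read-only for everyone except the ingest accounts."""
    violations = {}
    for who in principals:
        if who.name in allowed_writers:
            continue
        paths = writable_paths(root, who)
        if paths:
            violations[who.name] = paths
    return violations


def make_demo_volume() -> str:
    """Constructed sample volume in a temp dir (placeholder files, not real media).
    One library file is deliberately mis-set to world-writable."""
    base = tempfile.mkdtemp(prefix="ransom_audit_")
    media = os.path.join(base, "media")
    os.makedirs(media)
    clip = os.path.join(media, "A001_C001.mov")
    library = os.path.join(media, "LIBRARY.fcpbundle")
    for path in (clip, library):
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 16)
    os.chmod(media, 0o755)    # owner (ingest) may add/delete; everyone else read-only
    os.chmod(clip, 0o644)     # correct: read-only for non-owners
    os.chmod(library, 0o666)  # wrong: any account on the box can overwrite it
    return base


def run_demo() -> dict:
    """Audit the constructed volume: 'ingest' owns it, 'editor' is an unrelated uid."""
    base = make_demo_volume()
    try:
        principals = [
            Principal("ingest", os.getuid(), frozenset({os.getgid()})),
            Principal("editor", 999_999, frozenset({999_998})),  # assumed unused ids
        ]
        media = os.path.join(base, "media")
        return audit_volume(media, principals, allowed_writers={"ingest"})
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for user, paths in run_demo().items():
        print(f"{user} can write to: {', '.join(paths)}")
```

Run it against a real mount point instead of the demo volume by calling `audit_volume("/Volumes/Media", principals, {"ingest"})` with one `Principal` per account that logs into a workstation; anything it reports for an editor account is a path that a ransomware infection on that editor's machine could encrypt. The same call on a backup destination should return an empty dict for every account except the one that runs the backup job.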

For more information on ransomware visit the “No More Ransom” project, an international organization of anti-cybercrime agencies, Kaspersky Lab, and Intel Security. The project aims to educate users about how ransomware works and what countermeasures can be taken to effectively prevent infection, with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.