Ransomware Protection - What are you Doing

nwalker

Affiliate Guard Dog Member
Joined
Nov 20, 2013
Messages
63
Reaction score
56
If you're like me, the ransomware issue over at GPWA has got me looking at what I do to protect myself from such a situation.

I have two approaches.

Firstly, prevention - stop it happening in the first place.
Secondly, if it does, how can I recover from it?

Rather simplistically, for 1, I make sure all systems are patched up to date, plugins are current and supported, security is configured for least privilege, I use strong passwords, never open suspect emails and never click on links in emails at all, regardless of sender.

For 2, I do regular full backups, keep a copy on site and store a copy off site. I test my restores once a quarter to make sure I can recover.

I probably do other bits and pieces.

What do you do that's different or in addition? Let's help each other keep our sites running.
 
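nwalker's second part (full backups, an off-site copy, and a quarterly restore test) written out as a script. This is an added example, not nwalker's own tooling: the paths are placeholders, it assumes a Linux host with GNU tar and sha256sum, and the "off-site" copy is simulated by a second local directory (in practice that would be a push to storage the web server's own credentials cannot delete from, so ransomware on the box cannot reach it).

```bash
#!/usr/bin/env bash
# Added example: full site backup with an off-site copy and a restore drill.
# Paths are placeholders, not the poster's setup. BACKUP_DIR must sit outside
# SITE_DIR or the archive would swallow its own older copies.
set -eu

# make_backup SITE_DIR BACKUP_DIR OFFSITE_DIR
# Archives SITE_DIR into BACKUP_DIR, records the archive's SHA-256 next to it,
# copies both to OFFSITE_DIR (stand-in for real off-site storage) and prints
# the archive path.
make_backup() {
    local site_dir="$1" backup_dir="$2" offsite_dir="$3"
    local stamp archive
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$backup_dir/site-$stamp.tar.gz"
    mkdir -p "$backup_dir" "$offsite_dir"
    tar -czf "$archive" -C "$(dirname "$site_dir")" "$(basename "$site_dir")"
    # The checksum file names the archive relatively, so `sha256sum -c`
    # works from any directory that holds both files (on site or off site).
    ( cd "$backup_dir" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
    cp "$archive" "$archive.sha256" "$offsite_dir/"
    printf '%s\n' "$archive"
}

# test_restore ARCHIVE SITE_DIR
# The restore drill: verify the checksum, unpack into a scratch directory and
# compare with the live tree. Returns 0 only when the checksum is intact and
# the restored files match; a backup that fails either test is not a backup.
test_restore() {
    local archive="$1" site_dir="$2"
    local scratch rc
    ( cd "$(dirname "$archive")" && sha256sum -c --status "$(basename "$archive").sha256" ) || return 1
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch"
    rc=0
    diff -r "$scratch/$(basename "$site_dir")" "$site_dir" > /dev/null || rc=$?
    rm -rf "$scratch"
    return "$rc"
}

# Usage (assumed): `backup` from cron, `drill` by hand each quarter.
if [ "${1:-}" = "backup" ] && [ $# -eq 4 ]; then
    make_backup "$2" "$3" "$4"
elif [ "${1:-}" = "drill" ] && [ $# -eq 3 ]; then
    test_restore "$2" "$3" && echo "restore drill OK"
fi
```

The drill compares against the live tree, which is what you want while the site is healthy; after an incident the live tree is exactly what you do not trust, and the drill then tells you only that the archive is intact, not that its contents are clean.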

forumsaddict_reboot

Affiliate Guard Dog Member
Joined
Dec 5, 2018
Messages
64
Reaction score
18
Most hacking is done through "social engineering" tactics. Getting access to account passwords by spoofing emails is not that hard, especially when the target is not technically savvy.

Senior staff members at GPWA aren't high on the tech knowledge grid. Most were born in the 60s and the 70s.
 

forumsaddict_reboot

Affiliate Guard Dog Member
Joined
Dec 5, 2018
Messages
64
Reaction score
18
Also, all attacks require motivation. The two biggest being:

1. Money
2. Personal animosity

Money wins, but this also means that they need to have inside knowledge of what a website is making. This looks like a "targeted" attack, so whoever is behind it knows a lot more.

Russians do this for a living but they mass attack vulnerable computers. It doesn't work most of the time, because a granny would just stop using a computer she can't turn on.
 

nwalker

Affiliate Guard Dog Member
Joined
Nov 20, 2013
Messages
63
Reaction score
56
forumsaddict_reboot said:
Most hacking is done through "social engineering" tactics. Getting access to account passwords by spoofing emails is not that hard, especially when the target is not technically savvy.

Senior staff members at GPWA aren't high on the tech knowledge grid. Most were born in the 60s and the 70s.

That's quite a generalisation and not one that I concur with. Having been born in the 60s myself, started my work on the early mainframes, and grown up with the technology as it has evolved, I feel I am more than qualified to understand the technical world we live in. In fact I suspect the same is true of the old timers at GPWA.

Hopefully how the attack occurred will be revealed so we can all learn from it.

Perhaps you'd like to enlighten us Senior members on the precautions you're taking, so we can make sure we're up to speed with the latest techniques :)
 

justbookies

Affiliate Guard Dog Member
Joined
Oct 30, 2007
Messages
49
Reaction score
20
This may be a naive question. My sites are simple, unlike a forum, and get backed up externally once a day to a paid service that works great. It takes minutes to migrate to a new server, once the server is ready. Surely the site at GPWA is backed up in near real time, as it is dynamically changing? At worst, there must be at least a daily backup? I assume they still have access to their nameservers / DNS? Can't they migrate to a new server using the latest backup and point DNS to that new server? If the server blew up you could do this, so why not in the current situation? GPWA may lose half a day of posts or whatever the time lag is from backup to when the site went down, but they'd be up and running again. Or would this ransomware attack somehow stop you from controlling your own DNS?
 

aggerd

New Member
Joined
Oct 24, 2019
Messages
24
Reaction score
3
It would also depend on the hack itself a lot. If some code was injected months ago, even if they had several versions of backups, they could all be infected.
 

AussieDave

24 years & still going!
Joined
Nov 28, 2013
Messages
5,103
Reaction score
3,607
aggerd said:
It would also depend on the hack itself a lot. If some code was injected months ago, even if they had several versions of backups, they could all be infected.

I was about to post the same thing. I'm surprised they didn't use https://sucuri.net/, even cloudflare is a great option.
 

Frank

Affiliate Guard Dog Member
Joined
Jan 7, 2015
Messages
939
Reaction score
466
Most servers auto back up every couple of days at the least. I personally use various layers of security; typically I get anything from 200-3000 attempts daily.
 

Strider1973

Affiliate Guard Dog Member
Joined
Oct 26, 2015
Messages
115
Reaction score
100
What I understand is that there was a ransomware attack and that several sites are offline. So this means the server is compromised. So someone had access to it and was able to upload ransomware to it.
I'm not an expert but I would take my backups and launch the sites on a new server to be back online fast. Plus hire an expert to find out the cause of the attack. Often it's even possible for noobs to find it out, just by checking for suspicious files and by checking the dates the files were last changed.

Even if no backups were configured (which should not happen for more important sites...!) the webhost should have a backup ready.

I personally save backups locally, and as I don't change my sites much anymore, I don't have to do this too often.
 
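The check Strider1973 describes (look for suspicious files and recent change dates) and the worry aggerd raised (code injected months ago sits in every backup since) both come down to one question: which files differ from a state you trust? Below is an added example, not any poster's own tooling, that answers it with a hash manifest rather than dates, and includes the date-based triage as a first look. Paths are placeholders; it assumes GNU coreutils and awk, and file names without spaces.

```bash
#!/usr/bin/env bash
# Added example: find files added or changed since a known-good state.
# Paths are placeholders, not any poster's setup.
set -eu

# make_manifest ROOT OUT
# Records "sha256  ./relative/path" for every regular file under ROOT.
# Take the baseline from a tree you trust (fresh WordPress/plugin files plus
# your own content) and store it somewhere the web server cannot write to.
make_manifest() {
    local root="$1" out="$2"
    ( cd "$root" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$out"
}

# compare_manifests BASELINE CURRENT
# Prints ADDED / MODIFIED / REMOVED lines; returns 1 if anything differs,
# 0 if the trees are identical. Run it against the live tree and against
# the manifest of each backup you are thinking of restoring: a backup taken
# after the injection shows the same ADDED/MODIFIED lines and is not clean.
compare_manifests() {
    local base="$1" cur="$2"
    # Tag each line with its origin so a single awk pass can keep two maps.
    { sed 's/^/B /' "$base"; sed 's/^/C /' "$cur"; } | awk '
        $1 == "B" { base[$3] = $2; next }
                  { cur[$3]  = $2 }
        END {
            n = 0
            for (p in cur) {
                if (!(p in base))           { print "ADDED " p;    n++ }
                else if (base[p] != cur[p]) { print "MODIFIED " p; n++ }
            }
            for (p in base) if (!(p in cur)) { print "REMOVED " p; n++ }
            exit n ? 1 : 0
        }'
}

# recently_changed ROOT DAYS
# The quick triage by modification date: files changed in the last DAYS days.
# Useful as a first look, but an intruder can reset mtimes with touch, so the
# hash comparison above is the check to rely on.
recently_changed() {
    local root="$1" days="$2"
    find "$root" -type f -mtime "-$days"
}
```

Against a ransomware scenario the manifest also tells you which backup generation to go back to: compare each backup's manifest with the baseline, and restore the newest one that shows no unexplained ADDED or MODIFIED files in code directories (content uploads will legitimately change; PHP files under wp-admin, wp-includes or a plugin you did not update should not).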

casinobonusguy

Affiliate Guard Dog Member
Joined
Sep 18, 2008
Messages
319
Reaction score
53
It seems crazy to me that this network can be offline a week. We have our own physical servers but one is used only for backups. We did have a site get hacked a couple of years ago but within an hour we had an older copy live and we learned the hard way that older plugins are usually the culprit. We got rid of about 10 directories just because it was too much to maintain and not worth having crappy sites share hosting with your money makers. What I am most shocked about is admitting that you paid to get your site back; that will make them more vulnerable in the future.
 

AussieDave

24 years & still going!
Joined
Nov 28, 2013
Messages
5,103
Reaction score
3,607
Strider1973 said:
I personally save backups locally, and as I don't change my sites much anymore, I don't have to do this too often.

I'm the same. Aside from maybe a banner change here and there, everything else doesn't change much. I keep local backups on an external HDD. And, if I need to change something, then it's done on a staging PC that's not connected to the net. My server takes backups daily, but a backup is only as good as the info contained in said backup.

As far as hardening WP, I use a dedicated IP (from my ISP), and use htaccess for that in the wp-admin folder. I tend to use a very small footprint of plugins; really only those I need which would take too long to code otherwise. I have changed the server to LiteSpeed, and also use the WP LiteSpeed plugin. As far as keeping the crap out... I simply block traffic from anything other than ISPs. I also block browsers greater than 3 versions old. There's a few other precautions I take, which to date seem to do the trick.

If someone is determined to hack you, they will find a way. However, most bots etc., are seeking vulnerabilities. So stopping them at the front gate per se, means they'll seek out softer targets.
 
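The wp-admin restriction AussieDave mentions, written out as an added example; it is not his actual file. It assumes Apache 2.4 with mod_authz_core and AllowOverride enabled for the site (LiteSpeed reads the same .htaccess syntax), and 203.0.113.25 is a documentation address standing in for the poster's dedicated ISP IP.

```apacheconf
# /var/www/html/wp-admin/.htaccess   (path assumed)
# Only the fixed ISP address reaches the dashboard; everyone else gets 403.
<IfModule mod_authz_core.c>
    Require ip 203.0.113.25
    # Several addresses or a small block can be listed on one line:
    # Require ip 203.0.113.25 203.0.113.0/29
</IfModule>

# admin-ajax.php lives inside wp-admin but is called by themes and plugins
# for ordinary visitors; re-open it or front-end features break.
<Files "admin-ajax.php">
    Require all granted
</Files>

# /var/www/html/.htaccess   (site root, path assumed)
# wp-login.php sits in the site root, not in wp-admin, so the same rule is
# needed here or the login form stays reachable from anywhere.
<Files "wp-login.php">
    Require ip 203.0.113.25
</Files>
```

Two checks before relying on this: if the site sits behind Cloudflare or another proxy, Apache sees the proxy's address, not yours, so the rule needs mod_remoteip configured with the proxy's ranges or it will either lock you out or admit everyone the proxy forwards; and if the ISP ever changes your "dedicated" address you are locked out of the dashboard, so keep SSH/SFTP access to edit the file.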