Ransomware Protection: A Sydney Business Owner's Guide

Understanding the Ransomware Threat

Ransomware is malicious software that encrypts your files and demands payment for the decryption key. Modern ransomware operations are sophisticated businesses, complete with customer support, negotiation teams, and even affiliate programs. They specifically target organisations most likely to pay—including Australian SMBs.

How Ransomware Attacks Happen

Understanding attack vectors helps you defend against them:

• Phishing emails: The most common entry point. Attackers send convincing emails with malicious attachments or links.
• Exposed Remote Desktop Protocol (RDP): RDP services exposed to the internet are actively scanned and attacked.
• Software vulnerabilities: Unpatched systems provide easy entry points for attackers.
• Compromised credentials: Stolen or weak passwords allow attackers to log in as legitimate users.
• Third-party compromise: Attackers target your suppliers or service providers to gain access to your network.

Prevention: Your First Line of Defence

Implement Robust Backup Strategies

Backups are your ultimate protection against ransomware. Follow the 3-2-1 rule: keep 3 copies of your data, on 2 different types of media, with 1 copy stored offsite or in the cloud. Critically, ensure at least one backup is disconnected from your network—ransomware will try to encrypt network-attached backups.

Deploy Endpoint Detection and Response (EDR)

Traditional antivirus is no longer sufficient. EDR solutions provide real-time monitoring, behavioural analysis, and automated response to threats. Microsoft Defender for Endpoint, CrowdStrike, and SentinelOne are popular options for SMBs.

Patch Promptly and Comprehensively

Apply security patches within 48 hours for internet-facing systems. Automate patching where possible and maintain an inventory of all software that needs updating. Pay special attention to VPN appliances, firewalls, and remote access solutions.

Train Your People

Technical controls can be bypassed if users click malicious links. Implement regular security awareness training, including phishing simulations. Create a culture where employees feel comfortable reporting suspicious emails without fear of blame.

During an Attack: Immediate Response Steps

If you suspect a ransomware attack:

1. 1Isolate affected systems: Disconnect infected computers from the network immediately to prevent spread. Pull network cables—don't just disconnect WiFi.
2. 2Do not pay the ransom immediately: Paying doesn't guarantee you'll get your data back and funds criminal operations. Consult with experts first.
3. 3Contact your IT support: Your MSP or internal IT team should be notified immediately to assess scope and begin response.
4. 4Preserve evidence: Don't wipe systems until forensic evidence has been collected. This may be needed for insurance claims or law enforcement.
5. 5Report to authorities: Report the incident to the Australian Cyber Security Centre (ACSC) at cyber.gov.au/report and consider reporting to police.
6. 6Activate your incident response plan: If you have a documented plan, follow it. If not, this is a critical gap to address.

Recovery: Getting Back to Business

Recovery from ransomware can take days to weeks. Key considerations:

• Restore from clean backups: Verify backups are clean before restoration. Attackers often dwell in networks for weeks before deploying ransomware.
• Rebuild compromised systems: Don't just decrypt—rebuild from known-good images to ensure no malware persists.
• Reset all credentials: Change passwords for all accounts, especially privileged accounts. Assume all credentials are compromised.
• Review and improve: Conduct a post-incident review to identify how the attack happened and improve defences.