
Elastic Compute Service:Improve the anti-ransomware capabilities of ECS instances

Last Updated:Mar 06, 2025

Ransomware is a common type of computer virus. After an Elastic Compute Service (ECS) instance is infected with ransomware, the business data on the instance is encrypted and used for ransom. This can lead to serious business risks, such as service interruptions, data leaks, and data loss. This topic describes how to improve the anti-ransomware capabilities of an ECS instance.

Background information

As computer and cloud computing technologies develop, various types of computer viruses emerge, including ransomware, which is a particularly common type. Alibaba Cloud leverages years of experience in cloud security protection and advanced security attack-and-defense technologies to provide users with comprehensive security solutions. For more information about anti-ransomware, see Overview of anti-ransomware.

Problem description

When your ECS instance is infected with ransomware, the system files are encrypted, and a ransom note or message appears in your working directory. For example, if a Windows ECS instance is infected with ransomware, the following ransom note appears in your working directory.

[Image: ransom note displayed in the working directory of an infected Windows ECS instance]

Solution overview

Prevention measures reduce the risk of infection but cannot eliminate it. Data backup is the last line of defense against ransomware. However, when you restore a disk from a backup or snapshot, all data written between the point in time when the backup or snapshot was created and the point in time when the disk is rolled back is lost. You must design a data backup policy that fits your business scenario to effectively protect important data.

The solutions described in the following sections provide common protection approaches against ransomware.

You can use a single solution or a combination of these solutions based on your business requirements. For example, if you have high requirements for business continuity, you can use all of the solutions at the same time. Take note that you are charged for backups or snapshots.

Solution 1: Use Security Center to improve the anti-ransomware capabilities of an ECS instance

Workflow

[Image: workflow diagram for Solution 1]

Procedure

  1. Enable the anti-ransomware feature and purchase the anti-ransomware capacity.

    To use the anti-ransomware feature provided by Security Center, you must enable the feature and purchase the anti-ransomware capacity. For more information, see Enable anti-ransomware.

    Note

    You can purchase anti-ransomware services based on your business scenario and requirements.

  2. Create an anti-ransomware policy.

    After you enable the anti-ransomware feature, you must create an anti-ransomware policy.

    Create an anti-ransomware policy

    Before you create an anti-ransomware policy, make sure that the operating system version of your server is supported by anti-ransomware for servers. If the operating system version is not supported, the data of your server cannot be backed up. For more information about supported operating system versions, see Operating systems and versions supported by anti-ransomware for servers.

    1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

    2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Anti-ransomware.

    3. On the Anti-ransomware for Servers tab of the Anti-ransomware page, click Create Anti-ransomware Policy.

    4. In the Create Anti-ransomware Policy panel, configure the Policy Name, Server Type, and Select Assets parameters.

      Parameter

      Description

      Policy Name

      The name of the anti-ransomware policy.

      Server Type

      The type of the server to which you want to apply the anti-ransomware policy.

      Backup Route

      The communication method that is used to back up data. If you set Server Type to Server Not Deployed on Alibaba Cloud, you must configure this parameter. Valid values:

      • Internet: If you select this option, you may be charged for Internet bandwidth resources.

      • Internal Network: If you select this option, you must use Alibaba Cloud virtual private clouds (VPCs), Express Connect circuits, or Cloud Enterprise Network (CEN) instances to establish connections between the servers that are not deployed on Alibaba Cloud and the anti-ransomware endpoint in the selected region.

      Region

      The region in which the server resides or a region in which an anti-ransomware endpoint is available. If you set Server Type to Server Not Deployed on Alibaba Cloud, you must configure this parameter. The selected region specifies the endpoint that is used to access anti-ransomware. To successfully back up data, make sure that the server can access the anti-ransomware endpoint in the selected region. For more information, see Anti-ransomware endpoints.

      Select Asset

      The assets that you want to protect. You can select an asset, an asset group, or multiple assets from asset groups. To select the assets that you want to protect, perform the following operations:

      • In the Asset Group section, select an asset group. Then, all assets in the group are selected. You can clear assets that do not require protection in the Assets section.

      • In the Assets section, enter the name of an asset in the search box to search for the asset. Fuzzy match is supported.

      Note

      • If you want to apply the anti-ransomware policy to Elastic Compute Service (ECS) instances, you can select ECS instances that reside in different regions. If you want to apply the anti-ransomware policy to the servers that are not deployed on Alibaba Cloud, you must select the servers that reside in the same region.

      • To make sure that the anti-ransomware capacity is effectively utilized, you can add a server to only one policy.

    5. Configure the remaining parameters and click OK.

      Protection Policies: the type of the anti-ransomware policy. Valid values: Recommended Policy and Custom Policy.

      • Recommended Policy: The recommended policy is a built-in anti-ransomware policy of Security Center and cannot be modified. The default values of the following parameters are used:

        • Directory to Protect: All directories

        • Directory to Exclude: Directories that are excluded from the policy

        • Non-local Mount Path: Exclude non-local mount paths, such as a directory to which an OSS object or a NAS file system is attached.

        • File Type to Protect: All File Types

        • Backup Start At: a point in time within the range of 00:00 to 03:00

        • Policy Execution Interval: One Day

        • Backup Data Retention Period: 7 Days

        • Maximum Backup Bandwidth:

          • Alibaba Cloud server: 0 MB/s

            Note

            The value 0 indicates that no limits are imposed on the bandwidth.

          • Server not deployed on Alibaba Cloud: 5 MB/s

      • Custom Policy: a custom policy that you can configure based on your business requirements. You must configure the following parameters: Protected Directories, Exclude specified directories, Protected File Types, Start Time, Backup policy execution interval, Backup data retention period, and The bandwidth limit of the backup network. The following table describes the parameters.

        Parameter

        Description

        Directory to Protect

        The directories that you want to back up. Valid values:

        • Specific Directory: Security Center backs up only the specified directories of the specified servers. You must enter the addresses of the directories for Directory to Protect. Example:

          • Windows server: C:\Program Files (x86)\

          • Linux server: /usr/bin/

          You can enter up to 20 addresses. Security Center runs backup tasks in sequence based on protected directory addresses. If a large number of files are stored at a protected directory address, a large amount of server resources such as CPU and memory resources may be consumed to back up data at the address. In this case, you can split the directory into multiple addresses. Then, backup tasks run in sequence based on the addresses. This helps reduce the server resources that are consumed by each backup task.

        • All Directories: Security Center backs up all directories of the specified servers.

        Directory to Exclude

        The directories that you do not want to back up. Security Center displays default directories that do not need to be backed up. You can add more directories or remove specific directories.

        Non-local Mount Path

        Select whether to exclude non-local mount paths, such as a directory to which an OSS object or a NAS file system is attached.

        File Type to Protect

        The type of the files that you want to protect. Valid values:

        • All File Types: Security Center protects all files.

        • Specific File Types: Security Center protects only files of the selected file types. You can select file types such as Document and Picture.

          Important

          You can select multiple file types. Security Center backs up only files of the selected file types for the specified assets.

        Backup Start At

        The time at which you want to start a data backup task.

        Important

        If this is the first time that you back up all data in protected directories based on an anti-ransomware policy, a large number of CPU and memory resources are consumed. To avoid negative impacts on your services, we recommend that you back up data during off-peak hours.

        Policy Execution Interval

        The time interval between two data backup tasks. Default value: One Day.

        Backup Data Retention Period

        The retention period of backup data. Default value: 7 Days.

        Important

        The backup data is stored only within the specified retention period. We recommend that you specify the retention period based on your business requirements.

        Valid values:

        • Permanent: The backup data is retained until Security Center expires, you delete the anti-ransomware policy, or you remove the specified server from the anti-ransomware policy.

        • Custom: You can specify a retention period. Valid values: 1 to 65535. Unit: days.

        Maximum Backup Bandwidth

        The maximum bandwidth that can be consumed by a data backup task. Valid values: 0 to unlimited. Unit: MB/s.

        If you create the anti-ransomware policy for an ECS instance, only internal network bandwidth is consumed. If you create the anti-ransomware policy for a server that is not deployed on Alibaba Cloud, public or internal network bandwidth is consumed. You can configure this parameter to prevent backup tasks from consuming an excessive amount of bandwidth and ensure service stability.

        • Alibaba Cloud server: 0 MB/s

        Note

        The value 0 indicates that no limits are imposed on the bandwidth.

        • Server not deployed on Alibaba Cloud: 5 MB/s

  3. (Optional) Restore data from a valid backup in Security Center.

    1. Create snapshots for the system disk and data disks of the instance that is infected with ransomware. For information about how to create a snapshot, see Create a snapshot.

    2. Use a backup in Security Center to restore your business. To restore your business, perform the following steps.

      Create a restoration task

      1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

      2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Anti-ransomware.

      3. In the anti-ransomware policy list of the Anti-ransomware for Servers tab, find the server on which you want to create the restoration task.

        To search for the server, you can enter the name of an anti-ransomware policy that is applied to the server or the server name in the search box above the anti-ransomware policy list.

      4. Click Restore in the Actions column of the required server.

      5. In the Create Restoration Task panel, configure the following parameters: Select a restored version, Select a restore file, Recovery directory address, and Recovery target machine.

      6. Click OK.

        After the restoration task is created, the "Restoration task created." message is displayed. You can log on to the server to view the restored data.
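Splitting a heavily populated protected directory into several addresses, as the Directory to Protect description above recommends, is easy to get wrong by hand. The following Python planner is an added example, not part of this topic or of Security Center: it assumes a local directory tree (a constructed sample is built in a temporary directory), greedily replaces the address with the most files by its immediate subdirectories while staying within the 20-address limit, and reports files that sit directly in a split directory, because a list of subdirectories no longer covers them.

```python
import os
import tempfile
from pathlib import Path

MAX_ADDRESSES = 20  # cap on Directory to Protect entries stated in the policy table


def count_files(path):
    """Number of regular files under `path`, recursively."""
    return sum(len(files) for _, _, files in os.walk(path))


def plan_protected_directories(root, max_files_per_address, max_addresses=MAX_ADDRESSES):
    """Greedily replace the heaviest address with its immediate subdirectories
    until every address holds at most max_files_per_address files, or until a
    split would exceed max_addresses. Returns (addresses, loose_files) as paths
    relative to root. loose_files sit directly in a directory that was split
    away and are no longer covered, so the operator must keep the parent
    address or move them."""
    root = Path(root)
    plan = {root: count_files(root)}
    loose = []
    while True:
        heaviest = max(plan, key=plan.get)
        if plan[heaviest] <= max_files_per_address:
            break
        subdirs = [p for p in heaviest.iterdir() if p.is_dir()]
        if not subdirs or len(plan) - 1 + len(subdirs) > max_addresses:
            break  # cannot be split further within the limits
        loose.extend(p for p in heaviest.iterdir() if p.is_file())
        del plan[heaviest]
        for sub in subdirs:
            plan[sub] = count_files(sub)
    return (sorted(p.relative_to(root).as_posix() for p in plan),
            sorted(p.relative_to(root).as_posix() for p in loose))


def build_sample_tree():
    """Constructed sample tree (not real server data): 26 files in total."""
    root = Path(tempfile.mkdtemp(prefix="protect-plan-"))
    layout = {"app/logs": 12, "app/conf": 3, "www": 10}
    for rel_dir, n in layout.items():
        d = root / rel_dir
        d.mkdir(parents=True)
        for i in range(n):
            (d / f"f{i}.txt").write_text("x")
    (root / "README.txt").write_text("loose file directly under root")
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for limit in (15, 5):
        addresses, uncovered = plan_protected_directories(sample_root, limit)
        print(f"max {limit} files/address -> {addresses}; uncovered: {uncovered}")
```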

Solution 2: Use an automatic snapshot policy to create snapshots for an ECS instance

Workflow

[Image: workflow diagram for Solution 2]

Procedure

Snapshots are backups that can be used to restore data after the instance from which they were created is infected with ransomware. Take note that this solution provides only post-event restoration capabilities and cannot replace active protection measures.

  1. Create an automatic snapshot policy for the disks attached to the instance. For more information, see Create an automatic snapshot policy.

  2. (Optional) Restore data from valid snapshots that were created before the instance was infected with ransomware.

    1. Create snapshots for the system disk and data disks of the instance that is infected with ransomware. For information about how to create a snapshot, see Create a snapshot.

      Important

      The rollback operation is irreversible. After you roll back a disk, data that you added, removed, or modified from the point in time when the snapshot is created to the point in time when the disk is rolled back is lost. To prevent data loss caused by accidental operations, we recommend that you create snapshots for the disks attached to the instance to back up data before you roll back the disks.

    2. Re-initialize the system disk of the instance. For more information, see Re-initialize a system disk (reset the operating system).

    3. Use valid snapshots that were created before the instance was infected with ransomware to restore the data of the system disk and data disks. For more information, see Roll back a disk by using a snapshot.
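Choosing which snapshot counts as "valid" for the rollback in the procedure above, as an added Python example that is not part of this topic: it assumes constructed snapshot records modeled on the SnapshotId, CreationTime and Status fields of the ECS DescribeSnapshots response, plus the time at which the infection was first noticed. It picks the newest accomplished snapshot taken at least a safety margin before that time, skips failed or in-progress snapshots, and reports the data-loss window that the solution overview warns about.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Snapshot:
    snapshot_id: str
    disk_id: str
    creation_time: datetime  # timezone-aware
    status: str              # ECS snapshot Status: "accomplished", "progressing" or "failed"


def select_rollback_snapshot(snapshots, disk_id, infection_time, safety_margin_hours=1.0):
    """Return the newest completed snapshot of `disk_id` created at least
    `safety_margin_hours` before `infection_time`, or None if there is none.
    Only "accomplished" snapshots can be rolled back to; the margin discards
    snapshots that may already contain encrypted files written before anyone
    noticed the infection."""
    cutoff = infection_time - timedelta(hours=safety_margin_hours)
    candidates = [s for s in snapshots
                  if s.disk_id == disk_id and s.status == "accomplished"
                  and s.creation_time <= cutoff]
    if not candidates:
        return None
    return max(candidates, key=lambda s: s.creation_time)


def data_loss_window(snapshot, rollback_time):
    """Changes made between snapshot creation and the rollback are lost."""
    return rollback_time - snapshot.creation_time


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample (not real snapshot data): one automatic snapshot per day at
# 01:00 UTC plus one failed manual snapshot; infection noticed on Mar 3 at 01:30.
SAMPLE_SNAPSHOTS = [
    Snapshot("s-sample-0301", "d-sample", _utc(2025, 3, 1, 1, 0), "accomplished"),
    Snapshot("s-sample-0302", "d-sample", _utc(2025, 3, 2, 1, 0), "accomplished"),
    Snapshot("s-sample-0302b", "d-sample", _utc(2025, 3, 2, 23, 0), "failed"),
    Snapshot("s-sample-0303", "d-sample", _utc(2025, 3, 3, 1, 0), "accomplished"),
]
INFECTION_TIME = _utc(2025, 3, 3, 1, 30)
ROLLBACK_TIME = _utc(2025, 3, 3, 4, 0)

if __name__ == "__main__":
    chosen = select_rollback_snapshot(SAMPLE_SNAPSHOTS, "d-sample", INFECTION_TIME)
    print(chosen.snapshot_id, "data-loss window:", data_loss_window(chosen, ROLLBACK_TIME))
```

With the default one-hour margin the 01:00 snapshot of the infection day is rejected and the previous day's snapshot is chosen, costing 27 hours of changes; with no margin the later snapshot is chosen at the risk of restoring already-encrypted files.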

Solution 3: Use security policies such as security groups and firewalls to improve instance protection

Workflow

[Image: workflow diagram for Solution 3]

Procedure

You can use security policies, such as security groups and firewalls, to improve protection capabilities against ransomware. This requires that you have technical expertise on network security.

  1. Learn about the best practices for security groups and firewall policies and configure security settings. For more information, see Best practices for security groups (inbound rules) and Configure firewall rules for a Windows ECS instance.

  2. (Optional) Contact a third-party organization to decrypt and restore ransomware-corrupted data.

    1. Create snapshots for the system disk and data disks of the instance that is infected with ransomware. For information about how to create a snapshot, see Create a snapshot.

    2. Re-initialize the system disk of the instance. For more information, see Re-initialize a system disk (reset the operating system).

    3. If you did not back up important data or create snapshots before you re-initialized the system disk, you can contact a third-party organization to decrypt and restore the ransomware-corrupted data after the system disk of the instance is re-initialized.

      Warning

      The data decryption capability provided by a third-party organization after a ransomware attack is independent of Alibaba Cloud. Alibaba Cloud is not responsible for the extent of data restoration and possible data corruption.
