Ask HN: What is being done, what *can* be done, about ransomware attacks?

3 points by openthewindow, about 4 years ago

5 comments

greenyoda, about 4 years ago

- Basic security practices to keep malware from working: applying the latest security updates, giving users the least amount of access and privileges they need to do their work, firewalls to contain the spread of malware within your network, anti-virus software, strong passwords, etc.

- Educate employees not to fall for phishing e-mails.

- Having up-to-date off-site backups so that if your systems do get compromised, you can restore your systems and get your data back without having to pay ransom.

mikewarot, about 4 years ago

The long term answer is to switch to Capability Based Operating systems such as Fuchsia and Genode, however these aren't ready for prime time, and are a few years out from being viable choices for production use.

In the meanwhile, backups that are physically offline are your first step. Then you should have offsite backups that are also offline.

Start by buying some new hard drives, and use Clonezilla or whatever is popular now to make copies of your existing drives. Put your old drives in the safe, and run on the new ones.

A backup that hasn't been tested is a prayer. You MUST test your backups, regularly. You must have sufficient spares to be able to stand a new system from scratch and your backups. That new system just has to function, it doesn't need to be as fast as the current one... it just has to actually be good enough to run things for long enough to get proper replacements up and running.

If it is a truly critical system, i.e. people will be harmed, or the business will go away if it stops working, it should not be on the internet, and it should have a backup system ready to start at the flip of a switch.

Data diodes are network gateways that can only transmit data in one direction. These should be used to ensure you can monitor a system, but never control it from the outside. (You set up a host inside the critical network to poll data, put it in a ring buffer, then send that buffer with forward error correction through the data diode to another server outside the network that reads the data, corrects for errors and dropped packets, and serves requests for data to the outside world.)
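
The one-way transfer described in the comment above (ring buffer, forward error correction, a receiver that repairs dropped packets without any return channel) can be sketched as follows. This is an added example, not part of the comment: the XOR-parity scheme, the frame layout, and the names `K`, `SIZE`, `send` and `receive` are assumptions chosen for illustration.

```python
import struct, zlib
from collections import deque

K, SIZE = 4, 16   # assumed: 4 data frames per parity frame, 16-byte payloads

def xor(blocks):
    out = bytearray(SIZE)
    for b in blocks:
        out = bytearray(x ^ y for x, y in zip(out, b))
    return bytes(out)

def frame(group, idx, payload):
    body = struct.pack("!IB", group, idx) + payload    # idx == K marks the parity frame
    return body + struct.pack("!I", zlib.crc32(body))  # CRC32 trailer detects corruption

def send(ring):
    """Inside host: turn the ring buffer into frames, one parity frame per K readings."""
    readings = [r.ljust(SIZE, b"\0")[:SIZE] for r in ring]
    frames = []
    for g in range(0, len(readings), K):
        chunk = readings[g:g + K]
        chunk += [bytes(SIZE)] * (K - len(chunk))      # pad a short final group
        frames += [frame(g // K, i, p) for i, p in enumerate(chunk)]
        frames.append(frame(g // K, K, xor(chunk)))
    return frames

def receive(frames):
    """Outside host: cannot ask for a resend, so rebuild losses from parity."""
    groups = {}
    for f in frames:
        body, (crc,) = f[:-4], struct.unpack("!I", f[-4:])
        if zlib.crc32(body) != crc:
            continue                                   # corrupted frame counts as lost
        g, idx = struct.unpack("!IB", body[:5])
        groups.setdefault(g, {})[idx] = body[5:]
    out = []
    for g in sorted(groups):
        got = groups[g]
        missing = [i for i in range(K) if i not in got]
        if len(missing) == 1 and K in got:             # XOR parity repairs one loss per group
            got[missing[0]] = xor(got.values())
        out += [got.get(i) for i in range(K)]          # None marks an unrecoverable gap
    return [None if p is None else p.rstrip(b"\0") for p in out]

if __name__ == "__main__":
    ring = deque((b"temp=%d" % t for t in range(20, 30)), maxlen=8)  # constructed readings
    wire = send(ring)
    del wire[1]                                        # simulate one dropped frame
    print(receive(wire))
```

A single parity frame per group repairs only one loss in that group; two losses in the same group surface as `None` gaps, which is why a real deployment sizes the redundancy to the link's observed loss rate.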

Darmody, about 4 years ago

Most of the attacks could be avoided if the employee didn't click that PDF that came from a weird address or if they didn't click that link to check what's the problem with that shipment they are not expecting.

chmaynard, about 4 years ago

Critical systems should be unreachable from the Internet. Eliminate all external network connections.

techdragon, about 4 years ago

First - Backups! Proper backups make a huge difference in the damage these attacks can do.

Second - Copy on write file systems like BTRFS and ZFS further mitigate things when set up to retain snapshots/checkpoints of past data on disk. Since these can’t be modified by subsequent writing of encrypted data preventing ransomware from locking you out of your data.