Ransomware is the latest and greatest threat from those wishing to profit from doing harm to data. While it started as a threat to consumer data, it is clearly expanding into a full-on assault against corporate data, which costs companies around the world incredible amounts of money. You can either prepare for this very real danger or prepare your organization to join the ranks of those who have lost data, money, or both.
What is Ransomware?
Ransomware fits into the malware category of software but is designed with a specific purpose: to hold data for ransom. Where a ransom would typically be paid for a person, ransomware kidnaps data that is important to someone or some company. Someone in a company opens the wrong email, clicks on the wrong ad, or downloads the wrong file and it activates an instance of ransomware, which then “kidnaps” files by encrypting them. Once the ransomware encrypts as many files as it can, it then notifies the victim that they can no longer access their own data without paying a ransom. Once the ransom is paid, the victim is (hopefully) sent a key to unlock their data.
Historically, ransomware targeted individuals and the ransom was usually small, around $500. Thousands of individuals paid the ransom to get their data back. (Victims who do pay are typically given the key to unlock their data.) Unfortunately, the criminals behind these attacks realized that if an individual would pay $500 to get their data back, a company might pay tens of thousands of dollars. This is why ransomware attacks against companies began in 2014 and 2015.
The key to making this possible was a change in tactics. Historically, a ransomware package encrypted each file individually. Against a company with a very large number of files this takes a long time, and the malware might be noticed before significant damage is done. Unfortunately, someone learned that all they needed to do was encrypt the Master File Table (MFT) and suddenly no one can access their files, even though the file contents themselves are still sitting untouched on disk. Another time-saving method is to encrypt only data that has been modified in the last 24 hours. These simple changes in tactics allow much quicker attacks against much larger targets.
A ransomware package can attack any file that the infected user has write access to, which obviously includes the files on that user's laptop or desktop. In corporate environments, however, it also includes any NFS or SMB share the user has mounted with write access. Depending on the environment, a single infected user could impact hundreds of other users.
There have been a number of high-profile attacks against corporate targets in the last few years, including small businesses, police departments, and hospitals. The first well-publicized hospital attack completely shut down the record-keeping and billing systems of Hollywood Presbyterian Hospital. (Patient care systems were unaffected.) The initial ransom demand was $3.4 million, but was negotiated down to $17,000. Kansas Heart Hospital was attacked and also decided to pay the ransom, only to be told that a second ransom would be required to get all of its data back. It declined to pay the second ransom, even though some of its data remained encrypted.
This escalating ransom demand is exactly why companies should prepare to defend against a ransomware attack without paying the ransom. Companies that fail to do so place their data, their customers, and the financial viability of the company itself at significant risk.
It is hard to say where to start when talking about ransomware defense, because every part of the defense has to be in place for the protection to work. Of course companies should keep their security measures up to date and make sure their intrusion detection systems use the latest technologies. They should also educate users about how cyber criminals deliver ransomware. Since a common attack vector is Remote Desktop Protocol (RDP) sessions exposed to the Internet, companies seeking to stop ransomware should consider disabling RDP, or at least restricting it to internal IP addresses or to clients connected over a VPN.
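A simple check that goes with the RDP advice above, added here as an example and not part of the original article: scan Windows Security logon events for RDP sessions (LogonType 10, RemoteInteractive) coming from outside the networks where RDP is supposed to be allowed, and count failed logons per external source to catch password guessing. The log lines, the allowed address ranges and the one-line field layout are all constructed for this example and are a simplification of the real event format.

```python
"""
Added example (not from the original article): flag RDP logons whose source
address is outside the ranges the organisation expects, and count repeated
failures per external source.  The lines below are constructed to mimic
Windows Security events 4624 (logon succeeded) and 4625 (logon failed) with
LogonType 10; the flat "key=value" layout is a simplification of the real
event XML, not the exact format.
"""
import ipaddress
import re
from collections import Counter

# Networks from which RDP is expected: LAN ranges plus the VPN pool (assumed values).
ALLOWED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

LINE_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+LogonType=(?P<type>\d+)\s+User=(?P<user>\S+)\s+Source=(?P<src>\S+)"
)

# Constructed sample log: one internal RDP logon, one console logon, a burst of
# failed RDP logons from an external address followed by a success from it.
SAMPLE_LOG = """\
2016-07-01T09:12:03 EventID=4624 LogonType=10 User=CORP\\alice Source=10.20.3.44
2016-07-01T09:15:41 EventID=4624 LogonType=2 User=CORP\\bob Source=-
2016-07-01T21:02:10 EventID=4625 LogonType=10 User=CORP\\administrator Source=203.0.113.57
2016-07-01T21:02:12 EventID=4625 LogonType=10 User=CORP\\administrator Source=203.0.113.57
2016-07-01T21:02:15 EventID=4625 LogonType=10 User=CORP\\admin Source=203.0.113.57
2016-07-01T21:05:30 EventID=4624 LogonType=10 User=CORP\\svc_backup Source=203.0.113.57
2016-07-01T22:10:00 EventID=4624 LogonType=10 User=CORP\\carol Source=192.168.50.7
"""


def parse(line):
    """Extract event id, logon type, user and source address; None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"event": int(m["id"]), "logon_type": int(m["type"]),
            "user": m["user"], "src": m["src"]}


def is_allowed(src):
    """True if src is an address inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False        # "-" or malformed: not a network source we can vouch for
    return any(addr in net for net in ALLOWED_NETS)


def find_external_rdp(log_text, fail_threshold=3):
    """Return (successful external RDP logons, external sources with >= fail_threshold failures)."""
    successes = []
    failures = Counter()
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev or ev["logon_type"] != 10:
            continue        # only RemoteInteractive (RDP) logons are of interest here
        if is_allowed(ev["src"]):
            continue
        if ev["event"] == 4624:
            successes.append((ev["user"], ev["src"]))
        elif ev["event"] == 4625:
            failures[ev["src"]] += 1
    brute_force = {src: n for src, n in failures.items() if n >= fail_threshold}
    return successes, brute_force


if __name__ == "__main__":
    ok, guessing = find_external_rdp(SAMPLE_LOG)
    print("external RDP logons:", ok)
    print("external sources with repeated failures:", guessing)
```

Any hit from the first list is a session that the RDP restriction should have made impossible; the second list is the password guessing that usually precedes it. In production the same logic runs over exported event logs rather than a constant, and the allowed ranges come from the firewall or VPN configuration rather than being hard-coded.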
The last line of defense against a ransomware attack is a good backup system. It doesn’t matter if someone encrypts your files if you are able to restore the unencrypted versions. But since any good corporation already has a backup system, why are some companies still finding themselves in the situation where they must consider paying the ransom?
One reason is that even when a backup system is in place, most backup systems run only once a day. Even if last night's backup succeeded, a significant amount of work can still be lost when a ransomware attack happens in the afternoon or evening, before the next backup runs. If last night's backup failed (and backups fail more often than most organizations like to admit), a company could lose two or even three days of data. Some ransomware is in fact designed to target data modified in the last 24 hours, which is exactly the data least likely to have been backed up yet. It is also possible for a ransomware attack to reach the backup system itself: if backups are stored on disk and the ransomware runs under a sufficiently privileged account, it can encrypt the backups too.
This is why ransomware is the latest reason to move beyond nightly backups. In backup parlance, what is needed is a system with a much tighter recovery point objective (RPO), the maximum amount of data, measured in time, that the organization is prepared to lose. The two most common methods of achieving this are continuous data protection (CDP) and near-continuous data protection (near-CDP).
With near-CDP, also known as flat backups, frequent snapshots are taken of protected volumes and then replicated to a backup system. Snapshots are typically taken once an hour, which provides an RPO of an hour or less. Snapshots are also typically read-only, so an attacker who has compromised a user account cannot overwrite the historical data they contain. What still has to be protected is the storage system's own administrative credentials, since an account that can delete snapshots defeats this safeguard.
CDP systems immediately replicate modified data into a backup system that stores a log of all changes. The log is what distinguishes CDP from simple replication: because every change is retained rather than applied over the previous one, a CDP system can restore any file or object to its current version or to any previous version held in the log.
Historically, CDP systems protected volumes by replicating changes in a file system. Modern storage systems can perform CDP differently, by immediately ensuring that any new or modified file or object is stored in multiple places. They can also make every stored version of a file immutable. That is, even if a privileged account were to begin encrypting files, an unencrypted version of every file would always remain available, because the original could not be overwritten; the encrypted result is stored as a new version alongside it. A storage system capable of doing such things would be very effective against ransomware.
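To make the change-log idea in the preceding paragraphs on RPO, CDP and immutable storage concrete, and to show why the "encrypt only recently modified files" tactic described earlier hurts a nightly backup but not a change log, here is a small Python simulation. It is an added example, not code from the article or from Nexsan, and everything in it (the file paths, contents, logical timestamps and the XOR stand-in for the attacker's cipher) is constructed. It contrasts a once-a-day backup with an append-only, content-addressed change log after a simulated attack that encrypts only files changed since the last backup.

```python
"""
Added example (not from the original article or from Nexsan): a toy
continuous-data-protection (CDP) store.  Every write is appended to an
immutable, content-addressed change log, so a file can be rolled back to
any earlier version even after a process with full write access (here, a
simulated ransomware run) has overwritten the live copies.
"""
import hashlib
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Version:
    seq: int      # position in the append-only change log
    path: str
    digest: str   # sha256 of the content; key under which the blob is stored
    ts: int       # logical timestamp of the write (constructed, not wall-clock)


class CDPStore:
    """Change-log based CDP: blobs are write-once and the log is append-only."""

    def __init__(self):
        self._blobs = {}              # digest -> bytes, never overwritten
        self._log = []                # Version records in write order
        self._seq = itertools.count(1)

    def write(self, path, data, ts):
        digest = hashlib.sha256(data).hexdigest()
        # Immutability: a blob is stored once under its digest.  New content
        # gets a new digest and a new log entry; nothing is ever replaced.
        self._blobs.setdefault(digest, bytes(data))
        version = Version(next(self._seq), path, digest, ts)
        self._log.append(version)
        return version

    def versions(self, path):
        return [v for v in self._log if v.path == path]

    def restore_all(self, before_ts):
        """Newest content of every path written strictly before before_ts."""
        latest = {}
        for v in self._log:           # log order is time order
            if v.ts < before_ts:
                latest[v.path] = v
        return {p: self._blobs[v.digest] for p, v in latest.items()}


def toy_encrypt(data, key=0x5A):
    # Stand-in for the attacker's cipher; XOR is enough to make the data unreadable here.
    return bytes(b ^ key for b in data)


def simulate(last_backup_ts=0, attack_ts=10):
    """Compare a nightly backup with the CDP log after a 'recent files only' attack."""
    cdp = CDPStore()
    live = {}                         # the file server's current contents
    # Constructed sample: the state captured by last night's backup.
    for path, data in {"/share/finance/q3.xlsx": b"Q3 numbers v1",
                       "/share/hr/policy.docx": b"policy v1"}.items():
        live[path] = data
        cdp.write(path, data, ts=last_backup_ts)
    nightly_backup = dict(live)       # traditional once-a-day copy
    # Work done during the day, not yet in the nightly backup.
    day_writes = [("/share/finance/q3.xlsx", b"Q3 numbers v2", 1),
                  ("/share/finance/q3.xlsx", b"Q3 numbers v3 final", 2),
                  ("/share/ops/runbook.md", b"new runbook", 3)]
    for path, data, ts in day_writes:
        live[path] = data
        cdp.write(path, data, ts)
    # Ransomware at attack_ts, using the time-saving tactic from the article:
    # encrypt only what changed since the last backup.
    for path in {p for p, _, ts in day_writes if ts > last_backup_ts}:
        live[path] = toy_encrypt(live[path])
        cdp.write(path, live[path], attack_ts)   # logged as a new version, not an overwrite
    return {
        "live": live,
        "from_backup": nightly_backup,             # loses the whole day's work
        "from_cdp": cdp.restore_all(attack_ts),    # everything up to the attack
        "q3_versions": len(cdp.versions("/share/finance/q3.xlsx")),
    }


if __name__ == "__main__":
    result = simulate()
    for name in ("live", "from_backup", "from_cdp"):
        print(name, result[name])
```

The attacker's writes land in the log like any other writes, which is the whole point: the store never needs to decide whether a write is malicious, it only needs to refuse to discard history. The real systems the article describes add the two things this toy omits, placing each blob on more than one device and retention rules that decide how long old versions are kept.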
It is clear that purveyors of ransomware are targeting bigger and bigger companies. It is also clear that traditional backup systems, which can leave as much as two or three days' worth of data unprotected, are not sufficient to protect against these attacks. One of the most effective ways to protect against both ransomware and traditional data loss is a storage system that is capable of protecting itself. A system that continually and immediately creates immutable copies of all data would be a very effective last line of defense against ransomware.
Sponsored by Nexsan