IT needs a proactive way to stop ransomware. It’s here to stay. Most ransomware countermeasures are reactive. The damage is done before IT can deploy their reactive countermeasures. When ransomware gets through an organization’s defenses, it starts to encrypt data, and the race is on. How much data will the ransomware encrypt before IT can disconnect the infected systems?
Identification of an attack comes in the form of a user stumbling onto a file that has been encrypted and calling IT for help, or the virus itself popping up its payment page. The longer it takes for notification to occur, the virus damages more files and the recovery effort becomes much broader. Assuming the organization has a good backup, IT then starts a very long and arduous recovery process. If the organization does not have a good backup, IT has to Google “How to Buy BitCoin.”
Who Guards Your Digital Assets?
While most organizations will agree that their digital assets are as important – if not more – than their physical ones, few organizations guard digital assets like they guard their physical assets. Beyond mission critical applications, data protection is typically a once-per-night event that rarely completes with 100 percent success. Data monitoring and security is almost non-existent except for, again, the most mission critical applications.
The problem is so much of the digital assets are outside of those mission critical applications. Most employees create or edit dozens of documents on a daily basis. They also receive through email electronically signed contracts, receipts and statements of work. This may not be the master customer list, but it is data the organization cannot reproduce at will. This is the data many decide to pay ransom to get back if the backup system cannot recover it or if the version of the data that is encrypted is radically different than the version that the backup system has. Finally, determining which data is worth paying ransom for itself is a challenge. Most IT does not have the staffing nor the time to compare every potentially encrypted file with the last known good backup.
Prevention is Impossible
Humans are required to be human, and can therefore be counted upon to make mistakes. New zero-day (original) exploits are discovered every day. It is hard to protect against an attack that hasn’t ever happened before.
Obviously, IT should spend time to make sure servers are up to date and vulnerabilities are eliminated. They should also make sure users are trained to not click on suspicious links. But the reality is there is a limit to what IT can do. It is very probable that most organizations will deal with a ransomware attack this year, and in many cases multiple attacks per year for the foreseeable future.
The Data Protection Challenge
The challenge facing data protection is three-fold. First, data protection has to radically change to address the nature of a ransomware attack. An organization can be infiltrated and have its data encrypted at almost any hour of any day. Once-a-night backup helps, but there is plenty of critical data, modified between backups, that remains at risk. In fact, several ransomware strains don’t execute as soon as they infiltrate the organization, instead waiting until the end of day.
The second part of the challenge is the actual recovery effort. It takes most organizations hours, if not days, to realize a ransomware product is loose on their network. Again, many strains will actually wait until the most ideal time to attack. By the time the attack is identified, the malware application may have encrypted hundreds of thousands of files. In fact, one of the more impressive aspects of ransomware applications is how quickly they are able to do their work.
If the ransomware application is successful in spreading itself throughout the organization, then IT is in for a very long recovery effort. Recovery times of multiple days are not uncommon.
From a backup and recovery perspective, time is consumed more by the number of files that need to be restored than the size of the files. Asking a backup application to find 100,000 files in its inventory, copy those files one at a time across the network and then write those files to the various infected storage systems is a recovery process that could take the better part of a day.
These recovery times assume that the prior backup has all the data and is not itself a victim to the attack. The reality is some organizations that had a good backup STILL paid the ransom because it enabled the organization to get back to work faster.
The third challenge is determining if it is even safe to begin recovery. How does the organization know when the malware is eliminated? It is not uncommon for a malware to use the original point of entry to replicate itself into other accounts. Again some strains may lay dormant until the first instance is neutralized, then activate and start the encryption process all over again.
The Solution: Identification and Intervention
Regardless of the character of the ransomware, all such exploits exhibit the same behavior. To do their job, they must change (modify) a large number of files quickly. Without modification (encryption), there is no need for ransom. And, if the malware works too slowly (too few files are modified), then there is no need for ransom either. A well-built backup and recovery strategy should easily recover a few files.
Therefore, the action of ransomware and several other types of viruses should follow an easy to identify pattern: the rapid modification of a large number of files in a short period of time – something only a computer program could do. It is this signature (not something related to the malware’s code) that allows us to easily identify what’s going on and put an end to it.
The solution is a monitoring tool with the ability to also take action to stop the current attack. Since ransomware is “hardware neutral”, storage system vendors should not be the provider of the monitoring solution. The solution should instead be software based and able to interact with a variety of hardware types as well as the various user directory services. It needs to work in conjunction with file data and directory services to monitor in real-time what files each account is changing.
Ransomware is a serious threat to an organization’s digital assets and IT needs to give its potential impact the same, if not more, focus than disaster recovery planning. The likelihood of the organization experiencing a ransomware attack is much greater than being the victim of a disaster. Certainly, IT should take preventive best practices countermeasures like snapshots, replication and backup.
However, before the organization invests massive amounts of money in upgrading its ransomware countermeasures, it should look for a way to identify ransomware behavior, such as users clicking unknown email links, as soon as it starts. Doing so significantly lowers the investment required in the protection infrastructure.
Sponsored by NTP Software
Watch Storage Switzerland and NTP Software CEO Discuss using Archive to protect against Ransomware in our ChalkTalk Video, "WannaCry, Snowden, Wikileaks… Is Your Data Next?"