Ransomware has been a thorn in the side of IT professionals for over five years. What those professionals have seen so far, though, is just the tip of the iceberg. While IT improves its ability to respond to a ransomware attack, ransomware “developers” are preparing a new wave of software explicitly designed to get around those improvements. Organizations need to be on guard and prepare for ransomware’s next wave.
What is Ransomware’s Next Wave?
Ransomware attacks are increasingly insidious. Their developers know that backup is the primary response to an attack, so they are attacking the backup solution itself. Almost all ransomware strains encrypt protected data sets and lock the user out of them if they reach those data sets as part of their file system scan.
Many vendors have taken steps to secure the protected copy of data. The next incarnation of ransomware products is trying to gain access to the backup software configuration files and corrupt them. If they can lock the software out of its configuration files, they make the software almost useless. These ransomware strains are also attacking and corrupting snapshot data, another common ransomware remedy.
Another method gaining popularity is to only corrupt a small amount of data per day. In the past, ransomware solutions tried to encrypt as many files as possible as fast as possible, but that made their presence relatively obvious. By encrypting a smaller amount of data over time, the ransomware software can corrupt more data across more backups, making it very difficult for IT to isolate the uninfected copies of data. Additionally, the ransomware file itself also gets backed up as long as it continues to remain undetected. Restore operations will copy the ransomware file back to the system where it can begin corrupting data all over again.
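As an added illustration (not part of the original article), the sketch below walks backup generations oldest to newest and records, per file, the last generation before its content jumped from low to high entropy, which is the copy a restore should use after a slow, few-files-per-day attack. The function names, the 7.5 bits/byte threshold and the sample data are assumptions constructed for this example.

```python
import hashlib
import math
from collections import Counter

ENTROPY_JUMP = 7.5  # bits/byte; assumed threshold, tune per data set

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def last_clean_generations(generations):
    """generations: list of (label, {path: bytes}), oldest first.
    Returns {path: label of the last generation before the file went from
    low to high entropy}. Files that never make that jump are omitted, so
    data that was always compressed or encrypted is not flagged."""
    clean = {}
    for (prev_label, prev), (_, cur) in zip(generations, generations[1:]):
        for path, data in cur.items():
            old = prev.get(path)
            if (old is not None and path not in clean
                    and entropy(old) < ENTROPY_JUMP <= entropy(data)):
                clean[path] = prev_label
    return clean

def fake_ciphertext(seed: str, size: int = 4096) -> bytes:
    """Constructed stand-in for encrypted content (hash-chain output)."""
    out, block = b"", seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]

def build_sample():
    """Constructed data: three files, one more encrypted per nightly backup."""
    plain = {f"/data/doc{i}.txt": (f"quarterly report {i}\n" * 200).encode()
             for i in range(3)}
    gens, state = [("day0", dict(plain))], dict(plain)
    for day, path in enumerate(sorted(plain)[:2], start=1):
        state = dict(state)
        state[path] = fake_ciphertext(path)
        gens.append((f"day{day}", state))
    return gens

if __name__ == "__main__":
    for path, label in sorted(last_clean_generations(build_sample()).items()):
        print(f"{path}: restore from {label}")
```

Each file gets its own restore point, so no single backup has to be declared the one clean copy for the whole data set.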
Similarly, some ransomware strains don’t activate the moment they gain access to a compromised system. Instead, the trigger file copies itself sporadically around the network and sits idle. The backup software then sees the trigger files as new data and backs them up. Then, after a specific trigger date, the files start encrypting data. When IT responds by restoring uninfected files over the encrypted files, it also unwittingly restores the trigger files, which, since the trigger date has passed, start encrypting files again, placing IT into an endless loop of corruption.
A Strategy for the Next Wave
Ransomware looms as a more substantial disaster recovery threat than more traditional, natural disasters. IT needs to be more prepared than ever. Organizations need to demand more from their data protection solutions. First, the data protection solution must protect itself, by securing both protected copies and configuration files. Second, the data protection solution has to limit access. Third, it needs to support the rapid and almost continuous copying of data so that various versions of files are accessible. Finally, it needs to assist in detecting and eliminating the ransomware source file.
StorageSwiss Take
Ransomware is a profitable “business”, and like any other business, bad actors are re-investing some of their profits into more sophisticated malware. IT needs to evolve its data protection strategy to cover the new capabilities of ransomware’s next wave.
To learn more about Ransomware’s Next Wave and how to protect your organization, watch our on-demand webinar “Are You Ready for Ransomware’s Next Wave?” In it, we cover the new capabilities of ransomware and provide you with a checklist of steps to take to make sure you are protected.