The ransomware threat continues to grow – and this is indeed significant, as ransomware cost businesses $5 billion during 2017, according to Cisco. Many organizations that have been attacked are paying the ransom demanded, causing the number of attacks to proliferate. At the same time, attackers are developing new and more creative ransomware variants – increasing both the diversity and the severity of attacks. Cisco research estimates that the number of ransomware attacks is growing 350% year-to-year, and a study by Proofpoint indicates that there was a 46% increase in the number of ransomware attack variants during 2017.
While data centers are often focused on ransomware attack prevention and remediation, it is in fact endpoints, such as laptops, that are typically the weakest links. The majority of data that is attacked sits on endpoints, and these endpoints are typically minimally protected. In fact, many organizations have no dedicated strategy around endpoint backup, and a World Backup Day study found that 30% of endpoint users have never backed up their data.
This mindset is a result of how difficult it used to be to protect laptops. When backups kicked off, system performance would slow to a crawl, hurting user productivity to the extent that users would often stop the backup. This is no longer the case with modern, low-impact endpoint backup solutions, but the cultural shift to embrace these advancements remains ongoing.
This mindset is also a result of the increased use of cloud-based applications such as Salesforce.com, which has fostered the belief that no data of consequence sits on the laptop itself. However, there are still many situations in which sensitive data is stored directly on the laptop. Even if the data is not generated on the laptop, local copies are frequently stored there, and users often enable offline access to the data. Furthermore, endpoints contain a significant amount of unique data that cannot be recovered; according to TechTarget, 34% of data on laptops is not stored in the organization’s data center or cloud backup service.
The rising ransomware threat makes it necessary for organizations to adopt a mindset that they will be breached. The probability that an organization will be attacked is growing, and the impact of attacks can be very severe in today’s data-driven economy. Building internal awareness among users is important, but it is inevitable that some users will eventually click on a malicious link despite training. Once breached, new ransomware variants make the malicious software more difficult to detect.
Core to preparing for a ransomware attack is establishing recoverability of endpoint data. Backups should be consistent and frequent to ensure that data can be recovered to a point in time as close to the attack as possible. Backup data should be isolated from the primary data center environment, because some new ransomware variants are aware of (and can access) backup data that lives in the primary data center.
Backup anomaly detection is another critical component of a successful, endpoint-driven ransomware prevention and remediation strategy. Anomaly detection can help organizations to respond more quickly when an attack begins, to stop the spread of ransomware throughout the backup environment, and to be confident that the threat has been eradicated. Ransomware often penetrates backup data and is not detected until user access is inhibited. Some new variants attack slowly instead of attacking thousands of files at once, to slow detection while decreasing IT’s ability to determine what has been encrypted and what has not.
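The difference between a burst attack and a slow one shows up in per-run backup statistics. The following is an added example, not code from this article or from any vendor it mentions: it assumes each backup run reports a modified-file count per endpoint, and the function name, thresholds and sample numbers are illustrative assumptions.

```python
from statistics import mean, pstdev

def detect_backup_anomalies(runs, baseline_runs=7, burst_sigma=6.0,
                            slack_sigma=1.0, drift_sigma=8.0):
    """Flag suspicious backup runs for one endpoint.

    runs: modified-file count reported by each backup run, oldest first.
    Returns a list of (run_index, kind), kind being "burst" or "slow-drift".
    """
    if len(runs) <= baseline_runs:
        return []
    base = runs[:baseline_runs]            # assumed to be clean history
    mu = mean(base)
    sigma = max(pstdev(base), 1.0)         # floor avoids a zero-width band
    alerts, cusum = [], 0.0
    for i in range(baseline_runs, len(runs)):
        x = runs[i]
        if x > mu + burst_sigma * sigma:   # mass encryption in a single run
            alerts.append((i, "burst"))
            continue
        # One-sided CUSUM: accumulate only the excess above normal variation,
        # so many small overshoots add up even though none looks alarming alone.
        cusum = max(0.0, cusum + (x - mu - slack_sigma * sigma))
        if cusum > drift_sigma * sigma:
            alerts.append((i, "slow-drift"))
            cusum = 0.0                    # re-arm after alerting
    return alerts

# Constructed sample data (not from any real environment).
BASELINE = [40, 35, 42, 38, 45, 37, 41]
NORMAL = BASELINE + [41, 36, 44, 39]
BURST = BASELINE + [39, 4200]
SLOW = BASELINE + [52, 50, 54, 51, 53, 55]  # every run stays under the burst limit

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("burst", BURST), ("slow", SLOW)):
        print(name, detect_backup_anomalies(trace))
```

In the slow trace no single run crosses the burst threshold, yet the cumulative excess raises an alert on the third elevated run, which narrows the window of backups that must be checked for encrypted files.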
A shift in mindset to embracing regular, low-impact endpoint backup is key to being prepared for, and to minimizing the negative business impact of, ransomware attacks. Though it may seem unlikely that a ransomware attack will occur, attacks are growing more common and more sophisticated, and the potential fallout is severe. Data is critical to day-to-day business operations as well as brand reputation, so it is important to minimize both the likelihood of a ransomware attack and its resulting impact. If an attack occurs, it is critical not to pay the ransom, since this encourages further proliferation of attacks. Additionally, it is very difficult to fully recover all data even if a ransom is paid. It is equally challenging for an organization to be confident that all ransomware files have been fully eradicated from its environment.
For more recommendations on what makes a successful endpoint protection strategy, as well as the advantages of the cloud for endpoint ransomware, join us for Storage Switzerland’s on-demand webinar in collaboration with Druva, “Ransomware: Strategies for Protecting Your Weakest Link – Endpoints.”