Ransomware is one of the biggest cybersecurity threats for organisations across the public and private sectors, and it’s become especially pressing in light of the current crisis. Remote access to data is now essential for many businesses to function. It’s prompted many ransomware operators to publicly vow to abstain from attacking health organisations, while others have directly targeted concerned members of the public via fake mobile Covid-19 tracking apps.
In the UK, 58 per cent of companies choose to pay operators the ransom when attacked, which averaged $84,116 in Q4 2019 - up 104 per cent from Q3. But this only represents a fraction of the total cost of ransomware. By locking users and organisations out of their data, ransomware grinds operations to a halt for days or weeks at a time. This can have a tremendous impact, with the total cost of these attacks this year projected to be $11 billion.
Remote working setups can increase vulnerability to attacks in the first place, while also making the effects of such an attack dramatically worse. And, in the present climate, the downtime brought about through attacks on governmental, medical and emergency responders could mean the loss of lives. With so much potentially at stake, how can organisations reduce the risk and damage caused by such attacks?
The solution lies in backups that are distanced from your day-to-day operations, easy to access in a crisis, all while being tamper-proof. This typically means a well-configured cloud backup.
Fighting back with backups and the cloud
One of the most common forms of ransomware is known as “crypto ransomware.” This typically encrypts valuable files or the contents of an entire disk to prevent you from accessing it, and a ransom is demanded to regain access. If the data isn’t backed up somewhere, you risk losing all your data or being forced to pay a hefty sum to regain access.
If caught by an attack, the quickest way for organisations to end downtime and avoid paying a ransom is to restore the affected data using backups. No one backup is immune from being affected by ransomware, but your organisation can build a great deal of redundancy - and thus resilience - through keeping multiple versions and maintaining a degree of separation between backup copies.
A common rule is the 3-2-1 rule: you should keep 3 copies of your data, with 2 on different media formats, and one of those should be off-site. Making sure one of your backups is off-site allows you to create distance between your day-to-day operations and your backup copy - an “air-gap”. This air-gap allows you to protect the backup more stringently than if it were bound to your own network.
However, air-gapping can often mean that restoring data from that backup can take a great deal of time - often in the order of days. In our current emergency, where time is of the essence to some teams, those lost days spent restoring a backup could represent a death blow to organisations.
The most accessible off-site backups are in the cloud
Most organisations need to be back on their feet in seconds and minutes. Therefore, they have to pick the off-site backup that delivers the most rapid restoration possible - which, in practice, most often means the cloud.
Cloud data centres are online and staffed 24/7, benefiting from an extra - and independent - layer of security in the form of constant on-site surveillance and state-of-the-art security protocols. The always-on nature of cloud-stored data means that organisations can have near-instant access to their data, in addition to the extra protection. Economies of scale at a data centre also mean that storing data in the cloud is less expensive than on-premises storage and a more economical option for most businesses.
However, cloud backups are not invulnerable to ransomware
Data in the cloud can still be affected by ransomware. Most ransomware attacks are started on-premises through infected USB drives, URL downloads and email attachments; all of these can be uploaded to the cloud through a backup. If previous recovery points aren’t available, then that can render a cloud backup useless.
Many ransomware operators know they can extort money from individuals and organisations by targeting cloud backups. In some cases, cybercriminals access the networks of victims via exposed remote desktop services, gain access to their cloud credentials, and then proceed to delete their cloud backups. Having picked off the target’s backups and left them defenceless, the operators then deploy their ransomware package.
A less common vulnerability is when a cloud object bucket - the container that holds your data - is left open and accessible to the public. This poses a colossal risk to the privacy of your organisation and its stakeholders, as we recently saw with a misconfigured AWS bucket exposing 500,000 personal and financial records. It also poses a huge operational risk, especially considering an open bucket could be edited and closed again by an attacker.
One of the best ways you can keep your cloud backups safe is working with a provider that provides an immutability option for your buckets. An ‘immutable’ bucket is one where data written cannot be deleted or altered by anyone throughout a specified retention lifetime. You can also set up the bucket to delete the data automatically after that retention period has elapsed.
This helps to prevent ransomware attacks, which typically work by encrypting all of your data and making it only accessible through purchasing a key from an attacker. It also prevents remote access and deletion by an attacker who has gained access to your cloud credentials. By adequately protecting and retaining data, the immutability option also helps organisations comply with industry regulations, such as GDPR, and avoid potential fines and penalties.
Against ransomware, the best offence is a good defence
There are a swathe of anti-malware and decryption tools to help remove and stop ransomware. However, operators are smart and their tactics are always evolving - they inevitably will chip away at any vulnerable architecture, and mitigation will ultimately prove costly. The best way to keep ransomware operators at bay is by having redundancy and resilience when they do strike.
That’s why regular backups are essential, with at least one secure off-site backup being key to bouncing back if an attack comes. If time is of the essence, then that off-site backup should be in the cloud. To make sure you keep that air-gap between your operations and your backup, you should take advantage of immutability features - make sure your cloud provider offers them, and also make sure that the immutability options are consistent and stringent.
While you can’t control ransomware operators, you can control how you prepare and respond - by taking these steps, you’ll be best prepared to continue functioning in spite of a ransomware attack, especially at this most demanding time.
David Friend, co-founder and CEO, Wasabi Technologies