Ransomware attacks dominated the cyber security landscape in 2020 and will remain a top threat in 2021, posing major challenges for both public and private institutions. The UK’s National Cyber Security Centre recently reported that it handled more than three times as many ransomware incidents as in the previous year. New variations of attacks are always testing security defenses, including more sophisticated “phishing” schemes -- taking advantage of human error or vulnerabilities by duping individuals into clicking a malicious link and thereby enabling ransomware to infect an organization.
Phishing attacks have long been a major threat to all types of organizations, but these attacks have become more prevalent and successful due to the increase in remote working and learning caused by Covid-19. Phishing methods are also increasingly innovative, with new scams becoming more personalized and authentic seeming. In addition, “do-it-yourself” phishing kits are now readily available on the dark web, and Ransomware as-a-Service (RaaS) continues to grow. With barriers to entry now so low, as no special technical skills are required, it’s no surprise that more and more cybercriminals are going phishing. Some of these ransomware variants, such as Lockbit, are sold on underground forums, and their proprietors are even offering refunds if their wares don’t work as advertised.
So how do cyber criminals use human vulnerability to gain entry to an organization’s systems? In the case of universities, for example, they may have tens of thousands of students and faculty who require access, often from geographically dispersed areas. According to statistics provided by the Office of National Statistics (ONS), 65 percent of current UK university students reported having attended no in-person teaching. It only takes one of these users falling for a fake email for an attack to slip through the net. In addition to this, the vast amount of personal data which these institutions carry, from home addresses to detailed parental income statements, make them a tantalizing target for cybercriminals, who can monetize these by selling in bulk on the dark web. Though training can help protect against the dangers phishing brings, it may be too difficult to ensure that any cybersecurity training provided is fully implemented when thousands of users are involved.
WORM storage tech
Threat detection can be useful in preventing ransomware penetration, but threats and the signatures which identify them constantly evolve and become more sophisticated over time, making it hard for even the most advanced cyber security solutions to keep up completely. Backup is another useful tool; however, backups are not impervious to tampering. Many ransomware strains, such as the EKANS strain which has recently plagued manufacturers, go after organizations’ backups with the same voracity as primary data. This means that even if organizations have diligently kept up with their backups, these backups can still be encrypted, and the data held hostage by cybercriminals. This also means backups need the highest possible level of protection.
One of the best ways to safeguard data against ransomware attacks is WORM (Write Once, Read Many) storage technology. With WORM, data is locked from any further changes at the time of storing the data. A retention policy is set to determine for how long this data cannot be changed, and during this period it is not possible to change or delete the data. After the retention period ends, WORM protection is removed, and the data can be managed as normal. By making data immutable (unchangeable) and, therefore, tamper-proof, WORM eliminates the ability for ransomware to change data in place, rendering an attack useless.
WORM techniques have been around for a while, used predominantly with removable media such as tape and optical media (CD-ROM, DVD, etc.), and is often referred to as air gapped storage. This term comes from there being physical space between the removable media storage and the computer systems that access data. This is considered the ultimate protection for data, but it has many disadvantages, such as operational management costs, inflexible access to data and slower data retrieval times. In modern 24\7 operations driven by efficiency and need for immediate data access, removable media has become unpopular.
Phishing through admins
WORM on hard disk and flash drives has had a checkered past. Until the last few years, WORM was only adopted by organizations that needed compliance to demonstrate digital records being tamper proof (finance and healthcare for example). The reasons it was limited to these organizations are that a) they were the only ones that had a need for this level of protection (pre-ransomware) and b) WORM implementation was not simple or cheap.
Initial implementations of WORM were only configurable either at an entire storage system level or across a whole file system. You had to be very sure that any data you wrote to these systems were intended to be unchanged and stored for a long time. In the event of any mistakes, you could not roll back, as is still the case. In addition, dedicating an entire storage system or file system to a specific WORM-required workload becomes expensive as this is storage that has a very limited use case.
The S3 Object Lock API provides a very elegant implementation of WORM that allows for granular WORM policies applied at the individual object level, eliminating the need to dedicate an entire storage system just to service WORM-required use cases. This works through a client server communication between the application managing the data and the storage system. The application configures the data with a retention period as determined by defined data protection levels and updates the metadata for the object. Once the storage system receives the data object, reads the metadata concerning the Object Lock policy, the system stores the data with the protection policy applied. This data cannot be changed until the retention period expires.
It is also imperative to ensure that the data is protected from internal attacks such as a phishing attack with administrator credentials. The storage system must provide adequate protection to prevent any privileged user circumventing the WORM process and deleting data through an admin backdoor. Systems with secure shell preventing root user access are key to ensuring complete tamper-proof functionality.
Filling the gaps
Protecting ever-changing data workloads such as databases and file shares with WORM would be prohibitively expensive as every time a file was changed, a new version would be saved, racking up storage costs very quickly. But protecting backup data is perfect. Once written, this data does not change and typically needs to be stored unchanged for a longer period. This way you manage to have an immutable copy of all your data without the negative impact. All the major backup software companies have S3 Object Lock support in their products today or certainly on their near-term roadmaps.
Object Lock makes WORM technology more accessible for institutions, which is particularly important for healthcare, local government, and education organizations with limited IT resources. In the event of a ransomware attack, they can quickly and easily restore a clean copy of their data and continue operations.
Cybercrime continues to evolve at a much faster pace than the technical knowledge and cyber hygiene of the average individual user. So, it’s simply unrealistic for modern institutions with thousands of stakeholders relying on their systems every day to expect perfect compliance with cybersecurity best practices. As a result, it’s up to the organization’s leadership to fill in the gaps with technologies such as WORM/Object Lock that provide the best defense for combatting ransomware.
Neil Stobart, VP Global Systems Engineering, Cloudian