Ransomware attacks have become a daily occurrence, and it’s only getting worse. According to Cyber Security Ventures, ransomware attacks will increase 30 percent from 2019 to 2021, resulting in an attack every 11 seconds. With the surge in remote working and online businesses, ransomware attackers are exploiting all vulnerabilities with sophisticated and costly attacks.
Cybercriminals are expanding who they target. Instead of targeting banks, they have attacked Carnival Corporation, New Zealand Stock Exchange, and Konica Minolta. Local governments, hospitals, and schools are now prime targets because ransomware-as-a-service has made it easy to be a cybercriminal. As a result, The Aberdeen Group notes that half of all enterprises have experienced a ransomware attack within the last 12 months.
Ransomware attacks are also getting more vicious. The notorious ransomware gang Maze not only encrypts the victim’s data, but also steals it and threatens to release it to the public. Maze just threatened to release 10TB of data if Canon did not pay their ransom. Previously, Maze published data belonging to LG and Xerox, who refused to pay, while Garmin paid a multi-million-dollar ransom to avoid a similar fate. During a global pandemic, hackers have taken ransomware to new levels.
Cybersecurity best practices
The statistics say that your organization will fall victim to a ransomware attack. When you combine relentlessly evolving cyberattacks with the need to run a digital business online, the question is when, not if, you will be compromised. The attack may come when a remote worker is phished on personal email, somebody opens an infected file in a shared Dropbox folder, or a bot discovers a database exposed on the public internet. Therefore, while it is important to protect against attacks, it is even more important to know how to respond to them.
If paying a ransom is your only option, you’ve already lost. Paying a ransom exposes you to further attacks and negative public exposure. Not only do you suffer downtime and the cost of the ransom, but your customers lose faith in you.
The National Institute of Standards and Technology (NIST) recommends a Cyber Security Framework (CSF) with five essential functions:
- Identify business-critical assets, data, and applications
- Automate data protection for business-critical assets and backups
- Ensure flexible recovery options from clean backups
- Detect attacks early
- Proactively respond to prevent threats from spreading
By following these guidelines, organizations can reduce the impact of any potential attack.
Step 1: Segment your data
Ransomware protection begins by segmenting your data. While an organization does not want any data to be compromised by ransomware, some data is still more valuable than others. With the rise in exfiltration attacks, you need to be even more vigilant about not letting some data be attacked. Otherwise, you could find your private customer or business data posted on the internet.
Therefore, organizations should understand which data needs additional protection and keep it away from the most likely attack vectors, i.e., end-user devices. They should also leverage tools to validate that critical information does not “leak” onto those devices by scanning for signatures, e.g., Personally Identifiable Information (PII) or Personal Health Information (PHI).
Cyber-attackers lose leverage when they cannot affect your most valuable data. Therefore, identify, segment, and monitor that data carefully.
Step 2: Protect your data
When attacked, you need to be able to recover the data that is compromised. That means you need to protect all your data, automatically and securely.
Organizations should protect all their data. While most protect data center servers and applications, modern businesses have data sprawled everywhere. More businesses are depending on data stored in SaaS applications like Microsoft 365 and GSuite, and those platforms can store and distribute infected documents. Meanwhile, employees run on endpoints, such as laptops and smartphones, and since they are often outside firewalls, endpoints are particularly vulnerable to threats and can serve as a vector into the larger organization.
Running such broad and comprehensive backups requires sophisticated automation. Furthermore, as applications become more intricate, their interdependencies become more complicated. It is not enough simply to automate backups; enterprises must also automate runbook execution and streamline core processes for rapid recovery. Testing is also key, to ensure that the backups in place do not just exist but can be readily transferred and deployed when needed.
Finally, backup security is paramount. Most ransomware targets backups, because they are both the first line of defense and a central pool of all data. Therefore, you need to encrypt backups and store them in an isolated location. First, encrypt backups in flight and at rest, where only critical organization members have access to the encryption key. Second, store the backups in the cloud, like AWS, for unparalleled scalability and security. Beyond the security of using a trusted cloud provider, leveraging an external platform creates an air gap between the backups and the data centers or endpoints. By encrypting and air gapping from onsite infrastructure, organizations can ensure their backups are safe.
Step 3: Respond quickly to cyber-attacks
By responding quickly to a cyber-attack, an organization can minimize the damage. A rapid response should include early detection and rapid recovery.
Cyber-attacks are not silent, because they have to encrypt or delete data. Unfortunately, most environments are so large and dispersed that it can be difficult to detect the attack. By protecting everything, however, the organization gains visibility across all its data. The backup process should detect unusual data patterns and raise alerts with the security infrastructure. Backup’s unique, centralized perspective on the entire environment is an asset to the security operations team.
Once detected, restores must be rapid and uninfected. Restoring servers with infected backups does not recover the environment. Moreover, restoring data to servers certainly does not do much good if endpoints remain infected. Therefore, the “auto-detection” of a ransomware attack should help readily identify the last clean copy of backup data and significantly streamline the restoration process.
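The detection and last-clean-copy logic described in Step 3, as an added illustration that is not Druva's product code: it compares successive backup snapshots, flags a snapshot whose files changed en masse into high-entropy (ciphertext-like) content, and reports the last snapshot taken before the first alert. The snapshots, the entropy threshold of 7.0 bits, and the 50% change thresholds are all assumptions constructed for this example.

```python
"""Toy ransomware detector over a sequence of backup snapshots (added example)."""
import math
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext sits near 8.0, office text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def snapshot_stats(prev: dict, cur: dict) -> dict:
    """Compare two snapshots (path -> file bytes) and summarise what changed."""
    changed = [p for p in cur if p in prev and cur[p] != prev[p]]
    removed = [p for p in prev if p not in cur]          # deleted or renamed away
    added = [p for p in cur if p not in prev]            # new or renamed files
    high_entropy = [p for p in changed + added if entropy(cur[p]) > 7.0]
    return {
        "change_ratio": (len(changed) + len(removed)) / max(len(prev), 1),
        "encrypted_ratio": len(high_entropy) / max(len(changed) + len(added), 1),
    }

def is_anomalous(stats: dict, change_thr: float = 0.5, enc_thr: float = 0.5) -> bool:
    """A mass rewrite where most new content looks encrypted is the ransomware signature."""
    return stats["change_ratio"] >= change_thr and stats["encrypted_ratio"] >= enc_thr

def last_clean_snapshot(snapshots: list) -> tuple:
    """Return (index of last clean snapshot, list of (index, stats) alerts).
    snapshots[0] is assumed to be a clean baseline."""
    alerts, last_clean = [], 0
    for i in range(1, len(snapshots)):
        stats = snapshot_stats(snapshots[i - 1], snapshots[i])
        if is_anomalous(stats):
            alerts.append((i, stats))
        elif not alerts:                # only advance while no alert has fired yet
            last_clean = i
    return last_clean, alerts

# Constructed sample data: four plain business files, then a routine edit, then encryption.
PLAIN = {
    "reports/q3.docx": b"Q3 revenue grew 4% on stronger SaaS renewals. " * 8,
    "finance/ledger.xlsx": b"date,account,amount\n2020-09-01,4100,1250.00\n" * 8,
    "hr/handbook.txt": b"Employees must complete security training annually. " * 8,
    "legal/contract.pdf": b"%PDF-1.4 This Agreement is made between the parties " * 8,
}
CIPHER = bytes(range(256)) * 4   # stand-in for ciphertext: every byte value equally likely
SNAPSHOTS = [
    PLAIN,
    {**PLAIN, "reports/q3.docx": PLAIN["reports/q3.docx"] + b"Updated outlook for Q4. "},
    {path: CIPHER for path in PLAIN},   # every file rewritten with random-looking bytes
    {path: CIPHER for path in PLAIN},   # quiet again, but still infected
]
```

Running `last_clean_snapshot(SNAPSHOTS)` returns snapshot 1 as the restore point and a single alert on snapshot 2; the quiet snapshot 3 does not reset the restore point, which is why the auto-detection result must be kept alongside the backup catalog rather than recomputed from the latest change alone.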
Data protection providers that tie together the critical best practices help thousands of customers save billions in ransom payments and even more in damaged corporate reputation.
Despite an environment where hackers are constantly trying to extort companies, there is hope. Instead of front-page news that forever damages a company’s reputation, ransomware can be rendered a manageable inconvenience. By understanding their data, securely protecting data in the cloud, and analyzing their backups, companies can regain their power over cyber-attacks.
Stephen Manley, Chief Technologist, Druva