If you were to ask a CISO what their biggest headache was, chances are that ransomware would be high on their list. Over the last several years, the numerous CISOs I have spoken with have had to drop everything when a senior executive’s laptop was infected and their hard drive was encrypted. They were forced to answer a lot of questions. How did this happen? Why didn’t the anti-virus and firewalls prevent this? How will we get back up and running quickly and will we have to replace all of our computers?
At this point and when they are feeling most vulnerable, it can be tempting for these same senior executives to decide they’re taking no chances and to allocate further resources to the appropriate cyber defences so it doesn’t happen again. However, ultimately it’s what that new expenditure is directed towards that determines the return on investment. For example, it’s a positive sign to see this channeled towards the continuous backup and recovery for desktops and laptops. However, replacing the hard drives is simply throwing good money after bad, when secure data erasure can restore a computer/laptop and drive to a pristine state much faster and with less demand on the capacity of the IT team.
Ransomware, of course, only requires a victim to open an attachment or click on a link to download the malware, which could be unique to the target, thus bipassing most endpoint protection. Recent strains of ransomware, like Wannacry, used worm-like capabilities to spread from machine to machine within an organisation, thus causing even more havoc than a single infection.
Sometimes researchers discover and publish the keys to decrypt encrypted hard drives, although most of the time that’s not the case. In either situation, the target organisation is left with the task of recovering the usability of those machines. If backups do exist it is not advisable to just reload the data, or even re-image the machine and then reload. Sophisticated malware can leave behind elements that can start a new infection, download new payloads and cause even more damage. This has been termed ‘persistence.’
To ensure machines are completely clean before re-installing the OS, apps and data, each machine should undergo complete data sanitsation. This is defined as the process of deliberately, permanently and irreversibily removing or destroying the data stored on a memory device in order to make it irrecoverable. This includes traditional IT equipment with data storage and mobile devices, along with internet-connected devices, such as wearables, medical devices and infotainment systems in automobiles. A device that has been sanitised has no usable residual data, and even with the assistance of advanced forensic tools, the data can never be recovered. There are three methods to achieve data sanitisation: physical destruction, crypotographic erasure and data erasure.
What’s astounding is how little is currently known and understood about data sanitisation. This comes from confusion about the definition of data sanitisation and the varying methods of achieving it. For example, many organisations mistakenly implement certain data removal methods, such as factory reset, reformatting, data wiping and data clearing, because they believe these methods are capable of achieving data sanitisation, when in fact they are not. As a direct result, most organisations are not employing the necessary steps to implement a data sanitisation process and therefore leaving themselves vulnerable to a ransomware attack.
The loss of data and time spent decrypting a ransomware attack is not the only headache for CISOs. Another is the cost to replace hardware when computers are rendered unusable. Not to mention the cost of lost business hours involved when computers are out of action.
Many organisations are choosing to replace all hard drives impacted by recent ransomware infections. Instead of the usual one-off infections, Wannacry and Petya spread throughout an IP address range, disabling hundreds, if not thousands of devices. As these attacks are so sophisticated, and in some cases suspected of originating from national state actors, the concern is that reformatting and re-installing the corporate image may not completely eradicate all traces.
While this is a legitimate concern when dealing with advanced malware attacks, many organisations are unaware that replacing hard drives is a needless expense. Using full disk secure erasure can be done more simply with less labor for IT staff. Full disk erasure overwrites boot sectors and restores a disk to pristine state. And it can ensure that the drive or computer/laptop can be reused, thus saving the business a significant amount of money that would have been spent on purchasing new equipment.
The same method can also be applied to destructware attacks, which only differ from ransomware in that the attacker has no intention of extracting a ransom. Recent cases of ransomwares in Ukraine for example appear to be destructware posing as ransomware as the attackers had no intention to provide decryption keys. There have been several massive destructware attacks in the past. South Korea and Saudi Arabia both had attacks that made the storage media on tens of thousands of computers unusable. In the case of Saudi Arabia we know that they purchased 50,000 hard drives as replacement as the quickest way to get back in operation. Using data santisation tools they could have saved the expense of such a large purchase and gotten back to work faster and just as safely.
It’s estimated that in 2016 criminals earnt a staggering $1 billion from ransomware attacks. And this year looks to be no different. While prevention and detection are key components, having a plan in place for response is just as important. This is where routine data sanitization can play an important dual role. Firstly, by minimising the overall volume of data that needs to be routinely backed up and secondly by restoring hard drives to their original state before data recovery is carried out.
Richard Stiennon, Director of IDSC and Chief Strategy Officer, Blancco Technology Group
Image Credit: Carlos Amarillo / Shutterstock