If you listen to the news, you’re probably well aware of the threat of ransomware to businesses big and small. It’s easy to find stats on this insidious form of cybercrime—both because it has become so prevalent and so damaging to companies worldwide. Current data shows that ransomware attacks are continuing to escalate at an unprecedented degree. SonicWall’s 2017 Annual Threat Report highlights that the number of such attacks shot up to 638 million in 2016, a phenomenal increase over the previous year that saw 3.8 million attacks.
Yet while you may be familiar with headlines on cybercrime and might even recognize ransomware as a particularly pernicious threat to any size of enterprise, you may not be aware of some facts that help reveal why ransomware attacks can be so devastating. When I researched this topic, I discovered three surprising things:
First, even the FBI lacks an effective solution. Joseph Bonavolonta, a Boston-based cyber and counterintelligence specialist at the FBI, told attendees at a recent security conference: “To be honest, we often advise people to just pay the ransom. The ransomware is that good.” Yet simply handing the extortionists the money they want isn’t financially feasible for many companies, particularly small to mid-sized businesses with shallow pockets. It also isn’t necessary since there are proven ways to more reliably protect data.
Second, no matter how powerful a given anti-virus (AV) and anti-malware product is, it can’t realistically cover all of today’s different potential attack vendors. Ransomware infections have become much more sophisticated than the social engineering experiments that they began as, where someone would make the mistake of opening a bogus invoice in a Word or Excel document, click “Enable Macros,” and have their data infected. Attacks have evolved to include everything from active hacking where hackers break into systems installing ransomware, to worms like WannaCry that exploit operating system vulnerabilities.
With so many other advanced techniques like hollow memory injection that are impossible to detect and exceptionally difficult to prevent, AV products can’t do it reliably. There are simply too many attackers and types of variations on ransomware design for a single-pronged, threat-focused strategy of “active defense” on the front end to be effective. Companies need to pair such strategies with “reactive defense” on the backend, which are data focused and can undo the damage of a successful malware attack. (You’ll learn more about this below.)
Third, when a business’s data is infected, the damage isn’t localized to a single computer—it’s magnified threefold since it only takes one vulnerable computer to bring an entire network to its knees. This “infection magnification” effect means that one infected computer generally leads to a “three-peat” of problems—triple the pain and triple the damage—that looks something like this:
Primary storage corrupted: The trouble begins when the file server is attacked, since ransomware works across network shares. So the ransomware scans for these shares and begins corrupting files on the server.
Distributed storage corrupted: Thanks to cloud sync applications like Dropbox, Google Drive, and Microsoft One Drive, files that get corrupted locally will also get synced to the cloud and then replicate onward to other machines. This affects remote workers and employees who travel, not just the home office. It works in reverse too. If any users or computers get infected on the road, their corruption will spread back to the head office—and then this affects backup storage.
Backup storage corrupted: Normal backup software simply backs up whatever’s on the server. If corrupted files are there, it will back them up. Because most backup systems have limited space for version history, this becomes a huge problem. Usually it’s not an issue to store many old versions since the incremental changes are relatively small. But when ransomware strikes, many changes occur at once, which means the number of changes made to the incremental backup then balloons and can displace all the previous backups. The version history disappears, leaving only a useless backup of corrupted files.
In addition to backups being destroyed if they’re plugged into an infected computer, ransomware can also attack a backup directly, corrupting it just like it corrupts any other file. If your backup fails or gets corrupted, you might feel desperate enough to think about paying the ransom unless you have the right solution in place to keep this from happening in the first place.
What’s the Right Response?
Before you start to feel hopeless, I’ve alluded to the fact that there is a solution that can put you in the perfect position rather than a compromising one. The goal is to find a solution that not only takes a unique approach to backing up data, but also incorporates copying files, scanning file systems, and looking for the types of changes that ransomware causes.
Your goal is to have a solution on board that can very reliably detect the aftermath of an infection. This is fully possible since in the wake of an attack, there will be detectable changes in the file and directory structure, including mangled filenames. There may even be malformed files, like a JPEG file that actually isn’t a valid JPEG. Using new technologies, a customized solution could even examine the mathematical properties of a file to determine whether it has been encrypted or not.
In short, the best response to ransomware is to enlist these types of features with the goal of proactively protecting your backups from the threat of ransomware. The ideal solution works in three ways to provide this defense system:
- Detection. This feature specifically looks for ransomware-corrupted files.
- Protection. This gives the ability to stop ransomware from infiltrating your backups as well as from attacking the backups themselves.
- Response. You also need alerting functionality that informs the administrator immediately when an infection is detected, ideally via both email and SMS to avoid any email lags.
To understand how this proactive approach works, think of the first layer of defense as an active shield around your backups that’s constantly on, 24/7. Since on-premise backups are always in danger of being attacked by ransomware, this solution gives you a wall between the backups and any unauthorized processes that might try to access them. A great way to achieve this is by using a Windows Device Driver that stays very low in the stack and shields the backup from corruption.
The second layer of defense incorporates detection, preservation, alerting, and recovery—a powerful combo that works with on-premise and cloud backups. The solution starts by running a backup but doesn’t stop there—it then automatically scans the file system to detect files that have been encrypted by ransomware. If any are found, the solution immediately goes into lockdown mode to preserve the last clean backup, disable future backup jobs, and alert the administrator about the attack via email and SMS. From there, it’s a much easier task for the administrator to activate a response plan that involves recovering from backup—and with this solution in place, they’ll have a clean backup to recover from, not a corrupted one.
Full-Court Press: Your Defense Ecosystem
At the same time that you bring on board this type of reactive defense system, you want to maximize your existing active defense end-point security as well. Reactive defense is meant to complement whatever forms of active defense you already have in place, providing an extra layer of protection for the backup itself to help you recover your data. So it’s as important as ever to educate users on the front end about social engineering, put up network firewalls, and leverage email filtering and AV/anti-malware software to try to keep the threats out.
But since we know that infections will continue to happen no matter how strong your active defense system is because ransomware can blast through these defenses and infect your server, it’s vital to employ reactive defenses as well. These give you a wall to protect your backups so if the worst happens, you have a last line of defense and a clean backup from which to recover. In fact, it is only once you have this full, two-pronged defense ecosystem in place that your business data is truly protected.
When you use this one-two punch, it’s basically like giving yourself both the benefits of a bouncer at a nightclub who is focused on detecting potential threats, trying to stop them from entering and evicting anyone who gets dangerous—and also having a time machine or “undo button” to go back in time to protect your content, roll back the damage, and recover data to the state it was in before the infection. So while you can’t always beat ransomware attackers before they infiltrate, you can outsmart them by having a clean backup in place that will preserve your data—even if cybercrooks penetrate all of your active defenses.
Linus Chang, Founder and CEO at BackupAssist
Image Credit: Nicescene / Shutterstock