Ransomware is like the seasonal flu – it keeps coming back, it’s tough to avoid and recovery can be painful. What is even more troubling is that new versions of ransomware appear frequently, also much like the flu. If ransomware encrypts your data it can be lost forever unless you prepare by backing up your data.
A recent Beazley Breach Insights report shows a 37% increase in the number of reported ransomware incidents in the third quarter of 2019 compared with the previous three months, and almost a quarter of those incidents came in through an IT vendor or managed service provider (for example, through remote management access).
Despite the best of intentions, there is always a chance of infection. If prevention fails, the preferred option is rapid detection and isolation followed by restoration from backup. That only works, however, if the backup files have not been compromised as well.
How Ransomware Works
Most ransomware comes in one of two basic flavours: the more common type encrypts data and files, while the other type locks the user out of the computer altogether. Well-known examples include Cryptolocker (2013), Cryptowall (2014), Petya (2016), WannaCry (2017) and Bad Rabbit (2017). The scale of the problem is illustrated by ID Ransomware’s claim that it can identify nearly eight hundred different ransomware variants.
Ransomware typically spreads through phishing emails carrying malicious attachments, but it also arrives through malicious advertising, “drive-by” downloads from compromised websites, exposed remote access services and unpatched vulnerabilities. Once it runs, the malware encrypts the user’s data so that it is unreadable without the decryption key. The criminal then demands payment, usually in Bitcoin and anywhere from a few hundred dollars to hundreds of thousands of dollars, in exchange for that key. With luck, paying the ransom solves the immediate problem, but there is no guarantee the key will actually be delivered (they are criminals, after all!) or that the attack will not be repeated.
A recent public sector example illustrates how severe the disruption can become. A Canadian government body was recently the victim of a ransomware attack. One news report indicated that, in addition to payment, the attacker asked for information that might have paved the way for future attacks. A later update indicated that the backup data had been recovered, so that not paying the ransom was a feasible choice. Even with the backups in hand, returning to normal operations was expected to take several weeks, and the effort to restore all the systems was significant.
Good Practices for Data Protection
You may ask whether these costly situations can be avoided. The basic approach is to reduce the opportunities for infection in the first place, and then to back up the data to protected storage as an insurance policy.
Here are some of the best practices that reduce the chances of a successful malicious attack:
- Education and training: Phishing depends on a person opening an infected file or link, so removing temptation, raising awareness and promoting vigilance are major deterrents;
- Email blacklisting/whitelisting: Anything that blocks phishing emails or reduces the likelihood of opening an unsafe one is desirable, since email is a major source of malware;
- Antivirus and anti-malware programs: Endpoint protection tools that catch known attacks and detect unusual behavior are a good first line of defense;
- Updates and patching: Keeping operating systems and applications patched reduces the number of exploitable vulnerabilities; and
- Software installation: New software should not be installed, or granted administrative privileges, without first doing due diligence and testing.
Data Backup and Recovery – What You Need to Know
Keeping copies of critical data is always worthwhile, but it is not enough to copy it to the same computer’s disk or even to an external drive that stays connected, since ransomware encrypts any attached or mapped drive it can reach. The accepted practice is the 3-2-1 rule: keep at least three copies of your data, on two different media, with at least one copy stored offsite.
A backup infrastructure should follow these practices:
- Backup isolation: Traditionally achieved by ejecting the tape cartridge, isolation can also be achieved with hardened backup servers or virtual machines, or with cloud-based backup storage, that cannot be reached directly from the on-premises network;
- Backup frequency: Multiple backups per day, especially for critical data, shorten the Recovery Point Objective (the amount of work that can be lost between the last backup and an incident); important data should be identified, copied regularly and placed in highly protected storage;
- Multiple versions: Retaining several restore points makes it possible to roll back to a snapshot taken before the infection, and older restore points can be made immutable so that they cannot be altered afterwards; and
- Backup monitoring: Intelligent monitoring that uses analytics to identify which backups contain malware or encrypted data, and prevents them from being restored alongside clean data, also contributes to resilience.
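Backup monitoring needs a concrete signal to act on. The following is an added example, not Veeam’s or ThinkOn’s code: it compares two consecutive restore points (modelled as path-to-bytes dictionaries, with the sample files constructed inline) and flags the newer one as suspect when most files changed and most of the changed files have the near-8-bits-per-byte entropy of encrypted data. The thresholds and the sample data are assumptions for the example.

```python
"""Flag a restore point that looks ransomware-encrypted by comparing it with the
previous one.  Added example; not Veeam's or ThinkOn's code.  Snapshots are
modelled as {path: bytes} dictionaries and the sample files are constructed here."""
from __future__ import annotations

import math
import random
from collections import Counter
from dataclasses import dataclass

# Thresholds are assumptions for this example; tune them against your own data.
HIGH_ENTROPY_BITS = 7.5      # compressed/encrypted data sits near 8 bits per byte
CHANGED_RATIO_LIMIT = 0.5    # share of files touched since the last restore point
ENCRYPTED_RATIO_LIMIT = 0.5  # share of touched files that look encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass(frozen=True)
class Verdict:
    changed_ratio: float    # files deleted, modified or created since the previous point
    encrypted_ratio: float  # share of changed files still present whose content is high-entropy
    suspect: bool


def assess_restore_point(previous: dict[str, bytes], current: dict[str, bytes]) -> Verdict:
    """Compare two consecutive restore points.

    Only files that changed between the two points are entropy-checked, so a
    clean snapshot full of JPEGs or ZIPs (legitimately high entropy) does not
    trip the detector; a mass rewrite to random-looking bytes does.  A rename to
    'file.txt.locked' shows up as one deletion plus one new high-entropy file.
    """
    all_paths = set(previous) | set(current)
    if not all_paths:
        return Verdict(0.0, 0.0, False)
    changed = {p for p in all_paths if previous.get(p) != current.get(p)}
    present = [p for p in changed if p in current]
    encrypted = [p for p in present if shannon_entropy(current[p]) >= HIGH_ENTROPY_BITS]
    changed_ratio = len(changed) / len(all_paths)
    encrypted_ratio = len(encrypted) / len(present) if present else 0.0
    suspect = changed_ratio >= CHANGED_RATIO_LIMIT and encrypted_ratio >= ENCRYPTED_RATIO_LIMIT
    return Verdict(changed_ratio, encrypted_ratio, suspect)


# --- constructed sample data (not real backups) --------------------------------
_rng = random.Random(2019)  # fixed seed so the example is deterministic


def _random_bytes(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


def _text(lines: int) -> bytes:
    return ("quarterly revenue figures, do not distribute\n" * lines).encode()


CLEAN = {f"finance/report_{i}.txt": _text(50 + i) for i in range(10)}
CLEAN["photos/team.jpg"] = _random_bytes(4096)  # stands in for a compressed image

# Ordinary day: one report edited, nothing else touched.
NORMAL_DAY = dict(CLEAN)
NORMAL_DAY["finance/report_0.txt"] = _text(200)

# Ransomware day: every report replaced by random bytes under a new extension and
# the original removed; the image was left alone.
ENCRYPTED_DAY = {"photos/team.jpg": CLEAN["photos/team.jpg"]}
for _path in CLEAN:
    if _path.endswith(".txt"):
        ENCRYPTED_DAY[_path + ".locked"] = _random_bytes(4096)

if __name__ == "__main__":
    for label, snap in (("normal day", NORMAL_DAY), ("encrypted day", ENCRYPTED_DAY)):
        v = assess_restore_point(CLEAN, snap)
        print(f"{label}: changed={v.changed_ratio:.2f} "
              f"encrypted={v.encrypted_ratio:.2f} suspect={v.suspect}")
```

The delta approach is the important design choice: checking entropy over a whole snapshot would flag every archive and image in a clean backup, whereas checking only what changed since the last restore point isolates the mass rewrite that encryption produces. A restore point flagged this way should be quarantined from automated restore jobs, which is the "prevent them from being restored along with other data" step above.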
The Looming Threat to Cloud Backups
There are a number of ways to gain access to a customer’s backup console and delete backups, including off-site copies stored in a cloud repository. The actor could be a rogue local administrator, an external attacker who has obtained the console credentials, or malware designed to destroy backups before encrypting production data. Accidental deletion through configuration errors, such as an incorrect retention period, is also a possibility. The question that remains is: if your primary data is compromised, how can you be sure your backup data is safe?
Ransomware recovery fundamentally depends on having a backup copy of your data. Recovery is most effective when that copy is current, available and not itself compromised. One way to ensure this is to “hide” a copy of the backup data in storage that is not reachable from the customer’s network or backup console. Because this shadow copy is not under the control of the customer’s backup manager, and a manual request to the provider is required to restore from it, no credential stolen from the customer environment can reach it: it is effectively air-gapped, logically rather than physically. The files in the hidden repository cannot be overwritten or changed in any way.
With this feature enabled, when a backup or a specific restore point in the backup chain is deleted or ages out of the cloud repository, the backup files are not deleted immediately; instead they are moved to an invisible, near-immutable repository. Recovery from there is a protected process that requires manual intervention.
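The shadow-repository behaviour described above can be sketched as a small model. This is an added example, not RansomGuard’s or Veeam Cloud Connect’s code: the class boundary between TenantRepository and ShadowRepository stands in for the credential boundary between the customer console and the provider, days are plain integers, the hold period and ticket reference are assumed values, and the scenario data is constructed inline.

```python
"""Model of a 'shadow' mirror for soft-deleted restore points.  Added example;
not RansomGuard's or Veeam's code.  The class boundary stands in for the real
credential boundary between the tenant console and the provider."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class RestorePoint:
    point_id: str
    created_day: int  # days are plain integers to keep the example deterministic
    payload: bytes
    digest: str       # SHA-256 of payload, recorded when the point was written

    @staticmethod
    def create(point_id: str, created_day: int, payload: bytes) -> "RestorePoint":
        return RestorePoint(point_id, created_day, payload, hashlib.sha256(payload).hexdigest())


class ShadowRepository:
    """Provider-side store that tenants cannot list, read or delete.

    Every soft delete lands here.  The only way out is an operator-driven
    restore tied to a ticket reference, and nothing is purged until an
    independent hold period (assumed value) has elapsed after the deletion.
    """

    def __init__(self, hold_days: int) -> None:
        self._hold_days = hold_days
        self._hidden: dict[tuple[str, str], tuple[RestorePoint, int]] = {}
        self.audit: list[str] = []

    def _receive(self, tenant: str, point: RestorePoint, deleted_day: int) -> None:
        # First copy wins: a later upload under a reused id cannot overwrite it.
        self._hidden.setdefault((tenant, point.point_id), (point, deleted_day))

    def hidden_count(self, tenant: str) -> int:
        return sum(1 for t, _ in self._hidden if t == tenant)

    def operator_restore(self, tenant: str, point_id: str, ticket: str) -> RestorePoint:
        point, _ = self._hidden[(tenant, point_id)]
        # Verify the payload against the digest recorded at write time before handing it back.
        if hashlib.sha256(point.payload).hexdigest() != point.digest:
            raise RuntimeError(f"{point_id}: payload does not match recorded digest")
        self.audit.append(f"restore tenant={tenant} point={point_id} ticket={ticket}")
        return point

    def purge_expired(self, today: int) -> int:
        expired = [k for k, (_, day) in self._hidden.items() if today - day >= self._hold_days]
        for k in expired:
            del self._hidden[k]
        return len(expired)


class TenantRepository:
    """Everything the customer's backup console, and anyone holding its
    credentials, can reach.  Delete and age-out are moves into the shadow."""

    def __init__(self, tenant: str, shadow: ShadowRepository, retention_days: int) -> None:
        self._tenant = tenant
        self._shadow = shadow
        self._retention_days = retention_days
        self._points: dict[str, RestorePoint] = {}

    def add(self, point: RestorePoint) -> None:
        self._points[point.point_id] = point

    def list_points(self) -> list[str]:
        return sorted(self._points)

    def delete(self, point_id: str, today: int) -> None:
        self._shadow._receive(self._tenant, self._points.pop(point_id), today)

    def expire(self, today: int) -> list[str]:
        aged = [pid for pid, p in self._points.items()
                if today - p.created_day >= self._retention_days]
        for pid in aged:
            self.delete(pid, today)
        return aged


def wipe_and_recover(hold_days: int = 14) -> tuple[list[str], int, bytes]:
    """Scenario: three daily points; on day 4 a compromised tenant admin deletes
    them all; on day 5 an operator restores the newest one from the shadow."""
    shadow = ShadowRepository(hold_days)
    repo = TenantRepository("acme", shadow, retention_days=30)
    for day in (1, 2, 3):
        repo.add(RestorePoint.create(f"rp-{day}", day, f"vm-backup-day-{day}".encode()))
    for pid in repo.list_points():
        repo.delete(pid, today=4)
    recovered = shadow.operator_restore("acme", "rp-3", ticket="INC-1234")
    return repo.list_points(), shadow.hidden_count("acme"), recovered.payload


if __name__ == "__main__":
    print(wipe_and_recover())
```

Two properties carry the protection. First, the tenant side has no method that lists, reads or purges the shadow, so a stolen console credential, a rogue administrator or a mistaken retention setting can only move data into it, never out of it. Second, the shadow’s hold period is counted from the deletion and is independent of the tenant’s retention policy, so shortening retention to "age out" every restore point cannot drain the shadow early; restoration checks the recorded digest and leaves an audit entry.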
This extra level of protection is now available with ThinkOn’s RansomGuard, a built-in extension to the popular Veeam Cloud Connect service. RansomGuard integrates seamlessly with Veeam Cloud Connect and is easy both to deploy and to use. It serves as an invisible mirror repository, with underlying air-gap technology, that retains your backup data securely in the event of accidental or malicious deletion. As a user, all you see is your original backup files; your virtualized workloads are saved as a mirror copy that cannot be tampered with and is touched only when a restore is requested.
All in All, Data Protection Cannot be Ignored
Disaster recovery should be part of your comprehensive availability strategy to avoid the risk of catastrophic data loss. Here are some of the protective measures that are essential to mitigating ransomware attacks:
- Do not open unexpected email attachments, even if they appear to come from a familiar source;
- Check any links embedded in emails from unknown sources before clicking them;
- Use anti-malware software; and
- Back up your files regularly to a well-protected, cloud-based repository.
Once you have a robust backup infrastructure, protecting the backup files themselves goes a long way toward ensuring your data remains secure against both ransomware attacks and rogue or clumsy administrators.