Using Backups to Turn the Tables on Ransomware
When an enterprise gets hit with ransomware, the fundamental question is whether the cost of downtime is greater than the cost of paying the ransom. Once the ramifications of frozen data—financial and otherwise—lost revenue and productivity and the intangible cost of a damaged reputation are added up, it’s no wonder many organizations decide to just pay up. In most cases, however, this turns out to be a pyrrhic victory, at best. According to a recent survey by Sophos, organizations that knuckle under typically receive only 65% of their data back, usually because of faulty decryption keys or additional ransom demands. What’s more, there’s always the chance of another attack once you’ve outed yourself as an easy mark. In fact, there is no guarantee that another malware bot is not already lurking somewhere in your backup files, waiting weeks or even months to shut you down all over again—only this time your backup is corrupted as well.
State-sponsored malware and cyberwarfare are coming to the fore, especially after Russia’s invasion of Ukraine. U.S. president Joe Biden has encouraged the private sector to step up and ‘lock its digital doors’ as companies of all shapes and sizes will increasingly become targets.
Layer up Against Ransomware Attacks
Since it is not possible to implement 100% protection from ransomware, the appropriate strategy is to make yourself as resilient to attacks as possible. This means not just thwarting breach attempts to the fullest extent possible but ensuring that systems and data can be restored quickly and non-disruptively. Everyone from the smallest MSP to the largest enterprise should implement a layered, intelligent defense model that stresses recovery first, using restored files that are guaranteed to be free of malicious code.
This is becoming more challenging given the widening distribution of the enterprise data footprint. With the cloud and now the edge supporting such large portions of the data workload these days, the number of attack vectors has skyrocketed. Vulnerabilities are growing in line with the increased attack surface that now exists across on-premises infrastructure, cloud infrastructure (public, private and multi-cloud), SaaS applications and endpoint devices.
All the while, most data architectures and configurations remain stuck in the single-data center past, further increasing their vulnerability. It has gotten to the point that many organizations may not even know if critical data is being backed up or, at the very least, lack the visibility needed to retrieve it in an emergency.
Whether data is in an Azure virtual machine or Microsoft 365, it is still under threat from cyberattacks and insider threats–and most SaaS applications now stress the need for a separate backup.
Fortunately, new techniques have emerged that specialize in protecting the security gaps that exist in distributed architectures. A strategy called defense-in-depth has shown a remarkable ability to identify zero-day threats, which are responsible for a large number of theft and extortion attacks. Many organizations are also starting to see the benefits of using different malware-detection tools for live data and backup stores. Doing this enables multiple signature checks to better spot malicious files.
Further, artificial intelligence (AI) is making its way into backup and threat-detection architectures, heightening the ability to not only target ransomware but enhance the overall health of the backup environment as well.
Backups and a Layered Defense
The key to defeating ransomware, then, is not just to back up files but to ensure they are safe and healthy to support rapid recovery and restoration of business processes. A layered defense is still important to make it as difficult as possible to carry out a successful attack, but by adopting a recovery-first strategy you also limit the damage of an attack so perpetrators look elsewhere for a more profitable, easier-to-take-down quarry.
Here are the key elements of a recovery-first approach:
• Encryption: Whether at rest or in motion, all primary and backup data should remain encrypted. This prevents the attacker from seeing what they stole and using it for extortion or sale. Primary data should be saved on native arrays while backups can be handled by software. As well, key controls should be split among multiple admins to further complicate unlawful access to data.
• The 3-2-1-1 Rule: The longtime standard procedure in backup circles calls for three copies of data to be stored on at least two different media with one of them being offsite. A newer iteration (3-2-1-1) recommends two offsite copies, one online and one offline, with the offline version being the ultimate recovery source following a ransomware attack.
• Change Prevention: Encrypted data can still be accessed with a key, but fully tamper-proof copies cannot be changed, in theory at least. There are always workarounds to any tamper-proof software–such as system or policy changes that can still make data difficult to access–so it’s important to ensure tamper-proof copies are fully resistant to meddling.
• Disconnection: Primary and backup infrastructure should not just be separated; they should be physically disconnected from one another. This makes it impossible to corrupt both data sets. Control and data paths should likewise be isolated from one another to stifle ransomware’s ability to spread. And no, just pushing backup to the cloud is not enough, as there can still be avenues for bad code to spread from one to the other if the environment is not configured correctly.
• Intelligence: AI has greatly enhanced the ability to scan even the largest volumes of data for malware, and it can be further trained to automatically isolate zero-day threats for removal. This enables a high level of trust that data is safe and that recovery can be implemented quickly and effectively if access is lost. And it does this in a largely automated fashion that would otherwise require an army of technicians to accomplish.
Turning the Tables
Ransomware is only successful because it has proven to be highly profitable, and the number of attacks reported each year is on the rise. In fact, they doubled from 2020 to 2021, according to NCC Group’s most recent Annual Threat Monitor.
This means hackers are going after softer targets–mid-tier and small enterprises–rather than the more lucrative but difficult-to-crack Fortune 500.
Considering the damage that a successful attack can do to the business model, it’s time for all organizations, large and small, to start fighting back. Foremost, all should focus on taking away the profitability of ransomware by becoming more resilient to data theft and system lockdown. There is no more effective way to turn the tables on perpetrators than by hitting them where it hurts the most: Their pocketbook.
