Outmaneuvering the Ransomware Cybercriminal – How to Stay One Step Ahead
By Roderick Bauer – Marketing Director at Backblaze
If you have been hit by a ransomware attack, you will understand why the WannaCry ransomware attack of 2017, which affected over 200,000 computers around the world and caused damage estimated in the hundreds of millions to billions of dollars, was named just that. When you get hit by a ransomware attack, that is exactly what you want to do. The message, “We have gained access to your computer and your files have been encrypted. If you want your data back, you’ll need to pay us…” has left even the most hardened of IT directors sweating behind their desks.
It’s no wonder. When such an attack takes place, and fingers start to point, it’s typically in the IT Director’s direction. Just ask Brian Hawkins, the former IT Manager for Lake City, Florida. Last month, when the city’s systems were hit and they were forced to pay nearly a half million dollars, he was blamed for the breach and promptly fired. (Note: in a pending lawsuit, Mr. Hawkins said he had warned the city and advised that the purchase of “an expensive, cloud-based backup system” was warranted to avoid this very situation.)
Ransomware Attacks More Prevalent Than Ever
Regrettably, ransomware attacks are becoming commonplace, with 86 percent of small-to-medium enterprises (SMEs) having been victimized by ransomware in 2019 and 56 percent of all malware attacks being caused by ransomware. Ransomware has taken the lead as the single biggest destructive force for business data, exceeding even hard drive failures as the number one reason for data loss, and is costing organizations up to $17 million.
As technology innovation continues to advance and evolve, so too do ransomware and those who design and deploy it, as they have since the first attack occurred in 1989. In that case, under the guise of raising money for AIDS research, computers were attacked via infected floppy disks and, once infected, the demand came for $189 for a return of their files. This of course is a mere drop in the bucket compared to the demands of the modern day.
So why now? Aren’t the good guys as smart – even smarter – than the bad guys? While the ultimate answer is yes, ransomware unfortunately continues to flourish due to a number of factors. Encrypted files are becoming more challenging to decrypt due to highly advanced RSA encryption combined with increasing key sizes. And ransomware is more accessible than ever, with kits being sold on the dark web for as little as $10. Add to this the fact that cryptocurrency has made payments virtually untraceable and irreversible, and you will begin to see why recovery from ransomware has become more difficult – and many times, impossible – causing the cost to business to rise to more than $75 billion per year.
Outmaneuvering the Cybercriminal – How to Stay One Step Ahead
So, what can you do if your company falls victim to an attack? The first thing to do would be to isolate any infected computers and remove them from the network to help ensure the malware doesn’t continue to spread. Then, you should start to assess the damage by determining the origins of the infected file and identifying others that were affected.
Once you have excised the infection and halted the malware from corrupting additional files and applications on your network, your thoughts should turn to your backup strategy. The key point here is that hopefully, you had a Plan B. And here your best (and perhaps only) strategy was to have deployed either a backup or sync solution (see the next section for a warning about using sync) that moved your data physically offsite and off of your network. If you did that, you are more prepared than most. However, this level of preparedness is rarely tested against the exact scenario for which it’s required.
Time to Restore
When it comes time to restore, after the ransomware attack, the following concerns will typically top your list (although there are remedies):
1.) The ransomware has infected the backups
Many people confuse cloud sync services with backup. If you are using a sync solution, and the syncing process is happening during the time of the attack, the newly infected files are going to automatically sync to the cloud, therefore infecting your entire backup set.
The remedy: This situation can be avoided if you are using backup software that offers multiple versions of your files. In other words, in order to be able to restore quickly and completely, your backup software solution needs to save the original file as it is the first time it is backed up, and then create a new backup file with every change made. In this way, if a file were to become encrypted by ransomware, you simply restore to a prior version of the file(s) that existed just before the attack.
2.) Restoring data will be burdensome and time-consuming
It is likely that a large dataset or multiple datasets will be affected in a ransomware attack. If this is the case, then restoring data stored on the cloud will likely be a long and tedious process, taking away valuable time that could be dedicated to activities that affect your organization’s bottom line.
The remedy: The employment of snapshots will help you to eliminate this concern. Snapshots enable the restoration of all data from a specific point-in-time, which is critical when confronting the effects of ransomware. The ideal backup solutions providers offer the ability to take a snapshot of your data and archive that snapshot in the cloud (even multiple clouds concurrently). Others take it one step further and ship USB drives to their customers containing the archived data.
3.) Human error – not all critical data was backed up
There has been much research done in the area of data loss, and many pundits agree, the leading cause is… human error! We are only human, and however vigilant and dedicated we are, making mistakes is only natural. Unfortunately, a human mistake could have serious long-term business, legal, regulatory and financial ramifications for your organization. Whether the mistake was forgetting to save something, accidentally leaving a laptop on a plane, or not adhering to the exact backup procedure (i.e., requiring employees to save files, to a specific file, in a specific order for it to be correctly backed up…), it happens.
The remedy: The most effective backup solutions are the ones that are easiest for the end users and require the least amount of human intervention. It is best practice to invest in a backup process that automatically backs up all user-generated data by default. It should always be viewed as the responsibility of the backup solutions provider to protect business data, regardless of where the end user saves it.
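To make remedies 1 and 2 concrete, here is an added example (not from the original article or from any backup vendor's code) that models a sync service next to a versioned backup and then restores a point-in-time snapshot from just before the attack. The class names, file names, integer timestamps and the XOR stand-in for encryption are all constructed for illustration, and the model assumes the infected machine can only append to the backup store, never delete from it.

```python
import hashlib
from bisect import bisect_right

class SyncMirror:
    """Sync service model: one copy per path, overwritten on every change."""
    def __init__(self):
        self.files = {}

    def push(self, path, data, ts):
        self.files[path] = data  # previous content is lost

class VersionedBackup:
    """Versioned backup model: every change appends a new immutable version."""
    def __init__(self):
        self.blobs = {}    # sha256 hex -> content (deduplicated)
        self.history = {}  # path -> list of (timestamp, sha256), ascending

    def push(self, path, data, ts):
        digest = hashlib.sha256(data).hexdigest()
        versions = self.history.setdefault(path, [])
        if versions and versions[-1][1] == digest:
            return  # unchanged since the last backup, nothing to store
        self.blobs[digest] = data
        versions.append((ts, digest))

    def restore_as_of(self, ts):
        """Point-in-time snapshot: newest version of each path at or before ts."""
        snapshot = {}
        for path, versions in self.history.items():
            idx = bisect_right([t for t, _ in versions], ts)
            if idx:  # paths first seen after ts are left out of the restore
                snapshot[path] = self.blobs[versions[idx - 1][1]]
        return snapshot

def simulate():
    # Constructed sample data; timestamps are plain integers (e.g. minutes).
    originals = {"q3-report.docx": b"quarterly numbers", "payroll.xlsx": b"salaries"}
    mirror, backup = SyncMirror(), VersionedBackup()
    for path, data in originals.items():
        mirror.push(path, data, ts=100)
        backup.push(path, data, ts=100)
    # At ts=200 every file is rewritten and both agents upload the change.
    for path, data in originals.items():
        encrypted = bytes(b ^ 0x5A for b in data)  # stand-in for encryption
        mirror.push(path, encrypted, ts=200)
        backup.push(path, encrypted, ts=200)
    # A ransom note dropped at the same time is backed up as well.
    backup.push("README_DECRYPT.txt", b"pay us", ts=200)
    return originals, mirror.files, backup.restore_as_of(199)
```

The sync mirror ends up holding only the encrypted copies, while the versioned store returns every original file and leaves out the ransom note, because that file has no version at or before the chosen restore time.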
The Best Plan is to Deploy a Plan A, B and C
For most organizations it is not a question of “if” you will be hit by a ransomware attack, but rather “when.” (This unfortunately holds true for many individuals as well, but that’s a discussion for another day.) As ransomware becomes more ubiquitous and cybercriminals continue to develop and evolve their techniques and technologies, it is imperative that your organization has a solid backup solution so that normal operations can resume easily and quickly following an attack.
Ensuring that your backup procedures address the three key concerns mentioned above can be the difference between suffering a ransomware attack that has lasting effects for your organization (and potentially your career) and thwarting an attack altogether. It’s essential to make sure that your data is backed up and unreachable by ransomware infection, which will ensure that your downtime and data loss are minimal, even none at all, if/when you suffer an attack.
About the author:
Roderick Bauer is a marketing director at Backblaze, a world leader in computer backup and data storage. Bauer has held marketing, engineering and product management positions with Adobe, Microsoft, Autodesk and several startups. He’s served as a consultant to Apple, Microsoft, Hewlett-Packard, Stanford University, Dell, the Pentagon and the White House.