Considering more than 25% of malware incidents last year were ransomware attacks, the increase in the success rate of these attacks shows that organizations are struggling to contain ransomware. Even so, there are ways enterprises can protect themselves from being held ransom by cybercriminals.
The Ongoing Ransomware Battle
According to Gartner’s strategic planning assumption, by 2025, three-quarters of IT organizations will face one or more ransomware attacks. Considering the value of mission-critical data, ransomware is rapidly becoming the greatest threat to data. The increase in the frequency and spread of ransomware can, unfortunately, be attributed to technological trends such as greater adoption of cloud computing and increased digitization. Increased adoption of the internet of things (IoT) and the current surge in remote work provide a greater attack surface for threat actors. But why is ransomware so attractive?
Carrying out a ransomware attack is as simple as it has ever been. It is popular with cybercriminals because it provides a low-risk way of getting money. Furthermore, threat actors hide behind the absence of extradition treaties between their own countries and the countries they target. When successful, these attacks provide large rewards, as the ransom demanded is often astronomical.
The emergence of ransomware as a service (RaaS) further complicates the battle against ransomware, as these kits can be bought on the dark web. Buying a ransomware kit for hundreds of dollars, with the prospect of making thousands of dollars at the very least off of a victim, becomes an investment for cybercriminals. Additionally, cybercriminals are taking advantage of blockchain technology as their platform for receiving ransom payments. Cryptocurrencies make it difficult for authorities to trace ransom transactions.
Threat to Backups
As ransomware attacks grow more sophisticated, they increasingly focus on backup data. Ransomware is deployed as part of a more expansive attack with a systematic goal. The first phase is often to stealthily penetrate the network, which could be through compromised credentials or malware. This is often followed by gaining access to the credentials of critical administrative accounts, and then by an attack on the backup admin console.
To identify where critical data is stored, one would have to obtain access to the backup system. Ransomware takes advantage of this, with the knowledge that compromising the backup console would allow it to carry out more fine-tuned attacks on data, which ultimately provides a clear path to data theft.
Since ransomware is evolving at an alarming rate, organizations may struggle to understand the scope and nature of these attacks. Consequently, their response to such attacks may be off the mark. Many organizations inadvertently approach data backup in a flawed manner, leaving their backups vulnerable to ransomware. Practices such as storing backups on the same network as the primary data or assuming that access credentials are near impossible to compromise invite cybercriminals to deploy ransomware.
Moreover, because no single solution can wholly safeguard an organization from ransomware attacks, organizations cannot rely solely on existing tools. Organizations are realizing that, on top of the responsibility of effectively carrying out and maintaining backups, they have to go above and beyond to stay ahead of the ever-evolving threat of ransomware or else face the prospect of paying hefty ransoms.
Securing Backups from Ransomware
Compression and deduplication
Having a large amount of data in motion to your replicated copies presents cybercriminals with an opportunity to seize your data. Furthermore, if you do not compress your data, the restoration process becomes not only inconvenient but also costly in terms of time and money. Attackers may take advantage of such circumstances.
Through deduplication, the redundant data fragments in your backups are identified and reduced while compression reduces the bits required to represent data. This not only improves storage efficiency but also places more layers of abstraction on your data which may frustrate threat actors in their attempts to access and control your data.
Backup with immutable storage
It is worth having a copy of your backup in immutable storage to boost your ability to recover from ransomware. Through immutable storage, which can be described as write-once-read-many (WORM) storage, you are assured that data cannot be tampered with once written to storage. Except for a set deletion approach based on your data retention policy, your data is prevented from being modified or deleted. Furthermore, ransomware cannot encrypt your data.
Backup storage solutions taking advantage of the immutability of blockchain technology are presenting users with a publicly verifiable method to ascertain the authenticity of their data.
Air gap measures
To frustrate attackers, you should implement air gaps between systems. An air gap means that backup systems are connected neither to other devices nor to other networks, to guard against the risk of compromise. There are two types of air gaps that can be introduced between your backup copies: physical and virtual air gaps.
Physical air gaps involve backing up data on systems that are not connected to your network. When done correctly, ransomware is unable to infect all copies of your backup data. On the other hand, when you use different types of operating systems, accounts, storage, and environments for each backup data copy, you are establishing virtual air gaps.
Modern threat actors are bypassing perimeter defenses with alarming ease. Everyone, whether inside or outside a backup environment, could be a threat. Furthermore, ransomware magnifies this risk as it can take advantage of compromised access credentials. As such, the zero-trust approach treats any incoming connection to a backup environment as a threat until proven otherwise.
One way to implement this is to require separate account access for your backup environment, then add a layer of multi-factor authentication to beef up security.
Automated detection and response
Ransomware may stealthily spread through an enterprise’s system for months before the surprise of a ransom demand. One way to fortify your backups against such a scenario is to use automated solutions that detect and prevent malware in your backup environment. Potential ransomware attacks can be flagged by solutions that keep an eye out for inconsistency in data patterns.
However, if such solutions require human oversight, a ransomware attack timed when there is no one overseeing the solution will be successful. An automated solution covers your bases in the event of an attack since the detection and response process, such as deciding and executing quarantine measures, is not dependent on the availability of a human overseer.
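One way such a check could work, as an added example that is not from the original article or any product: compare each new backup snapshot with the last good one, flag files whose byte entropy jumps to near-random (a common side effect of encryption), and choose between accepting and quarantining the snapshot without an operator. The thresholds, file names and sample data are constructed assumptions.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted data, lower for plain documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess_snapshot(previous, current, high=7.0, jump=2.0, max_ratio=0.3):
    """Compare two snapshots ({path: bytes}) and pick an action with no operator.

    Thresholds are illustrative assumptions, not values from any product.
    """
    suspects = []
    for path, new in current.items():
        old = previous.get(path)
        if old is None or old == new:
            continue  # new or unchanged file: nothing to compare
        before, after = shannon_entropy(old), shannon_entropy(new)
        # Flag only a *jump* to high entropy, so archives and media that were
        # already compressed in the last snapshot do not raise false alarms.
        if after >= high and after - before >= jump:
            suspects.append(path)
    ratio = len(suspects) / max(len(previous), 1)
    action = "quarantine" if ratio >= max_ratio else "accept"
    return {"action": action, "suspects": sorted(suspects), "ratio": ratio}

# Constructed sample data: uniform bytes stand in for encrypted file content.
TEXT = b"Quarterly report: revenue, costs, headcount.\n" * 50
UNIFORM = bytes(range(256)) * 16
LAST_GOOD = {"report.txt": TEXT, "notes.txt": TEXT[::-1], "media.zip": UNIFORM}
ROUTINE = {"report.txt": TEXT + b"Addendum.\n", "notes.txt": TEXT[::-1],
           "media.zip": UNIFORM[::-1]}
SUSPICIOUS = {"report.txt": UNIFORM, "notes.txt": UNIFORM[::-1],
              "media.zip": UNIFORM}

if __name__ == "__main__":
    for name, snap in (("routine", ROUTINE), ("suspicious", SUSPICIOUS)):
        print(name, assess_snapshot(LAST_GOOD, snap))
```

A quarantined snapshot should be kept out of the retention rotation so it cannot age out the last known-good copy.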
Test your backups
Large enterprises may find creating a comprehensive backup strategy to be complicated since they strive to protect different types of data and systems. The recovery process may prove to be quite difficult. As such, enterprises may carry out backups but fail to continuously test their recovery processes.
A failure to periodically test your recovery processes may be exposed when you are attacked by ransomware and face a dilemma between paying the ransom and carrying out the cumbersome recovery process you may have been avoiding. It is key to familiarize yourself with the process through restoration exercises, so that carrying out recovery is the obvious choice in the event of an attack.
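A restoration exercise can be scripted so that it runs on a schedule. The following added example (not from the original article) restores a backup into a scratch directory and verifies every file against a SHA-256 manifest recorded at backup time. The directory layout and sample files are constructed, and `shutil.copytree` stands in for whatever restore command your backup tool provides.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def build_manifest(root: Path) -> dict:
    """Record {relative path: SHA-256} at backup time; keep it apart from the backup."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def restore_drill(backup: Path, manifest: dict) -> dict:
    """Restore into a scratch directory and verify every file against the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch) / "restored"
        shutil.copytree(backup, target)  # stand-in for the real restore command
        restored = build_manifest(target)
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(p for p in manifest
                       if p in restored and restored[p] != manifest[p])
    unexpected = sorted(set(restored) - set(manifest))
    return {"ok": not (missing or corrupted or unexpected),
            "missing": missing, "corrupted": corrupted, "unexpected": unexpected}

def demo() -> tuple:
    """Constructed scenario: a clean drill, then a drill after the backup is damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup = Path(tmp) / "source", Path(tmp) / "backup"
        (source / "db").mkdir(parents=True)
        (source / "db" / "orders.csv").write_text("id,total\n1,9.50\n")
        (source / "readme.txt").write_text("constructed sample data\n")
        manifest = build_manifest(source)
        shutil.copytree(source, backup)
        clean = restore_drill(backup, manifest)
        # Simulate silent damage to the backup copy between two drills.
        (backup / "db" / "orders.csv").write_bytes(b"\x00" * 16)
        (backup / "readme.txt").unlink()
        damaged = restore_drill(backup, manifest)
    return clean, damaged

if __name__ == "__main__":
    for label, report in zip(("clean", "damaged"), demo()):
        print(label, report)
```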