As ransomware groups develop more creative strategies to exploit IT vulnerabilities and encrypt data, enterprises are working to keep up by implementing new solutions to protect their storage systems from ransomware.
For storage companies, keeping data secure is one of their primary operational objectives. They accomplish this not only by backing up all data but also by setting up recovery strategies. But recent ransomware tactics, such as double extortion, are making data protection more difficult and backups less effective as a ransomware defense.
If your company is considering how to best secure its storage systems against ransomware, this guide offers several key ransomware security strategies for stored data:
Practical Ransomware Protection for Storage
- Ransomware Targets Stored Data
- The Massive Ransomware Problem
- Dependence on Single Solutions and Backups
- Guide to Protecting Data and Storage Systems from Ransomware
Ransomware Targets Stored Data
Stored data is a precious commodity, so much so that ransomware groups target it above other IT resources. They know how important customer data is to enterprises, not only because it helps organizations more effectively run operations, but also because data protection is crucial to maintaining finances and reputation.
In short, in the war against ransomware, storage systems are a prime target.
The Massive Ransomware Problem
Ransomware groups have been plaguing companies regularly since the early 2010s, but they didn’t gain widespread attention until the COVID-19 pandemic. During the pandemic, the rapid shift to remote work forced enterprises to perform IT tasks through home offices, which often don’t have the protection of company servers and networks.
Ransomware providers have been thriving for the past two years, exploiting businesses that are behind on security. At the beginning of the work-from-home period, they designed scams around proposed COVID solutions, like video conferencing tools and masks.
If a company’s storage systems are breached and found to be noncompliant through a ransomware attack, the business could be saddled with fines in addition to the ransom they may or may not pay. Some organizations have gone out of business after a single ransomware attack.
Ransomware attacks cost businesses approximately $20 billion globally in 2021. And 37% of businesses surveyed by security provider Sophos were attacked by ransomware in 2021.
The ransom amounts that ransomware providers demand have increased: in its ransomware threat report for the first half of 2021, Palo Alto Networks found that the average ransomware payment increased 82% to $570,000, from over $312,000 in 2020. For instance, CNA, an insurance company, was hit by a ransomware attack in March 2021 and paid $40 million in ransom money.
Some enterprises struggle to recover from a ransomware attack because the encrypted data was not previously backed up: either they’re financially distraught after paying the ransom, or they don’t pay the ransom and lose their data. And businesses don’t always test their backup strategies, either, according to Kevin Haley, security leader at Broadcom Software.
“During a ransomware attack is a horrible time to discover there is a flaw in that strategy,” Haley said. “Test your backups. Implement offline backups that are onsite. Make sure you have backups that are not connected to the network to prevent them from being encrypted by ransomware.
“Verify and test your server-level backup solution. This should already be part of your Disaster Recovery process. Secure the file-level permissions for backups and backup databases. Don’t let your backups get encrypted. Test restore capability. Ensure restore capabilities support the needs of the business.”
These recommendations are methods for creating an advanced backup strategy. Backups help enterprises recover their data after file encryption ransomware attacks.
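Haley's advice to test restores rather than assume they work can be automated. The following is an added example, not code from the article or from Broadcom: it records a SHA-256 manifest of a source tree at backup time, then checks a restored copy against that manifest and reports files that are missing, altered, or unexpected. The directories and file contents are constructed inside a temporary folder so it runs offline.

```python
"""Restore test: hash a source tree into a manifest, then verify a restored
copy against it. Added example, not from the article; all paths and file
contents are constructed."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root, POSIX style) to its digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree with the manifest taken when the backup was made."""
    result = {"ok": [], "missing": [], "corrupt": [], "unexpected": []}
    for rel, digest in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            result["missing"].append(rel)
        elif sha256_file(target) != digest:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    # Files present in the restore but absent from the manifest deserve a look too.
    restored = build_manifest(restored_root)
    result["unexpected"] = sorted(set(restored) - set(manifest))
    return result


def demo() -> dict:
    """Constructed scenario: back up three files, restore them, then simulate
    one altered file and one lost file before verification."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,alice\n")
        (src / "db" / "orders.csv").write_text("id,total\n1,42\n")
        (src / "notes.txt").write_text("quarterly report\n")
        manifest = build_manifest(src)

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        (restored / "db" / "orders.csv").write_text("id,total\n1,9999\n")  # altered
        (restored / "notes.txt").unlink()  # lost in the restore
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest would be written alongside the backup and stored on the offline copy, so that a restore drill compares against a record the ransomware could not have rewritten.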
But ransomware groups have developed a new form of blackmail too: double extortion, which includes threatening to publish enterprises’ data on the internet or dark web if they don’t pay the ransom. Double extortion is particularly problematic because it renders backups useless for avoiding data exposure.
Dependence on Single Solutions and Backups
Warning enterprises about the rapid rise of security tools, Sam Ingalls, a writer at eSecurity Planet, described approaches to fighting ransomware that are more important than just buying the latest piece of protective software.
“After a flurry of high-profile ransomware incidents, cybersecurity vendors aren’t missing the opportunity to pitch their ‘ransomware protection’ solution,” Ingalls said. “Like other buzzwords, organizations must hold some skepticism when evaluating the potential of these products. There is no comprehensive ransomware protection or one-size-fits-all solution on the market.
“Beyond foundational coverage like antimalware, endpoint protection, and a secure backup strategy, optimal ransomware protection means hardening every aspect of organization cybersecurity. Bolstering identity and access management and developing a micro-segmented architecture are essential to limiting a threat actor’s access to valuable network segments and data. The best way to protect against ransomware is avoiding the initial breach altogether.”
Traditionally, enterprises are advised to back up, back up, back up. Store copies offline, make sure you have reliable backup systems, and have recovery procedures in place. But even if your organization has comprehensive offline backups, these methods don’t help much when the ransomware provider decides to take a double-extortion approach to the attack. Regardless of backup and recovery capabilities, your sensitive data could still be published if you choose not to pay the ransom.
Guide to Protecting Data and Storage Systems from Ransomware
It’s easy to be overwhelmed when thinking about ransomware — attackers have sophisticated tactics, and they’re familiar with enterprises’ weaknesses. If your company is struggling with an approach to protect your data and storage environments from ransomware, consider implementing these solutions:
Securing Remote Desktop Protocol
One of the prime targets for ransomware groups is Remote Desktop Protocol (RDP), a protocol used frequently during the pandemic that allows employees to access their work computer from a personal one. RDP has had multiple vulnerabilities, and ransomware groups have been able to exploit them. RDP is also exposed to brute force attacks, in which attackers gain access by repeatedly guessing passwords.
Securing RDP is one of the first steps for remote organizations to take, if the protocol is being used by any of your remote employees. RDP is the attack vector for the majority of ransomware attacks, according to Malwarebytes.
To secure your organization’s RDP, change the user policies so that only employees who will use RDP have access. You can also limit RDP access to a set of predetermined IP addresses for users you know need it. RDP accounts should use strong passwords; this decreases the chance of them being guessed in a brute force attack. Another way to blunt brute force attacks is to set limits on password attempts.
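The two controls above, an IP allowlist and a cap on password attempts, are easiest to reason about when you can see what they would catch. The following is an added example, not code from the article: it reads constructed Windows-style logon events (event 4625 is a failed logon, 4624 a success, and logon type 10 is an RDP session), flags source addresses whose failed RDP attempts exceed a lockout-style threshold inside a sliding window, and lists RDP sources that fall outside an assumed set of approved networks. The log line format, addresses and ranges are all constructed.

```python
"""Detect RDP password-guessing bursts and RDP logons from outside an IP
allowlist in Windows-style logon events. Added example, not from the article;
the line format, addresses and network ranges are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line layout modelled on Windows Security log fields.
LOGON_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUser=(?P<user>\S+) "
    r"SourceIP=(?P<ip>\S+) LogonType=(?P<ltype>\d+)$"
)
RDP_LOGON_TYPE = "10"  # RemoteInteractive


def parse_event(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOGON_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def rdp_events(lines):
    for line in lines:
        ev = parse_event(line)
        if ev and ev["ltype"] == RDP_LOGON_TYPE:
            yield ev


def failed_rdp_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Map source IP -> peak number of failed RDP logons inside any sliding
    window, for IPs whose peak reaches the threshold (where a lockout
    policy with the same numbers would trip)."""
    stamps_by_ip = defaultdict(list)
    for ev in rdp_events(lines):
        if ev["eid"] == "4625":
            stamps_by_ip[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def off_allowlist_rdp_sources(lines, allowlist):
    """Source IPs of any RDP logon attempt, failed or successful, that lie
    outside the approved networks."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    outside = set()
    for ev in rdp_events(lines):
        addr = ipaddress.ip_address(ev["ip"])
        if not any(addr in net for net in nets):
            outside.add(ev["ip"])
    return sorted(outside)


# Constructed sample: an external address hammers one account, an internal
# user mistypes twice then succeeds, and a non-RDP failure is present as noise.
SAMPLE_LOG = [
    "2022-03-01T10:00:01Z EventID=4625 TargetUser=administrator SourceIP=198.51.100.23 LogonType=10",
    "2022-03-01T10:00:09Z EventID=4625 TargetUser=administrator SourceIP=198.51.100.23 LogonType=10",
    "2022-03-01T10:00:17Z EventID=4625 TargetUser=administrator SourceIP=198.51.100.23 LogonType=10",
    "2022-03-01T10:00:26Z EventID=4625 TargetUser=administrator SourceIP=198.51.100.23 LogonType=10",
    "2022-03-01T10:00:34Z EventID=4625 TargetUser=administrator SourceIP=198.51.100.23 LogonType=10",
    "2022-03-01T10:00:41Z EventID=4625 TargetUser=administrator SourceIP=198.51.100.23 LogonType=10",
    "2022-03-01T10:02:05Z EventID=4625 TargetUser=jdoe SourceIP=10.0.4.15 LogonType=10",
    "2022-03-01T10:02:30Z EventID=4625 TargetUser=jdoe SourceIP=10.0.4.15 LogonType=10",
    "2022-03-01T10:02:51Z EventID=4624 TargetUser=jdoe SourceIP=10.0.4.15 LogonType=10",
    "2022-03-01T10:03:10Z EventID=4625 TargetUser=svc-web SourceIP=203.0.113.9 LogonType=3",
]
APPROVED_RDP_SOURCES = ["10.0.0.0/8", "192.0.2.0/24"]  # assumed VPN and office ranges

if __name__ == "__main__":
    print(failed_rdp_bursts(SAMPLE_LOG))
    print(off_allowlist_rdp_sources(SAMPLE_LOG, APPROVED_RDP_SOURCES))
```

Run against the sample, only the external address is reported by both checks; the internal user's two slips stay below the threshold, and the logon-type-3 failure is ignored because it is not an RDP session. The same two checks map directly onto the preventive controls: the allowlist becomes a firewall rule, and the threshold becomes the account lockout policy.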
Network Protection and Segmentation
Hackers can launch a ransomware attack by laterally crossing networks. For example, if an attacker gains access to one user’s computer with stolen credentials, they may continue moving through the network with more stolen credentials, including login information for storage systems. Often, lateral movement enables attackers to locate more data to encrypt.
To prevent ransomware, enterprises can implement controls that manage lateral movement, according to Erick Galinkin, researcher at security provider Rapid7.
“A really effective way to do this is via identity and access management,” Galinkin said. “All users — even network administrators — should have standard user accounts and log in with those accounts, unless and until they need to perform an administrative function. This limits the ability of attackers to move around the network as administrators, collecting valuable data unimpeded.
“It also means that seeing an administrator logging in with their admin account all over the place is immediately a red flag, since that is not the standard practice. You can then lock or reset the password on that account, slowing the attacker down significantly.”
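Galinkin's red flag, an administrative account appearing on host after host, is a simple thing to watch for once logons are collected centrally. The following is an added example, not code from the article or from Rapid7: it reads constructed logon records and reports any privileged account that reached more than a set number of distinct hosts within a sliding window. The account naming convention (an assumed "adm-" prefix), the hosts and the record format are all constructed.

```python
"""Flag privileged accounts that log on to many different hosts in a short
window. Added example, not from the article; the "adm-" naming convention,
hosts and record format are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def is_admin_account(user):
    """Assumed convention: privileged accounts carry an "adm-" prefix."""
    return user.startswith("adm-")


def parse_logon(line):
    """Constructed format: ISO timestamp, account, host, result."""
    ts, user, host, result = [field.strip() for field in line.split(",")]
    return datetime.fromisoformat(ts), user, host, result


def admin_fanout(lines, max_hosts=3, window=timedelta(hours=1)):
    """Return {account: peak distinct hosts} for admin accounts that reached
    more than max_hosts distinct hosts within any window-long period."""
    logons = defaultdict(list)
    for line in lines:
        ts, user, host, result = parse_logon(line)
        if result == "success" and is_admin_account(user):
            logons[user].append((ts, host))
    alerts = {}
    for user, events in logons.items():
        events.sort()
        # Slide a window starting at each successful logon and count the hosts in it.
        for i, (t0, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - t0 <= window}
            if len(hosts) > max_hosts:
                alerts[user] = max(alerts.get(user, 0), len(hosts))
    return alerts


# Constructed sample: one admin account sweeps five servers in sixteen minutes,
# a backup admin touches its single host twice, and a standard user roams
# several workstations (not privileged, so not in scope).
SAMPLE_LOGONS = [
    "2022-03-01T09:02:00, adm-jsmith, fs01, success",
    "2022-03-01T09:05:00, adm-jsmith, fs02, success",
    "2022-03-01T09:07:00, adm-jsmith, db01, success",
    "2022-03-01T09:12:00, adm-jsmith, nas01, success",
    "2022-03-01T09:15:00, adm-jsmith, app03, failure",
    "2022-03-01T09:18:00, adm-jsmith, app03, success",
    "2022-03-01T09:00:00, adm-backup, backup01, success",
    "2022-03-01T13:00:00, adm-backup, backup01, success",
    "2022-03-01T09:01:00, jsmith, ws-114, success",
    "2022-03-01T09:30:00, jsmith, ws-115, success",
    "2022-03-01T09:40:00, jsmith, ws-116, success",
    "2022-03-01T09:50:00, jsmith, ws-117, success",
]

if __name__ == "__main__":
    print(admin_fanout(SAMPLE_LOGONS))
```

The threshold and window are the tuning knobs: a backup operator or patching job that legitimately touches many hosts needs its own higher limit or an exclusion, otherwise the alert becomes noise. Once an account is flagged, the response Galinkin describes applies: lock or reset it while the activity is investigated.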
Endpoint traffic management is critical for controlling network traffic too. When using software tools for networking, you can assign each endpoint a label and grant it a certain trust level. This allows you to control what the device is allowed to do.
You can also create group-based policies, which place users or devices into categories to which you assign permissions. If you use a solution with analytics for group-based access control, the analytics reveal when traffic or data is flowing between groups that don’t need to communicate. Vendors like Cisco have software that automatically enforces policies on network hardware, like routers and switches. The hardware then manages traffic coming from endpoint devices, directing it according to the defined policies.
Identity and Access Management
Managing entrance to the network is a crucial step for ransomware protection. All devices should be password protected or at least restricted to a set of approved IP addresses. This limits threat actors’ opportunities to move laterally.
Identity and access management (IAM) shouldn’t be forgotten in the crush of ransomware protection tools, according to Ingalls with eSecurity Planet. However, IAM isn’t a sure way to prevent all attacks.
“While newer solutions are attractive, a robust IAM framework can go a long way in protecting specific individuals and data,” Ingalls said. “This means multi-factor authentication, SSO, and active management of digital identities interacting with sensitive data.
“But here’s where it gets tricky. With the boom in endpoints and remote access, breaching the network perimeter has never been easier for sophisticated threat actors. Role-based access controls can isolate breaches to less privileged segments, but organizations increasingly need advanced behavioral analytics and next-generation firewalls deployed for critical network segments.”
It’s not enough to set access controls. Ransomware groups have advanced techniques that can bypass even strict policies. Analytics platforms that study traffic across the entire enterprise infrastructure reveal anomalies that a tool covering only one layer of the infrastructure would miss. Still, implementing IAM across the entire network is part of a ransomware defense.
Employee Training and Awareness
Sometimes overlooked by large enterprises is the role their employees play in protecting the company. But human error is responsible for the majority of breaches, so providing employees with clear, extensive training is one of the best ways companies can protect their infrastructure. Personnel who work closely with storage systems and databases should receive dedicated training, specific to data storage.
Although some security tools help employees in identifying threats, treating the employees as a line of defense is a better approach, according to Matthew Rogers, CISO at cloud solutions provider Syntax.
“There is existing software that works with most email platforms to highlight anything that looks suspicious in an email,” Rogers said. “It will even lock down hyperlinks and quarantine embedded malware and weaponized documents. But the best protection against phishing campaigns is training and awareness. Companies need to establish a plan to monitor and test how effective their employees are at spotting phishing emails and following established company security protocols.”
Email security software is helpful for highlighting potential phishing attempts, but it’s not a complete solution. Ransomware can still slip through the cracks, and thoroughly training employees is the best way to help them avoid attacks, not just the ones that come through emails. If they can recognize suspicious activity across the board, they’ll be better prepared to help the company avoid ransomware overall.
Monitoring Storage Systems
Companies need to encrypt data for all their devices and protect storage resources of all sizes, according to Chester Wisniewski, principal research scientist at Sophos.
“Monitoring for and protecting against ransomware is no different for large-scale storage systems than it is for a small consumer NAS,” Wisniewski said. “There are two primary things you need to monitor for. First, the encryption needs to be initiated from a computer attached to the storage system. This means protecting all the computers with endpoint security software capable of detecting the process of encrypting files.”
Enterprises should also keep an eye on strange behavior in their storage systems, even simple file-sharing programs.
“Second, it is important to monitor for large uploads of information flowing out to popular file sharing services used by criminals as well, like mega.io and Backblaze,” Wisniewski said. “Many ransom groups use a tool called rclone that can use any of a multitude of cloud storage providers. This type of monitoring could also detect malicious insiders, so it is well worth watching out for.”
Rclone, an open-source tool for managing files on remote, high-latency storage, has had its own weaknesses: in 2020, researchers found that in one version of the software, the password generator was weaker than it should have been. In an attacker’s hands, rclone can copy data from an enterprise computer to a location chosen by the ransomware provider.
Rclone is one example of a legitimate file-transfer tool that can be turned against its owner. Carefully monitor all data flows, including ones that seem ordinary.
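Wisniewski's second monitoring point, bulk uploads to consumer file-sharing services and use of rclone, can be checked against outbound flow records from a proxy or firewall. The following is an added example, not code from the article or from Sophos: it reads constructed flow records (timestamp, host, process, destination host, bytes sent), sums the volume each host pushed to a watchlist of sharing services, and raises one alert per host that either used rclone or crossed a byte threshold. The record format, hostnames, threshold and the watchlist entries (built from the services the text names) are constructed; a production watchlist would be maintained from threat intelligence and tuned to what the business legitimately uses.

```python
"""Spot bulk uploads to file-sharing services and rclone activity in
outbound flow records. Added example, not from the article; the record
format, hosts, threshold and watchlist are constructed."""
from collections import defaultdict

# Illustrative watchlist built from the services the text names.
SHARING_DOMAINS = {"mega.io", "mega.nz", "backblazeb2.com"}
SUSPECT_PROCESSES = {"rclone", "rclone.exe"}


def parse_flow(line):
    """Constructed format: timestamp host process destination_host bytes_out."""
    ts, host, process, dst, bytes_out = line.split()
    return {"ts": ts, "host": host, "process": process.lower(),
            "dst": dst.lower(), "bytes_out": int(bytes_out)}


def matches_domain(dst, watchlist):
    """True when dst is a watched domain or a subdomain of one."""
    return any(dst == d or dst.endswith("." + d) for d in watchlist)


def exfil_alerts(lines, byte_threshold=500_000_000):
    """One alert per host that used rclone or sent at least byte_threshold
    bytes to watched sharing services; each alert lists its reasons."""
    per_host = defaultdict(lambda: {"bytes": 0, "dsts": set(), "procs": set()})
    for line in lines:
        flow = parse_flow(line)
        watched = matches_domain(flow["dst"], SHARING_DOMAINS)
        suspect = flow["process"] in SUSPECT_PROCESSES
        if not (watched or suspect):
            continue
        state = per_host[flow["host"]]
        if watched:
            state["bytes"] += flow["bytes_out"]
        state["dsts"].add(flow["dst"])
        state["procs"].add(flow["process"])
    alerts = []
    for host, state in sorted(per_host.items()):
        reasons = []
        if state["procs"] & SUSPECT_PROCESSES:
            reasons.append("rclone-process")
        if state["bytes"] >= byte_threshold:
            reasons.append("bulk-upload-to-sharing-service")
        if reasons:
            alerts.append({"host": host, "reasons": reasons,
                           "bytes_to_sharing": state["bytes"],
                           "destinations": sorted(state["dsts"])})
    return alerts


# Constructed sample: a workstation drives rclone at a sharing service, a file
# server streams a large legitimate backup, a browser makes a small upload,
# and another host runs rclone against an internal bucket.
SAMPLE_FLOWS = [
    "2022-03-02T01:10:00Z ws-114 rclone.exe api.mega.io 300000000",
    "2022-03-02T01:25:00Z ws-114 rclone.exe api.mega.io 400000000",
    "2022-03-02T01:30:00Z fs01 backup-agent backup.corp.example 2000000000",
    "2022-03-02T09:15:00Z ws-207 chrome.exe mega.nz 12000000",
    "2022-03-02T10:00:00Z ws-301 rclone s3.corp.example 50000000",
]

if __name__ == "__main__":
    for alert in exfil_alerts(SAMPLE_FLOWS):
        print(alert)
```

On the sample, the file server's large backup is not reported because its destination is not on the watchlist and its process is not rclone, while the internal rclone run is reported on process alone, which is the right default until that host is confirmed as an approved backup job. The same logic catches the insider case Wisniewski mentions, since it keys on destination and volume rather than on who is logged in.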
Protecting Computers and Servers
Employee computers are one of the most common starting points for ransomware: the code can easily download to an endpoint device from a clicked link in an email or a malware-ridden, insecure website.
Don’t neglect your less conventional devices, either. Not everyone thinks about larger computers or servers, but mainframes are particularly important for IT infrastructure, according to Ray Overby, the founder and CTO at KRI Security.
“The mainframe remains a crucial piece of IT for so many organizations: 71% of Fortune 500 companies use the mainframe, due to its dependency and speed,” Overby said. “And with the pace of IT innovation, organizations are increasingly integrating the mainframe into modern IT environments, connecting it to cloud infrastructure, which opens it up to more risk than ever before.
“To mitigate these risks, security teams need a strategy that includes routine penetration testing and automated vulnerability scanning. Pentesting can reveal some, but not all, of the gaps in software architecture. Integrity vulnerabilities in the OS-level code — sometimes inadvertently left by third-party vendors — can be addressed by vulnerability scans. With automated scanning in place, organizations can find and address these issues before hackers exploit them to access the mainframe.”
Although some mainframes, like IBM’s Z series, include security features, it’s a best practice to scan enterprise computers and servers: mainframes with built-in protection are still subject to ransomware attacks. Any hardware that supports high-performance computing should also be monitored consistently and tested to prevent ransomware.