According to the Sophos State of Ransomware 2022 Report, 60% of organisations were hit with ransomware last year. With attacks becoming more numerous and sophisticated, and ransom payments increasing, the cybersecurity world is having to scramble to protect sensitive information and data.
There are now dozens of variants of this malware out in the digital world and the situation is continuously evolving, particularly with the shift from a linear attack model to the more malicious ransomware as a service model.
As threat actors continue to exploit vulnerabilities rapidly, ransomware is still the biggest challenge for cybersecurity. Organisations should therefore be well-versed in how to prevent ransomware attacks as well as how to eradicate them should they successfully encrypt the organisation’s data or systems.
What is ransomware?
Ransomware is one of the most serious data security issues on the internet and one of the most significant kinds of cybercrime that organisations face today. Ransomware is a type of malware that encrypts files and documents on anything from a single PC to an entire network, including servers.
Victims of ransomware often have little choice but to either pay a ransom to cybercriminals to regain access to their encrypted data or network, restore data from their backups or hope there are freely available encryption keys.
How do ransomware infections start?
Many ransomware infections begin with an individual inside an organisation clicking on what appears to be an innocent or trustworthy link or attachment; when opened, it downloads a malicious payload that encrypts data or the network.
Larger ransomware campaigns might exploit vulnerabilities and unpatched software to gain access to business data or networks. Threat actors will hunt through networks to gain as much control as they can via internet-facing servers or remote desktop logins, and then encrypt everything they can reach. File-encrypting ransomware can be a big issue for organisations of all sizes if critical files, networks, or servers are encrypted and inaccessible.
Even worse, after you have been targeted with file-encrypting ransomware, criminals will publicly declare that they are holding your corporate data hostage until you pay a ransom to get it back. Some will even post stolen data online for all to see, damaging your business reputation.
There are critical information security practices your organisation can undertake to significantly decrease the chances of becoming a victim of ransomware. These practices should be included as part of your company’s data security strategies:
- Consistent and frequent data backups: The strongest defence against ransomware is backing up every vital file and system. Test your backup files to ensure that data is complete and uncorrupted.
- Incident response plan: In the event of a ransomware attack, it is vital to have an incident response plan in place and ready for action.
- Access controls: Ensure employees have access only to data that is vital for their role, particularly those who use devices that connect to company networks remotely, such as contractors. This reduces the chance that an attack can spread into your network.
- Regular updates and patches: Most business software applications are frequently updated by the application developer, but it is important that security teams have a process to ensure patches are applied and vulnerabilities managed on a regular schedule, to keep sensitive data safe.
- Secure credential tracking: Anyone with access to a system can be a ransomware vulnerability point. If passwords are not rotated or access restrictions are inappropriate, the likelihood of a ransomware attack succeeding at these points rises.
Ransomware attack response
Below are some of the steps that should be taken to respond to a data breach as a result of a ransomware attack:
- Isolate affected systems: Immediately identify which systems are infected and isolate them to prevent the ransomware from spreading; if infected devices cannot be removed from the network, power them down. Let internal and external teams know how they can help reduce the impact of the incident.
- Report the attack: Companies should alert relevant authorities, other affected businesses, and individuals whose information was compromised as soon as possible if there is a data breach. People may take steps to reduce the chance that their personal information is misused if they are alerted immediately that it has been compromised.
- Remediate any damage: If a recent backup has been made and securely stored, the simplest approach is to scan the machine for signs of infection and then restore it from that backup. If no backup exists, identify the type of ransomware that has infected the machine and act accordingly.
- Recover data: It is critical to ensure that backups are current when recovery is required. The best backup practices include redundancy and keeping backups segregated or offline. Industry standards should be adhered to in order to achieve effective backup procedures.
Challenges of ransomware and data
4 out of 10 Australian businesses have experienced a ransomware attack since 2020. Ransomware is not new, and neither is the fact that paying a ransom is no guarantee of getting your data back: research shows that 76% of businesses that were victims of cyber-attacks paid the ransom to recover data, but 30% were unable to get their information back.
As a result of the time, inconvenience, and expense involved in decrypting encrypted data, it can often be a key management decision to try and recover data from your business backups instead. This approach has the advantage of not putting money into the hands of criminal organisations while avoiding any punishment for doing so. There is no specific legislation in Australia that prohibits paying a ransomware demand, but Commonwealth, State, and Territory laws prohibit paying in situations where one is careless or reckless as to whether the money will be used for crime.
The Australian Cyber Security Centre (ACSC) strongly advises against paying any amount of ransom to cybercriminals. This course of action is much easier for organisations with strong and dependable backup systems, although there are challenges.
Challenges restoring data from backups
When an adversary encrypts files on the network, the only option besides paying the ransom is to restore data from backups. However, backups must be safeguarded against being encrypted themselves, which would defeat the purpose of using them to restore enterprise data.
The most common way to restore data is to recreate it from an onsite backup or a snapshot. A snapshot contains more than just data; it contains metadata, parent copies, and even deleted files. These snapshots have recently been dubbed “immutable,” a term that refers to snapshots that are copied and cannot be altered.
In addition to preventing snapshots from being wiped, backup security tool suppliers have added deterrents to prevent the data from being moved or deleted. This provides extra defence against malicious programs that seek to corrupt backup files or ensure data erasure. It’s also worth keeping backups in the cloud, providing a logical and physical separation. More backup and recovery tools now support storing immutable backups in the cloud.
RPO, RTO and ransomware
The goal of conventional disaster recovery planning is to minimise revenue losses and reduce the need to reconstruct lost data by reducing the recovery time objective (RTO) to the minimum.
An organisation’s disaster recovery plan should identify the recovery time objective (RTO), which indicates how quickly data should be restored. Faster recovery means more frequent backups and higher storage costs. The other important factor is the recovery point objective (RPO), which indicates how far back the restore should go to locate a clean, functional copy of the data.
Attackers often wait weeks or months after infiltrating networks before deploying ransomware, making it difficult to determine how far back you must look for a clean copy of the data. To protect against ransomware, you must retain more data copies for longer and ensure they are secured.
When restoring data after a ransomware attack, firms should consider how long it will take to retrieve and verify backup copies, particularly remote ones. Because backup systems are slow at retrieving large quantities of data, organisations typically rely on other disaster recovery tools, such as snapshots and mirrored systems. However, these systems can also be vulnerable to ransomware attacks.
Having the option to restore data to cloud instances rather than on-site helps, but security teams must focus on critical operational systems for recovery. This must be included in the recovery plan and tested in advance. More complex IT systems, including hybrid and containerised workloads, are making it harder to bring systems back online.
Backup and recovery risks
After a ransomware attack, data recovery is more difficult and riskier than recovering from a system outage or natural disaster. The greatest risk is that backups may contain undetected ransomware, which then replicates into the production or recovered systems. Unfortunately, there isn’t a fool-proof way to scan data for ransomware before it is backed up.
Using air-gapped copies and immutable copies and snapshots, as well as keeping more copies than would be required for conventional backup alone, reduces this risk. Commercial pressure for short RTOs and recent RPOs must be balanced against a cautious recovery approach.
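The restore-point selection this section and the RPO discussion above describe, as an added example that is not part of the original article: each backup copy is verified against a SHA-256 manifest (the backup testing recommended earlier), and the latest verified copy taken before the estimated intrusion time (not the encryption time, since dwell time can be weeks) is chosen, preferring immutable or offline copies. The `BackupCopy` structure, the sample copies and the timestamps are all constructed for illustration.

```python
# Added example: verify backup copies against a manifest and pick a clean
# restore point that precedes the suspected intrusion. All data is constructed.
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class BackupCopy:
    taken_at: datetime
    immutable: bool    # stored on an immutable/air-gapped tier
    files: dict        # path -> bytes (stand-in for the copy's contents)
    manifest: dict     # path -> expected SHA-256 hex digest


def verify_copy(copy: BackupCopy) -> bool:
    """A copy is usable only if every manifest entry is present and matches."""
    for path, expected in copy.manifest.items():
        data = copy.files.get(path)
        if data is None or hashlib.sha256(data).hexdigest() != expected:
            return False
    return True


def choose_restore_point(copies, intrusion_at, require_immutable=True):
    """Latest verified copy taken before the estimated intrusion time.
    Returns (copy, rpo_gap) or (None, None) when no clean copy remains."""
    candidates = [c for c in copies
                  if c.taken_at < intrusion_at
                  and (c.immutable or not require_immutable)
                  and verify_copy(c)]
    if not candidates:
        return None, None
    best = max(candidates, key=lambda c: c.taken_at)
    return best, intrusion_at - best.taken_at


# Constructed sample: nightly copies around an intrusion estimated at T0.
GOOD = {"db.sql": b"customers,orders", "config.yml": b"retention: 90d"}
BAD = {"db.sql": b"ENCRYPTED", "config.yml": b"retention: 90d"}
MANIFEST = {p: hashlib.sha256(d).hexdigest() for p, d in GOOD.items()}
T0 = datetime(2022, 6, 1)
COPIES = [
    BackupCopy(T0 - timedelta(days=3), True, GOOD, MANIFEST),
    BackupCopy(T0 - timedelta(days=2), True, BAD, MANIFEST),    # tampered
    BackupCopy(T0 - timedelta(days=1), False, GOOD, MANIFEST),  # online only
    BackupCopy(T0 + timedelta(days=1), True, GOOD, MANIFEST),   # post-intrusion
]

if __name__ == "__main__":
    point, gap = choose_restore_point(COPIES, T0)
    print("restore from", point.taken_at.date(), "RPO gap", gap.days, "days")
```

Requiring an immutable copy costs two extra days of RPO here, which is the trade-off between short RPOs and cautious recovery that the text describes.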
Meet the challenges of ransomware and data with the experts
In today’s evolving threat landscape, it is vital to have an assurance that your data is safe and secure. The security specialists at INTELLIWORX offer both data backup and disaster recovery services to ensure your business is operational and secure at all times.