Ransomware is a category of malware whose purpose is to render the targeted data unusable or to block access to IT systems until a ransom is paid, generally in the form of hard to trace virtual money.
It can just as easily encrypt data from a work station as it can with what it has access to on a shared network.
A considerable threat
The 2016 Midyear Security Roundup: The Reign of Ransomware study demonstrates that throughout the first half of 2016 there was a 172% increase in cases of ransomware, in comparison to all of 2015.
The size of the targeted companies is another element to consider. As a result of their limited human and financial resources, SMBs are an ideal target for hackers.
Better safe than sorry
To prevent a crisis of this magnitude, businesses must adopt the best possible security mesures, such as:
• Keep operating systems and software up-to-date;
• Make sure your anti-virus software is updated and activated, and regularly launch the scanning function in order to detect and remove malware;
• Monitor network activity and manage the different authorization levels;
• Offer employee training so they may exercise caution;
• Avoid opening email attachments originating from an unknown source, especially zip files;
• Be vigilant and don't automatically click on links or email attachments.
The limits of traditional backup
In general, businesses believe that they can solve the problem by restoring from previous backups. The ultimate solution to avoid paying a ransom and to regain access to data is indeed to restore a backup dating back from before it became infected.
Simple, right? Not quite! There are various reasons why using a backup copy may not live up to your expectations.
RTO (Recovery Time Objective) is the targeted acceptable time to restore a backup copy so that the company may resume its operations. It’s the necessary time for restoring data back to the application in which it belongs.
Hackers expect you to ask yourself the following question:
Will it be less expensive for me to pay the ransom than it will be to recuperate my data, if it is still available?
RPO (Recovery Point Objective) refers to the maximum targeted period in regards to the backup copy, in other words, the backup frequency. Generally backups are performed daily. Supposing that the previous night’s backup was successful, there is still an important quantity of work that can be lost if a major incident were to occur in the afternoon or evening before the next backup. If last night’s backup was to fail, you could stand to lose two or even three days worth of data.
Infected or unusable backups
• With the growing sophistication of ransomware comes their ability to analyse every drive attached to the infected system. This signifies that every drive that is published in the form of a letter is potentially at risk of being encrypted, including shared network drives. If your backups are accessible via an infected system, ransomware can encrypt or delete your backup data.
• Ransomware could, in theory, exploit a vulnerability in the operating system or the data protection software and directly corrupt the backups.
• When backups are stocked on drives and the ransomware targets a user with sufficient privileges, it could render the backups unusable.
It’s a matter of going back to a recovery point at a time before the data became encrypted in the infected system(s), ideally respecting the objectives of the associated services.
In other words, we want to make sure that such a recovery is possible while maintaining the integrity and usability of the data.
What conditions must we meet to achieve this?
Protecting the backup server
• For security purposes, it is highly discouraged to use a local work station possessing an administration user domain, as this can lead to a very quick propagation of ransomware across the whole network.
• That is the reason why you must use different identification information for the backup, and use it for that purpose only.
• Additionally, only user accounts in charge of backup operations should have access to the server.
Protecting the targeted backup
• Access rights to the backup repository server must be restricted so that only the backup software service user may have access to the server and the backup files.
• In the case of a NAS system, only the backup software service user may receive access rights to the backup repository.
• Deduplication appliances such as the ones from Data Domain require their own identification information which must not be natively accessible from the operating system supporting the backup software.
According to this rule, 3 data copies (one of which is the production data set) must be saved on 2 different media types and 1 copy must be located offsite.
The 0 refers to the verified integrity of the backup, and ensures that it contains 0 errors.
Use advanced features, if required
Businesses may benefit from additional availability and from new ways in which to implement the 3-2-1-0 rule thanks to snapshots of the disk array and of the replicated VMs (Virtual Machines).
In this last example, conserve sufficient snapshots and replicas in order to mitigate an attack and to respond at the right level of services required.
Ransomware has become a product allowing cybercriminals to create a viable and recurrent source of income by extorting victims worldwide. They go as far as reselling their product under the form of services (Ransomware as a Service) to franchise owners.
Even with multi-level protection and user awareness, you can never be 100% guaranteed of having deflected all these threats. It is therefore vital to put in place the necessary measures for data protection so that you may recover efficiently.
Ransomware attacks have become a crucial factor to consider when putting together a continuity plan, as you would for electricity shortages, natural catastrophes or system outages.
These are several major reasons to revisit your business continuity plan as soon as possible with recognised experts such as the ones from Present.
Image credit: © Florian Roth - Fotolia.com