Ransomware: What's Old Is New Again

Posted 06/28/2017 by Gregg Ogden

Apparently bolstered by the 'success' of the 'WannaCry' attack in May, ransomware attackers have launched another wide-scale strike. This time they have used the Petya strain, which borrows an old trick: it overwrites the disk's MBR (master boot record) so that the attacker's code runs before the operating system does, all for the same nefarious objective of holding your data for ransom! Much like the WannaCry attack, it is a large-scale, multi-country, multi-industry event, and we sympathize with anyone who was affected. Unfortunately, even with the constant chatter in the news about threats, many organizations remain unprepared for such attacks.

So exactly what do we mean by what's old is new again? Well, more than 30 years ago, the first boot-sector viruses appeared, spreading on floppy disks (yup, old tech) between computers running MS-DOS. Such a virus writes its own code into the boot sector of a floppy, or into the MBR of a hard disk. Because the BIOS executes that code before the 'real' OS ever loads, the system boots into the attacker's code, which can then block access to, or corrupt, your data. Now fast forward to 2017 and the timeworn MBR virus has been repurposed for ransomware, and it seems to have been extremely effective!
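
Because both the old boot-sector virus and this week's attack work by rewriting the MBR, one cheap control is to baseline the boot code and alert on any change. The script below is an added example, not code from the original post or from Commvault: it parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), hashes the boot code and compares it with a baseline recorded while the machine was known clean. The MBR bytes, the `KNOWN_GOOD_BOOT_CODE` and `TAMPERED_BOOT_CODE` constants and the partition layout are all constructed for the example; a real check would read the first 512 bytes of the boot disk (`\\.\PhysicalDrive0` on Windows, `/dev/sda` on Linux) with administrator rights.

```python
"""Parse a 512-byte MBR and check it against a known-good baseline.

Added example (not code from the original post or from Commvault). A boot-sector
virus and an MBR-based ransomware bootloader both work by rewriting the MBR, so
hashing the boot code and alerting on any change catches the rewrite at its
source. All bytes below are constructed for the example.
"""
import hashlib
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446          # 446 bytes of boot code, then 4 x 16-byte entries
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
ENTRY_FORMAT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count

# Constructed sample: the first instructions of a typical Windows MBR
# (xor ax,ax / mov ss,ax / mov sp,0x7c00), padded with zeros below.
KNOWN_GOOD_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"
# Constructed stand-in for attacker boot code (any different bytes will do).
TAMPERED_BOOT_CODE = b"\xfa\xb8\x00\x00\x8e\xd8"


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a synthetic MBR: boot code, one bootable NTFS partition, signature."""
    code = boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x00")[:PARTITION_TABLE_OFFSET]
    ntfs = struct.pack(ENTRY_FORMAT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1024000)
    empty = b"\x00" * 16
    return code + ntfs + empty * 3 + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into a boot-code hash, the used partition entries and signature status."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FORMAT, sector[off:off + 16])
        if ptype != 0:                # partition type 0 means an unused entry
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return findings; an empty list means the MBR matches the recorded baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline: MBR has been rewritten")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition in table")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr(KNOWN_GOOD_BOOT_CODE)
    baseline = parse_mbr(good)["boot_code_sha256"]   # record this while the system is known clean
    print("clean:", check_mbr(good, baseline))
    print("tampered:", check_mbr(build_sample_mbr(TAMPERED_BOOT_CODE), baseline))
```

The baseline hash must itself live somewhere the infected host cannot overwrite (a central inventory, not the disk being checked), and the check only tells you the MBR changed, not why; a legitimate OS upgrade or partitioning tool will trip it too, so treat a hit as a lead for the responder rather than proof of compromise.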

As was the case the last time I blogged about ransomware, we don't have all the details yet. What we do know is that many ransomware attacks originate through endpoints, including desktop computers, laptops and edge or fringe computing resources, which for one reason or another often do not get the same protective rigor as the core computing resources.

Just like WannaCry, once the attack has succeeded your only options are to pay up (with no guarantee that the attacker will actually give your data back) or to implement your data recovery plan, and to do it quickly. As we should all know by now, having a data recovery plan is essential. But with the scope and complexity of ransomware attacks continuing to escalate, you have to have a comprehensive strategy. You need a data platform that covers not only your core enterprise (private and public cloud environments) but also your endpoints. Having unassailable, up-to-date copies of all these environments is the only way to ensure that you can recover rapidly when the next attack comes.

Building on our experience working with companies around the world, I am re-running our list of best practices for protecting against, and recovering from, ransomware attacks:

  1. Develop a program that covers all of your data needs. You must identify where your critical data is stored, determine the workflows and systems used to handle that data, assess data risks, apply security controls and plan for evolving threats. If it is not protected, it cannot be recovered.
  2. Use proven data protection technologies. You need solutions that detect and notify you of potential attacks, leverage external CERT groups, identify and prevent infection, maintain a 'GOLD' image of systems and configurations, maintain a comprehensive backup strategy, and provide a means to monitor effectiveness.
  3. Employ backup and disaster recovery (DR) processes. Don't rely solely on snapshots or replica backups. If your backup data is reachable from an infected system, it can be encrypted or corrupted just as easily as the primary data; it has to be stored where a ransomware attack cannot get to it (offline, or on storage that production systems cannot write to). If your process or your vendors don't offer ransomware protection that addresses the proper way to store your data, then your backup plan is at major risk!
  4. Educate employees on the dangers of ransomware and on how to secure endpoints. Train your staff on all DR and data security best practices so that endpoint data is protected within your Information Security Program. Most breaches come from good people making simple mistakes.
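
Step 3 is the one that bites hardest in practice: a backup that the attacker can reach is not a backup. The script below is an added example, not code from the original post or from Commvault, showing the check a backup process should run before anyone relies on a copy. It models a backup set as a dict of file name to bytes, records a SHA-256 manifest at backup time (assumed to be stored on media the production systems cannot modify), and on verification reports files that are missing, changed, unexpected, or replaced by data that looks like ciphertext. The sample files, the `ENCRYPTED_ENTROPY_THRESHOLD` of 7.5 bits per byte, and the `pseudo_ciphertext` helper standing in for ransomware output are all constructed for the example.

```python
"""Verify a backup set against a manifest stored out of the attacker's reach.

Added example (not code from the original post or from Commvault). The backup
set is a dict of file name -> bytes; the manifest (SHA-256 per file) is assumed
to have been written at backup time to a location production systems cannot
modify. Two failure modes are detected: files that no longer match the
manifest, and replaced content whose byte entropy is close to 8 bits/byte,
which is what a ransomware-encrypted backup copy looks like.
"""
import hashlib
import math

ENCRYPTED_ENTROPY_THRESHOLD = 7.5   # assumption: bits/byte above this looks like ciphertext


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive text, near 8.0 for encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def build_manifest(backup_set: dict) -> dict:
    """Hash every file at backup time; store the result away from the backup itself."""
    return {name: sha256_hex(data) for name, data in backup_set.items()}


def verify_backup(backup_set: dict, manifest: dict) -> list:
    """Return (file name, finding) pairs; an empty list means the backup is intact."""
    findings = []
    for name, expected in manifest.items():
        if name not in backup_set:
            findings.append((name, "missing"))
            continue
        data = backup_set[name]
        if sha256_hex(data) != expected:
            looks_encrypted = shannon_entropy(data) > ENCRYPTED_ENTROPY_THRESHOLD
            findings.append((name, "encrypted" if looks_encrypted else "changed"))
    for name in backup_set:
        if name not in manifest:          # dropped-in files such as a ransom note
            findings.append((name, "unexpected"))
    return findings


def pseudo_ciphertext(length: int) -> bytes:
    """Deterministic random-looking bytes (a SHA-256 chain) standing in for encrypted output."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(counter.to_bytes(4, "little")).digest()
        counter += 1
    return out[:length]


# Constructed sample backup set, taken while the system was clean.
CLEAN_BACKUP = {
    "payroll.csv": b"id,name,amount\n" + b"1,alice,100\n" * 200,
    "notes.txt": b"quarterly planning notes\n" * 50,
}

# Constructed view of the same backup after ransomware reached the backup share:
# one file overwritten with ciphertext, one deleted, one note dropped in.
ATTACKED_BACKUP = {
    "payroll.csv": pseudo_ciphertext(4096),
    "HOW_TO_RECOVER.txt": b"pay to get your files back",
}

if __name__ == "__main__":
    manifest = build_manifest(CLEAN_BACKUP)
    print("clean:", verify_backup(CLEAN_BACKUP, manifest))
    print("attacked:", verify_backup(ATTACKED_BACKUP, manifest))
```

The manifest check is the authoritative signal; the entropy test only classifies a mismatch so that an operator can tell "someone edited a file" from "the copy has been encrypted". Files that are legitimately compressed or encrypted at rest will also score near 8 bits/byte, so in a real pipeline the entropy verdict belongs in the alert text, not in the pass/fail decision.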

Now is the time to evaluate your organization's threat-readiness against ransomware. Applying these key steps is vital to making sure your organization is doing everything possible to avoid long-term consequences from an attack. If you are attacked, the goal is to get your data back, and your business up and running, quickly. Further information is available via my recent webinar "How to Protect Against Ransomware."

You need endpoint data protection to reduce your risk of data loss, preferably through one simple solution that covers both your hybrid IT environment and your many endpoints. The best solutions give your end-users data protection, security and added visibility into all of their corporate data, whether it is stored on laptops, desktops or cloud-based file-sharing services. It's all about maintaining control through comprehensive backup and search of files and folders (even those outside your data center), which helps protect against data loss from ransomware attacks like the one we've seen this week. The best solution will let you deploy either on-premises or in the cloud!

You need to prepare now to avoid old and new threats. Develop your plan, use tried-and-true technologies to recover, ensure your DR plan is rock solid and fast and educate your users. Commvault can help. Continue following this ongoing story on our social media channels.