An introduction to ransomware

By Phil Wandrei

What is ransomware? How to protect and recover from it.

Time accelerates in a ransomware attack

A ransomware attack is a classic example of “the clock is ticking.” Your critical business data has suddenly been taken hostage. Hackers have used strong encryption to render it inaccessible — and now they are demanding money to decrypt it. How will you respond? Can you ensure the safety of your data if you refuse to pay — or even if you do? While you consider your options, your organization remains paralyzed. Every passing minute increases the pressure to make the right choice.

This scenario has already struck companies of all sizes across industries around the world. Yours could be next. Are you ready?

In this blog, we will examine: 

What is a ransomware attack?

Who are these bad actors?

How does ransomware spread?

How to get rid of ransomware?

What are the risks of paying the ransom?

What is ransomware protection?

How to minimize ransomware exposure?

How Commvault fights ransomware.

Commvault’s layers of security protection.

What is a ransomware attack? 

Gartner defines ransomware as “cyber extortion that occurs when malicious software infiltrates computer systems and encrypts data, holding it hostage until the victim pays a ransom.”[1]

There’s a reason ransomware makes the headlines. It’s the kind of attack that gets attention — it’s sudden, brutal, and leaves the victim feeling helpless. In recent years, the rapid rise of ransomware has cast a shadow of anxiety across organizations. Alarmed business, IT, and security leaders aren’t just being paranoid. In the third quarter of 2020, there was a 40% increase in ransomware attacks.[2]

Who are these bad actors? 

External malicious actors are, in simple terms, villains. They are hackers or other individuals seeking to infiltrate your organization for their nefarious purposes.

  • Greed. Making money is a substantial motivating factor. For example, cryptojacking has become a popular method of stealing compute resources within an organization for mining cryptocurrency.
  • Political. Malicious actors may be motivated by political reasons, including using ransomware as a way to fund terrorism.  
  • Competitive. Some bad actors may want to delete data, leak data, or disrupt business services.

Whatever their intention, they often use password spraying to gain unauthorized access to an organization or system. Alternatively, they may exploit vulnerabilities and deploy botnets and rootkits to steal or delete data, or to disrupt an organization’s ability to function.

That is where ransomware comes in. In a typical attack, the hacker uses malicious software (malware), often delivered via an infected attachment or link in an email, to encrypt your data. As in a flesh-and-blood ransom situation, the hacker then demands payment — or you’ll never see your data again! Without an effective recovery strategy, you may think your only option is to pay the ransom and hope for the best.

How does ransomware spread?

Ransomware is often spread through email phishing messages that contain malicious links or through drive-by downloads. A drive-by download happens when a user unintentionally visits a contaminated site and malware is downloaded onto the user’s computer or mobile device. It usually exploits a browser, application, or operating system that is out of date or has a security flaw. Once inside, ransomware uses such vulnerabilities to find other systems to spread to.

How to get rid of ransomware?  

When ransomware does occur, the best approach is to have a validated copy of your backup data restored quickly to resume business operations. For a trusted and protected backup data copy, organizations need a layered security approach that encompasses multiple security tools, resources, controls, best practices, and strategies. These various security controls are applied within and around the data protection infrastructure to ensure the backup data is secured and recoverable. These steps provide the confidence that when an attack does occur, your backup data is protected and ready.

What are the risks of paying the ransom? 

Paying a ransom is a highly debated topic, and only you can decide what is best for your organization. Factors to consider:

  • Many government security services recommend not paying, and in some countries it may be illegal to pay the ransom. For example, in the United States, the US Department of the Treasury has issued an advisory on the sanctions associated with making ransomware payments.[3]
  • Ransomware-as-a-Service kits often fund organized crime.
  • Will the bad actors actually provide the keys to get your files back? Will they leave malware behind to strike again? It is easy to assume that all ransomware is similar, and to think that one size fits all in terms of prevention and preparation.
  • If leakware is involved, the General Data Protection Regulation (GDPR) treats it as a data breach once it is discovered, and you have 72 hours to devise a plan and report it.
  • Do you become a future target because of your willingness to pay?

Remember, even if you pay the ransom, there is no guarantee that you will recover all of your data, and it may take days, weeks, or even months to restore it all.

What is ransomware protection?

The cyber threat landscape, including ransomware, has transitioned to a case of “when,” not “if.” To ensure you can recover your data, you need the right solution with the best technology, the right people, and processes.

In 2021, it is anticipated that ransomware attacks against businesses will occur every 11 seconds.[4]

Organizations require tools (such as anomaly detection, immutable backups, air gap, and multi-factor authentication (MFA) controls) to continually measure and protect their recovery readiness state. They do this to expose and remediate problems, validate their data and business applications’ recoverability, and improve their security to reduce their risk profile. In the event of a successful attack, fast restores are required to resume business operations quickly.
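As an added illustration (not Commvault code or the page’s own), the Python check below shows the kind of anomaly detection the paragraph refers to: it compares a backup job’s change volume, file entropy, and unseen file extensions against a baseline built from earlier jobs, using constructed sample statistics. The job fields, thresholds, and names are assumptions made for the example.

```python
"""Baseline-versus-current anomaly check over backup job statistics (constructed example)."""
from __future__ import annotations
import math
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class JobStats:
    job_id: str
    files_changed: int      # files modified since the previous job
    mean_entropy: float     # mean Shannon entropy (bits/byte) of sampled changed files
    new_extensions: int     # changed files whose extension was never seen before

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or compressed data, much lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def anomaly_reasons(history: list[JobStats], current: JobStats, z: float = 3.0) -> list[str]:
    """Return why the current job deviates from the baseline; an empty list means normal."""
    changed = [j.files_changed for j in history]
    mu, sd = mean(changed), pstdev(changed)
    # Floor the spread so a very flat baseline does not flag ordinary jitter.
    threshold = mu + z * max(sd, 0.1 * mu, 1.0)
    reasons = []
    if current.files_changed > threshold:
        reasons.append(f"files_changed {current.files_changed} exceeds baseline {threshold:.0f}")
    baseline_entropy = max(j.mean_entropy for j in history)
    if current.mean_entropy > 7.5 and current.mean_entropy > baseline_entropy + 1.0:
        reasons.append(f"mean entropy {current.mean_entropy:.2f} bits/byte looks encrypted")
    if current.new_extensions and current.new_extensions >= 0.5 * current.files_changed:
        reasons.append(f"{current.new_extensions} changed files carry unseen extensions")
    return reasons

# Constructed sample data (not real job output): five quiet nightly jobs, then two candidates.
HISTORY = [JobStats(f"job-{i}", n, e, 0) for i, (n, e) in
           enumerate([(980, 4.4), (1020, 4.6), (1005, 4.5), (990, 4.7), (1015, 4.5)])]
NORMAL_JOB = JobStats("job-6", 1040, 4.6, 2)
SUSPECT_JOB = JobStats("job-7", 48000, 7.9, 47000)

if __name__ == "__main__":
    for job in (NORMAL_JOB, SUSPECT_JOB):
        print(job.job_id, anomaly_reasons(HISTORY, job) or "normal")
```

A real deployment would feed these statistics from the backup platform’s job reports and route a non-empty reason list to the SIEM or alerting channel.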

A recovery solution is only viable if it is resilient across various failure modes. One scenario may be a data recovery event that reverts to the instances that existed before the corruption, while another may require complete recovery of the business applications to a new location. Designing recoverability across environments and providing simplified automation to test and validate each scenario helps build the recovery readiness state. Knowing that mission-critical data and applications have already been validated for recovery by an automated process completes the needed security, compliance, and comfort level. Learn more about how you can “Secure your data, your recovery, and your mission.”

How to minimize ransomware exposure? 

The goal is to reduce risks and minimize the effects of ransomware. Ransomware mitigation requires a combination of best practices and constant vigilance, along with a layered security approach. Steps to reduce ransomware include:

  • Educate end-users on avoiding ransomware and detecting phishing campaigns, suspicious websites, and other scams.
  • Plan for the worst – have recovery plans and playbooks prepared and ready to execute.
  • Harden and secure the infrastructure, including systems and networks.
  • Keep software, firmware, and applications up-to-date to reduce the risk of ransomware exploiting common vulnerabilities.
  • Use anti-virus software with active monitoring designed to thwart advanced malware attacks.
  • Employ a backup and recovery platform that offers a multi-layer framework for protecting, monitoring, and recovering from threats. It should use native capabilities and smart integrations with leading cybersecurity technologies (such as Key Management Server (KMS), Privileged Access Management (PAM), Security Information and Event Management (SIEM), and Security Orchestration, Automation, and Response (SOAR) platforms).

How Commvault fights ransomware

Commvault data protection and recovery can be a valuable part of your anti-ransomware strategy. Commvault provides multiple security layers by protecting and isolating your data, providing proactive monitoring and alerts, and enabling fast restores if a ransomware attack is successful. Advanced technologies powered by artificial intelligence and machine learning, including honeypots, make it possible to detect and provide alerts on potential attacks as they happen so you can respond quickly. By keeping your backups out of danger and making it possible to restore them quickly, you can minimize the impact of even a successful ransomware attack so you can get back to business right away (and avoid paying expensive ransoms).

Protecting and isolating your backup copies is critical to data integrity and security. Therefore, Commvault has taken an agnostic approach to immutability. With Commvault, you do not need special hardware or cloud storage accounts to lock backup data against ransomware threats. If you happen to have Write Once, Read Many (WORM), object lock, or snapshot-capable hardware (all of which Commvault fully supports), you can still use Commvault’s built-in locking capabilities to complement and layer on top of existing security controls. Having the ability to layer security controls across different infrastructure types is what sets Commvault’s immutable solution ahead of its competitors. Learn more about Commvault’s immutable infrastructure architecture.

Commvault’s security protection layers

With every environment having a mix of different infrastructures, securing backup data against unauthorized changes can seem challenging. Just like securing your house, you need to identify the risks and then enable the protection and monitoring capabilities to match your needs.

Many experts recommend having a layered anti-malware and ransomware strategy. Commvault has built these security capabilities into our data protection software and policies without the incremental management overhead. Commvault Complete™ Data Protection software includes five security layers: 

  • Identify and mitigate risks to backup data within a single interface
  • Protect by applying security controls based on industry-leading standards
  • Monitor for ransomware, insider threats, and other threats
  • Respond and take action on threats and continuously validate backup data
  • Recover data quickly across multiple on-premises, cloud, and hybrid environments

Commvault’s secure backup framework consists of feature sets, guidelines, and best practices to manage cybersecurity risk and ensure data is readily available. It is essential to understand that these capabilities are all part of Commvault’s core platform experience, Commvault Complete™ Data Protection. There is no special licensing, additional costs, or required hardware or software. The layered security depth is enhanced through greater integration with Metallic™ and Commvault HyperScale™ X for those customers seeking the simplicity of Backup as a Service or a data protection appliance, respectively.

Opportunity and risk — that’s the reality for businesses today and the people responsible for the data. A single ransomware event can threaten the bottom line or define a career. So how do you prepare? By making sure you are recovery ready. Learn more at www.Commvault.com/ransomware

Footnotes

[1] Gartner, 6 Ways to Defend Against a Ransomware Attack, by Manasi Sakpal, November 16, 2020.

[2] www.kratikal.com, November 16, 2020.

[3] Department of the Treasury, Advisory on Potential Sanctions Risk for Facilitating Ransomware Payments, October 1, 2020. https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001

[4] Best Practices for Running Containers and Kubernetes in Production – 4 Aug 2020 – Gartner ID G00730344