By Phil Wandrei
What is ransomware? How to protect and recover from it.
Time accelerates in a ransomware attack
A ransomware attack is a classic example of a ticking clock. Your critical business data has suddenly been taken hostage. Hackers have used advanced encryption to render it inaccessible — and now they are demanding money to decrypt it. How will you respond? Can you ensure the safety of your data if you refuse to pay — or even if you do? While you consider your options, your organization remains paralyzed. Every passing minute increases the pressure to make the right choice.
This scenario has already struck companies of all sizes across industries worldwide. Yours could be next. Are you ready?
In this blog, we will examine:
What is ransomware protection?
The cyber threat landscape, including ransomware, has transitioned to a case of “when,” not “if.” To ensure you can recover your data, you need the right solution with the best technology, the right people, and processes.
By 2031, it is anticipated that ransomware attacks against businesses will occur every 2 seconds, up from every 11 seconds in 2021. [1]
Organizations require tools (such as anomaly detection, immutable backups, air gap, and multi-factor authentication (MFA) controls) to continually measure and protect their recovery readiness state. They do this to expose and remediate problems, validate their data and business applications’ recoverability, and improve their security to reduce their risk profile. In the event of a successful attack, fast restores are required to resume business operations quickly.
A recovery solution is only viable if it is resilient across various failure modes. One scenario may be a data recovery event to revert to the prior instances before the corruption. At the same time, another may require complete recovery of the business applications to a new location. Designing recoverability across environments and providing simplified automation to test and validate each scenario helps build the recovery readiness state. Knowing the mission-critical data and applications were already validated for recovery by an automated process completes the needed security, compliance, and comfort level. Learn more about how you can “Secure your data, your recovery, and your mission.”
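As an added illustration (not Commvault's code) of the anomaly-detection control mentioned above: a minimal detector that scans file-activity events per host and flags a burst of renames to a suspect extension, or an unusually large number of distinct files written, inside a 60-second sliding window. The log line format, field names, thresholds and the sample events are all constructed assumptions; only the ".locky" extension comes from the post.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions a strain appends to encrypted files; ".locky" is the one the post names.
SUSPECT_EXTENSIONS = {".locky"}
WINDOW = timedelta(seconds=60)   # sliding window; thresholds are assumed tuning values
RENAME_THRESHOLD = 5             # suspect-extension renames per host per window
WRITE_THRESHOLD = 50             # distinct files written per host per window

def parse_event(line):
    """Parse a constructed 'ISO-timestamp host user ACTION path' line."""
    ts, host, user, action, path = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "user": user, "action": action, "path": path}

def detect_bursts(lines):
    """Return {host: reason} for hosts whose activity in some 60 s window looks like
    bulk encryption: many renames to a suspect extension or many distinct files written."""
    per_host = defaultdict(list)
    for e in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        per_host[e["host"]].append(e)
    alerts = {}
    for host, evs in per_host.items():
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > WINDOW:   # slide the window start forward
                start += 1
            window = evs[start:end + 1]
            renames = sum(1 for w in window if w["action"] == "RENAME"
                          and w["path"].endswith(tuple(SUSPECT_EXTENSIONS)))
            written = {w["path"] for w in window if w["action"] == "MODIFY"}
            if renames >= RENAME_THRESHOLD:
                alerts[host] = f"{renames} renames to a suspect extension in 60s"
                break
            if len(written) >= WRITE_THRESHOLD:
                alerts[host] = f"{len(written)} distinct files written in 60s"
                break
    return alerts

def constructed_events():
    """Constructed sample log: one normal workstation, one bulk-renaming like Locky."""
    base, fmt = datetime(2021, 11, 2, 9, 0, 0), "%Y-%m-%dT%H:%M:%SZ"
    lines = [f"{(base + timedelta(seconds=20 * i)).strftime(fmt)} ws-03 bob MODIFY /share/docs/r{i}.docx"
             for i in range(3)]
    lines += [f"{(base + timedelta(seconds=i)).strftime(fmt)} ws-17 alice RENAME /share/fin/f{i}.xlsx.locky"
              for i in range(6)]
    return lines
```

Running `detect_bursts(constructed_events())` flags only ws-17; the first window that reaches the rename threshold raises the alert, so the host is reported as soon as the fifth rename lands.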
What is a ransomware attack?
Gartner defines ransomware as “cyber extortion that occurs when malicious software infiltrates computer systems and encrypts data, holding it hostage until the victim pays a ransom.” [2]
There’s a reason ransomware makes the headlines. It’s the kind of attack that gets attention — it’s sudden, brutal, and leaves the victim feeling helpless. In recent years, the rapid rise of ransomware has cast a shadow of anxiety across organizations. Alarmed business, IT, and security leaders aren’t just being paranoid. In the third quarter of 2021, there was a 36.8% increase in ransomware attacks. [3]
What are the types of ransomware?
It is easy to assume that all ransomware is similar, and that one size fits all in terms of prevention and preparation. However, because each ransomware family is usually developed to attack different, specific networks, they can differ greatly in how they work. It is essential to understand the types currently in use (keeping in mind that multiple types can be combined in a single attack). If your organization is attacked and you have no plan to defend against the different types of ransomware, the attack is likely to have a significant impact on your company.
Here are six types of ransomware:
- CryptoWall – is responsible for a high percentage of ransomware attacks. CryptoWall typically reaches its target through phishing emails. The WannaCry ransomware is a derivative of the Crypto family and was at the core of one of the largest cyberattacks ever perpetrated. Unfortunately, the creators of CryptoWall continue to release new versions designed to get around security protections.
- Locky – does what its name implies: it locks you out of your files and replaces their extension with .locky. However, its name misses the most damaging part of this type of ransomware – its speed. Locky is notable for spreading to other files throughout the network faster than other ransomware strains.
- Crysis – takes data attacks to a new level by actually kidnapping your data and moving it to a new virtual location. The significance of this is that it qualifies as a breach if your company works with personal data; to stay in compliance with local, state, and federal guidelines, your organization must notify anyone whose information may have been on the network.
- SamSam – attacks unpatched WildFly application servers in the internet-facing portion of the network. Once inside, the ransomware looks for other systems to attack.
- Cerber – attacks database server processes to gain access instead of going straight after the files. Its creators sell the ransomware to criminals for a portion of the ransom collected, i.e., Ransomware-as-a-Service.
- Maze – is a variant of ransomware representing the trend in what is called “leakware.” After data is encrypted, bad actors threaten to leak ransomed private data on the dark web unless the ransom is paid.
Ransomware prevention and knowledge must stay at the forefront of organizations’ security efforts. Because attackers continually become more sophisticated in encrypting data and developing new ransomware, you must continually monitor those developments.
Who are these bad actors?
External malicious actors are, in simple terms, villains. They are hackers or other individuals seeking to infiltrate your organization for their nefarious purposes.
- Greed. Making money is a substantial motivating factor. For example, cryptojacking has become a popular method of stealing compute resources within an organization for mining cryptocurrency.
- Political. Malicious actors may be motivated by political reasons, including using ransomware to fund terrorism.
- Competitive. Some bad actors may want to delete data, leak data, or disrupt business services.
Whatever their intention, they often use password spraying to gain unauthorized access to an organization or system. Or they may exploit vulnerabilities, or plant botnets and rootkits, to steal or delete data or to disrupt an organization’s ability to function.
That is where ransomware comes in. In a typical attack, the hacker uses malicious software (malware) to encrypt your data, often delivered via an infected attachment or link in an email. As in a flesh-and-blood ransom situation, the hacker then demands payment — or you’ll never see your data again! Without an effective recovery strategy, you may think your only option is to pay the ransom and hope for the best.
How does ransomware spread?
Ransomware is often spread through email phishing messages that contain malicious links or through drive-by downloading. Drive-by downloading happens when a user unintentionally visits a contaminated site, and malware is downloaded onto the user’s computer or mobile device. A drive-by download usually exploits a browser, application, or operating system that is out of date or has a security flaw. Ransomware then uses these vulnerabilities to find other systems in which to spread.
10 tips to minimize ransomware exposure
The goal is to reduce risks and minimize the effects of ransomware. Ransomware mitigation requires a combination of best practices and constant vigilance, along with a layered security approach. Steps to minimize ransomware exposure include:
- Plan, plan, and more planning for ransomware protection and recovery: plan for the worst and hope you never have to use it. It is paramount to have a multi-layer security strategy and remember that recovery readiness is critical.
- Employees are critical to a good defense; conduct employee security training: educate employees on avoiding ransomware and detecting phishing campaigns, suspicious websites, and other scams. Despite their best intentions, employees are still a leading cause of malware infections.
- Ensure patches are up-to-date and stay current: keep software, firmware, and applications up-to-date to reduce the risk of ransomware exploiting common vulnerabilities.
- Install anti-virus and anti-malware protection: use anti-virus software with active monitoring designed to thwart advanced malware attacks.
- Implement multi-factor authentication: authentication requires each user to present a unique set of credentials to gain access. Enabling multi-factor authentication (MFA) makes it highly unlikely that a valid user account can be impersonated.
- Segment your networks to prevent lateral movements: if a cyberattack is successful, don’t give them unlimited access within your network. Divide your network into smaller segments to prevent lateral movement and to contain the damage.
- Know your data to safeguard your data: identify business-critical data and sensitive data across your environment. Then determine if the data are exposed to vulnerabilities. Using data insights, you can efficiently remediate these risks by removing, moving, or securing this exposed data to reduce the chances of costly breaches and ransomware attacks.
- Perform regular backups: employ a backup and recovery solution that offers a multi-layer framework for protecting, monitoring, and recovering from threats. The solution needs to support a 3-2-1 backup strategy for rapid recovery and secure cloud copies for added protection. 3-2-1 means 3 copies of your data, on 2 different media types, with 1 copy off-site and preferably air-gapped.
- Test, test, and test: once you have your plan in place, along with the procedures and technologies to execute it, make sure it’s going to work as needed. Perform frequent tests to verify that you can meet the SLAs you’ve defined for critical and high-priority data and applications.
- Enable the Security Health Assessment Dashboard (if you are a Commvault customer): utilize the Security Health Assessment Dashboard to identify, assess, mitigate, and monitor security controls within the Commvault data protection environment.
Ransomware prevention does not have to be complex. With the proper preparation starting with creating a plan, constant monitoring, and a robust backup and recovery solution, you can mitigate the risk of ransomware.
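As an added example (not Commvault's code) of turning the backup and testing tips above into a repeatable check: a small readiness evaluator that scores an inventory of backup copies against the 3-2-1 rule and against a restore-test freshness SLA. The inventory structure, field names, the 30-day default and the sample copies are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed inventory of backup copies; field names are assumptions, not a
# Commvault schema.
SAMPLE_COPIES = [
    {"name": "primary-disk", "medium": "disk", "offsite": False,
     "immutable": False, "last_restore_test": "2021-10-28"},
    {"name": "tape-vault", "medium": "tape", "offsite": True,
     "immutable": True, "last_restore_test": "2021-06-01"},
    {"name": "cloud-objectlock", "medium": "object-storage", "offsite": True,
     "immutable": True, "last_restore_test": "2021-10-30"},
]


def check_recovery_readiness(copies, today, max_test_age_days=30):
    """Evaluate backup copies against the post's 3-2-1 rule (3 copies,
    2 media types, 1 off-site and preferably immutable/air-gapped) and a
    restore-test freshness SLA. `today` is an ISO date string.
    Returns (ready, findings) where findings lists every failed check."""
    today = date.fromisoformat(today)
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; 3-2-1 needs at least 3")
    media = {c["medium"] for c in copies}
    if len(media) < 2:
        findings.append(f"all copies on one medium ({', '.join(media) or 'none'})")
    offsite = [c for c in copies if c["offsite"]]
    if not offsite:
        findings.append("no off-site copy")
    elif not any(c["immutable"] for c in offsite):
        findings.append("off-site copy exists but none is immutable/air-gapped")
    for c in copies:
        tested = date.fromisoformat(c["last_restore_test"])
        if today - tested > timedelta(days=max_test_age_days):
            findings.append(f"{c['name']}: last restore test {tested} is older "
                            f"than {max_test_age_days} days")
    return (not findings, findings)


if __name__ == "__main__":
    ready, findings = check_recovery_readiness(SAMPLE_COPIES, "2021-11-02")
    print("READY" if ready else "NOT READY", *findings, sep="\n")
```

With the sample inventory the 3-2-1 checks pass, but the tape copy fails the freshness check: a copy that was never proven restorable is not a recovery-ready copy.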
How to get rid of ransomware?
When ransomware does occur, the best approach is to have a validated copy of your backup data restored quickly to resume business operations. Organizations need a layered security approach encompassing multiple security tools, resources, controls, best practices, and strategies for a trusted and protected backup data copy. These security controls are applied within and around the data protection infrastructure to ensure the backup data is secured and recoverable. These steps provide the confidence that when an attack does occur, your backup data is protected and ready.
What are the risks of paying the ransom?
Paying a ransom is a highly debated topic, and only you can decide what is best for your organization. Factors to consider:
- Many government security services recommend not paying, and in some countries it may be illegal to pay the ransom. For example, in the United States, the US Department of the Treasury has issued an advisory on the sanctions associated with making ransomware payments. [4]
- Ransomware-as-a-Service kits often fund organized crime.
- Will the bad actors actually provide the keys to get your files back? Will they leave malware behind to strike again?
- If leakware is involved, the General Data Protection Regulation (GDPR) considers it a data breach once discovered, and you have 72 hours to devise a plan and report it.
- Do you become a future target for your willingness to pay?
Remember, even if you pay the ransom, there is no guarantee that you will recover all of your data: 35% of data remains encrypted after the ransom is paid. [5] And even with the encryption keys, it may take days, weeks, or even months to restore it all.
How Commvault fights ransomware
Commvault data protection and recovery can be a valuable part of your anti-ransomware strategy. Commvault multi-layered security is built on Zero Trust Principles and based on the National Institute of Standards and Technology (NIST) cybersecurity framework to protect data and recover quickly in the event of a ransomware attack. Commvault helps protect and isolate your data, provides proactive monitoring and alerts, and enables fast restores. Advanced technologies powered by artificial intelligence and machine learning, including honeypots, make it possible to detect and provide alerts on potential attacks as they happen so you can respond quickly. By keeping your backups out of danger and making it possible to restore them within your Service Level Agreements, you can minimize the impact of even a successful ransomware attack so you can get back to business right away (and avoid paying expensive ransoms).
Protecting and isolating your backup copies is critical to data integrity and security. Therefore, Commvault has taken an agnostic approach to immutability. With Commvault, you do not need special hardware or cloud storage accounts to lock backup data against ransomware threats. If you happen to have Write Once, Read Many (WORM), object lock, or snapshot-capable hardware (which Commvault fully supports), you can still use Commvault’s built-in locking capabilities to complement and layer on top of existing security controls. Having the ability to layer security controls across different infrastructure types sets Commvault’s immutable solution ahead of its competitors. Learn more about Commvault’s immutable infrastructure architecture.
Commvault’s security protection layers
With every environment having a mix of different infrastructures, securing backup data against random unauthorized changes can seem challenging. Just like securing your house, you need to identify the risks and enable the protection and monitoring capabilities to match your needs.
Many experts recommend having a layered anti-malware and ransomware strategy. Commvault has built these security capabilities into our data protection software and policies without incremental management overhead. Commvault’s data protection and management platform includes five security layers:
- Identify and mitigate risks to backup data within a single interface
- Protect by applying security controls based on industry-leading standards
- Monitor for ransomware, insider threats, and other threats
- Respond and take action on threats and continuously validate backup data
- Recover data quickly across multiple on-premises, cloud, and hybrid environments
Commvault multi-layered security consists of feature sets, guidelines, and best practices to manage cybersecurity risk and ensure readily available data. It is essential to understand that these capabilities are part of Commvault’s core platform experience, Commvault Complete™ Data Protection. There is no special licensing, additional costs, or required hardware or software. The layered security depth is enhanced through greater integration with Metallic™ and Commvault HyperScale™ X for those customers seeking the simplicity of Backup as a Service or a data protection appliance, respectively.
Opportunity and risk — that’s the reality for businesses today and the people responsible for the data. A single ransomware event can threaten the bottom line or define a career. So how do you prepare? By making sure you are recovery ready. Learn more at www.commvault.com/ransomware
[1] Cybersecurity Ventures, “Global Ransomware Damage Costs Predicted to Exceed $265 Billion by 2031,” David Braue, June 3, 2021.
[2] Gartner, “6 Ways to Defend Against a Ransomware Attack,” Manasi Sakpal, November 16, 2020.
[3] Digital Shadows, “Ransomware Q4 Overview,” Ivan Righi, January 19, 2022.
[4] U.S. Department of the Treasury, “Advisory on Potential Sanctions Risk for Facilitating Ransomware Payments,” October 1, 2020. https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001
[5] Sophos, “The State of Ransomware 2021,” April 19, 2021.