Removing The Ransom From Ransomware

By Don Foster

I recently asked a member of the IT community, whom I met at a trade show, if they had been affected by the most recent ransomware attacks (this was around the “not Petya” attack timeframe).  The gentleman’s answer was a simple nod. 

In discussing this, I later discovered that his organization is budgeting dollars to buy bitcoin and get their data back as a part of their ransomware recovery strategy.  Needless to say, this budget amount wasn’t huge, but it also was not insignificant.  He continued to say that no matter how great their technologies were to stop these types of attacks, one way or another they get through their defenses.

That point stuck with me. 

Building a perimeter security is extremely important. Sniffing packets for malware data is key to tracking the spread of malware and ransomware from within. Anti-virus and anti-malware tools are great to help detect the known variants and reduce the spread. Yet none of these technologies – even when combined together – will stop the instance of a good person in the company potentially unleashing a strand of malware code by accidentally making a mistake (no matter how many times you explain it, the IRS does not email you… but I digress).  The time to shift away from the thinking of “it won’t happen to us” to “how do we prepare for when it happens to us” is upon the entire IT community.

Fast restore and recovery for any IT system is the first and most important step to take. Having a backup simply is not good enough anymore, especially if it is not on a properly hardened storage system.  An unfortunate competitor of ours had a highly public issue where ransomware had deleted the BACKUPS from the storage attached to its backup server as the malware rampaged through the organization (search reddit – it really is not hard to find).  If you have a backup, you must be able to restore it quickly and ensure that the locations where you are placing your backup copies are properly secured from a ransomware or malware threat. Commvault makes this easy through our secure architecture, making us the reliable choice to address these concerns.  However, getting prepared goes beyond backup and fast recovery.

Once an attack starts you will only know it is spreading by the small amount of network traffic that is generated in transferring the worm code (unless the code is creating a VPN and replicating data to a secure outside facility – a new trend known as leakware for you GDPR fanatics). Also by the amount of change that is occurring on your system’s data.  The great thing about backup is that when done properly, it is aware of your data, its change rates, and it can even collect data to understand patterns of how your organization works.  If a critical system suddenly rewrote all of its blocks of data back down to its storage, your backup would know.  The delta backup would look like a full, or the snapshot would suddenly be the size of a mirror copy, and more than likely would raise eyebrows to the administrators in charge of the system.

This realization however is too slow. So what if your backup system could do more? 

We are taking those next steps to do more to protect your data as a part of smart and intelligent backup. Making it easy to reduce the risk concerns of these attacks. The recent updates to our product give us the intelligence through AI and machine learning to understand data access, change and transmit patterns across your environment.  Detecting anomalies to the daily operations and providing a fast path of action to stop a potential outbreak or fix a nagging issue in your enterprise. Because we are aware of your data, your backup and fast recovery plan not only gives you an out if you get attacked, but the ability to provide best case recovery actions to return your systems back to the point prior to the attack. We have done more to protect you by even setting honeypot traps; that if these files are ever changed, it will trigger an alert with options for definitive action to secure the system away from other potential targets. 

Fast recovery is the goal. Revealing when, where and how an attack has started as close to point zero as possible by providing a new level of intelligence, automation and analysis – that is how your backup vendor can do more.

Just another reason why Backup is Cool!

Learn how to recover from a ransomware attack, quickly and with confidence.