Commvault
Ransomware Protection
You’ve seen the headlines – organizations with their data held hostage and payouts to perpetrators to restore it. With new strains of ransomware and other malware threats on the rise, your enterprise and customer data is continually at risk despite steps you’ve taken.
Ransomware basics
It is easy to assume that all ransomware is similar, and it is not uncommon to think that one size fits all in terms of prevention and preparation. However, because each ransomware type is usually developed to attack different, specific networks, they can be very dissimilar in how they work. It is essential to understand the different types currently being used (keeping in mind that it is also possible to combine multiple types of ransomware). If your organization is attacked, and you do not have a plan to defend against the different types of ransomware, the likelihood is that the attack will have a more significant impact on your company.
Here are five types of ransomware:
- CryptoWall– is responsible for a high percentage of ransomware attacks. Typically, CryptoWall attacks its target through phishing emails. The WannaCry ransomware virus is a derivative of the Crypto family and was at the core of the largest cyberattacks ever perpetrated. Unfortunately, the creators of CryptoWall continue to release new versions designed to get around security protections.
- Locky– as the name implies, is what it does (locks you out of files and replace the files with the extension .lockey). However, its name misses the most damaging part of this type of ransomware – its speed. Locky has the distinction of spreading to other files throughout the network faster than other strains of ransomware.
- Crysis- takes data attacks to a new level – actually kidnapping your data and moving it to a new virtual location. The significance of this aspect of the attack is that because it qualifies as a breach, if your company works with personal data, organizations must contact anyone who may have information on your network to stay in compliance with local, state, and federal guidelines.
- Samsam- attacks unpatched WildFly application servers in the internet-facing portion of their network. Once inside the network, the ransomware looks for other systems to attack.
- Cerber- attacks the database server processes to gain access instead of going straight after the files. Its creators sell the ransomware software to criminals for a portion of the ransom collected, i.e., Ransomware-as-a-Service.
- Maze- is a variant of ransomware representing the trend in what is called “leakware.” After data is encrypted, bad actors threaten to leak ransomed private data on the dark web unless the ransom is paid.
Ransomware prevention and knowledge must stay at the forefront of organizations’ security efforts. Unfortunately, since hackers continuously become more sophisticated in their ways to encrypt data and develop new ransomware, you must continually monitor those developments.
Ransomware is often spread through email phishing messages that contain malicious links or through drive-by downloading. Drive-by downloading happens when a user unintentionally visits a contaminated site, and malicious software (malware) is downloaded onto the user’s computer or mobile device. A drive-by download usually exploits a browser, application, or operating system that is out of date or has a security flaw. Ransomware then uses these vulnerabilities to find other systems to spread to.
The goal is to reduce risks and minimize the effects of ransomware. Ransomware mitigation requires a combination of best practices and constant vigilance, along with a layered approach. Steps to reduce ransomware include:
- Educate end-users on how to avoid ransomware and to detect phishing campaigns, suspicious websites, and other scams.
- Harden and secure the infrastructure, including systems and networks
- Keep software, firmware, and applications up-to-date. This will reduce the risk of ransomware exploiting common vulnerabilities.
- Use anti-virus software with active monitoring that is specifically designed to thwart advanced malware attacks.
- Employ Commvaults AAA Security framework controls for intelligently controlling access to computer resources, enforcing policies, and auditing usage.
The cyber threat landscape, including ransomware, has transitioned to a case of “when,” not “if.” To ensure you can recover your data, you need the right solution with the best technology, the right people, and processes.
Organizations require tools (such as anomaly detection, immutable backups, air gap, and data isolation support) to measure their recovery readiness state continually. They do this to expose and remediate problems, validate the recoverability of their data and business applications, and improve their security to reduce their risk profile. In the event of a successful attack, fast restores are required to resume business operations quickly.
When ransomware does occur, you need to have a validated copy of your backup data that can be quickly restored to resume business operations. For a trusted and protected backup data copy, organizations need a layered approach that encompasses multiple security tools, resources, controls, best practices, and strategies. These various layers of security controls are applied within Commvault and around the Commvault infrastructure to help ensure the backup data is secured and recoverable. These steps provide the confidence that when an attack does occur, your backup data is ready.
Data protection in the new normal: A conversation with Commvault CIO Reza Morakabati
The ransomware protection strategy
A complete ransomware strategy includes both reducing the risk of a successful attack and lessening the impact of an attack that does succeed. There are five things you need to do: plan, prevent, monitor, restore quickly, and test.
How to protect against ransomware attacks:
- Create a plan: an effective strategy is a foundation for a full and speedy resumption of normal operations.
- Prevent attacks: proactive steps, including foundation hardening, application hardening, and ransomware protection.
- Monitor your environment: always be on the lookout for any anomaly, detecting the attack as quickly as possible to reduce its impact.
- Restore your data: perform fast restores with an intact and secure data copy to quickly resume normal business operations and reduce the ransomware impact.
- Test your plan: perform frequent tests to verify you can meet your defined SLAs for high-priority data and applications
With ransomware, there is both opportunity and risk – that’s the reality for businesses today and the people responsible for protecting the data. So how do you prepare? With Commvault solutions, you can ensure you do the one thing that matters most if you fall victim: Recover Fast.
Can you restore your data – no matter what? You need to ensure your data is always available in an increasingly complex environment. You’re managing more endpoints and applications, with more potential points of attack and risk. You also may have moved substantial data to the cloud. But if you don’t have a ransomware recovery plan or are dependent on manual processes, it could take weeks to recover your data and applications after a breach. And without quickly knowing what data was involved in an incident, you can’t notify those impacted in a timely, compliant way.
Reduce human error
Train users to practice security best practices and employ organization-wide endpoint protection to restrict external software and downloads.
Reduce Exposure
Reduce threats from poor practice, misconfigurations and incomplete preparedness to reduce attack vectors.
Resilient architecture
With Commvault’s resilient architecture, you’ll have a security-focused platform to recover from a diverse array of malicious, compliance and user-based risks.
Ransomware alerts
Be alerted to potential ransomware/malware attacks so you can quickly react and ensure minimal impact to users and businesses.
Reporting visibility
Gain the visibility needed for proactive compliance management and timely incident remediation and reporting.
Insightful analytics
Leveraging insightful analytics, you’ll easily monitor the entire data pool, risk profile and compliance status with alerts, dashboards, and reports.
Streamline operations
With built-in automation, policies and scripts, you will eliminate improvisation, ad hoc measures and avoid lost time when a full and speedy recovery is required.
Reliable recovery
Thanks to reliable disaster recovery, you’ll minimize productivity, financial and legal impacts by swiftly returning users, systems and the business to productive operations.
Enterprise infrastructure
Ensure quick, reliable and scalable recovery of data on-premises, in the cloud, or wherever it’s hosted.
Verify
Your staff and third-party resources are up to speed on processes and infrastructure.
Validate
Regularly test and report your data, applications and systems that can meet your recovery service levels.
Rethink
Assess readiness for future attack scenarios against endpoints, applications and backup infrastructure and make necessary adjustments.
Are you in control?
Check out one of our topical webinars
Ransomware strikes: Behind the scenes of a ransomware recovery
Managed cloud storage for your ransomware recovery strategy
Ransomware technology requirements
Does your current data protection and management solution offer…
Robust security framework based on AAA best practices: Authentication, Authorization, and Audit (AAA) framework is a set of security controls protecting who has access, and what they have access to, while monitoring events and activities for proper security posture.
Protect backups with air gapped copies: a technique that complements data isolation. Air-gapped networks have no connectivity to public networks. Tape is a traditional medium for air-gapped backups because tape can be removed from the library and stored offsite. To air gap secondary backup targets on disk or cloud, some access is needed, but communication is severed when it is not needed. Watch video
Avoid ransomware file reinfections: ensure a clean and secure recovery by browsing and erasing suspicious or unnecessary files from the backup data, or create an isolated recovery. Watch video
Lock down cloud backup copies per your schedule: enable WORM/Object lock in cloud so that data cannot be deleted or changed for the duration of the lock period. Data is protected from changes within Commvault as well as changes direct change attempts.
Data isolation: having secondary and tertiary copies of backup storage targets segmented and unreachable directly from the public portions of the environment using virtual LAN (VLAN) switching, next-generation firewalls, or zero trust technologies. Read more
Protect your backup copies from ANY changes with immutability: “unchangeable or changeless.” When applying this to backup data, whatever data you backup according to your set policies will be available to restore, unchanged and unmodified. Immutability protects against changes from within the backup solution, as well as outside of the backup solution.
Monitor and detect suspicious activities: through active, backup, and event monitoring receive alerts to any anomalous events or changes within your environment. Detect ransomware activity, such as unauthorized system changes, with honeypots. Watch video
Continuously authenticate access with zero trust principles: Commvault’s security frameworks are based on Zero Trust principles. The underlying philosophy for zero trust is, “Never assume trust, but continuously validate trust.” Zero Trust ensures access is continuously validated using various multi-authentication, and segmentation techniques. Read more
What you can do with Commvault’s single, integrated Data Recovery solution
Don’t let ransomware make your organization a victim. With Commvault, you’ll have an end-to-end solution that improves threat and risk mitigation across all endpoints and applications. You will always have recovery readiness and greater confidence in your data backup, recovery and compliance.
