The Scourge of Ransomware
What is Ransomware?
Ransomware operates by encrypting files on the infected computer and then demanding a bitcoin ransom in return for the decryption key. Attacks can exploit a broad spectrum of vulnerabilities – although phishing is possibly the most common – enticing a user to click on an innocent-looking email attachment, which then drops a deadly payload on the endpoint.
I recently heard from a VAR the sad story of a company that had to shut its doors because of a ransomware attack. The company was on the verge of delivering on what was possibly the biggest order they’d received when they were infected. All the critical data on their endpoints became inaccessible, making their ability to deliver to their customer a virtual impossibility. The ransom being demanded was so high that the amount was worth more than the company itself! They had no choice but to simply shut shop.
A few chilling ransomware statistics:
- Despite its rise to become a top threat to businesses in 2016, one out of three SMBs has no idea what ransomware is.
- Total ransomware climbed about 128% this last quarter over the same period the previous year.
- A single ransomware network appears to have chalked up over USD 100 million in payments just during the first half of this year!
- Healthcare and manufacturing companies seem to be the hot targets, primarily due to their reliance on legacy systems combined with weak security – although nobody is really immune.
Ransomware attacks can potentially be more damaging than classic breaches which result in stolen bank accounts or credit card information. Many such losses are recoverable soon after the breach has been discovered, but business plans and product designs that are a company’s crown jewels can be irreplaceable.
In almost all cases, the infected computer is a user’s laptop or workstation. So any data stored on local disks, file shares, and mapped network drives is vulnerable. Enterprise File Sync and Share (EFSS) solutions also become vulnerable because of the replicating nature of their work. Since ransomware deletes the original files and replaces them with encrypted versions, EFSS solutions faithfully replicate these changes into their repositories as well. While EFSS solutions may have some file versioning capabilities, they don’t usually offer a bulk restore to a point in time before the infection.
Sadly, existing anti-malware solutions cannot be relied upon to detect and stop all ransomware. The rapid and quick-moving malware underground ensures that anti-malware vendors are always playing catch-up.
Educating users on how to identify possible payloads and avoid them would seem to be the best approach against ransomware – after all, prevention is better than a cure. While this can be effective, the reality is that the ransomware authors have to bypass a defense just once to do their dirty deed, and they constantly change tactics in order to do so. Even the best prepared amongst us can get outwitted at some point or another.
Experience tells us that the best defense against ransomware is a data backup. Without a backup, years of stored data could be lost. Even without ransomware, the costs from data loss, theft, and hard drive crashes – not to mention legal and disclosure costs related to such data loss – should build a compelling case for endpoint backups.
How to prevent Ransomware?
- Educate your users on the damaging effects of ransomware and help them identify possibly dangerous payloads (like phishing emails).
- Invest in reliable backup software that can back up all your endpoints. Look for something that can handle both Windows and Mac computers.
- To make the solution more bulletproof, consider putting your backups on the cloud. Make sure the solution can utilize cloud storage as a backup target.
- Look for software that is cloud-agnostic and doesn’t tie you down to their own cloud. You should be able to shop around for the best cloud storage prices and have the software work with the cloud of your choice.
- Make sure that the backup payload that is being sent to the cloud is encrypted – using encryption keys you control. After all, this is valuable data that you’re spending good money protecting. Make sure it is safe from prying eyes.
- If you’re managing many endpoints, you’ll want to be sure to look for a solution that:
  - Can be centrally managed via policies.
  - Can scale over tens of thousands of endpoints.
  - Allows users to do their own restores.
  - Integrates with the user namespace you’ve implemented – like Active Directory.
- Since your outbound network bandwidth can be at a premium, look for software that can, at a minimum, do the following:
  - Perform incremental backups – i.e. identify files that have been modified and move only those to the cloud. Better still, move only the portions of a file that have changed – especially useful for very large files like PSTs that change very little from day to day.
  - Resume a failed backup from the point of failure.
  - Be resource-sensitive and use techniques like compression and de-duplication to save network bandwidth and storage space.
  - Allow you to manage data retention by file version – so you can get back data from a previous day or even a previous week.
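To tie the bandwidth and retention requirements above to the EFSS problem described earlier, here is an added example (written for this page, not code from the original post or from any backup product) of a versioned, chunk-level deduplicating backup store in Python. The class name `BackupStore`, the 64 KB fixed chunk size and the sample endpoint contents are all assumptions constructed for the illustration. It shows that a changed byte in a large mailbox file costs one chunk of upload rather than the whole file, that a duplicate document costs nothing, that a mass overwrite of every file is recorded as just one more snapshot, and that a bulk restore from the last clean snapshot brings the files back byte for byte:

```python
"""Added example: versioned, chunk-level deduplicating backup with bulk restore (hypothetical code)."""
import hashlib
import random
import shutil
import tempfile
from pathlib import Path

CHUNK_SIZE = 64 * 1024  # assumed fixed chunk size; real products often use content-defined chunking


class BackupStore:
    """Content-addressed chunk pool plus one manifest per snapshot (file -> list of chunk hashes)."""

    def __init__(self):
        self.chunks = {}         # sha256 hex -> chunk bytes; each unique chunk is kept exactly once
        self.snapshots = []      # manifests in the order the snapshots were taken
        self.bytes_uploaded = 0  # stand-in for the bytes that had to leave the endpoint

    def _store_chunks(self, data):
        hashes = []
        for offset in range(0, len(data), CHUNK_SIZE):
            chunk = data[offset:offset + CHUNK_SIZE]
            digest = hashlib.sha256(chunk).hexdigest()
            if digest not in self.chunks:  # de-duplication: only unseen chunks are transferred
                self.chunks[digest] = chunk
                self.bytes_uploaded += len(chunk)
            hashes.append(digest)
        return hashes

    def snapshot(self, root):
        """Incremental backup of every file under root; returns the new snapshot's index."""
        root = Path(root)
        manifest = {}
        for path in sorted(p for p in root.rglob("*") if p.is_file()):
            manifest[path.relative_to(root).as_posix()] = self._store_chunks(path.read_bytes())
        self.snapshots.append(manifest)
        return len(self.snapshots) - 1

    def restore(self, index, dest):
        """Bulk restore: rebuild every file exactly as it was in snapshot `index`."""
        dest = Path(dest)
        for rel, hashes in self.snapshots[index].items():
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(b"".join(self.chunks[h] for h in hashes))
        return len(self.snapshots[index])

    def prune(self, keep_last):
        """Retention by version: keep the newest snapshots and drop chunks nothing references."""
        self.snapshots = self.snapshots[-keep_last:]
        live = {h for manifest in self.snapshots for hashes in manifest.values() for h in hashes}
        self.chunks = {h: c for h, c in self.chunks.items() if h in live}
        return len(self.chunks)


def demo():
    """Full backup, incremental backup, mass overwrite, bulk restore, then prune; returns metrics."""
    with tempfile.TemporaryDirectory() as tmp:
        endpoint = Path(tmp) / "endpoint"
        (endpoint / "docs").mkdir(parents=True)
        # Constructed sample data: a mailbox file spanning five distinct chunks plus two small documents.
        (endpoint / "mail.pst").write_bytes(b"".join(bytes([i]) * CHUNK_SIZE for i in range(5)))
        (endpoint / "docs" / "plan.docx").write_bytes(b"Q3 launch plan\n" * 100)
        (endpoint / "docs" / "design.txt").write_bytes(b"widget v2 schematic\n")

        store = BackupStore()
        store.snapshot(endpoint)
        first_upload = store.bytes_uploaded

        # Day 2: one byte of the large mailbox changes and a duplicate document appears.
        pst = bytearray((endpoint / "mail.pst").read_bytes())
        pst[-1] ^= 0xFF
        (endpoint / "mail.pst").write_bytes(pst)
        shutil.copy(endpoint / "docs" / "plan.docx", endpoint / "docs" / "plan copy.docx")
        clean = store.snapshot(endpoint)
        incremental_upload = store.bytes_uploaded - first_upload
        expected = {p.relative_to(endpoint).as_posix(): p.read_bytes()
                    for p in endpoint.rglob("*") if p.is_file()}

        # Day 3: every file is replaced by unreadable content of the same size (a constructed
        # stand-in for the encrypted copies the article describes). A sync client would replicate
        # this state faithfully; the versioned store simply records it as one more snapshot.
        rng = random.Random(1234)
        for rel, original in expected.items():
            (endpoint / rel).write_bytes(rng.randbytes(len(original)))
        store.snapshot(endpoint)

        # Bulk restore from the last known-good snapshot, then verify byte for byte.
        restore_dir = Path(tmp) / "restore"
        files_restored = store.restore(clean, restore_dir)
        restore_ok = all((restore_dir / rel).read_bytes() == data for rel, data in expected.items())

        chunks_before = len(store.chunks)
        chunks_after = store.prune(keep_last=2)  # retains the clean and the overwritten snapshot
        return {
            "first_upload": first_upload,
            "incremental_upload": incremental_upload,
            "files_restored": files_restored,
            "restore_ok": restore_ok,
            "chunks_before_prune": chunks_before,
            "chunks_after_prune": chunks_after,
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points the list above implies but the code makes concrete. First, `prune(keep_last=2)` still holds the clean snapshot here only because the overwrite was caught after a single run; a retention policy that keeps just the latest version or two would let the next scheduled backup age the clean copy out, which is why retention should be counted in days or weeks, as the last bullet says. Second, the chunks here are stored as plain content so the de-duplication is visible; a real client would encrypt each chunk with customer-controlled keys before it left the endpoint, as the encryption bullet demands, and de-duplicate on the hashes rather than on the ciphertext.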
While educating users on the damaging impact of ransomware and training them on techniques to steer clear of it is important, having a solid endpoint backup strategy is a critical step in readying yourself for a ransomware attack.