Ransomware is becoming more advanced. So should your approach to defence

By Ezat Dayeh, Senior Systems Engineering Manager, Western Europe at Cohesity.

  • 2 years ago Posted in

Organisations fall foul to ransomware attacks every 11 seconds and cybercriminals continue to be more frequent and sophisticated. Ransomware has ‘real world’ ramifications as is clear from a spate of high profile attacks. In order to reduce the blast radius of such attacks, businesses need to consider next-gen data management solutions capable of recovering critical systems and processes quickly while also assisting to decrease downtime significantly.

Nowadays sophisticated cyber-attacks affect our everyday lives - from attacks on hospitals to disruptions to fuel and food supplies. Cybercriminals are now becoming increasingly aggressive and have adapted their tactics over time. In order to attempt to receive a monetary payout, cybercriminals are doing more than just encrypting production and backup data. Now they are stealing (or more technically “exfiltrating”) sensitive data from businesses and threatening to expose it on the dark web, in so-called “double extortion” schemes.

How Did We Reach This Point?

The increase in ransomware attacks can be put down, in part, to the growing adoption of cryptocurrency. Some argue that cryptocurrency empowered cybercriminals to increase their criminal enterprise by enabling them to launch their attacks virtually anonymously, demand untraceable payments, and in a number of cases easily obtain the ransom. This anonymity fuelled the first generation of ransomware, “ransomware 1.0” so to speak — the WannaCry era.

Ransomware 1.0 variants like WannaCry targeted and encrypted production data. Backup systems quickly became the de facto solutions to address ransomware 1.0 threats. Organisations that protected their data could utilise capabilities designed to not only help them quickly respond to attacks, but quickly recover without paying any ransom.

Initially, attackers were happy to focus on the lowest hanging fruit. But as restoring data from backup tools to avoid paying the ransom became more of an industry standard practice, it forced cybercriminals to change their tactics. In addition to user and production data, cybercriminals evolved to also start targeting the backup data and systems, leading to the rise of “ransomware 2.0”.

Cybercriminals used ransomware 2.0 variants like DarkSide and Ryuk to aggressively attack the backup data sets stored on various legacy backup providers. Upon analysing DarkSide’s source code, security researchers found code was utilised to disable or delete the data on various backup solutions, security services, and critical Microsoft services like VSS, SQL Server, prior to unfolding an attack on production copies of data. But what about the threat of data exfiltration? According to Covewave’s research, 80% of ransomware attacks in Q2 2021 involved claims of data being stolen by cybercriminals. And, unfortunately, nearly two thirds of the impacted organisations confirmed that they paid a ransom to stop their sensitive data from being leaked. This represented the next evolution of attackers’ tactics, leading to the emergence of “ransomware 3.0” – the most disruptive variant yet.

Ransomware attacks are generally disruptive, but data exfiltration takes the threat to a whole other level. According to IBM Security, the average cost of data breaches is nearing $4.24M. In addition to the direct cost of remediating the impact, regulatory penalties, and victim

outreach and penalties, this cost includes the damage a data breach would cost to a business’s brand and reputation with customers, suppliers, partners, and employees.

Alleviating the Threat

In the era of ransomware 3.0, there are a number of proactive measures organisations can take to mitigate the threat. For example, making sure the foundation of your security posture is solid. This means having processes in place to quickly patch known vulnerabilities, while ensuring your production and backup data is encrypted, and follows least privileged access management.

Social exploitation remains a key way in which cybercriminals propagate ransomware attacks so investing in regular employee training and awareness programs will help build a ‘security-first’ mindset and strengthen what would otherwise be the weakest link in the cyber defence chain.

It should go without saying that protection needs to cover both your production and backup systems and this is why immutable backups – which are designed so they can’t be tampered with y – are now a necessity rather than a nice to have. And, in addition to taking measures to defend against an attack, investments need to be made to reduce the impact if breached. In the case of ransomware, this includes having the ability to detect an attack as early as possible. This can be done by monitoring source-side data in production with the help of AI and ML to identify anomalies in near real-time.

It is also essential to recover critical systems and processes with aggressive recovery time and recovery point objectives and provide automated failover and failback orchestration, so organisations can reduce downtime of critical systems significantly in the event of a successful cyber-attack. Organisations would also be well served by testing these critical recovery processes. This needs to include the recovery of systems and environments and rehearsing with the individuals required to execute the whole process.

What Comes Next?

If the advancements of ransomware have taught us anything, it’s that cybercriminals will continue to adapt and hone their tactics. As such, it’s now more apparent than ever that next-gen data management technology is vital for businesses' preventive efforts. Capabilities of a next-gen data management platform, such as immutable backups and encryption, coupled with a vigorous recovery strategy, and the execution of multi-factor authentication, offer a path for businesses to tackle the threat of ransomware 3.0 and beyond.

By Alasdair Anderson, VP of EMEA at Protegrity.
By Eric Herzog, Chief Marketing Officer, Infinidat.
By Shaun Farrow, Security Practice Lead at Bistech.
By Andre Schindler, GM EMEA and SVP Global Sales at NinjaOne.
By Darren Thomson, Field CTO EMEAI, Commvault.