Insights from Ransomware Preparedness: ESG Report

By Chris Rogers, Senior Technology Evangelist at Zerto, a Hewlett Packard Enterprise company.

  • 3 months ago Posted in

The threat from ransomware tops the cybersecurity agenda for many organisations with 75% citing they have experienced at least one attempted attack in the last 12 months, according to a report from ESG, Ransomware Preparedness: Lighting the Way to Readiness and Mitigation. The research indicates that 65% of businesses are aware of the devastation that a successful attack could wreak, and rate it as one of the top three most serious threats to the viability of their organisation.

However, while it is positive to see that awareness of this potential danger is high amongst respondents, much less encouraging is their capability to recover from the aftermath of an attack. Only 16% retrieved 100% of their data, including those who went as far as paying the ransom demand, and 40% lost hours or days of data because they were unable to restore everything prior to the point of the attack.

Changing the anatomy of attacks

The research emphasises how important it is to accept that ransomware poses a real and immediate threat which is not going away. It is not a question of if an attack will occur, but when, and how far it can spread.

Ransomware can cause havoc rapidly as attackers often target network infrastructure to propagate the malware and infect as many systems as possible. While nearly six in ten organisations reported that regulated data, often in the form of personally identifiable information, was the target of successful ransomware attacks, configuration data is at risk too. By encrypting critical elements of network systems and servers, attackers are intent on disrupting core infrastructure components to render them inoperable. In fact, over half of the respondents in the study confirmed that this type of data had been affected by ransomware.

Attackers will also try to infiltrate backup systems with the aim of making it impossible to restore data from this storage too. This adds more pressure onto victims, forcing them to consider giving in to ransom demands as a way of regaining access to their files.

The research highlights that IT leaders are worried about the security of their backup and recovery infrastructure with one in three (29%) expressing serious concerns. Many are looking at extra precautions to safeguard their backup copies which are crucial for fast recovery in a crisis.

Real-time backup scanning is not the norm

Backup scanning remains a popular tried and tested approach. Carried out in real or near real-time, any suspicious files or executable code can be identified, and immediate alerts generated when remediation action is needed.

Scanning can also be done after backup, across data stored on physical media or in the cloud, to check for security issues, errors, corruption, or any inconsistencies that may have occurred during the backup process. While real-time scanning is best for early threat detection, post-process solutions may be the norm for operations where performance or cost is an overriding issue.

The ESG study showed that around 80% of organisations already use backup scanning, which is a good basis for ransomware preparedness, although only a third are running detailed scans of backup data and user activity in near real-time.

Air-gapping for ultimate protection

Air-gapping offers the ultimate level of protection for data recovery, with 79% of respondents seeing it as a viable way of mitigating the effects of a ransomware attack.

It is a security measure that physically isolates critical backups from unsecured systems, such as the internet or potentially compromised networks. This is typically achieved by creating a physical disconnect, often referred to as an "air gap". By maintaining this gap, if ransomware infects one network it cannot easily access or compromise the isolated backup system.

To ensure maximum security, air-gap backups should never be available to any applications, databases, users, or workloads operating in production or live environments. Such data should only be accessed during protected and monitored sessions. This is a vital best practice to prevent cyberattackers from stealing, encrypting, or destroying data.

Only 27% are fully prepared

On the plus side, 40% of the organisations surveyed say they protect all their backup copies, which should increase the chances of successful recovery from a ransomware attack. However, of major concern is that, despite recognising the importance of air-gap solutions, the research showed that only slightly more than one in four (27%) organisations have deployed air-gapping. A further 18% are

in the process of testing and implementing a solution, but without this crucial level of security, the vast majority are not fully prepared to cope with a ransomware attack.

Ideally, what’s needed is a combination of real-time, malware detection with air-gapped recovery in place. This would help organisations to build impenetrable defences that go far beyond just protecting data, ensuring business continuity in the event of a crisis whether caused by a ransomware attack, natural disaster, or system failure.

Without a series of preventative security controls to protect backups and a watertight recovery plan in place, the likelihood of full recovery is slim, offering a prime opportunity for malicious actors to make easy money. An organisation’s backup is often the last line of defence so its protection should always be of the utmost priority.

By Ciaran Luttrell, Head of Security Operations Centre EMEA, eSentire.
By Jon Lucas, co-founder and director of Hyve Managed Hosting.
By Emmanuel Routier, VP Smart Industries, Orange Business.
By Niall McConachie, regional director (UK & Ireland) at Yubico.
By Karl Mattson, Field CISO at Noname Security.
By Frank Catucci, CTO and Head of Security Research, Invicti Security.
By Jim Downey, Senior Product Marketing Manager, F5.