Get Protected From Ransomware

Only Done It Again
2nd February 2021


One of the biggest cybersecurity threats facing organisations today is ransomware. Ransomware is a scourge affecting governments and businesses of all shapes and sizes. It wreaks havoc on IT systems and can cost organisations millions, both in disruption and in repairing the damage.

The global crisis that has emerged due to COVID-19 has spawned new examples of the most perfidious behaviour, as cybercriminals and scammers have targeted the weak and vulnerable. Mobile apps that appear to be COVID-19 tracking apps turn out to be spyware. Ransomware attacks on hospitals and medical research firms are increasing. The global crisis has created a sense of urgency for those combating COVID-19, so the cybercriminals see them as more likely to pay the ransom. As we continue with the global effort to combat the pandemic there are no signs that these attacks are slowing down any time soon. So what’s the best way to keep your organisation’s data safe from harm?

What is ransomware?

Before we address any potential solutions to ransomware it is important to understand what ransomware is. One of the most common forms of ransomware is known as “crypto ransomware.” A crypto ransomware attack typically encrypts valuable files or the contents of an entire disk to prevent users from accessing them. The organisation affected is told that it has to pay a ransom to regain access to its data. If that data hasn’t been backed up somewhere, or worse, if the backup is also encrypted, the victim faces a choice between losing the data and paying the cybercriminal. Imagine having the lives of sick and dying patients in your hands, or working on an antiviral vaccine, and having your data held hostage. Would you pay to restore access? We are told not to pay, but can you fault those that do, especially in a global crisis?

The impact of downtime

The impact of downtime on organisations under a ransomware attack is typically financial, due to the loss of revenue or the curtailment of employees’ ability to work, but when the attack is on governmental, medical and emergency responders, the cost of downtime can be measured in the health and lives of people.

How do I prevent a ransomware attack?

Often, organisations can avoid paying the ransom if they opt to restore affected data from backups. Backup data is not immune to ransomware, but a diligent programme of keeping multiple versions, different recovery points (yearly, monthly, weekly, daily), and geographical separation between backup copies goes a long way toward reducing the impact of ransomware attacks. A common rule of thumb for backing up data is known as the “3-2-1 rule”: keep 3 copies of your data, 2 on different media, and 1 offsite. Offsite makes sense because if you can “air gap” a backup copy, it can be protected better than if it were attached to your network. Unfortunately, “air gapping” usually means keeping the copy “offline” and powered down in a secure location somewhere. This limits your access to the backup and, in some cases, it can take days to locate it and bring it back online. In a global emergency, where time can be of the essence, you’ll want millisecond access, not hours or days.

Ransomware and the cloud

How can you get millisecond access to offsite data? The answer is, of course, cloud storage. Many organisations have started using cloud object storage as part of their 3-2-1 backup strategy. Storing data in the cloud is less expensive than on-prem, gives you near-instant access to your data, and adds an additional level of protection. It is important to note that data in the cloud can still be affected by ransomware. The vast majority of attacks are initiated on-premises, via URL downloads, direct files, exploit kits and infected USB flash drives, and the infected files can then be uploaded to the cloud in a backup job. That may not affect previous backup jobs, but the recovery point taken from the infected system will not be usable. There have been recent examples where cybercriminals have accessed victims’ networks through exposed remote desktop services, obtained cloud credentials, and used them to delete previous backups or download them to servers under the cybercriminals’ control. With the backups either deleted or under the cybercriminals’ control, they then deploy the ransomware. Less common, but also a vulnerability, is a cloud object bucket (the basic container that holds your data) that was misconfigured and left open to the public; in these cases the contents of the bucket are exposed. All major cloud platforms operate on the basis of a shared responsibility model when it comes to compliance and security. Of course, the best defence is to prevent attackers from gaining access to your network in the first place and to monitor for suspicious activity.

Fight ransomware with immutable buckets

At Cutter, we have adopted an approach to this element of cybersecurity by working with the innovative cloud storage provider Wasabi, using “immutable buckets”.

When you create a Wasabi storage bucket you have the option of making it immutable for a configurable retention period (in increments of days, weeks, months or years). “Immutable” means that any data written to that bucket cannot be deleted or altered in any way, by anyone, throughout the storage lifetime you define. If desired, you can also configure the storage bucket to automatically delete the data after the retention period has expired. Wasabi immutable storage buckets prevent encryption by crypto ransomware. They can also help you comply with certain government and industry regulations such as the Health Insurance Portability and Accountability Act (HIPAA), Financial Industry Regulatory Authority (FINRA), Markets in Financial Instruments Directive (MiFID) and Criminal Justice Information Services (CJIS) rules for securing and preserving electronic records, transaction data and activity logs. By adequately protecting and retaining data you can avoid expensive regulatory fines and penalties, and costly legal actions and settlements.

Wasabi is one of the few cloud service providers capable of providing immutability features. A key element of the Wasabi offering is that:

  • No one person should be able to encrypt or destroy data that is in an immutable bucket; and
  • Nobody should be able to touch a production system anonymously.

This means that when using Wasabi immutable buckets, no one can delete or alter your data, not even a systems administrator.
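The retention and “not even an administrator” properties above are what a backup operator should verify rather than assume. The following added example (not Cutter’s or Wasabi’s code) assesses a bucket lock configuration shaped like the S3 Object Lock API response; that Wasabi exposes this exact API, the sample configuration, and the helper names are all assumptions of the example.

```python
from datetime import date, timedelta

# Constructed sample: the shape of an S3 GetObjectLockConfiguration response.
# That the provider exposes this exact API is an assumption of this example.
SAMPLE_LOCK_CONFIG = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}},
    }
}

DAYS_PER_YEAR = 365  # simplification used for comparing retention periods


def retention_days(rule):
    """Normalise a DefaultRetention rule (Days and/or Years) to whole days."""
    ret = rule.get("DefaultRetention", {})
    return ret.get("Days", 0) + ret.get("Years", 0) * DAYS_PER_YEAR


def assess_bucket_lock(config, min_days):
    """Return (ok, findings) for a backup bucket's object-lock configuration.

    ok is True only when locking is enabled, the default mode is COMPLIANCE
    (GOVERNANCE mode can be bypassed by a sufficiently privileged principal,
    so it does not give the 'not even an administrator' guarantee), and the
    default retention covers at least min_days.
    """
    findings = []
    lock = config.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock not enabled: backups can be deleted or overwritten")
        return False, findings
    rule = lock.get("Rule")
    if not rule:
        findings.append("no default retention rule: objects are only locked if the client sets retention per object")
        return False, findings
    mode = rule.get("DefaultRetention", {}).get("Mode")
    if mode != "COMPLIANCE":
        findings.append(f"mode is {mode}: a principal allowed to bypass governance retention can still delete")
    days = retention_days(rule)
    if days < min_days:
        findings.append(f"default retention {days}d is shorter than the required {min_days}d")
    return not findings, findings


def retain_until(written_on, config):
    """ISO date on which an object written on written_on first becomes deletable."""
    start = date.fromisoformat(written_on)
    days = retention_days(config["ObjectLockConfiguration"]["Rule"])
    return (start + timedelta(days=days)).isoformat()
```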

In the case of ransomware, as with everything else, a good defence is the best offence. There are a variety of anti-malware and decryption products available to protect your systems, but one of the simplest ways to keep your data safe is to perform regular backups, ideally keeping at least one backup copy offsite. Cloud storage providers encrypt data in transit and at rest, but you should also take advantage of the optional immutability features that exist.