The ransomware war: avoid the inevitability of ransomware losses


Author: Geoffrey Coley, Director, Strategy and Architecture for Asia South and Pacific region, Veritas Technologies LLC

A hacker group mounts a stealthy, days-long, brute-force attack on your enterprise’s networks but fails to gain access. Cyber criminals test millions of passwords against a corporate server in a massive credential-stuffing attack but get nowhere. Then, an employee clicks on a convincing link in a homograph attack, and all of that defensive hard work falls by the wayside as hackers breach the corporate network.

Despite doing everything right with your security strategy, malware is now in your network and hackers have begun silently profiling your physical, virtual and cloud-based storage in preparation for an attack. Weeks later, confident they’ve infiltrated the most critical IT services, they steal your sensitive data, and then use the original malware to activate ransomware that encrypts data, destroys infrastructure and wipes backups.

Your business is at a standstill, your critical data is being held hostage, and the price tag on the decryption key that will unlock your systems is tens of thousands of dollars, if not more.

This nightmare scenario has become a reality for more and more organisations in 2020. According to the Veritas 2020 Ransomware Resiliency Report, 45 percent of Australian organisations reported that their company had experienced at least one ransomware attack. These attacks were extremely disruptive, with 64 percent of Aussie companies estimating that it would take five or more days to fully recover from a ransomware attack if they didn’t pay the ransom.

Such attacks are also escalating in today’s digitalised setup. The Australian Cyber Security Centre’s cyber threat report shows that it responded to 2266 cyber security incidents in 2019-20, including targeted reconnaissance, phishing emails and malicious software affecting larger organisations, supply chains and government entities.

With more than half (57 percent) of Australian organisations confessing that security measures have not kept pace with IT complexity, experts agree that 2021 will bring even more sophisticated and targeted attacks. Every business should assume that it is a target and plan from there. The key is a belt and braces approach that adds data backup and recovery to IT security to help prevent, contain and recover from ransomware. Furthermore, organisations must understand data management as a framework or methodology and consider the value and risk of data across its whole lifecycle, from “cradle to grave”. We’re seeing regulatory and compliance requirements building around this.

Escalating IT complexity

Whilst you can’t stop every attack, prevention strategies can minimise the number of hacking attempts that become successful. Multiple layers of defence, including firewalls, email and spam filters, anti-malware endpoint protection software and user education, should be every company’s first line of defence.

However, growing IT complexity created by the extensive adoption of multiple different cloud platforms, and greater use of distributed data centers, hybrid cloud operations and multiple storage and data protection suppliers (data fragmentation) makes IT security even more difficult to assure.

As a result, IT leaders should always assume that their IT security measures will inevitably be breached and, as they struggle to defend increasingly complex networks and avoid ransomware, a sound backup and recovery strategy is critical.

It’s no surprise that this IT complexity makes backup and recovery more difficult. Despite experts cautioning against giving in to ransom demands, since full decryption is not guaranteed, many companies are forced to pay at least part of what is demanded, because their backup and recovery measures prove inadequate to retrieve their data.

Veritas’ research showed that companies that paid a ransom in full typically used twice as many cloud providers as those that were able to avoid payment.

Backup and recovery best practices

Backups won’t prevent an attack or stop a hacker from releasing sensitive data, but an effective backup and recovery strategy is a safety net that has saved many businesses from disaster. This requires multiple copies of all valuable and critical data, and these copies must be both complete and current, with one stored offline for airtight security.

Here are five practices for recovery to keep in mind:

  • Execute backups regularly: To limit damage from a ransomware attack, run backups at least daily, and employ continuous data protection on critical data, to shrink your Recovery Point Objective (RPO). This will reduce potential data loss to levels that minimise the impact to the business. Also regularly practise recovering data, in an automated or orchestrated way, to ensure that the right information is being protected and that systems can be brought back online in a timely manner. AI can now also help to ‘self-heal’ backup sets that become corrupted.
  • Store backups in multiple locations: The best practice for backup is to keep three or more copies of your data, on at least two different types of media (e.g. local disk and public cloud), one of which is offsite and offline (the ‘3-2-1 principle’). However, 27 percent of the Australian companies covered in the 2020 Veritas Ransomware Resiliency Report had failed to put off-site backups in place. Keeping backup copies of your data in off-site locations makes it harder for hackers to capture all copies of your data, because ransomware can typically only encrypt the files and data that it can access directly.
  • Harden backup platforms: Ransomware will often encrypt the operating systems and data stores of many backup platforms. Thus, you need backup solutions that are protected against malware and have intrusion detection systems built-in. These hardened systems can often be used to restore other backup environments, further improving network protection. It goes without saying that you must be vigilant in updating backup software regularly, to address known vulnerabilities and improve functionality.
  • Consolidate backup solutions: Many cloud and SaaS providers offer in-built data protection as an add-on, and many data protection companies specialise in protecting specific environments or workloads. However, these solutions can add to IT complexity, making it harder to enforce consistent and comprehensive backup policies. Importantly, they can significantly complicate the process of restoring data in the wake of an attack, as administrators grapple with multiple tools and platforms at an already stressful moment while trying to reassemble the primary data set.
  • Understand your data: Unless and until a business understands what data it has and where, it’s impossible to build an effective backup and recovery strategy. Veritas research shows that 52 percent of business data is ‘dark’, meaning the organisation doesn’t know what it, or its value, is. Once an organisation gets on top of this challenge, they’re able to back up all the data that’s important to them.
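The first three practices above (daily backups with a tight RPO, the 3-2-1 principle with an offline copy, and rehearsed restores) can be checked mechanically against an inventory of backup copies. The following is an added example, not code from the article or from Veritas; the `BackupCopy` fields, the copy names and the two inventories are constructed for illustration, and a 24-hour RPO and 30-day restore-test interval are assumed as policy values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str                              # hypothetical label for this copy
    media: str                             # media type, e.g. "local-disk", "object-storage", "tape"
    offsite: bool                          # held at a different site from production
    offline: bool                          # unreachable from the production network (air-gapped or immutable)
    last_completed: datetime               # when the most recent successful backup of this copy finished
    last_restore_test: Optional[datetime]  # last time a restore from this copy was rehearsed (None = never)


# Assumed policy values (not from the article).
RPO = timedelta(hours=24)
TEST_INTERVAL = timedelta(days=30)


def check_3_2_1(copies: List[BackupCopy]) -> List[str]:
    """Return the ways a set of copies falls short of 3-2-1; an empty list means compliant."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; 3-2-1 needs at least 3")
    if len({c.media for c in copies}) < 2:
        findings.append("all copies share one media type; 3-2-1 needs at least 2")
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy")
    if not any(c.offline for c in copies):
        findings.append("no offline copy: ransomware that reaches production can reach every copy")
    return findings


def data_at_risk(copies: List[BackupCopy], now: datetime) -> timedelta:
    """Worst-case data loss if production were encrypted right now:
    the age of the newest successful backup across all copies."""
    return now - max(c.last_completed for c in copies)


def untested_copies(copies: List[BackupCopy], now: datetime, max_interval: timedelta) -> List[str]:
    """Copies whose restore has never been rehearsed, or not within max_interval."""
    return [c.name for c in copies
            if c.last_restore_test is None or now - c.last_restore_test > max_interval]


def assess(copies: List[BackupCopy], now: datetime,
           rpo: timedelta = RPO, test_interval: timedelta = TEST_INTERVAL) -> dict:
    """Combine the three checks into one report for an inventory."""
    loss = data_at_risk(copies, now)
    return {
        "policy_findings": check_3_2_1(copies),
        "rpo_met": loss <= rpo,
        "data_at_risk_hours": loss.total_seconds() / 3600,
        "untested": untested_copies(copies, now, test_interval),
    }


NOW = datetime(2020, 11, 2, 9, 0)  # fixed "current time" so the example is deterministic

# Constructed inventory A: three copies on two media, one off-site and offline, backed up nightly.
INVENTORY_A = [
    BackupCopy("nightly-local", "local-disk", False, False,
               NOW - timedelta(hours=7), NOW - timedelta(days=10)),
    BackupCopy("cloud-replica", "object-storage", True, False,
               NOW - timedelta(hours=8), NOW - timedelta(days=12)),
    BackupCopy("weekly-tape", "tape", True, True,
               NOW - timedelta(days=3), NOW - timedelta(days=20)),
]

# Constructed inventory B: two copies on the same NAS, both reachable from production, never restore-tested.
INVENTORY_B = [
    BackupCopy("nas-snapshot", "local-disk", False, False, NOW - timedelta(days=2), None),
    BackupCopy("nas-mirror", "local-disk", False, False, NOW - timedelta(days=2), None),
]

if __name__ == "__main__":
    for label, inventory in (("A", INVENTORY_A), ("B", INVENTORY_B)):
        print(label, assess(inventory, NOW))
```

Inventory A passes every check with seven hours of data at risk; inventory B fails all four 3-2-1 conditions, exceeds the RPO at 48 hours, and has never had a restore rehearsed. Note that "offline" is recorded as a property of the copy, not of the media: a cloud copy that production credentials can delete is not an offline copy, whichever provider holds it.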

We can be sure that malicious ransomware attacks will continue to pose critical threats and are becoming more sophisticated and potentially devastating. The time to act is now; for security and peace of mind, assess your backup and recovery strategy and make your backup processes more robust, no matter where your data and applications are hosted.