Ransomware is all over the news. School districts, local governments, hospitals, and countless companies are greeted with a dreaded message reading, “Your files are encrypted.” Following this message is an explanation, a bitcoin address, and instructions for making the ransom payment and recovering the files. Organizations are then left with a decision: either pay the ransom and get the files back, or ignore the ransom and lose the contents forever.
Furthermore, ransomware has evolved. While countless variations of WannaCry continue to crawl through the web, significantly more sophisticated versions of ransomware are succeeding in extorting millions of dollars from companies of all shapes and sizes. In fact, the average ransom payment increased in 2019 from $12,762 (Q1) to $36,295 (Q2) according to the Coveware Q2 Ransomware Marketplace report. Fortunately, there are key measures organizations can adopt to minimize the likelihood of having to choose between the rock and the hard place.
Six Stages of a Ransomware Attack
A typical ransomware attack goes through six distinct stages. Before creating a mitigation strategy, it is important to understand what takes place at each step of a ransomware attack.
- Campaign – The attacker chooses a method of delivery for the ransomware. Necessary reconnaissance is completed, and the attack is launched. The majority of attacks are launched through phishing emails.
- Infection – The attacker gains access to the system. Most of the time this happens by tricking employees into clicking on malicious links in phishing emails. At this point the attack has begun, even though no files have been encrypted.
- Fortification – The malicious code performs necessary system changes, and a connection is made with an attacker-controlled server. Attackers will attempt to hide evidence of their entry and establish a stronghold in the compromised system.
- Scanning – The malware scans the device for potential files to encrypt. Ransomware is opportunistic and will attempt to move across the network and find cloud data, file shares, and backups.
- Encryption – The scanned files are encrypted, and archive data is wiped. Some attackers will steal data from the files to sell or use in additional attacks.
- Ransom – The attacker demands payment in exchange for the decryption key.
There are a few key takeaways to gather from the ransomware attack landscape. The first is that ransomware attacks most commonly begin by clicking a malicious link within a phishing email. What is the best way to avoid the chaos of ransomware attacks? Don’t allow them to happen in the first place.
Professional security awareness training plays an important role in minimizing the chances of falling for social engineering scams. Additionally, security awareness training helps mitigate the risk of many kinds of attacks, not just ransomware. However, mistakes happen, and it is necessary to prepare recovery methods in case ransomware does find its way into the system. Thus, the second key takeaway is to ensure that a method of recovery is properly planned and can be reliably executed.
Ransomware thrives on individuals and organizations that do not prioritize backups. Conversely, reliable and safe backups eliminate the need to pay the ransom. Getting hit with ransomware means that all affected devices will need to be wiped. However, users can restore the files from backups instead of paying to unencrypt and recover them. Ransomware attackers know that backups can foil their plans, so they have responded by engineering advanced malware that will try to locate and destroy backups.
The question now becomes: how can one create a reliable, secure backup solution? Many businesses operate with solutions that are inadequate and undertested, resulting in a false sense of security and a potentially rude awakening. In order to avoid this, organizations must:
Create and Maintain a Backup Strategy
A backup strategy includes the creation of a policy and procedure. The function of the policy is to highlight the high-level strategy while the associated procedures describe more detailed execution. A great baseline reference is the 3-2-1 backup strategy. The 3-2-1 stands for 3 copies of the data (the primary and 2 backups), 2 different storage media (external drive/digital tape/cloud), and at least 1 offsite backup copy. 3-2-1 removes the risk of having a single point of failure and remains a solid benchmark for backup solutions. Procedures should be designed to detail the steps required to maintain the backup policy. Procedures include setup, testing, and backup execution supporting the backup strategy.
Avoid Common Backup Mistakes
A backup solution that looks great on paper must also meet expectations in practice to successfully mitigate risk. Listed below are a handful of mistakes that often undermine the effectiveness of backups:
- Configuring backups with the same/similar authentication credentials – As mentioned earlier, ransomware is opportunistic. Advanced ransomware may use compromised credentials to gain access to backups and encrypt them as well.
- Assuming mounted cloud services are safe – Many cloud backup solutions are mounted 24/7. Although convenient, mounted cloud backup services allow ransomware to move to the cloud using the infected user’s account and access rights. Additionally, there are cases of ransomware that use shared files in the cloud to spread to other users that have access. Make sure that the cloud provider offers strong versioning to allow for possible restoration from a previous state.
- Ignoring air-gapped backups – Air-gapped backups are only connected to the system during the specific backup time. This significantly reduces the opportunity for attackers to access and encrypt the backups.
- Insufficient backup tests – Organizations should test backup solutions routinely to ensure their effectiveness at restoring files. A backup solution that doesn’t perform the way it needs to is as good as no backup solution at all.
- Ignoring attack vectors – Training employees to better detect malicious emails weakens ransomware’s most common method of entering systems. Once inside the system, ransomware may utilize trusted file shares to infect additional systems. Security awareness training greatly reduces the risk that ransomware gains access to systems.
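The testing procedure called for in the backup strategy above, and the "insufficient backup tests" mistake in this list, come down to one routine: restore the backup somewhere harmless and prove that every file came back unchanged. The script below is an added example written for this page; it is not code from the original article or from True Digital Security. It assumes local filesystem paths, gzip-compressed tar archives, and a JSON manifest of SHA-256 hashes stored beside each archive (all of these are choices made for the example). It backs up a directory of constructed sample files, verifies the restore against the manifest, then overwrites the archive to show that a backup copy that has been damaged or encrypted after the fact is reported as a failure rather than silently trusted.

```python
"""Restore drill: back up a directory, then prove the backup restores intact.

Added example (not from the original article). Assumptions: local
filesystem paths only; archives are gzip-compressed tar files; a JSON
manifest of SHA-256 hashes is written next to each archive.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hash."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source_dir, archive_path):
    """Write source_dir into a .tgz archive plus a sidecar hash manifest.

    The manifest is what makes later verification meaningful: a restore is
    only good if every file comes back with the hash it had at backup time.
    """
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname="data")
    Path(f"{archive_path}.manifest.json").write_text(json.dumps(manifest, sort_keys=True))
    return manifest


def verify_restore(archive_path):
    """Restore the archive into scratch space and compare against the manifest.

    Returns a dict describing the outcome instead of a bare True/False so a
    backup job can log exactly what was missing or altered.
    """
    manifest = json.loads(Path(f"{archive_path}.manifest.json").read_text())
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # Python >= 3.12 (and backports)
                except TypeError:
                    tar.extractall(scratch)  # older Python without the filter argument
        except (tarfile.TarError, OSError, EOFError) as exc:
            # An unreadable archive (overwritten, truncated, encrypted) is a failed backup.
            return {"ok": False, "error": f"{type(exc).__name__}: {exc}",
                    "missing": sorted(manifest), "corrupted": [],
                    "files_checked": len(manifest)}
        restored = build_manifest(Path(scratch) / "data")
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    return {"ok": not missing and not corrupted, "error": None,
            "missing": missing, "corrupted": corrupted,
            "files_checked": len(manifest)}


def restore_drill():
    """End-to-end drill on constructed sample data.

    Returns (clean_result, damaged_result): the first verification passes; the
    second, run after the archive itself has been overwritten, must fail.
    """
    with tempfile.TemporaryDirectory() as workdir:
        src = Path(workdir) / "src"
        (src / "reports").mkdir(parents=True)
        (src / "notes.txt").write_text("quarterly numbers\n")              # constructed sample data
        (src / "reports" / "q2.csv").write_text("region,amount\nwest,42\n")  # constructed sample data
        archive = Path(workdir) / "backup.tgz"

        create_backup(src, archive)
        clean = verify_restore(archive)

        # Simulate a backup copy that was later overwritten with unreadable bytes;
        # the drill must report this as a failure, not a successful restore.
        archive.write_bytes(b"UNREADABLE-BACKUP-COPY" * 12)
        damaged = verify_restore(archive)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = restore_drill()
    print("clean restore ok:", clean["ok"], "files:", clean["files_checked"])
    print("damaged restore ok:", damaged["ok"], "error:", damaged["error"])
```

Run as a scheduled job, `verify_restore` is the part worth keeping: pointing it at the offsite or air-gapped copy from the 3-2-1 strategy exercises the copy that would actually be used after an incident, and the manifest comparison catches a backup whose contents changed after it was written, which a simple "does the file exist" check never will.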
Defending against ransomware should be and will remain a high priority for companies and individuals everywhere. Attackers are steadily increasing the sophistication and impact of such attacks, and a robust backup strategy can be a lifesaver in the event of an attack. Maintaining a strong backup plan and avoiding common backup mistakes is a solid foundation to defend against ransomware. True Digital Security offers consultation to assist in the development and testing of backup solutions as well as Security Awareness Training to reduce the chances of attack due to human error.