You are here
How to safeguard your company's data against ransomware
BACKING up your data may be the best way to take control of your defence against ransomware, but they need protecting as well.
Ransomware has had a banner year so far. Two major attacks - WannaCry and NotPetya - have caused, conservatively, hundreds of millions of dollars in damages, while cybercriminals continue to target users' systems and data.
As countries like Singapore pursue smart nation initiatives, the risk of such attacks on devices with remote access beyond computers becomes an increasing concern as technology permeates every aspect of one's life. It is imperative that organisations ensure adequate security.
But proactive companies do have options. The most consistent defence against ransomware continues to be good backups and a well-tested restore process. Companies that consistently back up their data and can quickly detect a ransomware attack should be able to restore data and operations with minimal disruption.
In some cases, we have seen wiper malware such as NotPetya pretending to be Petya ransomware while serving a similar ransom note. In these attacks, the victims would not be able to get their files back even if they paid the ransom - making the ability to restore data from a backup even more critical.
For that reason, the cybercriminals behind ransomware have begun targeting the backup processes and tools as well. Several ransomware programs, such as the recent WannaCry (WannaCrypt0r) and the newer version of CryptoLocker, delete the shadow volume copies created by Microsoft's Windows operating system.
Shadow copies are a simple method that Microsoft Windows provides for easy restoration.
On the Mac operating system, cybercriminals target backups from the get-go. Researchers have discovered incomplete functions in the first Mac ransomware that targets the disk used by the Mac OS X operating system's automated backup tool called Time Machine.
The strategy is straightforward: Encrypt the backup and individuals or companies are unlikely able restore data and are more likely to pay a ransom. Cybercriminals are increasing their efforts beyond infecting single workstations with the aim to destroy the backups, too.
Here are four recommendations that help companies protect their backups against ransomware attacks.
BE CAREFUL WHEN USING NETWORK FILE SERVERS
Network file servers can be easy to use and are always available. These are two attributes that make network-accessible "home" directories a popular way to centralise data and make it easy to back up.
However, when exposed to ransomware, this type of data architecture has serious security weaknesses. Most ransomware programs encrypt connected drives, so the victim's home directory would be encrypted as well. In addition, any server that runs a vulnerable and highly-targeted operating system like Windows could be infected, leading to the encryption of every user's data.
Thus, any company with a network file server needs to assiduously back up their data to a separate system or service, and specifically test the system's restoration capability if faced with ransomware.
Cloud file services are not immune to ransomware either. In 2015, Children in Film, a business providing information for child actors and their parents, got hit with ransomware. The company extensively used the cloud for its business, including a common cloud drive.
Within 30 minutes from an employee clicking on a malicious e-mail link, more than 4,000 files stored in the cloud were encrypted, according to an article in KrebsOnSecurity. Fortunately, the company's backup provider was able to restore all of the files albeit taking almost a week to complete it.
Recovering data in the cloud could be more difficult than an on-premises server, depending on whether the cloud service provided incremental backups or easily managed file histories.
GET VISIBILITY INTO YOUR BACKUP PROCESS
The earlier a company is able to detect a ransomware infection, the more likely it can prevent significant corruption of data.
Data from the backup process can provide early warning of a ransomware infection. A program that suddenly encrypts your data leaves signs in your backup log. Incremental backups will suddenly "blow up" as every file is essentially changed and the encrypted files cannot be compressed or deduplicated.
Monitoring vital metrics such as capacity utilisation from the backup process every day can help companies detect when ransomware has infected a company's internal system and limit the damage from the compromised data.
CONSIDER YOUR OPTIONS
If ransomware can directly access backup images, then it will be very challenging, if not impossible, to stop it from encrypting corporate backups. For that reason, a purpose-built backup system that abstracts the backup data can prevent ransomware from encrypting historical data.
By separating backups from your normal operating environment and making sure the process is not running on a general-purpose server and operating system, your backups can be hardened against an attack.
Backup systems based on the most commonly targeted operating system, Microsoft Windows, are prone to being attacked, making it much harder to protect your backup data.
REGULARLY TEST YOUR RECOVERY PROCESS
Backups are pointless unless you can recover your data quickly and reliably. Some victims of ransomware have had backups but still had to pay the ransom because the backup schedule either did not perform backups with enough granularity or they were not backing up the right data.
Part of testing the recovery process is determining the window of data loss. A company that does a full backup every week will lose up to a week of data should it need to recover after its last backup. Doing daily or hourly backups greatly increases the level of protection.
To fend off damage, organisations require more granular backups and they have to detect ransomware events as early as possible.
Ultimately, companies should aim to detect ransomware attacks early through monitoring or anti-malware defences, use a purpose-built system to maintain a separation between the backup data and a potentially compromised system, and regularly test the backup and restore process to ensure data is properly protected.
These efforts will keep backups at the top of the list of ransomware defences and will reduce the risk of losing data in the event of an attack.
- Rod Mathews is senior vice-president and general manager, Data Protection Business, for Barracuda. He directs strategic product direction and development for all data protection offerings, including Barracuda's backup and archiving products, and is also responsible for Barracuda's cloud operations team and infrastructure.