The threat from ransomware continues to be an unfortunate daily reality for technologists and security professionals. But, before we talk about “doom and gloom” we should recognize how far the industry has come. I would argue in the not too distant past, most companies were susceptible to what we would consider a relatively unsophisticated ransomware attack. Open Email -> Malware -> Network spread -> Ransomware -> 🤬🤬🤬.
With the advancements primarily in the endpoint space, adoption of work from anywhere, and zero trust principles, the industry has made significant advances in protecting against these types of attacks.
Still, every week we see new articles on successful ransomware attacks. Many ransomware report trackers actually show an uptick in 2023. For instance Black Fog’s The State of Ransomware report shows an 8% uptick year over year. In addition, we see actors starting to target data storage outside of what traditionally is attacked, such as cloud storage and cloud databases.
If we truly have made advances against ransomware, why the increase in successful attacks?
In analyzing these successful attacks, I’ve identified two primary categories where the system breaks down, allowing malicious actors to succeed in ransom style attacks.
At the end of day, a threat actor who wishes to hold data for ransom only has to accomplish one task: deny availability of critical business data.
Many companies are more focused on controls for preventing attacks than implementing a holistic strategy to protect availability. In other words, don’t focus only on the ransomware attack, focus on a more general availability protection strategy inclusive of “data encryption for impact” (ATT&CK ID T1486.)
For example, many ransomware playbooks are focused on the idea that an actor could execute a binary payload and encrypt data. But the same effect could be achieved, given sufficient access, by simply swapping encryption keys on a critical database. The degree of difficulty for an attacker to pull this off varies wildly, but for many organizations it is a valid attack path. Don’t be too quick to point out that native DB backups, multi-versioning etc. can solve this. It’s not wrong by any means, but the reality is that due to performance impacts on large databases, these controls are often disabled and you may or may not be informed. In addition, management of these protection methods are often done from the same privileged credentials as normal admin activity, which are the credentials targeted by threat actors.
All in all, it means you should revisit your ransomware playbook and consider making a top-level availability playbook if you don’t have one already (If you do, revisit it with a ransom lens). This should be a cross-functional effort. The security team should take a first pass, then sit down with data owners, infrastructure teams, and DR/BC teams to brainstorm on the most realistic protection and recovery methods. Many protection and recovery methods come with a performance trade off. Security can not ignore this reality, and IT can’t ignore security in favor of performance. There is no one size fits all answer.
The following can be used as a loose starting point for what to think about in this effort:
Threat actors keep evolving to stay relevant and protect their income. Although we have gotten pretty good at protecting against traditional ransomware threats as an industry, every organization likely has a few blind spots.
Clumio focuses on helping customers build resilience into their cloud applications and data. When it comes to ransomware, recovery is a key backstop to maintaining your business application availability. With Clumio’s backup options for databases like Amazon RDS, MS-SQL on EC2, and DynamoDB as well as Amazon S3, EC2, EBS, and Microsoft 365, you can create performant recovery strategies to make both infrastructure and security teams happy.