What is Ransomware?
The U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) ransomware site US-CERT defines ransomware as: “a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website.”
What Is a Ransomware Attack?
A ransomware attack is an attack carried out with malware that encrypts your systems and data, preventing you from accessing your data and rendering many of your critical services offline. Attackers demand a ransom in exchange for decrypting your data, allowing you to access it again. Often, attackers ask for payment in cryptocurrency since it is anonymous and less traceable.
Ransomware attacks from cybercriminals have cost victims many millions of dollars, with one study suggesting the 2020 total cost could ultimately total $1.4 billion in the U.S. Another study found that out of the organizations that reported losses from a ransomware attack, more than two-thirds (67%) said their combined losses reached between $1 million and $10 million (USD), while 4% estimated staggering losses in the range of $25 million to $50 million. Victims of the largest attacks include organizations from every industry, government agencies, IT providers, and educational institutions. No organization is immune, but there are strategies to help ensure your organization is prepared.
How can I recover from a Ransomware Attack?
There are many solutions that focus on ransomware prevention, but as good as they are, none can guarantee that an organization won't suffer an attack. A recent study also found that paying a ransom doesn't guarantee a faster recovery, so this blog focuses on best practices that will allow your organization to recover in the event of a ransomware attack.
Here are 3 suggested best practices that will help you recover quickly when you need to:
- Air-gapped backups: It is critical to maintain air-gapped, encrypted backups of data and to test them regularly. Backups should be taken on a regular schedule and kept outside the area an attack can reach: many ransomware variants attempt to find and delete any accessible backups, and sophisticated attackers will look for any trace of data being backed up in order to cut off your access to it and maximize the chance that you will pay a ransom. Maintaining current, air-gapped backups matters most because there is no need to pay a ransom for data your organization can already reach.
Maintain regularly updated “gold images” of critical systems in the event they need to be rebuilt. This entails maintaining image “templates” that include a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server.
- Immutable backups: Conventional data backups may not be effective for restoring data that has been encrypted by an attack, because your backup may also be encrypted or deleted by an attack. In fact, ransomware attacks that specifically target backups are on the rise because attackers know that an organization with good recovery capabilities is unlikely to pay a ransom. How do you ensure that your backup data is not vulnerable? Maintaining immutable backups means you will be able to recover data after a ransomware attack and avoid paying a ransom. In addition to protecting against malicious data corruption, having an immutable backup helps you conform with regulatory data-compliance requirements, ensuring that accurate copies of data are retained for as long as they are needed.
The combination of air-gapped and immutable backups is very powerful because it ensures your organization will always have access to a copy of its data that it can trust. Data that cannot be accessed or manipulated by other parties is the fundamental pillar of a successful recovery.
- Proper testing procedures: In a perfect world, you would run backup and recovery testing every time your system completed a backup. That is seldom practical given time constraints and the resources your company can allocate, but backup testing still needs to happen on a regular basis to ensure not only that the process actually works, but also that it keeps up as your data grows with the business. Recovery testing is essential because it tells you how long it will take to get back up and running after a disaster, and it lets you create processes and guidelines that allow more people in your organization to carry out recovery tasks, reducing the single points of failure that could keep you from coming back online in time.
It's a good idea to test recovery at least quarterly, but ideally every month. Recovery should also be prioritized; one way to accomplish that is to classify your applications by recovery point objective (RPO) and recovery time objective (RTO), and test first and most frequently those with the most aggressive SLAs.
How should I get started?
Your first step should be to assess your current recovery capabilities. They are most likely excellent for operational recoveries, but would they let you recover from a widespread, sophisticated attack? If an attacker takes control of your production environment, could they see and access your backups? If an attacker takes full control of your production environment, can you recover into a new, empty environment? These are only a few of the important questions that have to be asked, and if you're not fully confident that you can recover in a worst-case scenario, it may be a good moment to ask whether there's a better way of protecting your backups.
There are multiple ways of achieving a better level of security, but for most organizations the best way is to leverage a solution that already achieves this cost-effectively, such as Clumio SecureVault. Clumio stores backups outside the customer's security sphere, in an air-gapped manner, and they are immutable and cannot be deleted. This ensures hackers or bad actors cannot compromise the backup copies. Clumio is easy to deploy, so you can start protecting your most critical assets right away and have peace of mind that you will be able to recover even in the worst-case scenario of a widespread, sophisticated attack.