By: Rick Vanover, Senior Director of Product Strategy, Veeam
The war on ransomware is real. In the past few years, this form of attack has become a valid threat to businesses. We have seen huge attacks that have rendered multinational organizations, even governments, vulnerable and unable to continue mission-critical operations. In 2017, WannaCry brought hospital IT departments across Europe to a standstill, with over 200,000 computers across affected, demonstrating the destructive potential of ransomware.
While WannaCry and Petya are still the most notable ransomware attacks, this form of cyber-attack is still on the rise, according to Europol’s 2019 Internet Organized Crime Threat Assessment (IOCTA) report. Organizations need to acknowledge this threat and take steps to prepare, defend, and be ready to remediate. This is a critical step to avoid an unplanned and likely ineffective response later during a ransomware incident. A strong, multi-layered defense and strategy to address ransomware is composed of three key elements: education, implementation, and remediation. Furthermore, having an ultra-resilient approach to backing up, recovering, and restoring data is vital to protect business continuity in the event of an event.
Educating the business
There are two major audiences that should be targeted from an education perspective: IT staff and organizational users. It’s important to target both groups as threats can be introduced from both personas.
The main points of entry into business for ransomware are through Remote Desktop Protocol (RDP) or other remote access mechanisms, phishing and software updates. Put simply, in most cases cyber-attackers are not made to work as hard as they should to fetch big prizes. Knowing that these are the three main mechanisms is a huge help in focusing on the scope of where to invest the most effort to be resilient from an attack vector perspective.
Most IT administrators use RDP for their daily work, with many RDP servers directly connected on the Internet. The reality is that Internet-connected RDP needs to stop. IT administrators can get creative on special IP addresses, redirecting RDP ports, complex passwords, and more; but the data doesn’t lie that over half of the ransomware comes in via RDP. This tells us that exposing RDP servers to the Internet does not align with a forward-thinking ransomware resiliency strategy.
The other frequent mode of entry is via phish mail. We’ve all seen the email that doesn’t look right. The right thing to do is delete that item. Not every user handles these situations the same way, however. There are popular tools to assess the threat risk of phish success for an organization such as Gophish and KnowBe4. Combined with training to help employees identify phishing emails or links, self-assessment tools can be an effective mode of first-line defense.
The third area that comes into play is the risk of exploiting vulnerabilities. Keeping systems up to date is an age-old IT responsibility that is more important than ever. While this is not a glamourous task, it can quickly seem a good investment should a ransomware incident exploit a known and patched vulnerability. Be mindful to keep current with updates to critical categories of IT assets: operating systems, applications, databases, and device firmware. A number of ransomware strains, including WannaCry and Petya, have been based on previously discovered vulnerabilities that have since been corrected.
Implement and remediate
Even organizations that follow best practices to prevent exposure to ransomware are at risk. While education is a critical step, organizations must prepare for the worst-case scenario. If there’s one takeaway for IT and business leaders, it is to have a form of ultra-resilient backup storage.
At Veeam, we advocate the 3-2-1 rule as a general data management strategy. The 3-2-1 rule recommends that there should be at least three copies of important data, on at least two different types of media, with at least one of these copies being off-site. The best part is that this rule does not demand any particular type of hardware and is versatile enough to address nearly any failure scenario.
The ‘one’ copy in the 3-2-1 strategy has to be ultra-resilient. By this, we mean air-gapped, offline or immutable. There are different forms of media in which this copy of data can be stored in an ultra-resilient manner. These include tape media, immutable backups in S3 or S3-compatible object storage, air-gapped and offline media, or software as a service for backup and Disaster Recovery (DR).
In spite of these education and implementation techniques, organizations must still be prepared to remediate a threat if introduced. At Veeam, our approach is simple. Do not pay the ransom. The only option is to restore data. Additionally, organizations need to plan their response when a threat is discovered. The first action is to contact support. Veeam customers have access to a special team with specific operations to guide them through the process of restoring data in ransomware incidents. Do not put your backups at risk as they are critical to your ability to recover.
In disasters of any type, communication becomes one of the first challenges to overcome. Have a plan for how to communicate to the right individuals out-of-band. This would include group text lists, phone numbers, or other mechanisms that are commonly used to align communications across an extended team. In this contact book, you also need security, incident response, and identity management experts – internal or external.
There are also conversations to have around decision authority. Businesses must decide who makes the call to restore or to fail over before an incident takes place. Once a decision to restore has been made, organizations need to implement additional safety checks before putting systems back online. A decision also has to be made as to whether an entire virtual machine (VM) recovery is the best course of action, or if a file-level recovery makes more sense. Finally, the restoration process itself must be secure, running full anti-virus and anti-malware scans across all systems as well as forcing users to change their passwords post-recovery.
While the threat of ransomware is real, with the right preparation organizations can increase resiliency against an incident to minimize the risk of data loss, financial loss, and reputational damage. A multi-layered approach is key. Educate your IT teams and employees to minimize risk and maximize prevention. However, implement solutions to ensure data is secure and backed up. Finally, be prepared to remediate data systems through full backup and DR capabilities should your previous lines of defense fail.