Over the past decade, ransomware has evolved from a relatively obscure crime to a multi-billion dollar industrywith the biggest corporations and even governments in its sights.
Organized cybercrime groups demanding six and seven or more digit ransoms of their victims. Using a combination of network infiltration, malware, and cryptography, ransomware prevents companies from accessing their data by attacking storage, encrypting data, and even disabling backups.
Cybercriminal groups have also been spurred by the growth of cryptocurrencies, which offer criminals a low-risk way to extract payments, and techniques that go beyond data encryption. These include double and triple extortion attacks and threats to disclose sensitive data.
Ransomware attacks such as those that hit Maersk, Colonial Pipeline and the Irish Heath Services Executive have grabbed headlines for the disruption they have caused. But ransomware attacks are now commonplaceand increasingly difficult to prevent.
According to experts at data security firm Kroll, between 25% and 45% of the company’s investigations currently involve ransomware attacks.
Laurie Iacono, associate general manager of threat intelligence at Kroll, says a small number of ransomware groups are now behind most attacks, and up to 86% of attacks now involve the data exfiltration, not just encryption.
“What we’re seeing is that ransomware has become a predominant attack vector,” she says.
How do ransomware attacks work?
The conventional path for ransomware into an organization is through an infected email attachment that contains an executable file, or by tricking users into visiting a website that contains malware. This injected software is deployed on the network and seeks its targets.
Double and triple extortion attacks create backdoors in systems that allow attackers to exfiltrate data. More and more, it goes hand in hand with disable backups and attacks on core network services such as Microsoft Active Directory.
The latest generation of ransomware attacks targets backup systems, appliances and virtual machines. “They target physical appliances and virtualized appliances,” says Oisin Fouere, head of cyber incident response at consultancy KPMG.
“Many backup systems are hosted on virtual infrastructure. They began targeting and removing OS-level information on these systems, as well as attacking the bulk of the systems.
And as Kroll’s Iacono points out, ransomware groups often recruit people with technical knowledge of backup systems.
But first, the ransomware must enter the company’s network. The conventional – and still the most common – approach is to use a phishing attack or other form of social engineering to deliver infected attachments or convince employees to click on infected web links.
During the Covid lockdown, ransomware groups exploited weaknesses in virtual private networks and remote desktop systems, which caused an increase in ransomware cases.
“There was a lot of exposure around poorly protected or misconfigured remote access systems, which meant attackers didn’t need to spend time trying to solve the intrusion vector problem,” explains Fouere of KPMG. “They were presented with almost an open door scenario, and it was a favorite choice over the last two years.”
The hardening of these hotspots is behind a recent drop in ransomware incidents – but that’s no reason to be complacent, experts warn.
Keith Chappell, cybersecurity expert at PA Consulting, says we are seeing “more deliberate, targeted and better documented attacks that actually have a purpose, whether to disrupt operations… or extort to gain the money”.
What is the impact of a ransomware attack on storage and backup?
Ransomware attacks aim to deny access to data. First-generation attacks targeted hard drives, often on home PCs, with fairly low-level encryption methods. Victims could get a decryption code for a few hundred dollars.
However, modern attacks are both more selective and more damaging. Attackers are increasingly using reconnaissance to find high-value targets. This includes Personally Identifiable Data (PII), such as customer, business or medical records, or intellectual property. These are the files companies will fear most from being made public.
“Very often a phishing attack or a ransomware attack can be used as a masking technique for something else that is going on, or can be masked by doing something else”
Keith Chappell, PA Advisor
But attackers also target identity and access management networks and data, operational systems, including operational technology, and live data streams, as well as backups and archives. Double and triple extortion attacks who track backups or disaster recovery and business continuity systems offer the best chance of payout. Without the ability to recover a system or restore data from backups, businesses have no choice but to pay.
Attackers are also looking for accounts they can compromise and use to elevate privileges, to carry out deeper or deeper attacks. Thus, security teams must secure not only the main data stores, but also the administrative systems.
“Very often a phishing attack or a ransomware attack can be used as a masking technique for something else that is going on, or can be masked by doing something else,” says Chappell of PA Consulting.
How are storage and backup useful in the event of a ransomware attack?
Even though criminal hackers actively target backups, backups are still the best defense against ransomware.
Businesses should ensure that they perform regular backups and that these are immutable, stored off-site, or ideally both. “You need to back up data daily, weekly, and monthly, and you need to store backups in physically separate and disconnected locations, ideally in different formats,” Chappell explains.
Much has been said about the need toair pocket” data from systems susceptible to attack, and nowhere is this more important than for storing backup copies. However, older backup media, such as tape, are often too slow to allow full recovery within the timeframe required by the business.
“Organizations realized they couldn’t wait months for those tape backups to be restored,” says KPMG’s Fouere. Instead, customers are turning to cloud-based resiliency and recovery primarily for speed, he says.
In turn, backup vendors and cloud service providers now offer immutable backups as an additional layer of protection. High-end active-to-active business continuity systems remain vulnerable to ransomware because data is copied from the primary system to the backup system. Thus, businesses need strong backup and ways to scan volumes for malware before they are used for recovery, and ideally as data is saved.
But IT organizations must also take steps to protect backup systems themselves. “They are also vulnerable, like any other software product,” Kroll’s Iacono says. “You have to make sure the backup systems are patched. We’ve had cases of hackers exploiting vulnerabilities in backup systems to help them exfiltrate data or evade detection.
Some IT teams go even further. As ransomware groups spend more time on reconnaissance, companies obfuscate the names of servers and storage volumes. This is a simple and inexpensive step to avoid using obvious labels for high-value data stores, and it can save valuable time when it comes to stopping an attack.
What are the limitations of storage and backup as ransomware protection?
Good discipline around data backups has reduced the effectiveness of ransomware attacks. This may explain why cybercriminal groups have moved on to double and triple extortion attacks, targeting backup systems and exfiltrating data.
“[Backup systems] are also vulnerable, like any other software product. You have to make sure [they] are patched. We’ve had cases of hackers exploiting vulnerabilities in backup systems to help them exfiltrate data or evade detection.”
Laurie Iacono, Kroll
Using immutable backups alongside disk or cloud storage always minimizes the impact of ransomware. But companies need to ensure that all parts of critical systems are fully protected – and that includes testing. Even if the primary data store is backed up, a system restore can fail if operational or administrative data is encrypted because it was excluded from the backup plan.
Businesses should also enable data restoration where good backups exist. Even with the latest backup and recovery tools, this is still a disruptive process.
Also, immutable backups will not prevent data exfiltration. Here, companies need to invest in encryption of data assets. They can only do this if they have an accurate and up-to-date understanding of where their data resides. Organizations should consider monitoring tools that can detect unusual data movement and invest in protecting privileged user accounts.
Since most ransomware is still spread through phishing and social engineering, organizations can take technical steps to protect their perimeter.
But training staff to spot suspicious emails, links, and attachments, combined with multi-factor authentication, is the best defense against ransomware. For ransomware, as with other forms of fraud and online crime, security awareness is an essential part of defense in depth.