Recently, Wired Magazine reported increased ransomware attacks based on flaws in remote management features for desktops and vulnerabilities in certain virtual private networks (VPNs). In April, Interpol warned healthcare providers about surging ransomware threats.
TCE Strategy cybersecurity consultant and author Bryce Austin, CISM, said he has seen some companies hit by a ransomware attack “get religion” and mandate firewalls, frequent security patches, regular password changes, and continuous system monitoring, while other companies do little to mitigate the threat of ransomware. He stressed the importance of stipulating in contracts with vendors that they adhere to industry-standard cybersecurity frameworks (like NIST, HIPAA, GDPR, and ISO 27000), have periodic penetration tests, and run patching scans to check for known vulnerabilities.
Mitigate with the Cloud But Use Caution
Companies can back up their data and store it somewhere safe, and many find it’s easier to do so in real time through cloud services.
“To prevent ransomware, you need a copy of data not compromised by bad actors,” said LaBrie.
DRaaS can allow companies to recover data immediately from any point from the past, he said.
“So even if a hacker were able to access and encrypt some of an enterprise’s stored cloud data, you’d still have replicated data available from earlier points in time,” he explained.
However, Austin warned that proper security, such as multi-factor authentication (MFA), must be in place even in the cloud, or hackers could delete the backups.
“Adequate cybersecurity to protect against ransomware and other types of exploits should be standard,” he said. “However, right now, there is both a lack of awareness by many companies of what cloud security measures are needed and a lack of regulation of cloud services.”
Implementing a traditional disaster recovery plan after a ransomware attack can entail a lot of downtime, Austin explained. Companies must first determine they’ve been attacked, which often isn’t instantaneous. Then they must invoke their disaster recovery plan, including failover and user acceptance testing. All of that can take hours or longer. If a company relies on tape or disk backups, it must reinitialize the data center environment, which can take up to a week. Meanwhile, data can be lost, resources compromised, and productivity stalled by downtime.
By contrast, disaster recovery in the cloud allows companies to be back up and running after a ransomware or other malware attack in an hour, said Austin.
“But unless those services are themselves secured properly, the cloud can also be vulnerable to attack,” he reiterated.
That means using the access controls supplied by the cloud provider, which involves a learning curve for security traditionalists. IT teams then need to run endpoint security on systems that access cloud apps and data, including strong authentication, such as MFA that might include biometrics.
Austin pointed to an infamous 2014 ransomware attack on Code Spaces, a code-hosting and software collaboration platform.
“They were using public cloud services and didn’t lock down the admin portal with multi-factor authentication,” recalled Austin. “The bad guys took over the Code Spaces account in the cloud and asked for a ransom. It wasn’t paid. They deleted the virtual servers. The ransom still wasn’t paid. Then they deleted the backups.”
Code Spaces declared bankruptcy within two weeks, he said.
Though the company had data backups, the hackers were able to compromise the admin credentials, then access and delete both the primary and secondary copies. If one cloud service is used for primary storage, it might pay to use a second for DRaaS.
“Nearly all businesses are doing data backup, and that’s where the main interest in DRaaS lies,” said LaBrie. “However, using DRaaS as a defense against ransomware is an additional use case that puts the cherry on top.”