Fighting the Long Arm of Ransomware

Ransomware infections have declined by about 20% since 2018, but their cost is rising: U.S. ransomware attacks alone reportedly cost an estimated $7.5 billion in 2019. Add to that the need to support substantially more remote workers since COVID-19, and it’s no wonder many companies are bracing for more costly malicious attacks.

Ransomware is a form of malware designed to deny access to a computer system or data, often using encryption, until a ransom is paid. Ransomware often spreads through phishing emails or when users visit an infected website. It’s involved in nearly a fourth (24%) of malware security incidents, according to Verizon’s 2019 Data Breach Investigations report.

It’s a huge and costly global problem. Without the right security practices, companies are vulnerable to ransomware breaches and ripple effects after an attacker has gained access to critical IT systems and data.

What’s at Stake

According to research by Cybersecurity Ventures, a business is attacked by ransomware every 14 seconds and 71% of targeted companies become infected. This level of vulnerability is providing a multibillion-dollar windfall for cybercriminals using ransomware in increasingly sophisticated ways.

In 2019 in the U.S. alone, CRN reported that 948 government agencies, healthcare providers and schools were hit. And Research by the Cyentia Institute found that financial loss from the lingering effects of a ransomware attack is 13 times the cost of a single-party breach.

Besides the immediate economic impact of companies having to buy back access to their own data, customers and patients impacted by a ransomware attack have often had their names, addresses and credit card information stolen. Then they’re at risk for future exploitation.

Brand loyalty disappears among companies victimized by ransomware attacks that involve customer and vendor data. Supply chains can fall apart from missing links crippled by ransomware. Cybersecurity experts point out that ransomware aftershocks can imperil the ability of hospitals, energy grids, police and fire departments, banking and financial systems and even local and national governments to operate.

A possible defense against the data losses that ransomware causes may be indirectly emerging in the form of disaster recovery as a service (DRaaS) options, according to John LaBrie, a portfolio specialist for Nutanix who helps businesses understand the value of products such as Xi Leap, a DRaaS. 

“Companies can recover data from the cloud within minutes, compared to hours, days, or weeks with traditional DR,” LaBrie said. 

He pointed out that relying on DRaaS can also alleviate the need to build and maintain additional infrastructure required by traditional disaster recovery systems.

Attack Surface Expands During Pandemic

With millions of people working from home during the COVID-19 pandemic, the attack surface for ransomware exploits has grown dramatically. People more often use home PCs for business use that are missing passwords or other security measures. Even more responsible workers using business PCs might not realize that they need to patch their systems regularly with new software that addresses constantly evolving security vulnerabilities.

Recently, Wired Magazine reported increased ransomware attacks based on flaws in remote management features for desktops and vulnerabilities in certain virtual private networks (VPNs). In April, Interpol warned healthcare providers about surging ransomware threats.

TCE Strategy cybersecurity consultant and author Bryce Austin, CISM, said he has seen some companies hit by a ransomware attack “get religion” and mandate firewalls, frequent security patches, regular password changes, and continuous system monitoring while other companies do little to mitigate the threat of ransomware. He stressed the importance of stipulating in contracts with vendors that they adhere to industry-standard cybersecurity frameworks ─ like NIST, HIPAA, GDPR, and ISO 27000 ─ and have periodic penetration tests, and run patching scans to check for known vulnerabilities.

Mitigate with the Cloud But Use Caution

Companies can make a backup of their data and store it somewhere safe, and many find it’s easier to do in real-time through cloud services.

“To prevent ransomware, you need a copy of data not compromised by bad actors,” said LaBrie. 

DRaaS can allow companies to recover data immediately from any point from the past, he said. 

“So even if a hacker were able to access and encrypt some of an enterprise’s stored cloud data, you’d still have replicated data available from earlier points in time,” he explained.

However, Austin warned that the proper security ─ such as multi-factor authentication (MFA) ─ must be in place, even in the cloud, or hackers could delete the backups.

“Adequate cybersecurity to protect against ransomware and other types of exploits should be standard,” he said. “However, right now, there is both a lack of awareness by many companies of what cloud security measures are needed and a lack of regulation of cloud services.”

Implementing a traditional disaster recovery plan after a ransomware attack can entail a lot of downtime, Austin explained. Companies must first determine they’ve been attacked, which often isn’t instantaneous. Then they must invoke their disaster recovery plan, including failover and user acceptance testing. All of that can take hours or longer. If a company relies on tape or disk backups, it must reinitialize the data center environment, which can take up to a week. Meanwhile, data can get lost, resources compromised, and downtime stalls productivity.

By contrast, disaster recovery in the cloud allows companies to be back up and running after a ransomware or other malware attack in an hour, said Austin.

“But unless those services are themselves secured properly, the cloud can also be vulnerable to attack,” he reiterated.

That means using the access controls supplied by the cloud provider, which involves a learning curve for security traditionalists. IT teams then need to run endpoint security on systems that access cloud apps and data, including strong authentication, such as MFA that might include biometrics.

Austin pointed to an infamous 2014 ransomware attack on Code Spaces, a code-hosting and software collaboration platform.

“They were using public cloud services and didn’t lock down the admin portal with multi-factor authentication,” recalled Austin. “The bad guys took over the Code Spaces account in the cloud and asked for a ransom. It wasn’t paid. They deleted the virtual servers. The ransom still wasn’t paid. Then they deleted the backups.”

Code Spaces declared bankruptcy within two weeks, he said.

Though the company had data backups, the hackers were able to infiltrate the admin credentials and access and delete both primary and secondary copies. If one cloud service is used for primary storage, it might pay to use a second for DRaaS.  

“Nearly all businesses are doing data backup, and that’s where the main interest in DRaaS lies,” said LaBrie. “However, using DRaaS as a defense against ransomware is an additional use case that puts the cherry on top.”

Gene Knauer is a contributing writer who specializes in IT and business topics. He is also the author of  Herding Goldfish: The Professional Content Marketing Writer in an Age of Digital Media and Short Attention Spans.

© 2020 Nutanix, Inc. All rights reserved. For additional legal information, please go here.