Just ask Maersk, who pulled the veil back on their attack earlier this year. “That recovery operation really relied heavily on human resilience: we went about rebuilding our IT infrastructure over a period of about 10 days, during which time we were doing all we could to maintain normal business operations,” said Head of Cybersecurity Compliance, Lewis Woodcock. This disruption, according to ZDNet, likely cost the company upwards of $300 million.
Maersk is far beyond the average organization, but ransomware attacks can happen to anyone. For small to mid-sized businesses, which are on the receiving end of 71 percent of attacks, a typical scenario is receiving an email that appears to be from a customer, a coworker, a business associate, or a website/app the recipient uses. The employee innocently opens an attachment, or clicks on a link, thereby downloading malicious code. This spreads throughout the network, encrypting or deleting data. While the financial impact may not be $300 million, many of these organizations are faced with a daunting choice: fight or pay.
When the data is held hostage, the cyberattacker demands tens of thousands of dollars, or more, to return it. Even victims that pay the ransom (and experts say you shouldn’t) don’t always recover the data!
When it comes to how to prevent a ransomware attack, cyber security firms focus on stopping the malicious action from occurring but do little to address what happens after an infection. That is where a solid data management and protection protocol can prevent making a bad problem worse.
In that regard, the best offense is a good defense, and a great way to defend against ransomware is an effective backup and long-term retention strategy. So how do you stop a ransomware attack? Here are some words of wisdom from our IT governance experts:
An air gap provides a layer of inaccessibility to data. Duplicating files to the cloud, to multiple clouds, or to offline, offsite secondary storage is a common way to create an air gap between files and primary production systems, which are easy for a cyberattacker to infiltrate and infect. While some may distrust cloud services, these providers are far better equipped for online security than all but the largest commercial enterprises. Data is duplicated and allows for versioning at no additional cost.
Before you start building copies of data, know where your sensitive data is by using intelligent data management. This will not only save you storage space but will also give context to executives when making decisions about cybersecurity. Employ software that leverages classifications on content and metadata to gain a better understanding of your data and your exposure to potential threats.
If your primary data is infected, you might think you can simply restore from a current backup. However, cybercriminals can infect both primary data and backups. That copy of your files in the cloud not only serves as a backup to data kept on-premises, but also serves as a backup to any backups kept on-prem. Managing versions and duplicate copies is key to maintaining an airtight plan against cybercrime.
Ransomware changes your data by accessing and encrypting or deleting it, and most backup software is tuned for an incremental-forever approach which will see that change, copy it and move it to your secondary storage, overwriting good backups with bad ones. Use software that not only tracks and reports on the volume of changes, but gives you action items before anything is actually copied. Aparavi allows administrators to set a threshold that alerts IT staff and can prevent good backups from being overwritten with bad ones. For example, if 80% of your data changes, do not copy anything and alert key personnel.
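As an added illustration of that change-rate threshold (example code written for this article, not Aparavi's product or any backup vendor's code), here is a pre-copy gate a backup script could run: it hashes the source tree into a manifest, diffs it against the previous known-good manifest, and refuses to copy anything when modified plus deleted files exceed the threshold. Function and field names are assumptions; the 80% figure is the article's example.

```python
# Change-rate gate for an incremental-forever backup job (constructed example).
# Bulk encryption shows up as many modified hashes; bulk deletion as missing
# paths. Either one above the threshold blocks the run so a poisoned source
# cannot overwrite known-good secondary copies.
import hashlib
import os
from dataclasses import dataclass

THRESHOLD_PCT = 80.0  # the article's example: refuse to copy if 80% of data changed

@dataclass
class ChangeReport:
    total: int     # files in the previous (known-good) manifest
    modified: int  # same path, different content hash
    deleted: int   # present in the last manifest, gone now

    @property
    def change_pct(self) -> float:
        # Both encrypted-in-place and deleted files count as change.
        if self.total == 0:
            return 0.0
        return 100.0 * (self.modified + self.deleted) / self.total

def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: str) -> dict:
    """Map each file's path (relative to root) to its content hash."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest

def compare_manifests(previous: dict, current: dict) -> ChangeReport:
    """Diff the last known-good manifest against the current source tree."""
    modified = sum(1 for p, h in previous.items() if p in current and current[p] != h)
    deleted = sum(1 for p in previous if p not in current)
    return ChangeReport(len(previous), modified, deleted)

def backup_allowed(previous: dict, current: dict, threshold_pct: float = THRESHOLD_PCT):
    """Return (allowed, report). When not allowed, copy nothing and alert staff."""
    report = compare_manifests(previous, current)
    return report.change_pct < threshold_pct, report
```

In a real job, `previous` is the manifest saved after the last successful run and `current` is `build_manifest(source_root)`; the report's counts are what the alert to key personnel should carry.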
Many best practices for complying with data privacy regulations are equally useful for ransomware defense. For example, any data stored offsite should be encrypted; a platform should use source-node, AES 256-bit encryption with keyring-style key management. In this scenario, data is encrypted before and during transit and also at rest, all the way down to metadata, ensuring that only your organization and its highest levels of administration will have access to sensitive data.
When it comes to how to avoid ransomware, basic training is critical. Since most ransomware originates from emails, it’s critical that employees learn to identify suspicious messages and attachments. Cybercriminals are adept at making emails look legit and important, even as if they come from your own HR department. Hold regular, mandatory trainings on cyberthreats, and if your coworkers grumble about it, bribe them with treats. That always works for us.