Without a ransomware recovery strategy, companies sometimes end up paying to retrieve their data after an attack. At the same time, threat actors are growing more sophisticated in their ability to bypass both antivirus and anti-ransomware tools — thus, they’re also growing bolder. To stay ahead of the curve, organizations will need to develop more complete defense systems and recovery plans.
Putting Prevention First
Recent research from the Ponemon Institute found that the majority of responding companies (69 percent) don’t trust antivirus solutions to stop threats, while CIO Dive revealed that 81 percent of cybersecurity experts predict an increase in ransomware attacks in 2018. Furthermore, human error only increases the likelihood of a successful ransomware attack. So it’s up to security practitioners to take steps to prevent an incident, and the first of those steps should be to focus on IT hygiene, said Christopher Scott, CTO, global remediation lead, IBM X-Force IRIS.
“IT departments should focus on keeping endpoints up to date to reduce the attack surface for ransomware attacks,” Scott advises. “Security groups should look to embrace endpoint detection and response (EDR) technology to detect these attacks earlier to reduce the overall impact.”
Once they have taken the time to fully examine and improve their IT hygiene, companies can start preparing for a ransomware attack. According to Bruno Carrier, IT security strategist at BoldCloud, a layered defense strategy is the best guard. Carrier suggests that a strong defense against ransomware should include:
- Antivirus or anti-malware solutions that are active and up to date;
- Anti-data encryptors (anti-ransomware tools) that watch for unauthorized bulk encryption of files and stop the process before it locks you out of your data;
- Anti-spam, which is an essential tool for reducing a business’s exposure to email-borne threats such as suspicious links, malicious downloads, malware-laden websites, etc.;
- Backup storage for your files, whether cloud-based or on-site, including a full disk image with all installed programs ready to be restored; and
- Awareness and security training to help employees recognize what types of emails to avoid and which links are safe to visit.
Ransomware Recovery Without the Ransom
Last month, researchers at Cisco Talos revealed a weakness in the Thanatos ransomware code, making it possible for victims to unlock encrypted files without paying a ransom. ThanatosDecryptor is a free ransomware decryption tool available on GitHub; like other free decryptors, it works only against the specific strain whose flaw it exploits.
Despite these available tools, companies that don’t have a working decryptor for the strain that hit them will likely face an uphill battle afterward; forensics and data recovery companies can provide additional assistance to those who need it. Even so, the threats are evolving, which is why antivirus and anti-data encryptor solutions are so important.
“The ransomware problem is truly a problem where prevention is far more effective than a treat-the-symptoms approach,” Carrier says.
In other words, companies shouldn’t get into the habit of waiting for researchers to reverse-engineer decryptor tools for every ransomware strain. The key to recovering from ransomware, without paying the ransom, is having a solid data backup strategy. “Backup systems should be isolated in ways that prevent attackers from encrypting data within this system,” Scott explains.
“A good rule of thumb is configuring backup accounts to be able to access production systems for reading data to back up, while preventing production accounts from having write access of any type to the backup. We have seen cases where the Domain Admin is compromised and is able to encrypt the backups, resulting in difficult and expensive recovery processes.”
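The rule of thumb above is easy to state and easy to violate silently, usually through group membership. The following Python script is an added example (not code from the article, IBM or BoldCloud) that models principals, systems and the rights granted between them, then checks the two halves of the rule: backup service accounts can read production, and no production-side principal, Domain Admins included, holds any write-like right on the backup system. The account, group and system names are constructed for illustration.

```python
"""Backup-isolation policy check (added example, not from the article).

Checks that backup accounts can read production systems while no
production-side principal, Domain Admins included, can write to, delete
from or re-ACL the backup system. All names below are constructed.
"""
from dataclasses import dataclass

WRITE_LIKE = frozenset({"write", "delete", "modify_acl"})


@dataclass(frozen=True)
class System:
    name: str
    tier: str  # "production" or "backup"


@dataclass(frozen=True)
class Principal:
    name: str
    tier: str  # side of the boundary the account belongs to
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Grant:
    subject: str  # principal or group name
    target: str   # system name
    right: str    # "read", "write", "delete" or "modify_acl"


def expand_grants(principals, grants):
    """Resolve group grants to per-principal grants. Group membership is the
    usual way a Domain Admin ends up with rights nobody meant to give it."""
    resolved = set()
    for p in principals:
        for g in grants:
            if g.subject == p.name or g.subject in p.groups:
                resolved.add(Grant(p.name, g.target, g.right))
    return resolved


def check_backup_isolation(principals, systems, grants):
    """Return a sorted list of (principal, system, right, reason) violations."""
    tier_of = {s.name: s.tier for s in systems}
    prin_tier = {p.name: p.tier for p in principals}
    violations = []
    readable_prod = set()

    for g in expand_grants(principals, grants):
        sys_tier = tier_of.get(g.target)
        ptier = prin_tier[g.subject]
        # Rule 1: production principals never get write-like rights on backups.
        if sys_tier == "backup" and ptier == "production" and g.right in WRITE_LIKE:
            violations.append((g.subject, g.target, g.right,
                               "production principal can alter backups"))
        # Rule 2: backup accounts pull (read) from production, nothing more.
        if sys_tier == "production" and ptier == "backup":
            if g.right == "read":
                readable_prod.add(g.target)
            elif g.right in WRITE_LIKE:
                violations.append((g.subject, g.target, g.right,
                                   "backup account should pull (read) only"))

    # Rule 3: every production system must be readable by some backup account,
    # otherwise "isolation" is satisfied by not backing anything up.
    for s in systems:
        if s.tier == "production" and s.name not in readable_prod:
            violations.append(("-", s.name, "read",
                               "no backup account can read this system"))
    return sorted(violations)


# --- constructed sample environment ----------------------------------------
SYSTEMS = [
    System("fileserver01", "production"),
    System("sql01", "production"),
    System("backup-vault", "backup"),
]
PRINCIPALS = [
    Principal("svc_backup", "backup"),
    Principal("svc_app", "production", frozenset({"Domain Users"})),
    Principal("alice.admin", "production", frozenset({"Domain Admins"})),
]
GRANTS = [
    Grant("svc_backup", "fileserver01", "read"),
    Grant("svc_backup", "sql01", "read"),
    Grant("svc_backup", "backup-vault", "write"),     # backup side writes its own vault
    Grant("Domain Admins", "fileserver01", "write"),
    Grant("Domain Admins", "backup-vault", "write"),  # the case the quote warns about
    Grant("Domain Users", "fileserver01", "read"),
]

if __name__ == "__main__":
    for v in check_backup_isolation(PRINCIPALS, SYSTEMS, GRANTS):
        print(*v, sep=" | ")
```

Run against the sample, the only finding is that alice.admin, via Domain Admins, can write to backup-vault, which is exactly the compromised-Domain-Admin scenario. Note what the check does not cover: rights are only half of isolation. If the backup account's credentials live in the same directory the attacker now controls, a Domain Admin can simply reset them, so the backup side also needs its own identity store or an out-of-band credential, not merely a clean ACL.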
Be Prepared — Get Everyone Involved
Many ransomware attacks occur through spear phishing, which brings us back to the people problem. “Companies need to continue to focus on end user education,” Scott says. “In addition to preparing users, companies should be focusing on reducing the attack surface, gaining more visibility into activity and securing the backup systems.”
IBM conducts cyber resiliency workshops to focus on these types of attacks as well as more targeted attackers. “Ransomware attacks are a highly coordinated ‘business,’ which is so developed that what was once acceptable security — like AV/AM/firewall — won’t be enough in today’s threat landscape. You need to do what is expected and then more,” says Carrier.