Ransomware Recovery: Maintain Control of Your Data in the Face of an Attack
Imagine the panic and concern that hits as you look at a screen that says: “All files on your computer have been locked. Please pay the ransom within 24 hours to get the key … or else.”
From the days of ransomware being distributed on floppy disks to modern attacks like WannaCry and Petya spreading around the world in minutes, this is probably your image of ransomware. Ransomware locks your computer or encrypts your data and then demands a fee in exchange for the supposed safe return of your critical assets.
Unfortunately, the actual costs associated with ransomware go well beyond simply paying a ransom. The disruption this form of attack causes can bring operations to a halt — affecting the organization’s bottom line, reputation and brand.
Ransomware: To Err Is Human
Aside from blocking organizations from accessing their own data, cybercriminals also use ransomware to hide the delivery of other malware, steal data or simply cause business disruption. The growing sophistication and proliferation of ransomware over the past few years has led many companies to anticipate an eventual attack.
Recognizing the inevitability of a ransomware incident is a good first step toward mitigating this threat. But the reality is that organizations must immediately assess how their business has been disrupted — whether confidential or proprietary data is at risk and whether their recovery plan is sufficient — in the event of an attack.
Historically, ransomware payloads have been delivered via email attachments, malicious or hijacked websites and adware, to name a few. These delivery methods usually have one thing in common: they need a human to act, such as opening an attachment or running a download. Security training has taught users to be wary of messages from untrusted sources or with unusual content, and this is a great start.
However, as more ransomware variants spread by other means (WannaCry and Petya, for instance, propagated by exploiting unpatched network services rather than by tricking users), it is critical to augment ongoing user education with technical controls and processes. Apply security patches promptly to all operating systems and software, and keep antivirus and antimalware tools updated with the latest signatures. Also minimize system and data access permissions according to least privilege and job function, and monitor how those permissions are actually used.
Still, preventative measures can only do so much because, well, humans are human.
Signature-based tools can only detect malware that has already been discovered and analyzed, and a vulnerability cannot be patched until someone has found it. Because protection arrives only after the problem is known, you need additional controls that limit the damage up front and allow rapid remediation in the event of an infection.
For example, assume that someone (or something) has already gotten into your system or network. In an unprotected environment, reading and exfiltrating data is trivial at that point. If the data is encrypted at rest and cannot be decrypted without the proper authentication and authorization, an attacker who copies it out still ends up with only ciphertext. This basic layer of protection means that even if malware or ransomware reaches your data, it is safe from unauthorized use or disclosure.
Make Backups, Encryption and Cloud Storage Your Priority
Even if your data is protected against theft or unauthorized disclosure, the files may still be locked by the ransomware. How can you regain access? According to an alert from the Department of Homeland Security (DHS) on ransomware and recent variants, it is critical to have a secure data backup and recovery process.
The DHS advised organizations to:
- Implement a backup and recovery plan for all critical data;
- Regularly test backups to limit the impact of a data breach and accelerate the recovery process; and
- Isolate critical backups from the network for maximum protection if network-connected backups are affected by ransomware.
While having a backup and recovery strategy is considered a best practice, the enormous amount of data organizations use every day can be challenging to back up, especially on a frequent basis. However, options for backing up large quantities of data exist today in the form of cloud storage.
The cloud has emerged as a low-cost alternative for backup and archiving, especially object storage where application programming interface (API) connectivity and geographic location choices make isolating backup data from the network relatively easy and inexpensive. But cloud storage comes with its own unique challenges, particularly privacy.
With the right approach, concerns about trusting the object store provider with your data can be addressed. Organizations need technical and operational processes that allow data to be archived in object stores but kept in a form the cloud service provider (CSP) cannot read: encrypt the data before it leaves your environment, keep the keys under your own control, and copy, move, back up and archive only the encrypted form. Make this practice a core part of the organization's data protection strategy.
How to Simplify Ransomware Recovery
Ransomware is designed to enable cybercriminals to take command and control of your systems and business operations for quick financial gain or other malicious intent. Once a successful attack begins, you no longer have control or access to one of your organization’s most valuable assets: its data.
Conversely, the focus of ransomware recovery is all about maintaining control as efficiently and securely as possible. This necessitates making data protection with secure backup and recovery an essential part of your security processes. To align with new regulations, such as the General Data Protection Regulation (GDPR), security controls must be implemented by design and by default so that your data is protected from the time it is collected until the end of its life cycle.
Organizations need to control the who, what, when and how of systems and data that are accessed based on job function or role. This is good security hygiene at its most basic level. By using a strong, data-centric solution that combines encryption, access controls, key management and monitoring — and linking it to a secure backup strategy — organizations can narrow the attack surface for ransomware and better position organizational operations to continue in the face of an attack.
That sounds complex, but it’s not.
With emerging cloud data encryption tools that offer file and object store encryption, organizations can significantly reduce the risk and cost of ransomware with a single integrated solution that covers role-based access controls, strong encryption, key management, access monitoring, object storage security with geographic dispersal, and native backup and restore capabilities. In addition, these tools manage data protection consistently, whether you are protecting attached storage at the file or volume level or object storage via API, and regardless of whether it is on-premises, in the cloud or in a hybrid environment.
Expanding on the concepts of regular backups with encryption and secure cloud storage takes the best practices of good security hygiene and adds layers of data protection, consistency, automation and control to help organizations become better prepared to weather the storm of evolving cyberthreats.
To learn how IBM Multi-Cloud Data Encryption supports ransomware recovery, join us for our upcoming webinar on June 28, 2018, “Guardium Tech Talk: Encrypting Your Object Store Data Without Giving Your Keys to the CSP.”