According to the National Cyber Security Centre’s 2021 annual review, there were three times as many ransomware attacks in the first quarter of 2021 than in the whole of 2019. Consultancy UK’s survey of business leaders illustrates many anticipate a rise in cyber-attacks in 2022, with 61% stating that ransomware, in particular, will pose a mounting threat.
As our lives have become increasingly digitally focussed, so has crime. With the pandemic accelerating the shift to working from home, what can organisations do to safeguard themselves from being held hostage by online trojans? Nimbus Ninety members were given a step-by-step guide to understanding ransomware recovery by Stefan Ehmann, Business Lead Object Storage Solutions EMEA and Tom Christensen, Global Technology Advisor & Executive Analyst from Hitachi Vantara.Step 1: Protect your data against ransomware
There are primarily 3 major types of cyberattacks: malware, phishing, and ransomware attacks. Malware is a general term for malicious software. Phishing refers to the process of deceiving recipients into sharing sensitive information with an unknown third party. The most harmful of this dark triad is ransomware which specifically refers to being denied access to your files or computer until you pay a ransom. Using a combination of methodology and technology, organisations are able to protect their data from ransomware access, which is the preferable first point of call. It is important to protect the core data centre. This is even more paramount in remote working environments and the current complexity of today’s multi-cloud environment. So safeguards such as second-factor authentication, utilising WORM (write-once-read-many) drives, and not only backing up the data but backing up your back-ups, are a must. Implementing this multi-layered strategy will create barricades for those pesky trojans.
Step 2: Recover your data from ransomware
Ensuring that you can quickly recover for business continuity and disaster recovery in the wake of a potentially devastating cyber-attack, which can not only damage an organisation's finances and reputation but can have devastating effects on end-users if sensitive data is either stolen or modified. It is also important to ensure that the data recovered is the latest up-to-date information. How often have you attempted to recover a file to discover the last salvageable version is days, even weeks, old? Again, in certain circumstances or industries, such as healthcare, this could result in irreparable damage. Successful implementation of both steps 1 and 2 allows for immutability by both default and by design.
Now participants were invited to reflect upon the efficacy of their organisation’s ransomware resiliency plans. It was noted that when implementing these plans, it is not only necessary to organise them but to rigorously test them. It is no good having a stellar ransomware attack strategy without identifying the cracks in the defences internally. However, it was noted that there is frequent hesitancy in doing so despite what is at stake. Altering or capturing data is not merely inconvenient, but dangerous, and can result in much larger issues than internal discord.
The COVID-19 pandemic accelerated both the threat and focus on potential ransomware attacks. The new working-from-home culture has made data more vulnerable by removing it from the safety hub of the corporate environment and placing it into the hands of many who are ill-equipped to deal with its sensitive nature. Within this new distributed environment, participants agreed that successful ransomware strategies include a methodological as well as a technical angle. Training employees and the organisation itself was paramount, with the old corporate adage of “security by design” no longer making the cut. However, the core principles of data security remain the same. Employing the multi-layered approach of access and identity management, understanding the principles of cloud and IOT, and utilising analytics to identify anomalies all contribute to the methodological and technical blockades.
One participant noted that the tech is there - so why are ransomware attacks still such a problem? It was concluded that organisations need to really understand the severity of the threat of ransomware attacks. Once they spend time doing this, they need to implement adequate levels of safeguards and processes and ensure they are tested to their limit - because if they don’t, attackers will. Preparation was identified as key to the point that organisations develop muscle memory in their capacity to respond to attacks. Once this is developed, organisations can respond to threats they did not even anticipate. The discussion concluded with a resounding agreement that there is indeed a third pillar to be added to the guide to recovering from ransom recovery: methodology, technology, and also culture.
A lively debate ensued about how ransomware attacks are no longer merely the concern of “techies”. There was resounding agreement that it is now a greater issue than the technological sphere and should be analysed from a strategic and operational level. Organisations frequently end up in a state of “board paralysis” during these attacks unable to make decisions on whether to negotiate with attackers and if so, how this is done and who by. The organisation as a whole needs to be educated on, and prepared for, ransomware attacks to allow for rapid decision making and adequate disaster mitigation planning by removing the silos between IT teams and executive decision-makers.
It was acknowledged that security experts are always in crisis mode, with their primary state being that of a state of alert and defence. This makes innovation difficult as organisations are usually one step behind the attackers. Currently, 64% of organisations are paying to get access to data again which evidences the inefficacy of current ransomware strategies. Organisations should not have to invent new solutions each time there is an attack. In order to mitigate this constant state of paranoia, it was noted that preparation needs to be drilled into the organisation as a whole in the same way that the technology is prepared and drilled. This can be done by creating a playbook of ransomware recovery that becomes second nature during crises, by running through and testing these disaster recovery strategies. However, recovery should not be the primary focus, but rather prevention and disaster mitigation.
To finish, participants concurred that you have to get the basics right. The backup solution at the end of the chain is your last safety net, but there is much to get in place before then. There should be a focus on mitigation rather than recovery with a holistic view of an organisation’s ransomware strategy. This includes operational security, keeping hardware up-to-date, not using default passwords, and the organic side of things. Until the basics are in place, security leaders cannot build on cyber resilience strategies.