Changing ransomware trends cause for concern

Read time 4min 20sec
Fred Lherault, field CTO EMEA/emerging markets, Pure Storage.
Fred Lherault, field CTO EMEA/emerging markets, Pure Storage.

Emerging trends in ransomware indicate that attackers are becoming more brazen and that most organisations will be hit. This is according to Fred Lherault, field CTO EMEA/emerging markets at Pure Storage, who was speaking during a Pure Storage webinar on ransomware this week.

Lherault noted that IBM’s Cost of a Data Breach Report 2020 had indicated a rise in data breaches, with the average cost of an attack in South Africa in the order of $2 million. This cost includes the costs of not being able to operate, the costs of mitigation, and reputational impact. The report also said that the dwelling time – the average time to identify and contain a data breach – was over 200 days last year.

“In a typical attack, during that dwelling time, the attackers will perform reconnaissance on the target to understand the organisation and start deploying the ransomware payload silently into multiple systems," he said. "They will also create additional backdoors for later, when they may also exfiltrate critical data for a secondary attack, and will then start the encryption phase. Backups are targeted – typically the most recent files are targeted first. The victim’s files are then encrypted and a message is displayed informing the victims of the attacker’s demands – often in bitcoin. The attackers will then provide keys required to decrypt or recover the files.”

However, he noted that decryption could take weeks and that the attackers might also use the exfiltrated data in a secondary attack, in which they demand payment to not post the files on the public Internet.

He said a Sophos study last year had found that only 24% of attacks are stopped before the data is encrypted, saying it was a matter of ‘when’ not ‘if’ an organisation would be attacked.

He outlined several real-world ransomware attacks suffered by customers in the past year, including an MSP which recovered in three days due to preconfigured snapshots allowing them to recover fairly quickly. 

A manufacturer who did not have that snapshot type protection took around three weeks to restore around 80% of production using traditional backups – which are not capable of restoring the entire production environment in a day.

A local government entity attacked on Christmas Eve 2020 had its source data and backup data encrypted in under three hours, chose not to pay the ransom and had to restore data from offsite backups, a process which took over two months. 

A university in the US had not only source data encrypted, but attackers also started deleting all the snapshots on their primary backup system. This customer disconnected the disaster recovery system from the network fairly quickly and so was able to preserve some of that data.

We haven’t yet seen a competitor buying the data, but data being published could mean greater scrutiny or could impact the organisation’s share price.

Fred Lherault, CTO, Pure Storage.

“These cases show that attackers will spend a long time in the environment, mapping it, selecting and preparing targets and compromising credentials. Typically, the attack will be coordinated to hit all targets at the same time, and will execute in a matter of hours. Backups will be targeted at the same time as source data, storage device credentials may be compromised, and attackers will destroy snapshots and backup copies if they have access to them. In addition, the attack will often happen at the worst possible time when few staff are at the office, such as weekends, public holidays, and end of year shutdown periods.” 

There was cause for concern that dwelling times appear to be dropping, Lherault said. “We’ve seen a decrease in dwelling time recently – in some cases to under a month. We think this could be explained by attackers leveraging automation to detect targets and deploy packages faster. It may also indicate that the attackers are becoming more brazen and less concerned about being detected.”

Another concerning trend was the multifaceted extortion taking place, he said. “Now, attackers are also threatening to publish the data, to go public about the breach or to sell the data to competitors. We haven’t yet seen a competitor buying the data, but data being published could mean greater scrutiny or could impact the organisation’s share price,” he said.

“The ability to recover data and speed of recovery are what will matter most when an attack occurs. With a proper data protection plan and architecture in place, a lot of the pain around a ransomware attack can be minimised,” he said.

Lherault outlined Pure Storage solutions to mitigate risk before, during and after an attack, providing always-on data at rest encryption with optional third party HSM integration and eliminating the ability for attackers to modify or delete snapshots. The solutions drive industry’s fastest recovery of backed up data – allowing organisations to restore petabytes per day.

See also