Ransomware changes tactics, targets backups first
Advanced ransomware attacks are changing tactics. They are targeting organisations’ backups first in an attempt to destroy their ability to recover and make sure they pay the ransom.
This is according to James Hughes, VP SE, EMEA AT Rubrik, who was speaking during a webinar hosted by Rubrik in partnership with ITWeb this week.
Rubrik reports that the FBI estimated that extortionists earned more than $1 billion last year. The company says that while backups are the most important defence against ransomware, advanced ransomware is now targeting these, modifying them or completely wiping them out. This compromises the last line of defence, maximising the chances of ransom payout.
“This year, there has been an increase of over 700% in ransomware attacks globally. It is a terrifying position to be in,” said Hughes. “With the average recovery time around seven days, organisations can’t afford the lengthy downtime and many are paying the ransoms.”
A poll conducted among participants in the webinar revealed that 47% said either they, or a partner, vendor or close subsidiary, had experienced a ransomware attack. In a poll on how long they thought it would take them to recover from such an event, 1% thought it would take up to four hours, 22% said one day, 22% said three days, 22% said a week, and 28% said it would take them more than a week.
Hughes said: “Nine times out of 10, ransomware gets in through social engineering, clicks on malicious links and other human error. Then it will sit there, try to get onto several machines, and start scanning the environment – with all the permissions of the person who first opened it. It first searches for content to encrypt, and then you’ll get the ransom notes. So, you may have lots of layers of defence – and we do advocate for multiple layers of security – but ultimately humans are the weakest link.”
Werner Vorster, country manager, sub-Saharan Africa at Rubrik, said enterprises across the board were being targeted. “It’s no specific industry, we’ve seen it’s everywhere, and no one is safe."
To limit the impact of an attack, businesses need full visibility into the behaviour of their data, so when something anomalous occurs, they can be rapidly alerted to the incident and quickly revert to the last safe point of restore, said Vorster.
Eric Badenhorst, regional systems engineering lead for Rubrik, noted that many data protection and backup models are 20 to 30 years old, employing technologies that haven’t moved with the times.
Data protection should be the last line of defence against ransomware, he says. It needs to be immutable, able to recover rapidly, and use metadata platforms to determine specifically where in the organisation has been affected.
Rubrik’s data management and protection systems are designed to modernise and automate data management, and mitigate data risk through ransomware-proof backups, anomaly detection and data classification.
Rubrik’s ransomware remediation checklist advises that in the event of a ransomware attack, organisations should isolate the infected device from the network, ensure that backups have not been compromised, identify the infection and check retention times.
Once these steps have been followed, the response plan should be activated. This could mean choosing to restore files from backup if possible, locating a decryptor if available, doing nothing and accepting the data loss, or negotiating and coughing up the ransom.
Finally, the company advises to diagnose the scope of the infection and alert authorities and end users.