Guest Column | January 16, 2023

How To Neutralize The Threat Of Ransomware

By Bret Piatt, CyberFortress


Ransomware remains a persistent, dangerous, and costly threat to the enterprise. According to recent research from Veeam, a ransomware attack is launched every 11 seconds, potentially disrupting productivity, services, and revenue. And beyond the potential business risk, a successful ransomware attack can subject the victim to civil and even criminal liability, not to mention the often lengthy or even permanent damage to brand reputation.

For managed service providers (MSPs), ransomware is particularly troubling for a number of reasons. Foremost, no one is immune to attack, and when the business model is built around providing secure, reliable IT services to clients, failure to deliver on those promises is particularly damaging. Business clients have come to look at MSPs as partners, not just suppliers, and implicit in these relationships is the understanding that their data and services infrastructure is safe from harm.

Trusted Partners

At the same time, however, a strong relationship between provider and client enterprise is also one of the most effective tools in building a more secure, protected data environment. By creating a united front, all stakeholders stand a better chance of spotting potential attacks and thwarting them before they cause significant harm to anyone.

Technology certainly plays a key role in defending against ransomware, but even the most state-of-the-art approach is only half of the package. Without a properly trained and knowledgeable workforce – not just the security staff but all employees – an attack will eventually succeed. This training can take many forms, but one of the most effective is regularly sending employees simulated phishing emails and other email-based lures.

According to Cisco’s 2021 Cybersecurity Threat Report, phishing is the source of 90% of data breaches these days, and at least one person clicks on a given phishing link in 86% of organizations. To help counter this, organizations should send random fake phishing emails to employees regularly, not to shame those who take the bait, but to create teachable moments that build greater awareness of how phishing works and how to spot the ploys they use.

Of course, there are all manner of technology-based defenses as well, both to prevent ransomware attacks and to minimize the damage from those that do infiltrate data and resource assets.

Many organizations are turning to micro-segmentation and zero-trust authentication models to thwart malware’s ability to affect multiple systems after a breach of the firewall. Zero-trust builds an extra layer of protection for critical systems by requiring authentication and continuous verification for all users, regardless of where or how they are attempting to gain access. Meanwhile, user authentication should not rely on username/password alone, which creates a single point of failure, but should also incorporate strong multi-factor authentication. Together, these two techniques can significantly reduce the ability of ransomware and other forms of malware to spread through systems.

Respond And Recover

The last line of defense against cyberattacks is effective backup and recovery – particularly full-scale disaster recovery. Once data and systems have been compromised, attackers know that the most effective form of leverage they have is time. The longer it takes to restore systems to their pre-compromised state, the greater damage to operations, revenue, and reputations.

At a certain point, the time to recovery becomes more costly than the ransom being demanded, which prompts many organizations to simply pay up and get back to business. But though this may get organizations back to business faster, there are plenty of downside risks to consider. First, there’s no guarantee that data and control will be restored completely once cybercriminals get their money. Even worse is the fact that the organization has now flagged itself as one that will pay the ransom, which only invites future attacks. And not only do criminals know how to defeat your defenses, but the original malware or others that remain still hidden may be lurking somewhere in your storage volumes.

An effective backup and recovery (B&R) program can neutralize these threats. The key mistake that most organizations make with their B&R infrastructure is to focus too much on data replication and storage and not enough on recovery. This is an understandable error to make, since backing up data is a daily, ongoing process while restoring it happens infrequently (one would hope, anyway). But just like it is good practice to ensure your spare tire is always inflated and in good working order, so should you conduct regular recovery assessments, including live drills, or else your data might not be there when you need it.

A proper recovery strategy requires five key elements to ensure the process proceeds as quickly and smoothly as possible:

  • A well-constructed plan that prioritizes mission-critical workloads;
  • Complete understanding of application and data dependencies;
  • Frequent updates and optimization;
  • Regular testing, not just internally, but a fully replicated disaster requiring complete failover to another location; and
  • An incident response plan covering lines of communication for all key stakeholders.
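The "regular testing" element above is the one most often skipped, so here is an added, self-contained illustration of a minimal restore drill: a backup is written together with a SHA-256 manifest, restored to a separate target directory, and every restored file is checked against the manifest. This is example code written for this page, not CyberFortress's tooling; the directory names and file contents are constructed, and the `corrupt` switch simulates a backup copy that was silently damaged after it was written, which a storage-only check would never surface.

```python
"""Backup-and-restore drill: back up a directory with a SHA-256 manifest,
restore it to a separate target, and verify every restored file.

Added example, not part of the column; sample files and paths are constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, backup_dir: Path) -> dict:
    """Copy every file under source into backup_dir and record its hash.
    The manifest is what a later restore drill is checked against."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = file.relative_to(source).as_posix()
        dest = backup_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(file, dest)
        manifest[rel] = sha256_of(dest)
    (backup_dir / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_and_verify(backup_dir: Path, restore_dir: Path) -> dict:
    """Restore to a separate target and compare each file against the manifest.
    Returns counts and the names of files that failed or were missing."""
    manifest = json.loads((backup_dir / "MANIFEST.json").read_text())
    result = {"restored": 0, "failed": [], "missing": []}
    for rel, expected in manifest.items():
        src = backup_dir / rel
        if not src.exists():
            result["missing"].append(rel)
            continue
        dest = restore_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dest)
        if sha256_of(dest) != expected:
            result["failed"].append(rel)
        else:
            result["restored"] += 1
    return result


def run_drill(corrupt: bool = False) -> dict:
    """Run one drill end to end in temporary directories. With corrupt=True one
    backup copy is altered after the manifest was written, simulating silent
    damage that would only be discovered during a real recovery."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backup, restore = root / "prod", root / "backup", root / "restore"
        # Constructed sample data standing in for a production tree.
        (source / "db").mkdir(parents=True)
        (source / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'widget');\n")
        (source / "config.ini").write_bytes(b"[app]\nmode=production\n")
        create_backup(source, backup)
        if corrupt:
            (backup / "db" / "orders.sql").write_bytes(b"garbage")
        return restore_and_verify(backup, restore)


if __name__ == "__main__":
    print(run_drill())              # clean drill: both files restored and verified
    print(run_drill(corrupt=True))  # db/orders.sql fails hash verification
```

In a real program the restore target would be a different host or site, the drill would be scheduled rather than run by hand, and a non-empty `failed` or `missing` list would page someone; the point the column makes is that the manifest only proves anything if a restore is actually exercised against it.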

Be aware, though, that cybercriminals are fully aware that backup and recovery are the last lines of protection against their efforts. They will do whatever they can to destroy infrastructure and replicas. This makes the protection of B&R and disaster recovery systems a top priority.

Protecting The Goods

Using a few basic design elements, organizations can implement a robust recovery architecture that is both resistant to compromise and easy to manage and operate. First, backup systems should reside in a separate domain or workgroup. This ensures that primary and backup data are not encrypted in the same way, which otherwise would allow the same code to access both data sets and render the entire B&R apparatus useless.

Certainly, having a physical “air gap” between backup and primary resources is the most effective protection, but this will delay recovery operations, which, as mentioned above, is one of the key outcomes cybercriminals are counting on. A more practical approach is to create an immutable backup or soft delete system that places files in the equivalent of a recycle bin where they can be more easily recovered. Of course, access to this data should require more than a simple password, something on the order of multifactor authentication.
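To make the immutable/soft-delete design concrete, here is an added, in-memory illustration written for this page (it is not CyberFortress code and every name, timestamp and byte string in it is constructed). Backups are write-once, a delete request only sets a tombstone that `restore` can reverse, and a permanent purge is refused both inside the retention window and, after it, without a verified second factor. The `mfa_verified` flag stands in for whatever step-up authentication the real system performs.

```python
"""Soft-delete backup vault with an immutability (retention) lock.

Added illustration of the design described in the column, not CyberFortress
code; it is in-memory and every name, time and byte string is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


class RetentionError(Exception):
    """Raised when a request would violate the vault's protection rules."""


@dataclass
class BackupObject:
    data: bytes
    locked_until: datetime                 # retention lock: no purge before this time
    deleted_at: Optional[datetime] = None  # soft-delete tombstone; the data is kept


class BackupVault:
    """Backups are write-once, deletes are tombstones, and a real purge needs
    both an expired retention lock and a second authentication factor."""

    def __init__(self, retention_days: int = 30):
        self.retention = timedelta(days=retention_days)
        self._objects: Dict[str, BackupObject] = {}

    def put(self, name: str, data: bytes, now: datetime) -> None:
        # Write-once: an existing backup is never overwritten in place, so a
        # compromised writer cannot replace good copies with encrypted ones.
        if name in self._objects:
            raise RetentionError(f"{name} already exists; backups are immutable")
        self._objects[name] = BackupObject(data, locked_until=now + self.retention)

    def delete(self, name: str, now: datetime) -> None:
        """An ordinary delete only sets a tombstone; the bytes remain."""
        self._objects[name].deleted_at = now

    def restore(self, name: str) -> bytes:
        """Restore works even for a tombstoned backup (the 'recycle bin')."""
        obj = self._objects[name]
        obj.deleted_at = None
        return obj.data

    def purge(self, name: str, now: datetime, mfa_verified: bool) -> None:
        """Permanent removal: refused inside the retention window, and refused
        without a verified second factor even after it has expired."""
        obj = self._objects[name]
        if now < obj.locked_until:
            raise RetentionError(f"{name} is retention-locked until {obj.locked_until.isoformat()}")
        if not mfa_verified:
            raise RetentionError("purge requires a verified second factor")
        del self._objects[name]

    def exists(self, name: str) -> bool:
        return name in self._objects


def demo() -> dict:
    """Walk one backup through overwrite, delete, restore and purge attempts."""
    name = "db-2023-01-16.bak"                       # constructed name
    t0 = datetime(2023, 1, 16, tzinfo=timezone.utc)  # constructed timeline
    vault = BackupVault(retention_days=30)
    vault.put(name, b"constructed backup bytes", now=t0)
    out = {}

    # A second write to the same name is rejected rather than overwriting the copy.
    try:
        vault.put(name, b"different bytes", now=t0)
        out["overwrite_allowed"] = True
    except RetentionError:
        out["overwrite_allowed"] = False

    # Delete then restore: the tombstone is reversible.
    vault.delete(name, now=t0 + timedelta(hours=1))
    out["restored_after_delete"] = vault.restore(name) == b"constructed backup bytes"

    def try_purge(now: datetime, mfa: bool) -> bool:
        try:
            vault.purge(name, now=now, mfa_verified=mfa)
            return True
        except RetentionError:
            return False

    out["purged_inside_retention"] = try_purge(t0 + timedelta(days=1), mfa=True)
    out["purged_without_mfa"] = try_purge(t0 + timedelta(days=31), mfa=False)
    out["purged_after_retention_with_mfa"] = try_purge(t0 + timedelta(days=31), mfa=True)
    out["still_exists"] = vault.exists(name)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same three properties (write-once objects, reversible deletes, and a purge that needs both an expired lock and step-up authentication) are what object-storage "object lock" and versioning features provide; the value of spelling them out is that each one can be tested on its own during the recovery drills the column recommends.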

Like any complex system, however, B&R and disaster recovery (DR) can only provide optimal service if maintained properly. Regular audits are crucial to ensure that only the data that needs to be protected is coming into the system, since the criteria for determining which data qualifies change over time, as do the resource dependencies built up over the years. The use of virtual machines has complicated this effort, given the frequency with which they are created and decommissioned.

Encryption should also take place for backups at rest, but it is important to keep the key in a safe place that is not connected to the network. Again, this is because a key reachable from the network would give a single attack access to both the original and the replicated data. Also be sure to always maintain a viable restore target, given that a successful attack usually knocks primary resources offline.

To be sure, backup and DR are complex tasks, and they are usually beyond the scope of most internal IT departments. This is why many organizations, even large ones, find a partner with a proven track record of successful deployments and ongoing management expertise. Few IT professionals have had to do a full restore, and when an emergency of that magnitude is at hand it is best to have someone with experience at the helm.

For both MSPs and the enterprise, successful recovery following a ransomware attack, or any other kind of disruption, can be the difference between continued success and a steady fall into obsolescence. The prevalence of cyberattacks these days all but ensures that at some point your firewall will be breached and your client’s or your own assets will be jeopardized.

When that time comes, the only way to handle it successfully is to be properly prepared.

About The Author

Bret Piatt is the CEO of CyberFortress.