Ransomware – the gift that keeps on taking

Knowing how ransomware is evolving is key to protecting against it, writes Ezat Dayeh, SE Manager UK & I at Cohesity

Technology rarely stands still and, as reported in the Crowdstrike Global Threat Report 2020, the last twelve months have been a very busy time for ransomware gangs. Not only are “ransom demands growing larger and tactics becoming more cutthroat” the criminals involved are finding new ways of breaching corporate defences, while the attacks themselves are becoming a lot more sophisticated and targeted in nature.

Defending against this ever-moving threat is no mean task but a good starting point is an understanding of where the weak points are and how they are being exploited. These can be summarised down to three points.

Human fallibility is still the weakest link

All it takes is one click on an un-screened phishing link and – job done – the network defences are breached and the malware is in!

Hardening those defences against human fallibility calls for a mix of awareness training plus tools to filter out malicious content before it can cause harm. However, it’s a far from precise science and even the best-laid plans need to be kept under review and continuously adapted to cope with the furious rate at which ransomware is evolving.

Take the massive rise in home working during the pandemic, for example, gifting hackers a whole new and very naïve audience, unfamiliar with protecting themselves from threats. According to security vendor Kaspersky, that led to Microsoft RDP (Remote Desktop Protocol) attacks soaring globally in the wake of Coronavirus lockdown. 

They know where you live

Hackers are waking up to the fact that different industries present their own unique vulnerabilities. Something they are now exploiting by moving away from scattergun phishing expeditions towards more targeted attacks. Some, for example, will focus on individual businesses, typically, high profile organisations with the most to lose, while others, target a particular sector using malware tailored to the IT used by that industry.

Or both, as in the recent Honda attack which is widely thought to have involved a variant of so-called Snake ransomware, able to disable backup measures, and target SCADA industrial control systems used in vehicle manufacturing.

Pressure is the perfect driver

Ransomware is becoming a much more diversified “business”. As well as being locked out of critical data, for example, victims are now threatened with the release of sensitive data harvested during the encryption attack. Either simultaneously or as a follow up demand.

There is also growing evidence of ransomware routinely targeting backup and disaster recovery systems as well as live data. Or at least appearing to do so, because it takes time to verify the integrity of these last-ditch defences.

Keeping pace with ransomware

This begs the question: what can a typical enterprise-scale organisation do to protect itself against what is fast becoming the number one threat to its core IT systems?

There are no easy answers or simple tools that will do it all for you. Moreover, its mostly baby steps rather than big leap: delivering better end-user security awareness and training, updating anti-malware tools on the desktop and back-end infrastructure, and making sure backup strategies and tools are robust enough to stifle ransomware threats and enable a rapid recovery.

All are worthy of review but, as the last line of defence, it’s backup that’s the most important. Especially given the widespread use of NAS (Network Attached Storage) appliances to support backup and archiving which, by their very nature, are an easy target.

It’s the “network-attached” bit that puts NAS appliances most at risk, making them easy to identify and, once found, easy to attack. Often without anyone knowing until the ransom demands hit the inbox.

The first line of defence is to lock down the network to which NAS appliances are attached while, at the same time, insuring that NAS firmware is up to date with all the latest security patches applied. Beyond that it’s worth taking advantage of two factor authentication, where available, and the use of SSL to better secure remote access if used.

Other features worth looking for include automatic blocking of IP addresses following repeated failed ‘brute force’ login attacks plus the use of onboard data encryption and NAS-specific firewalls.

A belt and braces approach is the most secure, which means taking frequent and regular backups of NAS storage and storing those copies remotely (preferably off site) and unconnected to the network. This is the only way of insuring there’s a clean, restorable version of your data that’s not too old to be of use. Bear in mind, however, that this should be combined with regular integrity checks and malware scans to ensure data being copied hasn’t been compromised already.

But can the ransomware tide ever be turned? Possibly, but something equally menacing is bound to follow. Hence why many enterprises are looking at disarming the threat of ransomware at the data storage layer, using object storage, versioning, Write Once Read Many (WORM) technology, and immutable file systems.

Gartner predicts that by 2021 some 80 percent of enterprise data will be in scale-out storage based on these technologies, up from 30 percent today. While we may not see the immediate end of the ransomware scourge for the foreseeable future, using such technologies will disarm the most common ransomware attack types, and ensure the light at the end of the tunnel is a little more visible.