Ransomware, Storage, and Backup: Impacts, Limitations, Features

Over the past decade, ransomware has gone from a relatively obscure crime to a multi-billion-dollar industry, with even the largest corporations and governments in its sights.

Organized cybercriminal gangs demand six-, seven- or even more-figure ransoms from their victims. Ransomware uses a combination of network intrusion, malware and encryption to attack storage, encrypt data and even disable backups, locking companies out of their data.

Cybercriminal groups have also been boosted by the growth of cryptocurrencies, which give criminals a low-risk way to extract payment, and by techniques that go beyond data encryption: double and triple extortion attacks add the threat of exposing sensitive data.

Ransomware attacks like those that hit Maersk, Colonial Pipeline and the Irish Health Service Executive have dominated the headlines because of the chaos they caused. However, ransomware attacks are now common, and are becoming increasingly difficult to prevent.

According to experts at data security firm Kroll, 25% to 45% of the company’s investigations now involve a ransomware attack.

Laurie Iacono, associate managing director of threat intelligence at Kroll, said a small number of ransomware groups are behind most attacks, with 86% of attacks involving data exfiltration as well as encryption.

“What we are seeing is ransomware becoming a major attack vector,” she says.

How do ransomware attacks work?

The traditional way ransomware enters an organization is through infected attachments containing executable files, or by enticing users to visit websites hosting malware. Once inside, the malware is deployed across the network and seeks out its targets.

Double and triple extortion attacks create backdoors in systems and allow attackers to exfiltrate data. Increasingly, this also involves disabling backups and attacking core network services such as Microsoft Active Directory.

The latest generation of ransomware attacks targets backup systems, appliances and virtual machines. Oisin Fouere, head of cyber incident response at consulting firm KPMG, said:

“Many backup systems are hosted in virtual infrastructures. They are starting to target and remove operating system-level information from these systems and track the bare bones of the system.”

And as Kroll’s Iacono points out, ransomware groups often recruit people with technical knowledge of backup systems.

But first, the ransomware needs to penetrate the corporate network. The traditional (and still the most common) approach is to use phishing and other forms of social engineering to deliver infected attachments or persuade employees to click on infected web links.

During the Covid lockdown, ransomware groups exploited vulnerabilities in virtual private networks and remote desktop systems, resulting in a spike in ransomware cases.

KPMG’s Fouere said: “They were almost presented with a scenario where the front door was left open, which has been their favorite choice over the past few years.”

The hardening of these access points is behind the recent decline in ransomware incidents.

Keith Chappell, a cybersecurity expert at PA Consulting, said: “More deliberate, more targeted, better researched attacks are actually purposeful, disrupting operations and costing money. They will force you to earn money.”

How will ransomware attacks affect storage and backups?

Ransomware attacks are launched to deny access to data. Early attacks often targeted the disk drives of individuals’ PCs and used fairly basic encryption. Victims could obtain a decryption key for a few hundred dollars.

However, the latest attacks are more selective and do more damage. Attackers increasingly use reconnaissance to find high-value targets. These include personally identifiable information (PII) such as customer, commercial or health records, and intellectual property: the files companies most fear being exposed.


But attackers also target networks, identity and access management data, operational systems (including operational technology), live data flows, and backups and archives. In double and triple extortion attacks, going after backup, disaster recovery and business continuity systems offers the biggest payout opportunity. Without the ability to recover systems or restore data from backups, businesses may be forced to pay.

Attackers also look for accounts that can be compromised and used to elevate privileges or mount more sophisticated attacks. Security teams must therefore protect not only the main data store, but also the systems that manage it.

“Phishing and ransom attacks are often used as a masking technique to hide what is going on, or masked by doing something else,” said Chappell of PA Consulting.

How can storage and backup help in a ransomware attack?

Criminal hackers actively target backups, but they are still your best defense against ransomware.

Businesses should ensure that they take regular backups that are immutable, offsite or, ideally, both. “Data should be backed up daily, weekly and monthly, and the backups should be stored in physically separate, unconnected locations, ideally in different formats,” he says.

Much has been said about the need for an air gap between systems that could be attacked and their backup copies. However, older backup media such as tape are often too slow for a full recovery on the timescales the business demands.

Instead, clients are turning to cloud-based resilience and recovery, primarily for speed, says KPMG’s Fouere.

Backup suppliers and cloud service providers now also offer immutable backups as an additional layer of protection. High-end active-active business continuity systems remain vulnerable to ransomware, because data (including encrypted or corrupted data) is copied from the primary system to the secondary system. Businesses therefore need robust backups and, ideally, a way to scan volumes for malware before using them for recovery.

However, IT organizations should also take steps to protect the backup system itself. “Like any software product, they are vulnerable,” says Kroll’s Iacono. “You need to make sure your backup systems are patched. There have been cases of attackers exploiting vulnerabilities in backup systems to facilitate data exfiltration or avoid detection.”

Some IT teams go further. As ransomware groups spend more time on reconnaissance, companies are disguising the names of their servers and storage volumes. Avoiding obvious labels on high-value data stores is a simple, low-cost step that can buy valuable time for shutting down an attack.

What are the limits of storage and backup as protection against ransomware?

Good discipline on backing up data has made ransomware attacks less effective. This may explain why cybercrime groups have shifted to double and triple extortion attacks targeting backup systems and exfiltrating data.


Using immutable backups alongside disk or cloud storage can help minimize the impact of ransomware. But companies need to ensure that every part of their critical systems is covered, and this includes testing. Even if the main data store is backed up, a system restore can fail if the operational or administrative data it depends on is encrypted and was excluded from the backup plan.

Businesses should also check that data can in fact be restored, even where adequate backups exist. Even with modern backup and recovery tools, this is still a destructive process.
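The two checks the preceding paragraphs call for, backup-plan coverage (is every component a restore depends on actually captured?) and a restore drill (does what comes back match what was backed up?), as an added example that is not from the article or from any backup product it mentions. Host names, component names and file contents are constructed placeholders; the digests stand in for the manifest an immutable backup copy would preserve.

```python
"""Backup-plan coverage and restore-drill checks (added example, not from the article)."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data: host and component names are placeholders.
# Components a full restore of each host depends on. Deliberately more than the
# main data store: configuration, service accounts and directory state are the
# operational/administrative data a restore fails without.
REQUIRED_COMPONENTS = {
    "fileserver-01": {"user-data", "app-config", "service-accounts", "directory-state"},
    "db-01": {"db-data", "db-config"},
}

# What the (hypothetical) nightly job actually captured. Content is embedded as
# bytes so the example runs offline; a real manifest would hold only digests.
CAPTURED = {
    "fileserver-01": {
        "user-data": b"quarterly-report.xlsx contents",
        "app-config": b"share=/srv/data\nquota=500G\n",
    },
    "db-01": {
        "db-data": b"pg_dump output",
        "db-config": b"max_connections=200\n",
    },
}


def build_manifest(captured):
    """Record a digest per component at backup time."""
    return {host: {comp: sha256(blob) for comp, blob in comps.items()}
            for host, comps in captured.items()}


def coverage_gaps(required, manifest):
    """Return {host: [missing components]} for every host whose restore would be incomplete."""
    gaps = {}
    for host, needed in required.items():
        have = set(manifest.get(host, {}))
        missing = sorted(needed - have)
        if missing:
            gaps[host] = missing
    return gaps


def verify_restore(manifest, restored):
    """Compare restored bytes against the manifest.

    Returns a sorted list of 'host/component' entries that are missing or whose
    content no longer matches the digest taken at backup time.
    """
    bad = []
    for host, comps in manifest.items():
        for comp, digest in comps.items():
            data = restored.get(host, {}).get(comp)
            if data is None or sha256(data) != digest:
                bad.append(f"{host}/{comp}")
    return sorted(bad)


if __name__ == "__main__":
    manifest = build_manifest(CAPTURED)
    print("coverage gaps:", coverage_gaps(REQUIRED_COMPONENTS, manifest))
    # Simulate a restore drill in which one file came back altered.
    restored = {h: dict(c) for h, c in CAPTURED.items()}
    restored["db-01"]["db-config"] = b"max_connections=200\nlisten=*\n"
    print("restore mismatches:", verify_restore(manifest, restored))
```

Run on the constructed data, the coverage check reports that `fileserver-01` lacks `directory-state` and `service-accounts`, which is exactly the kind of gap that leaves a restore unable to bring the service back even though the user data is intact.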

Immutable backups also do nothing to prevent data exfiltration. Here, companies should invest in encrypting their data assets, which is only possible with an accurate and up-to-date picture of where that data is. Organizations should also consider monitoring tools that can detect anomalous data movement, and invest in protecting privileged user accounts.
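A minimal version of the anomalous-data-movement detection just mentioned, as an added example that is not part of the article and not the output of any particular monitoring product. It reads constructed egress log lines (date, source host, destination, bytes out), builds a per-host daily baseline and flags any host whose outbound volume on a given day is many times its prior median and above an absolute floor; the log format, host names and thresholds are assumptions.

```python
"""Flag hosts whose outbound data volume jumps far above their own baseline (added example)."""
import statistics
from collections import defaultdict

# Constructed egress log, one record per line: "date host dest_ip bytes_out".
# Hosts, addresses and volumes are invented; fs-01's last line models a bulk
# transfer to an unfamiliar destination.
EGRESS_LOG = """\
2024-03-01 ws-042 203.0.113.10 120000
2024-03-01 ws-042 203.0.113.11 95000
2024-03-01 fs-01 203.0.113.10 40000
2024-03-02 ws-042 203.0.113.10 110000
2024-03-02 fs-01 203.0.113.11 38000
2024-03-03 ws-042 203.0.113.12 130000
2024-03-03 fs-01 203.0.113.10 45000
2024-03-04 ws-042 203.0.113.10 105000
2024-03-04 fs-01 198.51.100.7 52000000
"""


def parse_egress(text):
    """Return (date, host, dest, bytes) tuples, skipping blank or malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        date, host, dest, nbytes = parts
        try:
            rows.append((date, host, dest, int(nbytes)))
        except ValueError:
            continue
    return rows


def daily_totals(rows):
    """Aggregate to {host: {date: total_bytes_out}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, host, _dest, nbytes in rows:
        totals[host][date] += nbytes
    return totals


def flag_anomalies(totals, day, ratio=5.0, floor=1_000_000):
    """Return {host: multiple_of_baseline} for hosts whose volume on `day` is both
    above `floor` bytes and more than `ratio` times their median on earlier days.

    The floor stops quiet hosts with near-zero baselines from alerting on trivial
    growth; the ratio keeps a host's normal daily volume from being flagged.
    ISO dates compare correctly as strings, so `d < day` selects prior days.
    """
    alerts = {}
    for host, by_date in totals.items():
        today = by_date.get(day, 0)
        prior = [v for d, v in by_date.items() if d < day]
        if not prior:
            continue  # no baseline yet; a real deployment would use a longer window
        baseline = statistics.median(prior)
        if today >= floor and today > ratio * baseline:
            alerts[host] = round(today / baseline, 1)
    return alerts


if __name__ == "__main__":
    totals = daily_totals(parse_egress(EGRESS_LOG))
    print(flag_anomalies(totals, "2024-03-04"))
```

On the sample data only `fs-01` is flagged, at roughly 1300 times its median prior volume; `ws-042` moves a similar amount every day and stays quiet. A production version would key on destination reputation and the identity of the account driving the transfer as well as raw volume, but the per-host baseline is the part most teams lack.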

Most ransomware is still spread through phishing and social engineering. Businesses can take technical measures to protect their perimeter, but training staff to spot suspicious emails, links and attachments, combined with multi-factor authentication, remains the strongest defense against ransomware.

With ransomware, as with other forms of fraud and online crime, defense in depth requires security awareness.

Source: https://www.computerweekly.com/feature/Ransomware-storage-and-backup-Impacts-limits-and-capabilities