Ransomware is top of mind for many organizations’ leaders as their organizations face the potentially disastrous aftermath of successful attacks. The business consequences of downtime caused by ransomware attacks can be devastating, and they drive the need for best practices and capabilities across IT, specifically for data protection. Veeam’s Hyper-Availability Platform addresses these concerns with a combination of technologies and solutions for mitigating the risk of ransomware and improving safe, secure recovery.
As the frequent media coverage reflects, ransomware has become a focus area for many organizations because high-profile attacks against them have risen dramatically in the past couple of years. According to ESG research, nearly two-thirds of surveyed organizations across North America and Western Europe experienced a ransomware attack at some point last year, with 22% reporting weekly attacks. The attacks have helped make cybersecurity a target of IT investment, and spending is accelerating.
Ransomware is not just a technical inconvenience for IT. It is a profitable criminal endeavor pursued by bad actors who will not hesitate to hurt entire public institutions and private businesses. Ransomware attacks are not going away any time soon, either.
ESG research confirms that business and technology leaders are very concerned. The consequences to their organizations can be far-reaching, not only affecting the confidence of employees and consumers about the organization, but also potentially destroying mission-critical data assets that can’t be easily or economically recreated. In addition to the data-loss risk—itself a fundamental, unacceptable business risk exposure—direct and indirect consequences of service and system unavailability can significantly affect an organization in the short and long term.
Ransomware attacks are akin to “logical disasters.” From a recovery perspective, in other words, they aren’t that different from data corruption events or failed hard drives that become unusable. Clearly, though, the cause of these logical disasters sets them apart and dictates the type of effort needed to stop them. Unfortunately, in most cases, data that was held for ransom will still be deemed too risky or corrupted to use—or it will remain unavailable—whether a ransom is paid or not.
What’s needed to fend off this epidemic are best practices and tools to:
- Prevent or at least mitigate attacks.
- Protect data and backup data.
- Recover reliably.
The rate of ransomware attacks over the past 12 months paints a bleak picture of their pervasiveness and reveals why preventing and mitigating attacks are strategic imperatives.
Earlier FBI data showed ransomware as a $1 billion run-rate operation in 2016. While the newest findings have not yet been published, it is likely that this already staggering number will have dramatically increased. And notably, ESG research shows that the retail and telco sectors were twice as likely as other industry verticals to be victimized daily.
Ransomware attacks are constantly evolving efforts leveraging sophisticated tactics, techniques, and procedures. The list is growing and ever-changing, making defense complex for organizations. Attacks also happen on multiple fronts, with email being a common intrusion vector, as culprits bank on “click-happy” end-users to be their unwitting accomplices—they exploit human vulnerability with email attachments and links. Drive-by downloading is also frequently leveraged.
Application Downtime and Data Loss Impact Businesses
As mentioned, data and systems unavailability triggers a domino effect of other technical and business consequences. ESG research recently identified the impact of downtime and data loss. One interesting finding is that 71% of surveyed organizations could not tolerate more than one hour of downtime for their high-priority applications, and those are the same applications that tend to be primarily targeted by ransomware.
ESG also identified that 24% of production servers/services fall in the “no downtime ever” category, meaning that whatever data or application(s) they run must be available all the time—or be made available through availability and recovery processes such as those developed and sold by Veeam.
In addition, from a recovery point objective (RPO) perspective, 51% of organizations surveyed by ESG report that for their high-priority applications, 15 minutes’ worth of data is the maximum loss they can tolerate without significant business impact.
Best Practices and Technologies Are Needed
To fend off ransomware attacks, ESG recommends several cybersecurity and backup and recovery best practices and technologies. Here is a high-level summary of factors and activities to focus on:
- End-user education, intrusion testing, and mock phishing conducted by a third-party cybersecurity partner are all strong starting points. End-user education is especially important for less experienced staff and should not be forgotten.
- Email and web controls are crucial, given the likelihood of infection coming from those vectors. To establish a first line of defense for the infrastructure, use tools that can identify and block illegitimate spear-phishing emails, scan for known ransomware or malware in emails, and isolate attachments for analysis. This effort should encompass native cloud applications such as Office 365. Web controls can be used to analyze a website’s reputation and block known bad URLs, and they can scan for malicious downloads and browser exploits. Additional techniques such as sandboxing also help in reining in the expansion of new or unknown malware.
- Endpoints are often the attack vector for introducing ransomware, so a robust set of countermeasures is needed. Endpoint security controls that employ multiple detection technologies to prevent file-based and file-less ransomware, as well as other types of malware, are critical. For fixed function systems, and those with fewer configuration and usage pattern deviations, application control is highly effective. Only allowing known-good software on employees’ endpoints significantly mitigates the risk of an executable wreaking havoc on the endpoint, and then spreading further via the network. Additionally, behavioral monitoring with dynamic analysis via sandboxing to detect suspicious behaviors (encryption, connections to mapped drives, etc.) is a much-needed complement to the endpoint protection effort.
- Network-based controls have a vitally important role to play in preventing the spread of ransomware. The effort begins with establishing protection across all ports and protocols and monitoring all traffic on the physical or virtual network. The effort to monitor the network for known ransomware (using a combination of techniques such as pattern matching and script emulation) can be complemented by detection methods such as sandbox analysis for new and unknown ransomware.
- Servers, especially database servers, have also become targets for ransomware attacks. Servers require the use of technologies to scan for ransomware and other forms of malware and controls to maintain system integrity. Being diligent about maintaining patching discipline is an obvious best practice, but it comes with an operational impact for many organizations and does not prevent zero-day attacks. Virtual patching via host intrusion detection and prevention (HIDS/HIPS) is an effective security layer centered on detecting exploits so that malicious traffic never reaches the server’s application. Server hardening, file integrity monitoring (FIM), and application control are also important server security controls to maintain known, trusted states of server workloads.
Finally, as is the case with any major IT interruption event, a focus on incident response and preparedness must be front and center to thwart and/or recover from ransomware attacks. Organizations should test their incident response plans, including the ability to effectively restore production systems and data in the event of a compromise.
Backup and Recovery
Beyond employing cybersecurity best practices, backup and recovery is an important component of ensuring uptime, and it needs to be carefully examined and optimized. Best practice activities can include the following:
- Training IT staff, an activity that is as critical as training end-users. It might even be more critical, given IT administrators’ proximity and access to critical infrastructure. Pay special attention to educating the backup team, providing them with regular training on security, networking, and storage best practices.
- Following the 3-2-1 Rule, which dictates that three copies of company data are to be saved on two different media, and one of those copies should be offsite. Veeam adds an additional “1” to the 3-2-1 Rule, in which one copy of the storage media is to be kept entirely offline—i.e., air-gapped without a direct connection to the internet, to any IT network, or to any other computer.
- Managing access controls, using different credentials for backup roles and permissions to access the backup application, the data store/repository, and the network. This is an activity vital to “protecting the protector.” Hence, it is an activity vital to recovering data and systems. Using a different file system for backup storage can also help in limiting the propagation of ransomware.
- Looking for a solution with behavioral alerting capabilities. Behavioral alerting is a feature that can be very useful within a backup and recovery application—especially when it alerts an admin about a possible ransomware activity flag, such as the detection of intense encryption activity, very high CPU utilization, or very high I/O activity.
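The behavioral alerting described above, as an added example that is not part of the original paper or of Veeam’s product: a Python sketch that compares each host’s latest backup run against the median of its earlier runs on the indicators the text names (change volume, compressibility as a proxy for encryption, CPU, I/O) and raises an alert only when several agree. The telemetry records and field names are constructed for illustration, and the entropy helper shows the per-file check a backup agent could use to confirm “intense encryption activity”.

```python
import math
from collections import Counter
from statistics import median

# Constructed per-run backup telemetry (hypothetical field names, not a real product schema):
# GB changed since the previous run, achieved compression ratio, source host CPU %, disk IOPS.
SAMPLES = {
    "fileserver01": [
        {"changed_gb": 12, "compress_ratio": 2.9, "cpu_pct": 22, "iops": 1500},
        {"changed_gb": 14, "compress_ratio": 3.1, "cpu_pct": 25, "iops": 1700},
        {"changed_gb": 11, "compress_ratio": 3.0, "cpu_pct": 20, "iops": 1400},
        {"changed_gb": 13, "compress_ratio": 2.8, "cpu_pct": 24, "iops": 1600},
        # last run: most data rewritten as incompressible content while CPU and I/O spike
        {"changed_gb": 480, "compress_ratio": 1.02, "cpu_pct": 91, "iops": 9800},
    ],
    "dbserver01": [
        {"changed_gb": 40, "compress_ratio": 1.8, "cpu_pct": 45, "iops": 3000},
        {"changed_gb": 55, "compress_ratio": 1.7, "cpu_pct": 50, "iops": 3400},
        {"changed_gb": 38, "compress_ratio": 1.9, "cpu_pct": 42, "iops": 2900},
        {"changed_gb": 60, "compress_ratio": 1.75, "cpu_pct": 47, "iops": 3300},
        # last run: an I/O spike alone (e.g. a batch job), nothing else out of line
        {"changed_gb": 70, "compress_ratio": 1.7, "cpu_pct": 55, "iops": 14000},
    ],
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a sampled file; encrypted data sits near 8.0, text well below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def evaluate_run(history, current, change_x=5.0, ratio_floor=1.2, cpu_x=2.5, io_x=4.0):
    """Compare the latest run with the median of earlier runs; return the indicators that fire."""
    base = {k: median(run[k] for run in history) for k in current}
    flags = []
    if current["changed_gb"] > change_x * base["changed_gb"]:
        flags.append("change_rate")          # far more data rewritten than usual
    if current["compress_ratio"] < ratio_floor:
        flags.append("incompressible_data")  # encrypted blocks do not compress
    if current["cpu_pct"] > cpu_x * base["cpu_pct"]:
        flags.append("cpu_spike")            # bulk encryption is CPU-heavy
    if current["iops"] > io_x * base["iops"]:
        flags.append("io_spike")             # every file read, rewritten, renamed
    return flags

def alerts(samples, min_indicators=2):
    """Alert only when several indicators agree, so one busy night does not page anyone."""
    flagged = {host: evaluate_run(runs[:-1], runs[-1]) for host, runs in samples.items()}
    return {host: f for host, f in flagged.items() if len(f) >= min_indicators}
```

Thresholds are illustrative; in practice they are tuned per host from a longer history, and a single firing indicator is worth logging even when it does not page anyone.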
Veeam’s Hyper-Availability Platform to the Rescue
Veeam’s Hyper-Availability Platform and related components of the overall Veeam Availability portfolio offer data availability to enterprises no matter where the data lives—on-premises in the core data center, in remote offices, in individual devices, or anywhere in the cloud. It is perfectly suited for ransomware protection with a keen focus on both data centers and endpoints.
On the data center side of the equation, Veeam allows organizations to restore data infected by ransomware to a known good state using the Veeam Hyper-Availability Platform. End-users can leverage the Veeam Availability Suite to perform quick and granular restore operations for databases, applications, files, and operating systems. In many cases, complete recoveries will be needed to restore systems affected by ransomware. Veeam also provides advanced protection for popular online applications such as Microsoft Office 365.
The Bigger Truth
Ransomware is here to stay, and it will grow as a business threat to organizations around the world. Thanks to ransomware’s broad attack surface—not to mention the combined criminal and technical creativity its instigators possess—we are observing an ever-evolving challenge unfold for cybersecurity and data protection professionals.
Ransomware has truly become a potentially devastating business risk. It needs to be managed with a combination of best practices and tools spanning a wide array of technologies and activities. Even the best-prepared organizations are vulnerable to data and system availability failures caused by cybercrimes, which is making the role of backup and recovery technology and associated best practices even more central and visible.
Optimizing data and systems availability requires careful planning and an iron-clad set of tools to recover precious data assets and services in a timely fashion with very limited data loss. Veeam’s Hyper-Availability Platform does just that. And it has already helped many organizations successfully recover from malicious attacks.