Of all the cybercriminal threats out there, a ransomware attack is among the most devastating. It spreads quickly through your network, is a nightmare to remove from your machines, and makes every file it encrypts inaccessible until you obtain the key, which usually means paying the ransom. Unless you have copies of those files that you know for certain were untouched by the ransomware (and a conventional backup that the infected machine can reach and rewrite cannot assure that), you are basically out of luck.
In a nutshell, ransomware extortionists attack your network with malware that encrypts your files, then demand a large ransom payment, typically through a “darknet” site, before the decryption key is provided. If you don’t pay promptly, the criminals threaten to delete the decryption key, after which your encrypted data is lost for good. Usually the crooks do supply the key once payment is received, but like any other extortionist they may make further demands or simply cut off communication altogether.
Typically, however, they do send the decryption key, and this is why so many organizations simply suck it up and pay. In 2016 the FBI received reports indicating that American companies paid an estimated $1 billion in ransoms, compared with $25 million in all of 2015. Even these staggering figures are only the tip of the iceberg next to the lost productivity and the all-too-frequent permanent data loss that follow a ransomware attack.
And the situation is getting worse: with profits this large, cybercriminals can afford to pay highly skilled programmers to churn out thousands of new ransomware variants every month, which makes signature-based detection much harder. Ransomware has become a major industry, and by growth rate it ranks first among illegal enterprises.
Some industry pundits have taken a “blame the victim” attitude, claiming that common ransomware targets (hospitals, schools and police stations) are hit because “they all lack sophisticated cybersecurity like anti-virus, backup, and disaster recovery.” We think those claims are unwarranted: virtually every customer we have spoken to had implemented at least two of those three measures.
Here’s the real issue: anti-malware products are not infallible, and when they fail, conventional storage lets the malware destroy data because it runs under the credentials of a legitimate user and inherits every write and delete permission that user holds. We’ll cover several common-sense precautions that reduce the risk, and then, for the cases where those precautions aren’t enough, show how Assureon, our hardened archive technology, blocks attempts by malware to delete or corrupt your valuable data.
Simply put, ransomware is malware that encrypts your data and demands a ransom before it will decrypt it. Strains differ in how they infect your computers, whether they fetch the key from a remote server or generate it locally, and how payment is collected. A strain may have a name like “Locky,” “CryptoLocker,” “Cerber” or “Ransom32,” but don’t be lulled into a false sense of security by thinking that published lists of ransomware names (and their properties) give you a complete picture of the threats you need to defend against.
In reality, each of those families may have thousands of variants with distinctly different behaviors. Cybercriminals routinely capture a specimen of an existing strain, make a few changes (including the payment method demanded) and use it against their own list of targets. These new variants often elude anti-malware software until a new batch of signatures is developed and distributed.
If the ransomware generates or stores its decryption key locally, it is at least theoretically possible for an anti-malware vendor to build a tool that removes the infection and decrypts the data without a ransom being paid, because the key can be recovered from the infected machine or from the malware itself. Unfortunately, ransomware increasingly keeps the decryption key on the criminals’ own server, reached through anonymizing networks such as Tor, so that it is never left on the victim’s machine, and protects the files with strong, standard encryption such as AES-256. With a properly implemented cipher and no copy of the key, there is no shortcut: brute-forcing a 256-bit key is computationally infeasible.
As a practical matter, if you are hit by this latter type of ransomware and have no clean copy of your data, the only way to decrypt your files is to pay the ransom (usually at least $1,000, but often much more) and hope that the key arrives and the decryption process goes smoothly. The mechanics of paying vary, but usually involve a cryptocurrency such as Bitcoin, which is itself beyond the technical comfort of many victims.
Of course, paying the ransom doesn’t guarantee that you’ll recover your files. The criminals might take the money and never send the key, although that appears to be uncommon. Because the payment process is deliberately convoluted, there are many opportunities for communication breakdowns in which the payment fails to go through or the key never reaches the victim. More common still is damage done to some or all of the files by the victim’s well-meaning but misguided troubleshooting and repair attempts in the initial confusion of the attack; those files then fail to decrypt even after the ransom is paid. For that reason, preserve the encrypted files and the ransom note exactly as they are before attempting any cleanup.
Because ransomware gets into your network using the familiar paths taken by previous generations of malware, many of the same preventative measures used to fight those earlier threats can help you reduce risk today:
Even with all these precautions, we know of many organizations that have fallen victim to ransomware and other malware. For example, a hospital with a very careful IT department still suffered a massive ransomware attack that encrypted all of its patient radiology studies. No hospital wants to be on the news for losing patient records and being down for days while it recovers files from backups. In this case the hospital’s downtime was a matter of minutes, because it had previously deployed a Nexsan Assureon hardened archive.
Assureon was purpose-built as a secure, hardened archive for important unstructured data. Delivering a higher level of integrity and assurance than conventional servers and storage, it is designed to provide a superset of the storage requirements of compliance regulations such as HIPAA, SEC 17a-4, Dodd-Frank, FDA 22, Sarbanes-Oxley and PCI. In other words, Assureon lets you meet these stringent standards and exceed them.
When ransomware gets past your defenses, it obtains or generates a secret encryption key and uses it to encrypt every file it can write on the local device and on any network share it can reach, mapped drives and unmapped shares alike. Typically the files are also renamed to something like “mydocument.doc.encrypted.” Any files you have protected with Assureon, however, remain untouched inside its archive: the ransomware holds only the user’s write permissions, and the archive does not honor overwrite or delete requests from anyone.
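The renamed, near-random files described above are exactly what a responder looks for. The following Python script is an added example for this page, not Nexsan code or any product’s detection logic: it walks a directory tree, flags files whose suffix matches a ransom-style extension or whose content is close to uniformly random (high Shannon entropy), and checks a decoy “canary” file that no legitimate process should ever modify. The suffix list, the 7.5 bits-per-byte threshold and the sample files it builds in a temporary directory are all constructed for the demo.

```python
from __future__ import annotations

import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Suffixes appended by well-known families (assumed list for the demo; extend from your own intel).
RANSOM_SUFFIXES = {".encrypted", ".locked", ".crypt", ".locky", ".cerber"}
ENTROPY_THRESHOLD = 7.5   # bits/byte; ciphertext scores near 8.0, text well under 6 (assumed cut-off)
SAMPLE_BYTES = 64 * 1024  # only the first 64 KiB of each file is examined
MIN_SAMPLE = 256          # too few bytes to estimate entropy reliably below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_indicators(path: Path) -> list[str]:
    """Names of the indicators that fire for one file, in a fixed order."""
    hits = []
    if path.suffix.lower() in RANSOM_SUFFIXES:
        hits.append("ransom-suffix")
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    # High entropy alone is weak evidence: zip, jpeg and legitimately encrypted files
    # look the same. Treat it as corroboration for a rename, not as proof by itself.
    if len(head) >= MIN_SAMPLE and shannon_entropy(head) >= ENTROPY_THRESHOLD:
        hits.append("high-entropy")
    return hits


def scan_tree(root: Path, canaries: dict[str, str]) -> dict:
    """Scan every file under `root`. `canaries` maps relative path -> expected SHA-256
    of a decoy file nothing legitimate touches; any change to it is a strong signal."""
    report: dict = {"files_scanned": 0, "flagged": {}, "canary_tampered": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            report["files_scanned"] += 1
            hits = file_indicators(p)
            if hits:
                report["flagged"][p.relative_to(root).as_posix()] = hits
    for rel, expected in canaries.items():
        p = root / rel
        if not p.is_file() or sha256_file(p) != expected:
            report["canary_tampered"].append(rel)
    strong = any(len(h) == 2 for h in report["flagged"].values())
    report["suspected_ransomware"] = strong or bool(report["canary_tampered"])
    return report


def pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic stand-in for ciphertext (a SHA-256 chain) so the demo is repeatable."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


def build_demo_tree(root: Path) -> dict[str, str]:
    """Constructed sample data: a plain document, a benign zip, a canary, and the
    aftermath of the attack described above (encrypted content, renamed file, canary hit)."""
    (root / "reports").mkdir(parents=True)
    (root / "notes.txt").write_bytes(b"quarterly radiology throughput summary\n" * 40)
    (root / "archive-2015.zip").write_bytes(pseudo_random(4096, b"zip"))  # compressed data is high-entropy too
    canary = root / "reports" / "DO_NOT_OPEN.docx"
    canary.write_bytes(b"decoy document, content must never change\n" * 10)
    canaries = {"reports/DO_NOT_OPEN.docx": sha256_file(canary)}
    # The ransomware runs as the user, so it can rewrite and rename anything the user can.
    (root / "reports" / "study-0042.dcm.encrypted").write_bytes(pseudo_random(8192, b"dcm"))
    canary.write_bytes(pseudo_random(2048, b"canary"))  # it cannot tell a decoy from real data
    return canaries


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return scan_tree(root, build_demo_tree(root))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run against a real share, the zip would be the usual false positive; that is why the verdict requires either a file that fires both indicators or a touched canary, and why canaries are worth planting on every share the users can write to.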
Until the ransomware is detected and removed, Assureon may ingest the encrypted copies as new versions of those files, but the clean versions already archived are not replaced. Recovery is then extremely fast: Assureon gives you the option to restore tiny shortcuts (sometimes called “stubs”) that represent your undamaged files to your production servers, overwriting whatever garbage the ransomware left behind at a rate of thousands of files per second. In the natural course of business, your most frequently used files re-inflate for faster access while the rest remain as shortcuts. Assureon also offers a unique, higher-performance option called “Virtual Shortcuts,” which effectively requires zero time to recover files to your production servers.
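To make the archive’s behavior concrete, here is a small Python model of a write-once, versioned archive with integrity checking. It is an added illustration for this page and not Assureon’s implementation or API: the class and method names, the in-memory storage and the sequence counter that stands in for ingest time are all assumptions of the demo. It walks through the scenario of the two preceding paragraphs: a document is archived, ransomware running with the user’s permissions destroys the working copy and is refused when it tries the archive, the encrypted copy is ingested as a later version, and the responder restores the newest version ingested before the attack.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


class ArchivePolicyViolation(PermissionError):
    """Raised for any attempt to alter or remove content already archived."""


class IntegrityError(RuntimeError):
    """Raised when stored bytes no longer match the digest recorded at ingest."""


@dataclass(frozen=True)
class Version:
    path: str
    seq: int      # monotonic ingest counter; stands in for the ingest timestamp
    digest: str   # SHA-256 of the content, also the storage key


class WormArchive:
    """Write-once archive: ingest only appends, nothing is ever replaced or removed."""

    def __init__(self) -> None:
        self._blobs: dict[str, bytes] = {}            # digest -> content
        self._history: dict[str, list[Version]] = {}  # path -> versions, oldest first
        self._seq = 0

    def ingest(self, path: str, data: bytes) -> Version:
        digest = hashlib.sha256(data).hexdigest()
        self._blobs.setdefault(digest, data)           # identical content is stored once
        self._seq += 1
        version = Version(path, self._seq, digest)
        self._history.setdefault(path, []).append(version)
        return version

    def delete(self, path: str) -> None:
        # The caller's identity is irrelevant: there is no delete path at all.
        raise ArchivePolicyViolation(f"refusing to delete {path!r}: archive is write-once")

    def versions(self, path: str) -> list[Version]:
        return list(self._history.get(path, []))

    def restore(self, path: str, before_seq: int | None = None) -> bytes:
        """Newest version of `path` ingested before `before_seq` (or the newest overall),
        verified against its recorded digest before it is handed back."""
        candidates = [v for v in self.versions(path)
                      if before_seq is None or v.seq < before_seq]
        if not candidates:
            raise KeyError(f"no version of {path!r} before seq {before_seq}")
        version = candidates[-1]
        data = self._blobs[version.digest]
        if hashlib.sha256(data).hexdigest() != version.digest:
            raise IntegrityError(f"{path!r} version {version.seq} is corrupt on disk")
        return data

    def verify(self) -> list[str]:
        """Digests whose stored bytes no longer match: silent corruption of the backing store."""
        return sorted(d for d, b in self._blobs.items()
                      if hashlib.sha256(b).hexdigest() != d)


def simulate_attack() -> dict:
    """Walk through the scenario: archive, attack, refused deletion, point-in-time restore."""
    archive = WormArchive()
    working: dict[str, bytes] = {}   # conventional storage: the user's process may do anything
    path = "radiology/study-0042.dcm"
    original = b"DICM constructed pixel data for the demo " * 64   # constructed sample content

    working[path] = original
    first_good = archive.ingest(path, working[path])

    # Ransomware runs as the user: the working copy is replaced and renamed without objection.
    ciphertext = hashlib.sha256(original).digest() * 128   # stand-in for the encrypted bytes
    del working[path]
    working[path + ".encrypted"] = ciphertext

    # The same request against the archive is refused regardless of who asks.
    try:
        archive.delete(path)
        delete_refused = False
    except ArchivePolicyViolation:
        delete_refused = True

    # Until the infection is noticed, the encrypted file is ingested like any other new file.
    first_bad = archive.ingest(path + ".encrypted", ciphertext)

    # Recovery: the newest version of the document ingested before the attack began.
    restored = archive.restore(path, before_seq=first_bad.seq)

    # Integrity: simulate a bit flip on the media; verify() reports it instead of hiding it.
    archive._blobs[first_good.digest] = original[:-1] + b"X"
    corrupt = archive.verify()

    return {
        "delete_refused": delete_refused,
        "working_copy_lost": path not in working,
        "restored_matches_original": restored == original,
        "versions_archived": len(archive.versions(path)) + len(archive.versions(path + ".encrypted")),
        "corruption_detected": corrupt == [first_good.digest],
    }


if __name__ == "__main__":
    for key, value in simulate_attack().items():
        print(f"{key}: {value}")
```

The point a responder should take from `restore(..., before_seq=...)` is that “latest version” is not the right thing to restore after an attack: the archive keeps ingesting while the ransomware runs, so recovery is a point-in-time selection, and that point must be established from the incident timeline before anything is pushed back to production.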
Summing up, let’s be clear: Assureon was architected from the beginning on the assumption that attempts at corruption or deletion can come from anyone, anywhere and at any time, ransomware included. That’s why Assureon simply rejects every such attempt, whether it originates from a virus, ransomware, spyware, a user mistake, a software error, or a threat that hasn’t been invented yet.
It’s a simple fact that ransomware attacks are getting more damaging and arriving faster. Diligently following the preventive steps discussed above will certainly cut the frequency of successful attacks, but the only true protection for your high-value data is to lock it down in a hardened storage solution like Nexsan Assureon. Given the huge cost in time and money of dealing with a ransomware attack, we think deploying Assureon is the smartest move you can make.
Nexsan® has been a global enterprise storage leader since 1999, delivering reliable, cost-effective and highly efficient storage solutions. Nexsan’s portfolio lets enterprises securely store, protect and manage valuable business data with a broad product line of unified storage, block storage and secure archiving. www.nexsan.com.