Keeping ransomware at bay - the basics

Ransomware is currently the most feared type of cyber attack, with daily incidents ensuring it stays in the headlines, not just in the tech press but further afield too, meaning that CEOs and non-technical business leaders are acutely aware of the threat and the damage that can be done.

This has led to an urgent search for ways to prevent cyber attackers from breaching defences and limiting the fallout from ransomware if they do manage to get though.

We spoke to senior executives, both with long cyber security experience, of two vendors neither of which is a classical anti-malware company, but who say that ransomware is top of mind.

"Ransomware is the number one topic that our customers are asking us about. It's the topic, most people are concerned about today," said Gil Vega, CISO at backup software firm Veeam.

The headlines may be catching the eye, but ransomware is really just the latest iteration of destructive malware, albeit one that's attached to a highly lucrative business model. Attackers still need to get onto the network which they commonly do by phishing or via a third-party supplier. They still need to launch their attack before drawing attention to their presence, and they must stay ahead of efforts to stop them.

"Ransomware is just a new hot flavour of application and data corruption where you need to do a fast and efficient recovery," said Dan Graves, CTO of data automation company Delphix.

In defending against ransomware, therefore, many of the old rules still apply, but the way they are applied is critical.

Concentrate on culture

In a moment of absent-mindedness anyone, even experienced professionals, can be tricked into clicking a link in a well-crafted phishing email, and the key is to minimise the chances of this happening. This makes everyone responsible for cyber security.

There are still many companies security is buried deep within the IT infrastructure organisation, it's considered a technical role - Gil Vega, CISO Veeam

Gil Vega: "The key point is it's around culture. It's around programme governance; it's around making sure that the security function of a company is set up properly and has the right level of access to the decision makers in the company.

"There are still many companies where my function [CISO] is buried deep within the IT infrastructure organisation, It's considered a technical role."

The most important part of instilling a security conscious culture is effective training.

GV: "Gone are the days where you can just hand an employee a laptop, access to a VPN and say go have fun. They've got to be, they've got to be drilled, they've got to be trained, they've got to be tested, they've got to be incentivised to do the right thing, and if they don't, your company is going to be in a lot of trouble. Ninety per cent of these sophisticated successful attacks occur because someone clicked on the wrong email."

Purveyors of malware are always looking for a way in, and some companies make this task much easier with their siloed management structures and a disjointed and dysfunctional approach to cyber security. It's essential that cyber incident response capabilities are regularly tested on an organisation wide basis via wargaming, mystery shopper or other techniques, so that any holes in the armour can be identified before an attacker finds them.

It's also widely accepted best practice to assume the attacker is already on the network and to focus on implementing zero-trust strategies to minimise the damage if and when they decide to press the button.

GV: "There will be breaches, you have to have resiliency plans in place to recover from those breaches. And the most important thing related to all of that is making sure that you've set aside rules on who's making the decision, how those decisions are made, and who's ultimately accountable."

Looking out for anomalies

The main cost of ransomware is generally not the ransom itself (should you decide to pay up in the hope of obtaining a decryption key), but rather the days or even weeks lost to the organisation as it repairs the damage, with the hit to operations, incomes and reputation that this implies, as well as the considerable number of engineer hours required to put things right again.

Even though ransomware can spread across a network with frightening speed, it is still a stepwise process, and spotting an attack in the early stages can save a lot of trouble later on. One method is looking at the rate of data change, which can be monitored by systems that maintain a continuous copy of the data. A sudden change in the amount of changed data in an application that normally writes a few per cent of data daily is a sure sign there's something wrong.

Dan Graves: "If the rate of change suddenly spikes to 50 per cent in a production application that could be a sign of ransomware encrypting data. So we raise a flag saying something bad is happening with that application."

Similarly, a sudden change in the volume or type of network traffic is a warning sign. With realtime visibility into the network, automated systems may be able to isolate and quarantine affected systems before too much damage has been done.

GV: "Understanding what good looks like, so that if something anomalous happens you can quickly respond to is really the only way to give yourself a fighting chance in today's threat environment."

Mind your backups

It goes without saying that important and sensitive data needs to be backed up, but at least some of these backups need to be disconnected from the network or write-protected, otherwise could be encrypted online.

Veaam recommends what it calls the 32110 approach.

GV: "We call it the ‘data protection zip code'. The strategy involves keeping at least three copies of your data stored on two different media. One of those is either off site or immutable. One is offline and you're able to back up with no errors.

Important data should be backed up at regular intervals, although there are cost and resource considerations as to the best sampling durations. The vital metrics are the recovery time objective and the recovery point objective (RTO and RPO). Data should be quickly recoverable to a state it was in a reasonable length of time ago, either by dialling back through immutable copies until you find one before the ransomware hit, or by having parallel sites that can be quickly brought online and switched over.

As always, regularly testing of RPO and RTO to ensure back up and restore is working as it should essential.

GV: "If you're not exercising your restoration, and you're not confident in your ability to completely restore your data to a known good state and bring up your businesses, then the whole point of backing up is kind of useless."

And it's not enough just to protect production data. Ransomware attacks now typically involve data theft with a threat to publish sensitive information. Knowing that production data is likely to be well-protected, attackers may target copies of the data.

The easiest attack vector for stealing data is to go after non-production systems - Dan Graves, CTO Delphix

DG: "You may have intrusion detection systems, maybe your firewalls are in a locked-down room with physical security around the production data. But then if you look at all of the copies that that exist around the network, maybe for QA, on laptops, backup systems, developer systems, maybe there's an analytics copy out in some cloud somewhere where they're running ML against it, those tend to be less well defended. So the easiest attack vector for stealing data is to go after these non-production systems."

To protect data in these copies, organisations can profile it and anonymise sensitive fields such as addresses, ages, credit card numbers and the like. The primary use case for such systems is to ensure compliance with regulations like GDPR and HIPPA, but Graves says masking is increasingly of interest for data theft and blackmail protection too.

DG "The [Delphix] masking product is for regulatory compliance and people are using it for protection against ransomware is relatively new."

Another way that placing crown jewels in a strongbox may give a false sense of security is when the attackers take down another part of the business with a damaging knock-on effect. Vega notes that the Colonial Pipeline attackers targeted the management systems which were actually air-gapped from the industrial control systems, but a lack of visibility into the management system meant the ICS had to be shut down.

Attaining real-time visibility across the whole system is therefore another important measure in defending against ransomware.

Embrace immutability

Another common way for attackers to get onto a network is by phishing, cracking or otherwise obtaining an admin's login credentials. The Colonial Pipeline hackers first breached the system using a compromised password for a VPN account no longer in use. Graves recommends regularly locking down an immutable ‘rainy day copy' which not even admins can delete.

DG: "No one can get in there and shut it off and delete it, that capability is missing on purpose. They don't have the ability to delete or alter that rainy day copy of the data."

The extra resources required to maintain immutable copies are minimal, Graves insists, because of deduplication and compression technologies.

Use collective intelligence

There are a few reasons why the financial sector has suffered fewer high profile ransomware attacks than other sectors. The first is that it spends on cyber security per se, because of the ‘that's where the money is' factor. Another is that as a highly regulated industry, there is a lot of information sharing.

"GV: In the United States we have these bodies called Information Sharing and Analysis Centres or ISACs and the Financial Services ISAC is the most organised membership group with over 5,000 members that are all sharing information related to this topic now. ISACs are growing in these other industries but none of them are as well resourced."

Should you pay up?

No-one wants to pay a ransomware gang for a key that may or may not be delivered and who will dobtless use the funds to launch further attacks, but given that the ransom may be the least expensive part of the ordeal, it may be the least worst option.

Recently the Biden administration came out against a mooted ban on ransomware payments, reasoning that, despite potentially reducing the attractiveness of attacking firms for money, it reduces the options available to the victim as well as the information flowing from ransomware gangs that could be used to disrupt them.

"We heard loud and clear from many that the state of resilience is inadequate, and as such, if we banned ransom payments we would essentially drive even more of that activity underground and lose insight into it that will enable us to disrupt it," said US deputy national security advisor for cyber and emerging technology, Anne Neuberger.

Vega agrees that a ban could be dangerous.

GV: "We've seen many high-profile cases where that's the last remaining option, it's either pay the ransom or we go out of business.

He notes the emergence of a cottage industry of ransom negotiators.

"There's been a rise in the number of companies that that will sit and ride shotgun with you as you negotiate with these hacker groups, and a lot of these companies have established 'trusting' relationships with these attackers, to the point that they're actually marketing the fact that if they're involved in the negotiations with ransomware attackers, that there's a X percentage likelihood that that key will actually work."

But of course this is a risky strategy and the Grief gang has threatened to delete keys if victims contact negotiators, and the Ragnar Locker group warned it would leak all exfiltrated data from victims who contact law enforcement authorities.

In this high-stakes game of chicken the best option is to ensure systems can be restored in the minimum amount of time should the worst happen, which is not such a different strategy to that used to mitigate any other form of cyber attack. But it takes, time, effort, education, the right tools, and importantly imbuing security awareness at all levels.