The surge in ransomware attacks during the COVID-19 pandemic has been well documented. Scarcely a sector has escaped, with victims ranging from pipelines unable to deliver fuel to hospitals unable to treat patients.
Indeed, the number of attacks grew by an incredible 93% during the first half of 2021. The expansion in attacks has coincided with growing ambition on the part of the attackers themselves, with the ransom demands they make rising by 518%.
With the ransomware insurance market growing, there is a tendency to simply pay up and treat the ransom as an operational cost of doing business. As I argued in a recent article, this is often the worst strategy: swift payment merely emboldens criminals to keep targeting organizations, especially given the poor conviction rate that law enforcement agencies are able to secure.
Of course, paying up is often the only option for many organizations, especially those that have not adequately prepared, but organizations should be aware that it is sadly not uncommon to pay the ransom and still not recover your data or regain access to your systems. As the Colonial Pipeline case illustrates, however, there is a strong motivation to resolve swiftly a problem that causes huge operational and reputational damage. Indeed, payment is often authorized by executives who do not fully understand the extent of the breach, the damage it is causing, or what will be required to regain control and return to normal operations.
The best defense
When dealing with loss of data, provided the concern is not that sensitive information will be leaked (backups restore availability; they do nothing to stop extortion by disclosure), the best weapon in your armory is an effective system for backing up your data. Often the best chance organizations have of beating attackers' ransom demands is to understand the importance of time, in other words the speed with which systems and data can be recovered.
Doing this well requires thorough planning. A good first step is a complete audit of the data and applications used across your IT estate, ordered by their priority to the business. This is crucial in an attack because it lets you focus first on the parts of the system that must be restored to ensure business continuity: the applications whose recovery time objective (RTO) is measured in minutes.
You should aim to ensure that your backups are both comprehensive and robust, something that takes on particular importance in a pandemic in which remote working has become the norm. Best practice here is the 3-2-1 rule: keep three copies of your data, stored on two different kinds of media, with one copy kept off-site. That off-site copy should ideally be isolated from your business network, so that an attacker who has compromised the network cannot reach it.
Air gapping is by no means foolproof, but it should still be considered at a time when cloud storage makes backing up data and systems attractively straightforward. Cloud-based approaches do protect against many physical disruptions, but they are not complete protection against ransomware, especially as attackers have become more willing to target cloud services; a cloud backup that is reachable with the same credentials as the production environment can be deleted or encrypted along with it. The best approach, therefore, is to combine cloud backups with offline media (removable or detached storage such as tape) so that at least one copy is air-gapped from any attack.
As data is increasingly the lifeblood of modern businesses, it is vital that backups are made regularly so that the lag between the contents of the backup and the current state of your data (the recovery point objective, RPO) is minimal. Backup frequency is especially important for off-site copies, and if the risk of attack is high then more frequent backups are a sensible precaution.
Ransomware attackers often spend a long time inside a network before encrypting anything, using that dwell time to spread and avoid detection. As a result, recent backups may already contain the attacker's tooling or persistence, and IT teams may need to go back through several generations of backup to find clean copies. That requires retaining data for longer than would otherwise be the case, but for business-critical systems it is crucial to recovery in the event of an attack.
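The two paragraphs above describe a decision every recovery team has to make: which generation of backup is both pre-encryption and old enough to predate the attacker's dwell time. The following Python script is an added example, not code from the original article or from any backup product. It assumes a constructed catalogue of nightly backup generations (each a date plus a mapping of file paths to bytes), detects the detonation generation by the tell-tale burst of files whose contents became near-random (high Shannon entropy) or by a dropped ransom note, and then rolls back further by an assumed dwell window. The file names, thresholds and sample data are all invented for illustration.

```python
"""Find the newest backup generation that is safe to restore after ransomware.

Added illustration, not code from the original article or from any backup product.
Assumptions (all constructed here):
  - a backup "generation" is (date_taken, {relative_path: file_bytes})
  - encrypted files show as a burst of changed files with near-random content
    (Shannon entropy close to 8 bits/byte), often alongside a dropped ransom note
  - the attacker was present for `dwell_days` before detonation, so generations
    inside that window may carry implants even though their files look normal
"""
import hashlib
import math
from collections import Counter
from datetime import date, timedelta


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def fraction_encrypted(prev: dict, curr: dict, threshold: float = 7.0) -> float:
    """Share of files present in both generations that changed to near-random bytes."""
    common = [p for p in prev if p in curr]
    if not common:
        return 0.0
    hits = sum(1 for p in common
               if prev[p] != curr[p] and shannon_entropy(curr[p]) > threshold)
    return hits / len(common)


def has_ransom_note(prev: dict, curr: dict,
                    markers=("decrypt", "restore_files", "readme_ransom")) -> bool:
    """True if a file with a ransom-note-like name appeared in this generation."""
    new_files = set(curr) - set(prev)
    return any(m in p.lower() for p in new_files for m in markers)


def first_encrypted_generation(generations, change_ratio: float = 0.3):
    """Index of the first generation that looks post-detonation, or None.
    The oldest generation has no predecessor to diff against, so an attack that
    predates the whole retention window cannot be detected this way."""
    for i in range(1, len(generations)):
        prev, curr = generations[i - 1][1], generations[i][1]
        if fraction_encrypted(prev, curr) >= change_ratio or has_ransom_note(prev, curr):
            return i
    return None


def recommended_restore_point(generations, dwell_days: int):
    """Newest generation taken at least `dwell_days` before detonation.
    Returns (index, reason); index None means retention is too short."""
    hit = first_encrypted_generation(generations)
    if hit is None:
        return len(generations) - 1, "no encryption detected; newest generation is usable"
    cutoff = generations[hit][0] - timedelta(days=dwell_days)
    for i in range(hit - 1, -1, -1):
        if generations[i][0] <= cutoff:
            return i, f"detonation seen in generation {hit}; rolled back past a {dwell_days}-day dwell window"
    return None, "no retained generation predates the assumed dwell window; retention too short"


# ---- constructed sample data (not real backups) ---------------------------

def _text(tag: str) -> bytes:
    """Low-entropy stand-in for an office document."""
    return f"Quarterly report {tag}; figures and commentary attached. ".encode() * 80


def _ciphertext_like(seed: str, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted files."""
    out, block = bytearray(), seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


def sample_generations():
    """Five nightly generations: two clean, one with a silent intruder, two post-detonation."""
    start = date(2021, 6, 1)
    day0 = {"finance/q2.xlsx": _text("v1"), "hr/policy.docx": _text("policy"),
            "ops/runbook.pdf": _text("runbook")}
    day1 = {**day0, "finance/q2.xlsx": _text("v2")}        # ordinary edit
    day2 = dict(day1)                                     # attacker inside, nothing visible yet
    day3 = {p: _ciphertext_like(p) for p in day2}         # mass encryption
    day3["HOW_TO_DECRYPT.txt"] = b"Your files have been encrypted. Pay to recover them."
    day4 = dict(day3)                                     # still encrypted
    return [(start + timedelta(days=i), g) for i, g in enumerate([day0, day1, day2, day3, day4])]


if __name__ == "__main__":
    gens = sample_generations()
    print(first_encrypted_generation(gens))                # 3
    print(recommended_restore_point(gens, dwell_days=2))   # index 1
```

Two points the sample makes that the prose only states: the generation taken the night before detonation (index 2) looks perfectly clean, which is exactly why a dwell-time rollback is needed, and with a ten-day dwell assumption the five retained generations are not enough and the function reports that retention is too short. In practice the dwell estimate comes from the incident investigation, and the entropy check is a heuristic that will also fire on legitimately compressed or encrypted archives, so it should inform, not replace, human review.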
Hopefully it goes without saying that organizations need to ensure that the backups they make are themselves free from malware. Robust air-gapping policies help, as does effective patching so that systems present attackers with as few holes to exploit as possible. Organizations might also consider write-once-read-many (WORM) storage, increasingly offered by cloud storage vendors as immutable storage so that a backup cannot be altered or deleted once written, and data access controls that limit who can read, change or delete critical data, systems and backups.
Lastly, these approaches should be tested to ensure that they are effective. Organizations might simulate an attack to put their processes through their paces and measure how quickly they can regain control, which means actually restoring systems from backup rather than only confirming that backup jobs completed. While ransomware attacks are on the rise, there is no reason why organizations should be held captive by attackers. Reliable backups offer a fast and effective way of minimizing the risk and fallout of any attack that is made.