Pay up or play different? Five tips for beating ransomware with backups
When it comes to ransomware, sometimes the cost of downtime can exceed the cost of paying up. Companies with frozen data and systems face lost revenue and productivity, customer departures and damaged reputations, never mind the cost of the ransom itself. Take an organization like Colonial Pipeline, which should have had healthy backups in place to quickly recover from its attack and most likely did. However, it opted to shell out $4.4 million in ransom because it didn’t know how long it would take to get up and running again.
And according to ITIC's 2021 Hourly Cost of Downtime survey, one hour of a server being inoperable costs $300,000 or more for 91 percent of mid-sized and large enterprises.
It’s a tough choice to make, but here’s the thing. In a survey by Sophos, those that did pay up only got 65 percent of their encrypted files back -- one-third of their data remained inaccessible. Decryptions can fail, a higher ransom fee can be demanded, and even if all goes smoothly, a willingness to pay could entice the attackers to return.
In fact, malware could already be waiting in the backups themselves, ready to wreak havoc again. That’s because such malware can go undetected in a system for weeks, even months. This makes it highly probable that existing threats will get swept up into regular backups. Then, when an enterprise needs to recover quickly, they get a nasty surprise when the backups they’re relying on contain malware too.
Protect the Net
There’s no way of keeping on-prem, cloud or SaaS infrastructure or applications 100 percent safe from a ransomware attack, so it’s vital to protect the safety net around it all. Whether you’re a standalone enterprise or a managed service provider (MSP) serving hundreds of companies, you can play differently by adopting an intelligent, recovery-first and layered defense-in-depth approach, with particular emphasis on malware-free backups.
Potential vulnerabilities are growing in line with the increasing attack surface that now exists across on-premises infrastructure, cloud infrastructure (public, private and multi-cloud), SaaS applications and endpoint devices. Attackers benefit from this expansion because it can lead to configuration weaknesses.
This raises the question: do organizations even know if all their critical data is backed up? Given the complex nature of today's multi-cloud and hybrid cloud IT environments, there’s every chance they won’t know the answer until it’s too late. After all, keeping track of data on multiple different platforms and having visibility of it all is already a major headache for IT departments, never mind ensuring everything important is backed up.
For instance, how certain are you that you are protecting the data in all your mailboxes or documents created by new starters or generated in new spaces on SharePoint? If you can’t be sure from the outset that everything you value is being backed up, the chances of a good recovery are not high.
Thankfully, technology exists that can proactively highlight gaps in protection. This can go a long way toward ensuring that the structure needed to maintain business continuity in the event of a cyber-attack is in place.
Backups are different
A recent IDC survey revealed backups are often unsuccessful in helping organizations recover from ransomware. When it comes to resilience and incident response, only 23 percent of respondents said they did not pay a ransom but were still able to recover encrypted data/files from their backup technologies. A staggering 39 percent said they did not pay a ransom at all and were unable to recover data from backup environments.
Backups alone are clearly no longer a perfect solution to ransomware because as well as encrypting data, cyber-criminals are also extorting money from their victims with threats to make sensitive data public online.
This is yet another reason why having a second shot at spotting ransomware is so important.
A defense-in-depth approach greatly enhances the ability to spot zero-day threats, which can make all the difference in avoiding encryption and downtime, as well as exfiltration and extortion. Deploying multiple methods to protect your environment also conforms with guidance recommended by leading government communications and cyber security agencies.
Further, it’s imperative that whatever malware detection is used for live data isn't also used for backups. If the software simply checks for the same signatures, malicious files will be missed in both live and backup data. Deploying a solution that harnesses artificial intelligence (AI) to police backups and detect threats not only verifies the health of backups, it provides yet another chance to spot ransomware before it encrypts everything.
Five Tips to Beat Ransomware
The best way to escape ransomware without paying is to ensure you have healthy backups in place so recovery processes can quickly restore operations. Key to this is adopting layered defense-in-depth, which raises the difficulty of an attack, often prompting bad actors to find a victim that’ll be easier to take down.
The following five tips can help establish an effective recovery-first approach:
- Always Encrypt: Protect both primary and backup data at rest and in flight with encryption. When encrypting with industry standards, data becomes useless to a hacker and can’t be used for exposure, either. Use native arrays for primary data and backup software for backups. Separating in this way, and putting key control under different administrators, further complicates potential breaches.
- Follow the Rule: The 3-2-1 rule has long been the standard for backups. This requires keeping three copies of your data, on at least two different types of media, with one stored offsite. A newer 3-2-1-1 version advises the same except one copy should be online/offsite, while the other should be stored offsite/offline. The offline/offsite copy was created for the purpose of recovering from ransomware.
- No Changes: Tamper-proof data copies can’t be changed. This differs from encryption because, in theory, there’s no key to allow direct access. But this isn’t always the case -- system or policy clock changes can offer a workaround -- so be sure tamper-proof copies are 100 percent secure.
- It Needs Air: There should be a physical disconnect between a primary system and backups. This air gap can keep bad actors from gaining access to backups. Keep the control and data paths separate and you’ll further frustrate hackers. Remember, though, a cloud copy doesn’t always mean there’s an air gap -- you have to make sure the configuration is set up correctly.
- Avoid Reinfection: It’s essential enterprises and MSPs alike have clean backups. A dramatic leap forward has been the use of AI to scan ingested data and detect and remove any threats. This preserves the safe state that a customer needs in the event of an attack for malware-free recoveries. Doing this at scale also offers a particular efficiency benefit for MSPs.
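The 3-2-1-1 rule, the encryption tip and the earlier question of whether every data source is backed up at all can be checked mechanically against a backup inventory. The following Python is an added example, not the author's or Redstor's code; the inventory fields, the constructed source names and the choice to count the production copy as one of the three copies are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    source: str      # data source this copy protects (assumed field names)
    media: str       # e.g. "disk", "object-storage", "tape"
    offsite: bool    # stored away from the primary site
    online: bool     # reachable over the network from production
    encrypted: bool  # encrypted at rest ("Always Encrypt")

def audit(sources, copies):
    """Return {source: [findings]}; an empty list means 3-2-1-1 is met."""
    report = {}
    for src in sources:
        mine = [c for c in copies if c.source == src]
        findings = []
        if not mine:
            # Known data source with nothing in the inventory: a protection gap.
            findings.append("no copies recorded (coverage gap)")
        else:
            if len(mine) < 3:
                findings.append(f"only {len(mine)} copies, need 3")
            if len({c.media for c in mine}) < 2:
                findings.append("fewer than 2 media types")
            if not any(c.offsite and c.online for c in mine):
                findings.append("no offsite/online copy")
            if not any(c.offsite and not c.online for c in mine):
                findings.append("no offsite/offline copy")
            if any(not c.encrypted for c in mine):
                findings.append("unencrypted copy present")
        report[src] = findings
    return report

# Constructed sample inventory; the production copy counts as copy one.
SOURCES = ["fileserver", "mailboxes", "sharepoint-new-site"]
COPIES = [
    Copy("fileserver", "disk", offsite=False, online=True, encrypted=True),
    Copy("fileserver", "object-storage", offsite=True, online=True, encrypted=True),
    Copy("fileserver", "tape", offsite=True, online=False, encrypted=True),
    Copy("mailboxes", "disk", offsite=False, online=True, encrypted=True),
    Copy("mailboxes", "object-storage", offsite=True, online=True, encrypted=False),
]

if __name__ == "__main__":
    for src, findings in audit(SOURCES, COPIES).items():
        print(src, "->", findings or "meets 3-2-1-1")
```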
Ransomware’s success has been encouraging bad actors with greater ambition. They’ve introduced Ransomware as a Service (RaaS), a platform that provides aspiring hackers with the code and operational infrastructure to conduct their own ransomware attacks.
That said, the current record-breaking number of incidents will pale in comparison to the volume of attacks that will occur in the year ahead.
Considering the likelihood of becoming a target, and the vulnerable position ransomware can put a company in, regardless of whether they pay up, maybe it’s time to play different? Adopting an intelligent, recovery-first approach could be the focus that ensures the best protection and outcomes of all.
Paul Evans is CEO of Redstor, the MSP’s backup and recovery platform, offering the simplest, smartest way to serve customers and drive profitability. The solution unifies backup and recovery to protect modern, legacy and SaaS infrastructure with a single app. Streaming provides instant data access and fast recovery, with AI finding and automatically removing malware for safe restores. Learn more at www.redstor.com.