In the past decade, ransomware has gone from being a relatively obscure crime to a multi-billion dollar industry, with the largest enterprises and even governments in its sights.
Organised cyber crime groups demand ransoms of six and seven figures or more from their victims. Using a combination of network infiltration, malware and cryptography, ransomware locks firms out of their data by attacking storage, encrypting data and even disabling backups.
Cyber crime groups have also been boosted by the growth of cryptocurrencies, which give criminals a low-risk way to extract pay-outs, and by techniques that go beyond data encryption. These include double and triple extortion attacks and threats to release sensitive data.
Ransomware attacks such as those that hit Maersk, Colonial Pipelines and the Irish Heath Services Executive have dominated headlines because of the disruption they caused. But ransomware attacks are now commonplace, and increasingly hard to prevent.
According to experts at Kroll, a data security company, between 25% and 45% of the firm’s investigations currently involve ransomware attacks.
Laurie Iacono, associate managing director covering threat intelligence at Kroll, says a small number of ransomware groups are now behind most attacks, and as many as 86% of attacks now involve data exfiltration – not just encryption.
“What we see is that ransomware has become a predominant attack vector,” she says.
How do ransomware attacks work?
The conventional path for ransomware into an organisation is through an infected attachment that contains an executable file, or by conning users to visit a website that contains malware. That injected software deploys on the network and seeks out its targets.
Double and triple extortion attacks create backdoors into systems that allow the attackers to exfiltrate data. Increasingly, this goes hand in hand with disabling backups and attacks on core network services such as Active Directory.
The latest generation of ransomware attacks target backup systems, appliances and virtual machines. “They are targeting physical appliances and virtualised appliances,” says Oisin Fouere, head of cyber incident response at consulting firm KPMG.
“A lot of backup systems are hosted on virtual infrastructure. They have started targeting and deleting operating system-level information on those systems as well as going after the bare bones of the of the systems as well.”
And, as Kroll’s Iacono points out, ransomware groups often recruit people with technical knowledge of backup systems.
But first, the ransomware has to enter the corporate network. The conventional – and still most common – approach is to use a phishing attack or other forms of social engineering, to deliver infected attachments or convince employees to click on infected web links.
During lockdown, ransomware groups exploited weaknesses in virtual private networks and remote desktop systems which caused a spike in ransomware cases.
“There was a lot of exposure around poorly protected or inadequately configured remote access systems, which meant attackers didn’t need to spend time trying to solve the intrusion vector problem,” says KPMG’s Fouere. “They were almost being presented with a front-door-left-open scenario, and that was a favourite choice over the past couple of years.”
The hardening of these access points is behind a recent fall in ransomware incidents. However, experts warn this is no cause for complacency.
As Keith Chappell, a cyber security expert at PA Consulting, puts it, we are seeing “more deliberate, more targeted and better researched attacks that actually have a purpose, be that to disrupt operations … or to extort to make money”.
How does a ransomware attack impact storage and backup?
Ransomware attacks set out to deny access to data. Early generation attacks targeted disk drives, often on individuals’ PCs, with fairly low-grade encryption methods. Victims could obtain a decryption code for a few hundred dollars.
However, modern attacks are both more selective and more damaging. Attackers increasingly use reconnaissance to find high-value targets. These include personal identifiable data, such as customer, commercial or health records, or intellectual property. These are the files firms will most fear being released in public.
But attackers also target networks and identity and access management data, operational systems, including operational technology, and live data flows, as well as backups and archives. Double- and triple-extortion attacks that go after backups or disaster recovery and business continuity systems offer the greatest chance of a payout. Without the ability to recover a system or restore data from backups, firms may have little choice but to pay.
And attackers also look for accounts they can compromise and use to escalate privileges, to carry out further, or deeper attacks. So, security teams need to secure not just main data stores, but administrative systems, too.
“Very often, a phishing attack or ransom attack can be used as a masking technique for something else that is going on, or can be masked by doing something else,” warns PA Consulting’s Chappell.
How do storage and backup help in case of a ransomware attack?
Even though criminal hackers actively target backups, they remain the best defence against ransomware.
Firms need to ensure they take regular backups and that these are immutable, stored off-site, or ideally, both. “You should be backing up data daily, weekly and monthly, and you should be storing backups in physically separate, disconnected locations, ideally in different formats,” says Chappell.
Much has been said about the need to “air gap” data from systems that might be attacked, and nowhere is this more important than for storage of backup copies. However, older backup media such as tape are often too slow to allow a full recovery in the timescales the business demands.
“Organisations realised they can’t wait several months for these tape backups to restore,” says KPMG’s Fouere. Instead, he says, clients are looking at cloud-based resilience and recovery, primarily for speed.
In turn, backup suppliers and cloud service providers now offer immutable backups as an additional layer of protection. High-end, active-to-active business continuity systems remain vulnerable to ransomware as data is copied from the primary to the backup system. So, firms need solid backup and ways to scan volumes for malware before they are used for recovery, and ideally, as data is being saved.
But IT organisations also need to take steps to protect backup systems themselves. “They’re vulnerable, too, just like any other software product is,” says Kroll’s Iacono. “You have to make sure that backup systems are patched. We have had cases where threat actors leverage vulnerabilities in backup systems to help them with data exfiltration or to evade detection.”
Some IT teams are going further. With ransomware groups spending more time on reconnaissance, firms are obscuring the names of servers and storage volumes. It is a simple and low-cost step to avoid using obvious labels for high-value data stores, and it might buy valuable time when it comes to shutting down an attack.
What are the limits of storage and backup as protection against ransomware?
Good discipline around data backups has reduced the effectiveness of ransomware attacks. This may explain why cyber crime groups have moved to double- and triple-extortion attacks, targeting backup systems and exfiltrating data.
Using immutable backups alongside disk or cloud storage still minimises the impact of ransomware. But firms need to ensure all parts of critical systems are fully protected. This includes testing. Even if a main data store is backed up, a system can fail to restore if operational or administration data is encrypted, because they have been left off the backup plan.
And firms also need to allow for data restoration where good backups do exist. Even with the latest backup and recovery tools, this is still a disruptive process.
Nor will immutable backups prevent data exfiltration. Here, firms need to invest in encryption of data assets. They can only do this if they have an accurate, up-to-date understanding of where their data is. Organisations should look at monitoring tools that can detect unusual data movements and invest in protecting privileged user accounts.
With most ransomware still spread by phishing and social engineering, firms can take technical steps to protect their perimeter.
But training staff to spot suspicious emails, links and attachments, coupled with multi-factor authentication, are the strongest defences against ransomware. For ransomware, as with other forms of fraud and online crime, security awareness is an essential part of defence in depth.