[BreachExchange] The anatomy of a ransomware attack – keeping your organisation immune

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 27 19:21:47 EDT 2017


http://www.itnewsafrica.com/2017/06/the-anatomy-of-a-ransomware-attack-keeping-your-organisation-immune/

Ransomware is a type of malware that, as the name suggests, takes a user’s
data hostage and then holds it for ransom. If users do not pay the ransom,
hackers threaten to delete their information. This type of malicious
software is by no means a new phenomenon. However, the recent WannaCry
ransomware attack, which affected hundreds of thousands of organisations
across the globe has brought it back under the spotlight. While there are
varying degrees of sophistication when it comes to ransomware attacks, and
therefore different ways of protecting against the threat and dealing with
the problem, one thing is certain. In today’s world, where data is the
currency of business, organisations need to effectively safeguard
themselves and their data from malicious intent. This requires a
multi-layered approach and effective security, but it is also
essential to have backup and recovery in place to deal with an attack if
and when it occurs.

The anatomy of a ransomware attack

Ransomware comes in many different forms, from simple attacks that are not
very sophisticated or difficult to reverse, to the more advanced, including
WannaCry. This attack is an example of cryptoviral extortion: it encrypts
the files of its victims, which makes recovering the files extremely
difficult without the decryption key, and the hackers will only divulge
that key on payment of their ransom.

Regardless of the sophistication or otherwise of the attack, however,
ransomware itself has a predictable way of taking control of data. It
generally begins with an email that carries an infected link or
attachment. If a user opens the file or link, the malicious software is
installed on the computer and exploits any weaknesses in the user’s
operating system, such as a missed security patch, out-of-date protection
software or generally ineffective security. Once the ransomware code is
running in the system, it quickly replicates, encrypting data so that only
the hacker can unlock it. Hackers demand payment in untraceable virtual
currency such as Bitcoin in order to unlock the files, and the data is now
effectively being held hostage. Affected users are given two choices: pay
the ransom or lose your files.

The third option

Neither of these is an appealing choice. However, an effectively protected
system has a third option – the ability to recover and restore data on an
uninfected system backup to a point before the attack occurred. While it is
absolutely essential to have security in place, including firewalls, threat
detection and so on, the reality is that it may not be enough, and an
attack may breach your defences. In these cases mitigating the risk and
damage of a ransomware attack becomes critical, and the ability to recover
data is absolutely essential.

In order to achieve this, effective backup and recovery must be in place,
and ways to improve the frequency with which data is backed up and
protected need to be examined. Recovery points for key systems, files,
cloud environments and end points need to be created multiple times a day,
as this will drastically reduce the potential impact of ransomware on your
data. In addition, the ability to recover hinges not only on making copies
of files, but utilising technology to make backup and recovery more
effective. Storage snapshots and replicated data themselves may be
susceptible to attack, so it is essential to look into combinations of
solutions such as more frequent backup copies, replicas of files and
co-location of backed up data. This helps to minimise the potential impact
of ransomware attacks since the loss of data can be far less severe and
recovery can take place quickly.

Securing what matters

Another important point is to ensure that how and where backup data is
stored is secure, since ransomware can attack not only file systems and
production systems, but also backed up data. If these are not secure they
are susceptible to attack, and ransomware can then attach to these files
and encrypt and infect them. Data protection needs to be secured from
ransomware attacks to ensure that it remains available, whether it is
stored on premises or offsite.

In addition, if ransomware breaches defences, it is essential to have
detection and alerting tools in place to identify when and how the attack
occurred. It is also paramount for businesses to understand exactly which
point in time data needs to be recovered to, in order to neutralise the
threat and minimise the impact of lost data. Watching the data itself can
be an indication of a problem. For example, understanding normal data
change rates and how systems perform makes it possible to notice unusual
activity in either of these areas. Even monitoring data snapshots can be
telling: if a storage array suddenly consumes far more space than
previously, it can point to a problem.
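The change-rate heuristic described above, written out as an added example that is not part of the original article: a robust baseline (median and median absolute deviation) is built from the preceding snapshot deltas, and an alert is raised when a new snapshot writes far more data than that baseline. The per-snapshot byte counts are constructed sample values, not real telemetry.

```python
"""Flag abnormal data-change rates between storage snapshots (added example)."""
from statistics import median

# Constructed sample: bytes changed per hourly snapshot on one storage array.
# The last three samples mimic a bulk-encryption burst; the rest are normal churn.
SNAPSHOT_DELTA_BYTES = [
    2.1e9, 1.8e9, 2.4e9, 1.9e9, 2.0e9, 2.2e9, 1.7e9, 2.3e9,
    2.0e9, 1.9e9, 2.1e9, 2.2e9, 14.8e9, 21.5e9, 19.9e9,
]


def robust_baseline(values):
    """Median and median absolute deviation (MAD) of a window.

    Both are resistant to a single earlier spike, so one anomalous snapshot
    does not silently raise the baseline for the ones that follow it.
    """
    centre = median(values)
    mad = median(abs(v - centre) for v in values)
    return centre, mad


def change_rate_alerts(deltas, window=8, threshold=6.0, min_growth=3.0):
    """Return (index, growth_factor) for snapshots whose change volume is
    anomalous relative to the preceding `window` snapshots.

    A snapshot alerts only if it is more than `threshold` MADs above the
    median AND at least `min_growth` times the median; the second condition
    stops a very flat baseline (tiny MAD) from alerting on ordinary noise.
    """
    alerts = []
    for i in range(window, len(deltas)):
        centre, mad = robust_baseline(deltas[i - window:i])
        # Floor the MAD at 5% of the median so the score stays finite and sane.
        scale = max(mad, 0.05 * centre)
        score = (deltas[i] - centre) / scale
        if score > threshold and deltas[i] >= min_growth * centre:
            alerts.append((i, round(deltas[i] / centre, 1)))
    return alerts


if __name__ == "__main__":
    for idx, growth in change_rate_alerts(SNAPSHOT_DELTA_BYTES):
        print(f"snapshot {idx}: {growth}x the recent median change volume")
```

In practice the same logic would be fed from the storage array's or backup platform's own metrics, and the window and thresholds tuned to the environment's normal churn.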

In summary

Protecting your organisational data from ransomware attacks not only
requires adequate security, but also a plan for if and when a malicious
attack breaches defences. There are three crucial elements to this:
securing how backup data is stored, protecting it frequently, and having
awareness and detection in place. It is essential for organisations to
ensure their backup provider can deliver the very best levels of protection
for data, so that they are able to recover in the event of a ransomware
attack or other data loss event. Some elements to look out for include
secure disk storage, effective encryption, intelligent replication,
detection and risk mitigation. Ransomware is just one of many issues that
can affect data, and organisations need to protect it, back it up and be
able to recover it in order to minimise business impact and mitigate the
risks involved.