If you think ransomware works in the same way as other types of cyberattacks, you may be overlooking important steps for protecting against it. This article provides an overview of defending yourself against ransomware by assessing the current state of ransomware threats and discussing the latest developments in ransomware design.
By the end of 2019, ransomware attacks had caused massive disruptions in completely different fields. The number of users targeted by ransomware every six months is estimated to range from 900,000 to 1,200,000.
The growth in types of ransomware means that MSPs should be prepared to distinguish various types and defend against them.
Types of Ransomware
Below we will discuss the latest modes of attack that ransomware programs use to compromise systems and data. This is not a comprehensive list of ransomware attack types, but an overview of the most recent developments in ransomware design.
A polymorphic ransomware program is one that is designed to modify itself constantly. In other words, it takes multiple forms.
Because polymorphic ransomware changes constantly, it is difficult to detect using the pattern-matching techniques on which antivirus scanners typically rely. Antivirus tools may have “signatures” that enable them to identify some forms of the ransomware, but not all of them, because the signatures change constantly.
Wiping ransomware, also sometimes called data wipers, does what its name implies: It wipes out all data on your storage drives by deleting the data or otherwise making it unreadable. Attackers typically demand a ransom to recover the data, which they will have backed up before wiping it.
Publishing Ransomware (Doxware)
Rather than deleting data or preventing you from accessing it, this type of ransomware takes sensitive data and makes it available for anyone to read. In most cases, the attackers will demand a ransom before publishing the data. Essentially, publishing ransomware (also called Doxware, because the attacks often involve stealing sensitive data from Word documents) is a type of extortion.
Ransomware with a time-bomb feature is designed to delay the execution of an attack. Instead of stealing, wiping or extorting your data as soon as your computer or server is breached, time-bomb ransomware hides on the system and can wait weeks or months before activating its attack.
The greatest danger posed by time-bomb ransomware is that it can affect backed-up data as well as production data. If the maximum age of your data backups is less than the time that the ransomware waits before carrying out its attack, you won’t have any “clean” copies of your data that you can use to restore your system to a ransomware-free state.
Use backups to stay safe
#1: Perform backups
New strains of ransomware are able to attack data directly, inject various changes and encrypt or even delete data. To protect against these risks, we recommend doing backups so that you always have clean copies you can restore.
We also recommend using the 3-2-1 backup approach. Some families of ransomware are specifically targeting backup storage. Thus, having backups stored in two locations, rather than one, lowers the risk of losing your whole dataset.
#2: Use Encryption
Usually, ransomware works by encrypting files with specific extensions. To add another layer of defense you can encrypt your cloud backup data to encode the contents of a backup set. This limits ransomware’s ability to identify the backup set as a target, which is a key step in enabling the ransomware to delete or encrypt the data.
#3: Establish Retention Policies
Retention policies establish how long backups should be kept, whether multiple versions of files should be retained and when to purge retained data. When you think about backups of critical data sets, it is obvious that you need to determine how long the data needs to be available to ensure a proper recovery.
File versioning retention policies allow organizations to store multiple copies of files that they modify. In this way, they provide the ability to go back in time to a specific file revision to find the desired file to recover. In this way, you can revert to a version that was created before the ransomware attack.
#4: Establish Lifecycle Policies
Retention policies exist to determine which data needs to be available, and for how long. But, assuming you’re using a cloud backup solution, the amount of data you retain can grow to a point where it is no longer cost-effective to keep all of your backups in a storage tier designed (and priced) for high-speed, instantaneous access to backup sets.
With cloud storage providers such as AWS providing multiple tiers of storage that decrease in speed as well as price, cloud backup solutions (like MSP360 Backup) can take advantage of these many tiers of storage. Policies can be established to move backup data automatically to a lower-cost tier after a specified period. This allows MSPs to maintain backups indefinitely and cost-effectively to protect against ransomware.
Conclusion: Backups 1, Ransomware 0
The trick to being able to protect your data from a ransomware attack is no trick at all; it’s simply a matter of having the data you need available for recovery, the moment you need it. With ransomware strains becoming more focused on reducing your ability to recover, following the four best practices above will maximize the likelihood of your organization recovering successfully and rendering ransomware ineffective.