- Jon Toigo, Toigo Partners International
You can't attend a tech conference without encountering at least one presentation covering ransomware -- and for good reason.
The 2017 Malwarebytes annual "State of Malware" report found ransomware detections had increased by 90%. High-profile ransomware attacks, including a much publicized case involving the city of Atlanta earlier this year, have the front office ready to fund almost any strategy IT can come up with for preventing ransomware attacks to protect company data.
Vendors love all this. Google "ransomware protection," and you will get page after page of sponsored posts from vendors offering the latest inoculants against ransomware vectors and the latest scanners to detect infections. Preventing ransomware attacks has spawned well north of a billion dollars of tech sales.
At the same time, a growing fatalism seems to have taken hold regarding ransomware, a sense that it will get you regardless of preventive measures. A former federal law enforcement officer speaking at a Silicon Valley confab a few months back communicated this view. He instructed the audience that preventing ransomware attacks should be a priority. They should take whatever measures possible, but just to be on the safe side, also set up a cryptocurrency account on a stand-alone system to pay the ransom for when primary systems and data become infected. He argued you need to demonstrate due diligence to prevent the secondary result of a ransomware attack: lawsuits from data owners over an organization's poor data stewardship.
Fatalistic views aren't without merit. The idea that ransomware infections can be stopped doesn't square with reality. Most attacks are delivered as a payload of another hacking technique like phishing. These deceptive emails, which appear to come from a trusted source, typically provide a clickable link directing the unsuspecting user to a destination from which a ransomware payload is downloaded. Methods of trickery vary, but most experts claim users are at fault for opening doors into their organization's most protected systems for ransomware and other malware vectors.
User training doesn't solve the problem. Repeated warnings blunt our spidey senses, and as vigilance wanes, malware gets through. It's only a matter of time: 50% of the 2,300 cybersecurity professionals surveyed in ISACA's fourth annual "State of Cybersecurity" report said the volume of cyberattacks has increased.
Moreover, the scanning software intended to detect malware signatures is fundamentally limited. Like antivirus software, malware scanners only detect the signatures in their database or library of signatures. Ransomware actors have shown themselves adept at mutating their malware to create different signatures with each wave. Your scanners are only as good as the last generation of ransomware.
What to do?
We could set up bitcoin accounts as a hedge against ransomware. As silly as it sounds, pundits have criticized Atlanta for failing to pay the $51,000 the ransomware author demanded, instead racking up more than $11.5 million, at last report, in expenses to recover from the attack. Of course, this is a specious claim, because the bad guys are reported to have disabled the IP address where the ransom was to be paid before the city could make the drop. Yet, as distasteful as defeatism is, some might have preferred payment to the inconvenience of having more than a third of the city's 400-plus necessary programs disabled by the attack.
Alternatively, storage technology might provide the answer. So say the many storage vendors that have stepped up with technology they claim can ransom-proof data. Some of these claims are silly.
One vendor even said its approach to preventing ransomware attacks is to encrypt data so it can't be ransomed if seized by bad guys. This makes little sense given that ransomware usually attacks by encrypting data so that end users and their applications can't use it until a ransom is paid for a decryption key. Encrypting data may prevent bad guys from exposing or otherwise misusing the data they access, but it doesn't prevent them from re-encrypting that data and the denial of access that hijacking entails.
Another vendor or two have posited using continuous data protection (CDP) methodologies, such as snapshotting, as means of preventing ransomware attacks from hurting your organization. The snapshot and storage of changed data in a separate infrastructure -- a snapshot volume, for example -- may help mitigate the ransomware threat by moving a copy of the data out of harm's way, but it isn't a complete solution. CDP isn't easy to implement. You must establish checkpoints in the process you can fail back to and obtain a valid data or application state. And, of course, some data will be lost in the process of rewinding to a point before the ransomware attack occurred.
Object storage vendors are delighted to point out how their methodology for storing data offers versioning, which provides a natural hedge against ransomware. Versions of objects are stored for a period of time, so when ransomware attacks the latest one, you can substitute an earlier version. Again, this theory of ransomware mitigation requires a cumbersome architecture to ensure all versions aren't consumed by the same attack.
Recently, Jon Toor, chief marketing officer at Cloudian, offered a complementary answer to preventing ransomware attacks: Why not use object versioning in conjunction with write once, read many (WORM) storage? WORM isn't just available on storage media, he said; it is also a function of Cloudian's object storage system. If versioned data is written to storage infrastructure that uses WORM technology, ransomware can't hijack the data. It's worth a look.
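To make the versioning-plus-WORM argument concrete, here is an added example (not from the original column and not Cloudian's code) that models a versioned object bucket with optional retention locking: an encrypting overwrite only appends a new version, and while retention is in force the older clean version cannot be purged, so it stays recoverable. The bucket, object key, payloads and timeline are all constructed for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Version:
    version_id: int
    data: bytes | None             # None would mark a delete marker (S3-style)
    written_at: datetime
    retain_until: datetime | None  # WORM retention deadline; None = unlocked

class VersionedBucket:
    # Toy model of a versioned object bucket, optionally with WORM retention.
    def __init__(self, retention: timedelta | None = None):
        self.retention = retention
        self._versions: dict[str, list[Version]] = {}
        self._next_id = 1

    def put(self, key: str, data: bytes | None, now: datetime) -> int:
        # An overwrite never replaces data in place; it appends a new version.
        retain = now + self.retention if (self.retention and data is not None) else None
        v = Version(self._next_id, data, now, retain)
        self._next_id += 1
        self._versions.setdefault(key, []).append(v)
        return v.version_id

    def purge_version(self, key: str, version_id: int, now: datetime) -> bool:
        # Permanent deletion of one version; refused (False) while retention holds.
        for v in self._versions.get(key, []):
            if v.version_id == version_id:
                if v.retain_until is not None and now < v.retain_until:
                    return False
                self._versions[key].remove(v)
                return True
        return False

    def latest_before(self, key: str, cutoff: datetime) -> bytes | None:
        # Recovery step: newest real data version written before the attack window.
        for v in reversed(self._versions.get(key, [])):
            if v.data is not None and v.written_at < cutoff:
                return v.data
        return None

def simulate(worm: bool) -> tuple[bool, bytes | None]:
    # Returns (attacker managed to purge the clean version, data recoverable afterwards).
    t0 = datetime(2018, 6, 1)                                      # constructed timeline
    bucket = VersionedBucket(timedelta(days=30) if worm else None)
    clean_id = bucket.put("payroll.db", b"clean payroll data", t0)
    attack = t0 + timedelta(days=3)
    bucket.put("payroll.db", b"ENCRYPTED BY RANSOMWARE", attack)   # encrypting overwrite
    purged = bucket.purge_version("payroll.db", clean_id, attack)  # attempt to wipe history
    return purged, bucket.latest_before("payroll.db", attack)
```

Without retention, versioning alone lets the same compromised credentials delete the clean history; with retention in force, the purge is refused and the pre-attack version remains available to restore.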