Ransomware: Defend the Data, Demolish the ROI

Know more about Ransomware and ROP here

You may have noticed a slight pause in the breathless coverage of ransomware attacks. This is a bad sign: The fact that news of high-profile breaches and other attacks don't dominate the headlines—as they did around this time last year when a global pandemic was already wreaking havoc on business practices—doesn't mean that this odious practice has faded. It might just mean that ransomware is so common that it's no longer newsworthy.

Of course, there are still plenty of attacks, and the targets represent a distressing level of diversity. Consider the island nation of Papua New Guinea, with nine million people struggling through a COVID surge. The country depends on foreign aid. . .which got frozen after a vicious attack on its finance office. This was early in November, just a few days after a very different entity, the National Rifle Association, got hit with a similar blitz.

A single attack can also cause aftershocks and high costs far down the road. For example, it is only now emerging that the ransomware attack on the Baltimore County Schools, which hobbled the system a year ago, will cost nearly $10 million. (Interestingly, the system is reportedly spending big to move data to the cloud.) Besides, there's plenty happening that we don't hear about. A November 2020 survey of more than 1,000 managed services providers (MSP) from Datto found 60% of respondents reporting that their clients were hit by ransomware attacks. . .in just the third quarter.

So this is where we are now. These attacks have faded from the headlines but not from the reality, the global economy is in recovery mode, and a new year is upon us. Isn't it the perfect time to look at the big picture rather than just react to the latest outrage? What can we do differently to handle ransomware attacks better?

First, let's set the table properly. The current IT environment is designed for access and flexibility, even while attackers can plan and execute sophisticated attacks through which the bad guys can gain access and browse at their leisure. New strains are so sophisticated they not only encrypt particular files but are also deleting or encrypt system backups; some variants copy sensitive enterprise and cloud-stored data to the hackers' servers even before the data is encrypted and the ransomware note appears. All of this makes speedy recovery impossible, and the average cost of enterprise downtime can be 50 times greater than the ransom demanded.

It's horrible but true: Paying the ransom offers the best ROI.

So what makes for a defense that's both sensible and strong? Simply moving to the cloud isn't enough, but some Cloud Services Providers (CSPs) say that storing corporate data in a third-party cloud can keep it safe from being found and infected via a ransomware infection. However, precisely because it needs to be accessible, the ransomware will likely find, follow, copy, and encrypt backups in this arrangement. Saving data and backups in a third-party cloud in a WORM (write once read many) storage tiers is better—it stops the infection and encryption of backups, which can be used to restore an infected enterprise.

However, this also leaves the potential for data extortion. Some variants copy all data (in both the enterprise and associated cloud tenancies) and use the release of that data, usually featuring sensitive PII, to force an organization to pay up. If they don't, the hackers will report the release of the PII to compliance authorities. Yes, it's a good old-fashioned crime at the nexus of new technology and regulatory agencies—a potent combination.

We can go on about the problems, but it is possible to find solutions. A single piece of software really won't cut it—we need the right blend of data encryption with encryption keys stored on-premises (separately from the data stored in the cloud), the use of homomorphic encryption to enable ongoing data to access while it's encrypted and stored in the cloud, and cloud WORM storage.

When a cloud data security gateway is housed on-premises, it can encrypt data and backups before it's moved to a cloud tenancy. This is the optimal strategy for protecting sensitive data and system backups after cloud migration while continuing to enable data to be accessed in the cloud. By encrypting data on-premises and keeping the encryption keys local, any two-stage ransomware attempt to target and copy cloud repositories—particularly for later release online as a means to get a ransom payment—is soundly beaten.

That said, an encrypted file can also be re-encrypted or deleted. Organizations should take the additional step of writing enterprise backups (and other files) to immutable (WORM) storage, preferably in the cloud. Storing those encrypted backups in the cloud on a WORM tier would ensure that files/backups cannot be deleted or re-encrypted and ransomed. This would also ensure that 'clean' backups are always available to quickly restore affected systems.

In fact, industry analysts have started to accept this defensive ransomware strategy. I first wrote about encrypting and storing backups in a cloud WORM storage tier in 2020. In October of 2021, Gartner Research published "How to Protect Backup Systems From Ransomware Attacks," which highlights the use of cloud WORM storage for backups as a best practice to defend against newer versions of ransomware that attacks backups.

File encryption before cloud migration makes files unusable to all archiving, information management, and eDiscovery applications, as well as advanced data analytics and automation using AI/ML technology. Additionally, archiving encrypted files in the cloud compounds the accumulation of ungovernable dark data. To address this, all data should be encrypted on-premises using homomorphic encryption (HE) technology. HE is different from standard encryption technology in that it allows computation to be performed directly on encrypted data, without requiring access to a decryption key. It enables ongoing management of encrypted data, dramatically reducing problems associated with standard encryption methodologies, even as it ensures ongoing data indexing, search, and broad management and governance processes. Homomorphic encryption of backups and files before moving to a cloud repository guarantees data security in transit, at rest, and while in use. (Remember, many cloud archives only encrypt data while at rest in the third-party cloud archive, while storing the encryption keys in the same cloud system.)

Ransomware is not going away, from the news or our networks. The best defense is to combine on-premise homomorphic encryption and key storage with cloud-based WORM storage. Protecting sensitive data and backups takes strategy, commitment, and technology that uses your security (both on-prem and in the cloud), under your direct control, and managed in your cloud tenancy. That takes away the hackers' ROI.

By- Bill Tolson, VP of Global Compliance & eDiscovery, Archive360