The war on ransomware is real

The war against ransomware is real. In recent years, this form of attack has become a genuine threat to businesses. We have witnessed massive attacks that have left multinational organizations, including governments, exposed and unable to continue critical operations. In 2017, WannaCry brought IT departments at hospitals across Europe to a standstill, with over 200,000 computers affected, demonstrating the destructive potential of ransomware. Although WannaCry and Petya remain the most notable ransomware attacks, this form of cyberattack continues to rise, according to Europol's 2019 Internet Organised Crime Threat Assessment (IOCTA) report. Organizations must recognize this threat and take steps to prepare, defend, and be ready to meet it; doing so avoids an unexpected and possibly ineffective response later, in the middle of a ransomware incident. A robust, multi-layered cybersecurity strategy and defense against ransomware consists of three key elements: education, implementation, and remediation. Additionally, an ultra-resilient approach to backing up, recovering, and restoring data is vital to protecting business continuity in the event of an attack.

Educate the business

From an educational perspective, two primary audiences should be targeted: IT staff and the organization's users. It is important to address both groups, as either can introduce threats. The main entry points into a business for ransomware are Remote Desktop Protocol (RDP) or other remote access mechanisms, phishing, and missing software updates. Simply put, in most cases cyber attackers do not have to work very hard to win big prizes. Knowing that these are the three main mechanisms is very helpful in determining where to invest the most effort to be resilient from an attack-vector perspective.

Most IT administrators use RDP for their daily work, and many RDP servers are connected directly to the Internet. The reality is that RDP exposed to the Internet needs to stop. IT admins can get creative with dedicated IP addresses, RDP port forwarding, complex passwords, and more, but the data does not lie: more than half of ransomware arrives via RDP. This tells us that exposing RDP servers to the Internet is not a forward-thinking ransomware resilience strategy.

The other frequent mode of entry is phishing email. We have all seen emails that do not seem right. The right thing to do is delete the message. However, not all users handle these situations in the same way. There are popular tools, such as Gophish and KnowBe4, for assessing an organization's risk of a successful phishing attack. Combined with training that helps employees identify phishing emails and links, these self-assessment tools can be an effective first-line defense.

The third area that comes into play is the risk of exploited vulnerabilities. Updating systems is an age-old IT responsibility that is more important than ever. While not a glamorous undertaking, it quickly looks like a good investment when a ransomware incident exploits a known and already-patched vulnerability. Make sure you stay current with updates to the critical IT asset categories: operating systems, applications, databases, and device firmware. Several ransomware strains, including WannaCry and Petya, are based on previously disclosed vulnerabilities that have since been fixed and can be deployed with appropriate patch management software.

Even organizations that follow best practices to avoid exposure to ransomware are at risk. While cybersecurity education and training is an essential step, organizations must prepare for the worst-case scenario. If there is one thing business and IT managers need to remember, it is to have some form of ultra-resilient backup storage. At Veeam, we advocate the 3-2-1 rule as a general data management strategy. The 3-2-1 rule recommends that there be at least three copies of important data, on at least two different types of media, with at least one of those copies offsite. The best part is that this rule does not require any particular hardware and is versatile enough to address almost any failure scenario. The "one" copy of the 3-2-1 strategy should be ultra-resilient. By this we mean an air-gapped, disconnected, or immutable copy. There are different forms of media on which this copy of the data can be stored in an ultra-resilient way. These include tape media, immutable backups in S3 or S3-compatible object storage, air-gapped and offline media, and backup and disaster recovery (DR) as a service.

Despite these education and implementation techniques, organizations must still be prepared to remediate a threat if it arises. At Veeam, our approach is simple: do not pay the ransom. The only option is to restore the data. Additionally, organizations must plan their response for when a threat is discovered. The first action is to contact support. Veeam customers have access to a dedicated team with specific operating procedures to guide them through the data restoration process in the event of a ransomware incident. Do not put your backups at risk, because they are essential to your recoverability. In disasters of all kinds, communication becomes one of the first challenges to overcome. Have a plan for how to reach the right people out of band. This would include group text lists, phone numbers, or other commonly used mechanisms to align communications within an extended team.
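As an added illustration (not code from the original article or from Veeam), the 3-2-1 rule plus the ultra-resilient "one" copy described above can be expressed as a policy check over a backup inventory. The inventory records below are constructed sample data; the field names are assumptions for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a dataset. The production copy counts as one of the three."""
    name: str
    media: str        # e.g. "disk", "tape", "object-storage"
    offsite: bool     # stored in a different location from production
    resilient: bool   # offline, air-gapped, or immutable (e.g. S3 Object Lock)


def check_321(copies):
    """Evaluate the 3-2-1 rule and the ultra-resilient copy requirement.

    Returns (passes, findings); findings lists every unmet requirement so
    an operator sees all gaps at once rather than only the first one.
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need at least 3")
    media_types = {c.media for c in copies}
    if len(media_types) < 2:
        findings.append(f"only {len(media_types)} media type(s), need at least 2")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    if not any(c.resilient for c in copies):
        findings.append("no offline, air-gapped or immutable copy")
    return (not findings, findings)


# Constructed sample inventories (hypothetical names, not real systems).
COMPLIANT = [
    BackupCopy("production-vm", "disk", offsite=False, resilient=False),
    BackupCopy("nightly-backup", "disk", offsite=False, resilient=False),
    BackupCopy("s3-object-lock-copy", "object-storage", offsite=True, resilient=True),
]

# Two mutable copies on the same on-site disk array: a single attacker
# with admin rights could encrypt both, which is what the rule is meant to prevent.
NON_COMPLIANT = [
    BackupCopy("production-vm", "disk", offsite=False, resilient=False),
    BackupCopy("nightly-backup", "disk", offsite=False, resilient=False),
]

if __name__ == "__main__":
    for label, inventory in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        ok, gaps = check_321(inventory)
        print(label, "PASS" if ok else "FAIL", gaps)
```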

Recovery decisions

There are also conversations to have about decision-making authority. Businesses need to decide who is authorized to order a restore or failover before anything goes wrong. Once a rollback decision has been made, organizations must implement additional security controls before bringing systems back online. A decision must also be made as to whether recovering an entire virtual machine (VM) is the best solution or whether file-level recovery makes more sense. Finally, the restore process itself must be secure: run full virus and malware scans on all systems, and require users to change their passwords after recovery.

While the threat of ransomware is real, with proper preparation organizations can increase their resilience to an incident and minimize the risk of data loss, financial loss, and reputational damage. A multi-tiered approach is essential. Empower your IT teams and employees to minimize risk and maximize prevention. Implement solutions to ensure data security and backup. Finally, be prepared to remediate data systems with comprehensive backup and disaster recovery capabilities if your other lines of defense fail.