Protecting your data from ransomware

Supported Well, there’s a surprise. The National Audit Office’s report into the WannaCry ransomware and its effect on the NHS came out in late October. It points the blame at – wait for it – the NHS. Despite warnings, trusts had not prepared themselves with the basic patches necessary to avoid what ended up being an unsophisticated attack.

NHS Digital, the national provider of IT systems for UK public sector health and social care, had conducted voluntary cyber-preparedness assessments for 88 trusts before the ransomware hit. They all failed. “Trusts had not identified cyber-security as being a risk to patient outcomes, and had tended to overestimate their readiness to manage a cyber attack,” the report said.

How can you avoid protect yourself against ransomware? It’s an urgent question as organizations face a clear and present danger. The Metropolitan Police has joined the NHS and the UK Local Government Association in fingering ransomware as the biggest cyberthreat facing the public sector in 2018. The threat is so great that the Met now has 300 officers looking at the issue, the Register reported.

Ransomware is now attacking desktop and mobile operating systems in two ways. It will either encrypt the data on a device and demand a ransom to descramble it, or it will lock up systems altogether, rendering the entire device inoperable, along with its data and applications. In both cases, the effect on enterprises or government bodies can be huge. Ransomware can bring organizations to a grinding halt.

Protect yourself

Protection begins at the endpoint, with proper patching. Still one of the most overlooked tasks (as evidenced by the NAO report), it’s also one of the most basic aspects of cybersecurity hygiene. We know that in many cases, poor patching isn’t the result of laziness, but is more to do with change management and testing policy.

Organizations may be nervous about updating software without thoroughly testing it across their infrastructure, forcing them to wait until they are able to test it themselves, or until they are confident that that there are no reports of adverse effects from elsewhere.

In the interim, they can take advantage of ‘micro-patching’ systems now offered by some vendors, which protect software applications without making changes to the binaries. It’s not a permanent solution, but it can at least provide a stop gap until something more permanent can be done.

Most endpoint protection systems now feature ransomware protection, and Microsoft is also building its own anti-ransomware measures. Windows 10’s Fall Creators update includes a feature called controlled folder access, which blocks off access to specific folders from any applications other than those on an authorized list. It’s a form of whitelisting for folder access, and will go a long way towards helping protect your files. Researchers successfully tested the feature against the Locky ransomware. Protect yourself some more

These are all great protections, but true protection against ransomware requires the same, approach as protection against any serious cyberthreat: defence in depth. A survey of 832 IT pros by Druva this year painted a vivid picture of sustained and repeated attacks on organisations by malware writers employing different a variety of vectors. It emphasised the need to defend in depth.

More than half of survey respondents said their organisation had been hit more than four times, a third of attacks targeted servers and 60 per cent the end point, while 70 per cent had targeted multiple devices.

Illustrating the varied nature of the attacks were the examples of University College London and hosting company Nayana in South Korea. The latter found 153 of its Linux servers had been infected by the Erebus ransomware variant. UCL suffered a sustained and damaging ransomware attack in 2017 after a user on its network was thought to have released the code contained in a phishing attack.

Multi-layered protection will secure your data in these kinds of scenarios, so that if endpoint or server anti-ransomware protection fails, you can still recover your data. Regularly scheduled backups are crucial.

The temptation is to assume that services replicating endpoint data to the cloud will automatically protect your data. Nope. If ransomware encrypts data on your hard drive, then the encryption will also be replicated to your cloud-based data store. Kaboom. There goes your cloud data.

It’s true that some cloud-based services like Dropbox offer versioning, but all it takes is ransomware designed to repeatedly encrypt files and the versioned files will blow up, too.

Here’s one company that lost thousands of files when ransomware-scrambled files were replicated to its cloud-based data store. Luckily, its cloud-based service provider had the good sense to back up its clients’ data, but things could have been far worse.

Simply backing up your data to your own network can be dangerous, as some ransomware strains are programmed to seek and scramble files on network drives. You could back up manually to removable media, but this becomes less attractive as the data volume and frequency grows. It also doesn’t provide a clear method for backing up mobile devices that may be travelling outside your office network, or for backing up data stored in cloud applications.

That last point should worry Office 365 users. Last year, Microsoft was hit with Cerber, a ransomware strain delivered via a phishing attack that hit a proportion of the firm’s 18 million users, locking up their files. It took Microsoft several hours to respond to this attack and block it, by which point the damage had already been done for many.

Cloud-based backup

Cloud-based backup is a potential solution here, providing regular backups online to something other than network drives. Its advantages include the ability to program high frequency snapshots, so that you can maintain a narrow recovery point objective should you need to restore after a ransomware attack. Some of these solutions can also be programmed to provide backups across multiple devices, including mobile devices that may be away from high-speed connections for periods of time.

It can also be far easier to test a cloud-based backup solution than it is to test restoration from removable storage, because the cloud-based data will be available online. You don’t have to locate, load and transfer the removable media and hope that the physical formatting is still good. This is all well and good, but it's vital to ensure that your cloud backup service is equipped with proper encryption.

The move to cloud, means data is stored on shared storage and you have no control over the physical storage, so no chance to shred the disks when they are retired. This makes encryption of the critical data essential. That means working with a cloud backup provider that doesn’t have access to your data by controlling your encryption key on your behalf.

Organize your files

Once you’ve established a solid backup workflow, it’s time to establish your need-to-restore list. Look at how you’re organizing and tagging individual files, perhaps related to business processes or sensitivity. Is there an easy way to identify and gather all the files that you can’t live without, and include them in the backup process automatically? Is storing them in a specific location workable?

It may be prudent to look at types of data here – perhaps files created in specific formats, or with other key characteristics such as those created since a certain date, or by a particular person or group. This is where file metadata comes into its own, Make this easier by using a file tagging system, along with a complementary file discovery tool to gather and categorise your existing files.

Let’s not forget virtual machines in this equation. With ransomware growing increasingly smart and aware of server-based infrastructures, protecting both physical and virtual machines is increasingly critical.

Equally important is the capacity to root out any malware that has succeeded in penetrating your organisation. It's one thing to recover from an attack but you don't want the code knocking about your network, resident on end points or buried in your data from where it might spring back to life. You'll therefore need a comprehensive search capability that lets you find and remove code from end points, cloud applications and backed up snapshots.

Finally, use a monitoring solution to ensure that this strict new file management regime you’ve put in place stays in place. Agent-based endpoint monitoring can help you check that files are being stored in the right place and therefore that the appropriate files are being backed up properly.

A critical part of this solution is anomaly detection - the capacity to spot things that are out of the ordinary. Of course, to achieve this you need to get a picture of what constitutes "ordinary", so it's important to map the behaviour of the data in your system. Once you have that map, you can spot anomalies such as large amounts of data changing on a device that might be down to encryption and therefore suggest an attack is underway. IT can use this information to start backing up and restoring data from the point when an attack began.

Ransomware is getting nastier, and more pervasive. So you have to get smarter, and more resilient. Don’t be like the 88 NHS trusts who were convinced that ransomware wasn’t a threat. The most destructive problems are the ones hiding in plain sight. By putting multi-layered defences in now, you’ll save yourself some serious headaches in the future.

SUPPORTED BY: Druva