With high-profile cyber-security breaches continually in the news, it’s common for small and medium-sized companies to be left wondering how exposed their business is to a ransomware attack.
The unfortunate reality for many is that they are significantly ill-equipped, and could easily fall prey to an attack that would make an ATO audit feel like a nice Sunday brunch by comparison.
While there is no such thing as a 100% foolproof system, there are many steps you can put in place to reduce the likelihood of an attack and the severity of the impact should an attack occur.
That’s what we’re going to unpack in this article.
If you are wondering how you can protect your business when even the likes of Optus and Medibank have been breached, it should all become clearer by the end of this article.
If you’ve already suffered a ransomware attack, you have a different set of priorities and should follow our Ransomware Attack Response Checklist as your most pressing next step.
Cyber-security / anti-ransomware preparation
Like anything, prevention is better than cure, which is why you need both a cyber security plan and ransomware-safe backups.
These two elements work in tandem with one another and when you build strong capabilities in both areas, you get a cumulative benefit in protection in the event of an attack.
Cyber Security Plan
Blackhats (the hackers) are becoming increasingly sophisticated, and even the most IT-literate, tech-savvy amongst us can fall victim to a scam attack.
Therefore, businesses must develop and deploy cyber security plans that encompass:
- staff training
- e-mail screening
- web filtering
- password management
- patch management
- other such components
We’ve put together a checklist and video support guide that you can use in developing your plan.
Ransomware safe backups
Your server backups can be thought of as an ‘insurance policy’ for your organisation’s servers.
If your server backups remain intact, they will allow your organisation to recover from any “disaster”, that is, from data loss or data corruption caused by any of the following scenarios:
- User errors.
- Physical disaster.
- Software updates with unintended consequences (e.g. a software bug).
- Hardware faults.
- Cyber-security breach (including a ransomware attack).
In the remainder of this article, we will discuss how having a ransomware-safe backup system in place can aid in recovering from a cyber-security breach and how it can prevent you from having to consider paying the ransom in the event of a ransomware attack.
How are ransomware attacks carried out?
Essentially, there are two kinds of attack: a ‘bot’ attack and a ‘human’ / remote-control attack.
Ransomware – ‘bot’ attack
The ‘bot’ attack was how ransomware attacks were first carried out against organisations:
- The Blackhats (the hackers) would send an e-mail that contained a malicious attachment or a link to a malicious payload.
- Alternatively, the Blackhats would use a web site, possibly promoting access to a free version of a commercial software application (or some other enticement), to persuade an unsuspecting user to click on a link to download their software.
- When an unsuspecting user opened the attachment or clicked on the malicious link, and the malicious program was not detected by the organisation’s anti-virus software, the ransomware ‘bot’ would launch.
- The ‘bot’ would then proceed to encrypt data both on the infected computer and on as many other computers as it could reach on the organisation’s computer network.
Depending on how the victim organisation’s backups were configured, sometimes the backups were not detected by the ransomware ‘bot’, and sometimes they were simply not accessible to it.
While these ransomware attacks were still disruptive, and in some cases very costly to the victim organisation, what the Blackhats soon realised was that if the victim organisation’s backups remained intact, then the organisation would be able to restore its data from those backups.
And if an organisation was able to recover its data from its backups, then it would be unlikely to consider paying any ransom (unless the Blackhats had also obtained a copy of confidential / sensitive information, which they could threaten to release publicly unless a ransom was paid).
So the Blackhats realised that to receive more ransoms from victims, they needed to encrypt not only the organisation’s data, but also the organisation’s backups.
If organisations could not rely on their backups to recover their data, then they would be more likely to consider paying the ransom to recover their data.
This has led to the ‘human’ / remote-control ransomware attack becoming more prevalent in recent times.
Ransomware – ‘human’ / remote-control attack
While there are some similarities between the ‘bot’ and ‘human’ attacks, there are also some important differences.
Both types of attack start out the same way:
- The Blackhats (the hackers) often send an e-mail that contains a malicious attachment or a link to a malicious payload.
- Alternatively, the Blackhats use a web site, possibly promoting access to a free version of a commercial software application (or some other enticement), to persuade an unsuspecting user to click on a link to download their software.
- An unsuspecting user opens the attachment or clicks on the malicious link.
- If that malicious program is not detected by the organisation’s anti-virus software, this is where the two types of attack differ.
- Rather than launching the ransomware software (as in the ‘bot’ type of attack), a Remote Access Trojan (commonly known as a “RAT”) is launched on the user’s computer.
- The Remote Access Trojan allows the infected computer to be remotely controlled by the Blackhats.
- The Blackhats then use this computer as an entry point into the organisation’s computer network.
- Using a variety of techniques, including exploiting zero-day threats and un-patched known vulnerabilities (which is why Patch Management is so important), the Blackhats then traverse the organisation’s network until they obtain remote access to the organisation’s servers.
- The Blackhats then study the operation of the organisation’s computer network (sometimes over a period of weeks) and, in particular, the operation of the organisation’s backup system.
- When the Blackhats eventually launch their ransomware attack, they can therefore encrypt the backups (rendering them useless) as well as the organisation’s data, increasing the likelihood that the victim organisation will need to consider paying the ransom.
What is the key to defeating a “human” / remote-control type of ransomware attack?
Answer: Having an off-site backup that is not accessible from your organisation’s servers or office computer network.
In the event of a ‘human’ / remote-control type of attack, if the Blackhats are technically competent (and they usually are), then the organisation’s data and any backups that are accessible from the organisation’s servers are going to be encrypted.
This will include:
- all on-site backups and
- any off-site backups that are accessible from the organisation’s servers.
The key is having an off-site backup, that is not accessible from your organisation’s servers or your office computer network.
If there is an off-site backup that is not accessible from your organisation’s servers / office network, then that backup won’t be accessible to the Blackhats either.
Putting theory into practice
There are two key areas that need to be reviewed and to have appropriate action plans in place:
- You need to have a ransomware-safe backup.
  - A ransomware-safe backup is an off-site backup that is not accessible from your organisation’s servers.
  - In the event of a ransomware attack, if you have a ransomware-safe backup, you can use that backup to recover your organisation’s data without having to consider paying the ransom.
  - If you’re not sure whether you have an off-site backup, in the first instance you should consult with your in-house IT admin.
  - Your IT admin must be certain that at least one of your off-site backups is not accessible from your organisation’s servers, and that this backup is verified from a remote location on a regular basis. The verification ensures the integrity of the backup.
  - Off-site backups can be made ransomware-safe by one of the following approaches:
    - Ensuring that your off-site backups are read-only (also referred to as being “immutable”). If the backup is read-only, then the backup image cannot be altered or deleted, and this makes the backup safe from a ransomware attack.
    - Implementing air-gapped backups. Air-gapped backups are stored on tape, or on a detached USB3 drive or NAS, and are disconnected from the network when the device is not in use. While they are disconnected from the network, air-gapped backups cannot be accessed.
    - Cloud backups that are created by a “pull backup” rather than a “push backup”. Watch the video below for a full explanation of how “pull backups” are stored on a separate network that is not accessible to your servers.
  - If there are any doubts or uncertainty about whether your off-site backup meets the requirements for being ransomware-safe, then I would encourage you to schedule a complimentary 30-minute session, where one of our engineers will assist you in assessing whether your existing backup system is ransomware-safe or not.
  - If you don’t find out that your backup is not ransomware-safe until after you have suffered a ransomware attack, then it will be too late!
- Your organisation should have a comprehensive Cyber Security Plan in place to reduce the likelihood of falling victim to a ransomware attack.
  - We’ve put together a checklist and video support guide that you can use in developing your plan. The checklist and other resources are available at no charge. The video support guides encompass:
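To make the two backup principles above concrete, namely a backup store that the production servers cannot reach (the “pull backup” model from the approaches list) and regular integrity verification of that backup from the backup side, here is an added worked example. It is illustrative code written for this article, not a tool from the article's authors or from any backup product. Everything runs on the backup host: the backup host reaches into the source, copies a snapshot into its own repository, records a SHA-256 manifest, and later re-hashes the snapshot to detect any file that has been altered, removed or added since it was taken. The function names, the `MANIFEST.sha256` file name and the sample “fileserver” data are all constructed for the example. Marking copied files read-only with `chmod` is only a token gesture towards immutability (anyone with root on the backup host can undo it); true immutability comes from WORM/object-lock storage or an offline medium, and the property that actually defeats the remote-control attack is that the source servers hold no path or credentials to the repository at all.

```python
"""Pull-style snapshot backup with an integrity manifest (illustrative).

Constructed example: runs entirely on the BACKUP host. The source servers are
never given a route to the repository, so an attacker who controls them
cannot reach the snapshots. The manifest lets the backup host verify the
snapshot on a schedule without involving the source servers.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Tuple

MANIFEST_NAME = "MANIFEST.sha256"  # constructed name for this example


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backup images do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def create_snapshot(source: Path, repo: Path, label: str = "") -> Path:
    """Copy `source` into a new snapshot under `repo` and write a SHA-256 manifest.

    Each copied file is made read-only afterwards. This is NOT real
    immutability (root on the backup host can revert it); it only guards
    against accidental edits. Real immutability needs WORM/object-lock or
    an offline medium.
    """
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    snap = repo / label
    data = snap / "data"
    shutil.copytree(source, data)  # the PULL: backup host reads from the source
    lines = []
    for p in sorted(data.rglob("*")):
        if p.is_file():
            rel = p.relative_to(data).as_posix()
            lines.append(f"{sha256_of(p)}  {rel}")
            p.chmod(0o444)
    manifest = snap / MANIFEST_NAME
    manifest.write_text("\n".join(lines) + "\n")
    manifest.chmod(0o444)
    return snap


def verify_snapshot(snap: Path) -> List[str]:
    """Re-hash every file in the snapshot and compare with the manifest.

    Returns a list of problems ('modified: ...', 'missing: ...',
    'unexpected: ...'); an empty list means the snapshot is intact. This is
    the 'verified from a remote location' step: it runs on the backup host,
    not on the servers being protected.
    """
    expected: Dict[str, str] = {}
    for line in (snap / MANIFEST_NAME).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        expected[rel] = digest
    data = snap / "data"
    problems: List[str] = []
    seen = set()
    for p in sorted(data.rglob("*")):
        if p.is_file():
            rel = p.relative_to(data).as_posix()
            seen.add(rel)
            if rel not in expected:
                problems.append(f"unexpected: {rel}")
            elif sha256_of(p) != expected[rel]:
                problems.append(f"modified: {rel}")
    for rel in expected:
        if rel not in seen:
            problems.append(f"missing: {rel}")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: snapshot a small source tree, verify it, then
    simulate ransomware overwriting one file inside the snapshot and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "fileserver")  # constructed sample data
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (source / "readme.txt").write_text("constructed sample data\n")
        repo = Path(tmp, "backup-repo")
        repo.mkdir()

        snap = create_snapshot(source, repo, label="snap-001")
        clean = verify_snapshot(snap)  # expected: no problems

        # Simulate an attacker who reached the snapshot and encrypted a file.
        victim = snap / "data" / "finance" / "ledger.csv"
        victim.chmod(0o644)  # the read-only bit is trivially undone, hence not real immutability
        victim.write_bytes(b"\x00ENCRYPTED\x00" * 4)
        tampered = verify_snapshot(snap)  # expected: ['modified: finance/ledger.csv']
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("problems in fresh snapshot:", before)
    print("problems after tampering:  ", after)
```

In practice the snapshot copy would be taken over a read-only channel initiated from the backup host (for example rsync or a backup agent pulling from the file server), `verify_snapshot` would run from a scheduled job on the backup host, and any non-empty result would raise an alert, since a backup that no longer matches its manifest is exactly the situation the “human” / remote-control attack tries to create.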