Ransomware has conventionally been defined as a form of malicious software that infiltrates a computer or network and limits or restricts access to critical data by encrypting it until a ransom is paid. Over the past few years, cyber criminals have evolved from simply taking data hostage to creating havoc by deleting data to prove a point and/or exfiltrating the data and releasing sensitive information into the public domain.
The spread of the ransomware epidemic and its variants continues to be a disruptive force in the cybersecurity industry, affecting everything from financial institutions to higher education. Because of the increase in remote work prompted by the COVID pandemic, ransomware detections in Q1 2022 doubled the total volume reported for 2021, according to new cybersecurity research by WatchGuard Technologies.
Unfortunately, no company is immune to ransomware, and there is no specific vaccine against the threat.
This means the most effective remedy comes down to training staff about the threat and raising awareness of security best practices, for instance not clicking on links or opening attachments in emails from unknown senders.
There are security tools that can protect against known ransomware variants and/or stop the spread of the malicious software within your network to limit the damage, but with the threat evolving so quickly, employee education is always the first line of defense. It is essential to carry out continuous backups and segment the network so that even if ransomware does get in, it can't travel very far. The principle of least privilege should be applied so that employees are only given access to the network areas they need to perform their job. This is especially important for employees working remotely or connecting to the company network via non-corporate devices.
Why is SaaS Backup Best Suited as a Ransomware Antidote?
Cloud-delivered backup solutions provide data protection capabilities that are more powerful, reliable, and secure than their on-premises counterparts, while also offering the ease of use, cost savings, and agility benefits of SaaS. In addition, by virtue of having infrastructure and storage that lives in the cloud, SaaS backup and recovery solutions create an "air-gap" that can prevent a ransomware attack on primary data from infecting secondary backup data in the cloud, which may not be true for on-premises backup solutions, thus providing a more secure offsite backup solution which cannot be impacted by ransomware.
In today's economy, even a few minutes of downtime for a company's digital services can result in customer dissatisfaction and lost business. SaaS backup and recovery solutions allow companies not only to recover data in a granular fashion but also to bring affected services back online far faster than their on-premises counterparts, transforming a ransomware attack from a business catastrophe into a minor inconvenience.
Let's now review some of the best practices that can help you mitigate the impact and/or reduce the likelihood of a ransomware incident.
Ransomware Mitigation Best Practices
Make regular backups of your data
Up-to-date backups are the most effective way of recovering from a ransomware attack. The following steps will help you recover from such an attack.
- Make regular backups of your organization's critical data (what counts as critical will differ for every organization), check the restoration process for your backed-up data, and regularly test that it works as expected.
- Ensure you create backups that are kept separate from your production systems, for example in a cloud-based SaaS backup service.
- Ensure that your cloud service protects previous versions of the backup from being immediately deleted and allows you to restore to them. This prevents both your live and backup data from becoming inaccessible at the same time, since cloud services often synchronize changes immediately.
- Ensure that backups are only connected to known clean devices before starting recovery.
- Scan backups for malware before you restore the data. Ransomware may have been present in your network for some time and replicated to backups before being discovered.
- Regularly patch products used for backup, so attackers cannot exploit any known vulnerabilities they might contain.
- Ensure backup accounts and solutions are protected using Privileged Access Management (PAM) solutions with Multi-factor Authentication (MFA) enabled.
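As an added illustration of two points in the list above (protecting previous backup versions from immediate deletion, and scanning a backup before restoring it), the following Python models a versioned backup store with a retention guard and a crude entropy-based "looks encrypted" check; it is example code written for this article, not Revyz's or any vendor's implementation, and the retention window, entropy threshold, file path and sample data are all constructed assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

RETENTION_SECONDS = 30 * 24 * 3600  # assumed 30-day retention window
ENTROPY_THRESHOLD = 7.0             # bits/byte; assumed cut-off for "looks encrypted"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext sits well below 7, whole-file ciphertext close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

class VersionedBackupStore:
    """Keeps every version of a path; versions inside the retention window cannot be purged."""
    def __init__(self, clock):
        self._clock = clock                  # callable returning epoch seconds
        self._versions = defaultdict(list)   # path -> [(ts, sha256, data), ...]

    def put(self, path: str, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        self._versions[path].append((self._clock(), digest, data))  # appends, never overwrites
        return digest

    def delete_version(self, path: str, index: int) -> bool:
        """Returns False and keeps the version while it is inside the retention window."""
        if self._clock() - self._versions[path][index][0] < RETENTION_SECONDS:
            return False
        del self._versions[path][index]
        return True

    def restore_latest_clean(self, path: str):
        """Newest to oldest: skip versions that look encrypted, verify the hash before returning."""
        for _, digest, data in reversed(self._versions[path]):
            if shannon_entropy(data) >= ENTROPY_THRESHOLD:
                continue
            if hashlib.sha256(data).hexdigest() != digest:
                raise ValueError("backup integrity check failed")
            return data
        return None

def demo():
    """Constructed scenario: a good backup, then an encrypted copy synced over it."""
    clock = [1_700_000_000]
    store = VersionedBackupStore(lambda: clock[0])
    clean = b"Ticket export: PROJ-1 open, PROJ-2 done, PROJ-3 in review.\n" * 40
    store.put("jira/export.csv", clean)
    clock[0] += 3600
    encrypted = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    store.put("jira/export.csv", encrypted)              # high-entropy version arrives via sync
    purged = store.delete_version("jira/export.csv", 0)  # attempt to purge the good copy
    return purged, store.restore_latest_clean("jira/export.csv") == clean
```

`demo()` returns `(False, True)`: the retention guard refuses to purge the known-good version, and the restore skips the high-entropy copy and hands back the verified original.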
Prevent malware from being delivered and spreading to devices
You can reduce the likelihood of malicious content reaching your devices through a combination of:
- filtering to only allow file types you would expect to receive
- blocking websites that are known to be malicious
- actively inspecting content
- using signatures to block known malicious code
- using sandbox and isolation techniques so that malware delivered via the network gets only limited access to the environment
- enabling MFA at all remote access points into the network
- using a VPN for remote access to services; Software as a Service and other services exposed to the internet should use Single Sign-On (SSO) so that access policies can be defined
- using a least privilege model for remote access: authenticate with low-privilege accounts, and provide an audited process for a user to escalate their privileges within the remote session where necessary
- patching known vulnerabilities in all remote access and external-facing devices immediately, and following vendor remediation guidance, including installing new patches as soon as they become available
Prevent malware from running on devices
A 'defense in depth' approach assumes that malware will reach your devices. You should therefore take steps to prevent malware from running. The measures required will vary for each device type, OS and version, but in general you should look to use device-level security features. Organizations should:
- centrally manage devices in order to only permit applications trusted by the enterprise to run on devices
- consider whether enterprise antivirus or anti-malware products are necessary, and keep the software (and its definition files) up to date
- provide security education and awareness training to your people
- disable or constrain scripting environments and macros
- disable autorun for mounted media (prevent the use of removable media if it is not needed)
In addition, attackers can force their code to execute by exploiting vulnerabilities in the device. Prevent this by keeping devices well-configured and up to date. We recommend that you:
- install security updates as soon as they become available in order to fix exploitable bugs in your products
- enable automatic updates for OSs, applications, and firmware if you can
- use the latest versions of OSs and applications to take advantage of the latest security features
- configure host-based and network firewalls, disallowing inbound connections by default
Prepare for an Incident
Malware attacks, in particular ransomware attacks, can be devastating for organizations because computer systems are no longer available to use, and in some cases data may never be recovered. If recovery is possible, it can take several weeks, but your corporate reputation and brand value could take a lot longer to recover. The following will help to ensure your organization can recover quickly.
- Identify your critical assets and determine the impact to these if they were affected by a malware attack.
- Plan for an attack, even if you think it is unlikely. There are many examples of organizations that have been impacted by collateral malware, even though they were not the intended target.
- Develop an internal and external communication strategy. It is important that the right information reaches the right stakeholders in a timely fashion.
- Determine how you will respond to the ransom demand and the threat of your organization's data being published.
- Ensure that incident management playbooks and supporting resources such as checklists and contact details are available if you do not have access to your computer systems.
- Identify your legal obligations regarding the reporting of incidents to regulators, and understand how to approach this.
- Exercise your incident management plan. This helps clarify the roles and responsibilities of staff and third parties, and to prioritize system recovery. For example, if a widespread ransomware attack meant a complete shutdown of the network was necessary, you would have to consider:
  - how long it would take to restore the minimum required number of devices from images and re-configure them for use
  - how you would rebuild any SaaS applications, virtual environments and physical devices
  - what processes need to be followed to restore your data from your backup solution
  - what processes need to be followed if onsite systems and cloud backup servers are unusable, and you need to rebuild from offline backups
  - how you would continue to operate critical business services
- After an incident, revise your incident management plan to include lessons learnt to ensure that the same event cannot occur in the same way again.
How can Revyz help?
Trusted by more than 100,000 organizations, Atlassian's Jira Software is a powerful work management tool for all kinds of use cases, from requirements and test case management to agile software development. Revyz helps protect your Jira Software data by automatically backing up all of the data to a secure offsite location and enabling on-demand granular recovery of the data. The Jira backup & restore solution offered by Revyz helps customers protect their Jira data from ransomware and account takeover attacks.