Better solutions for ransomware recovery
The March SamSam ransomware attack against Atlanta disabled more than a third of the city’s 424 “necessary programs,” encrypting close to 30 percent of the workload and data deemed mission critical. As of June, the bill for the recovery phase that followed had topped $11.5 million -- considerably more than the $51,000 ransom originally sought by the hackers.
This recent encounter with ransomware ironically came on the heels of reports from ISACA and other cybersecurity groups that the pace of ransomware attacks had slowed from the preceding year. Atlanta’s experience re-energized concerns about attacks on local, state and federal government entities.
Ransomware tends to be delivered as a payload by other types of malware. Many attacks are enabled by phishing, or social engineering wherein users are tricked into either opening email attachments or clicking on links that direct their browsers to download ransomware code. At an appointed time, the malicious app encrypts all data in the system. To decrypt the data, the victim must obtain a key from the hackers via a ransom payment.
In response to these attacks, business and government organizations have largely focused on two approaches: user training to prevent successful phishing and detection scanning to identify malware code already in systems so that it can be removed before it activates. Both approaches have their problems.
Training is limited in efficacy because users tend to lose interest over time. Hyper-vigilance can be exhausting, especially when no threats are apparent.
Intrusion detection systems also have limits. DHS’s EINSTEIN, ALBERT and other cybersecurity intrusion detection and prevention systems offer varying degrees of capability in identifying malware, but the changing nature of attack vectors (variants of malware) render most detection methods less than airtight. The old adage about security remains true: Attacks are asymmetrical -- security folks need to be successful all the time, while the bad guys only need to succeed once to breach security and do their damage.
Agencies need technologies that can limit the impact of ransomware in those instances when preventative measures fail. A class of enterprise storage called object storage offers two functions that could provide an answer: versioning and “write once, read many” (WORM) capabilities.
Versioning, a feature of object storage systems that retains a copy of a file every time a change is made, refers to a process wherein data is never overwritten. Rather, whenever the data is updated, a new “version” is created. The old version remains in storage and can be retrieved at any time. When a ransomware attack encrypts data, the information can be restored from a unencrypted version. This protection is not 100 percent iron-clad. In theory, malware could delete the old versions, though no known ransomware does this.
WORM technology provides even more security because once written, data cannot be deleted or modified until a pre-specified time has elapsed. Like a timer-lock on a vault, the data is protected from all attackers, even a malicious employee. Since ransomware works by encrypting data, placing data in storage that does not permit any alteration thwarts a ransomware attack.
WORM storage can help with malware detection, as well. Other approaches, such as data replication, might copy the malware code too, setting the stage for a recurrence of the attack in the protected infrastructure. With WORM storage, data is not replicated, so that possibility is effectively negated.
More work is required to design a truly ransomware-proof storage environment. But the WORM and versioning capabilities found in many object storage systems suggest the beginning of a practical response to the ransomware threat. Object storage can be readily deployed as a backup target with popular enterprise backup and archiving solutions, such as VERITAS, Commvault and Rubrik, making it a straightforward addition to an agency's data protection workflow.
Without more robust data protection, agencies may have to prepare for the worst – even setting up a bitcoin account from which to pay ransoms, as one security consultant joked at a recent conference. The quip failed to elicit even a nervous laugh. The audience understood the desperate need for more practical solutions than capitulation to the bad guys.
Jon Toor is chief marketing officer at Cloudian.