Thursday, October 19, 2017

Ransomware extortion: The fightback starts now

by Jeff Denworth, SVP Marketing, CTERA

Ransomware has risen to global prominence in the past year as simple malware creation programs and encrypted payment methods make it easier and more lucrative than ever for criminals to hold data hostage. With US$1bn at stake this year organisations need to set a strategy for beating ransomware, writes CTERA’s Jeff Denworth.

In 2016 we have seen an exponential spike in ransomware activity. According to the FBI, ransomware attacks have increased 35-fold this year over 2015, resulting in an estimated US$209m paid out to cyber-criminals. If the growth curve continues, ransomware is on track to be a $1bn business in 2016.

Ransomware: a particularly insidious form of malware that holds its victims’ files hostage until a “ransom” – typically ranging from hundreds of dollars to hundreds of thousands of dollars – is paid.

Ransomware payments are collected by criminals via bitcoin transactions – typically $500 to $2,000 to unlock a single PC – and because bitcoin is pseudonymous it is difficult to know precisely how many ransoms have been paid. No organisation is immune: attacks have targeted hospitals, schools, government, law enforcement agencies and businesses of all sizes.


The growth is worrying but even as companies seek to combat it, ransomware criminals are developing new approaches. Two especially nasty tweaks to ransomware are starting to emerge:

  1. Some ransomware also copies data out of the victim’s network so that the criminals can sell it to interested third parties, enabling industrial espionage. Restoring from backup undoes the encryption but not that disclosure.
  2. There have been reports of victims paying ransomware attackers but never receiving the decryption keys for their PCs in return.

It is a developing situation, but that is no reason for organisations to delay putting countermeasures against crypto-malware in place. CTERA advocates following three key steps:

Step #1. Harden your endpoints and perimeter to minimise the chance of infection:

  • Patch operating systems and applications promptly and keep them up to date.
  • Train employees on ransomware and their role in protecting the organisation’s data.
  • Block macros in Office files received by email or downloaded from the internet; Office can enforce this by policy.
  • Limit write access to critical and rapidly-changing datasets to users who need it: ransomware can only encrypt what the infected account can write to.

Step #2. Back up all files and systems so that you never have to pay a ransom to recover from a crypto event.

  • Back up your endpoints and your file servers, and keep at least one copy that an infected machine cannot overwrite or delete; ransomware that can reach a backup share encrypts it too.
  • Implement lightweight, optimised data protection tools that minimise the recovery point, that is, the amount of work lost between the last good copy and the attack.

Step #3. Roll back to the most recent clean file versions using sync.

Steps #2 and #3 are intertwined: the most effective way our customers have found to mitigate a ransomware attack is to combine enterprise-grade data protection tools with file sync technology.

This combination of backup and sync might not seem intuitive at first, especially since file sync and share is increasingly being viewed as a form of backup. While we don’t entirely agree with that view – given the need for backup tools that can protect entire systems and system profiles – sync does play a crucial role in ransomware remediation.

Consider that legacy backup software typically runs at backup intervals – the time between backup cycles – of 12 to 24 hours. When an organisation “rolls back” to a clean state with such tools, everything saved since the last cycle is lost: an entire business day or more. Even the most efficient modern backup solutions default to intervals of four to eight hours, so up to a working day’s changes are still at risk and the same problem persists.

This is where sync technology adds an “event-based” data protection component that shrinks the blast radius of a ransomware attack. Enterprise File Sync and Share (EFSS) tools create an incremental version of a file each time it is changed and saved, so data is protected per event (a file save) rather than per schedule (a pre-defined backup interval).

CTERA Enterprise File Sync and Share can publish and version file updates in less than five minutes. In the event of a ransomware attack, customers first restore systems and workstations from CTERA Backup, then restore the affected folders from the versions held in CTERA EFSS, bringing files back to the most recent clean state. The rollback target must be the last version saved before the encryption began, so identifying when the malware started rewriting files is part of the recovery.
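The recovery-point argument above is easy to check with a simulation. The following is an added example, not CTERA code and not a model of any CTERA product: it records a constructed day of file saves in a toy event-based version store, locates the minute at which a simulated ransomware process starts rewriting files, and compares how much work a scheduled backup loses with how much per-save versioning loses. The file names, save times, detection window and threshold, and the five-minute publish delay are all assumptions chosen for the illustration.

```python
"""
Added example (not CTERA code): simulate the recovery point after a ransomware
event for (a) a backup that runs on a fixed schedule and (b) event-based
versioning that records every save and publishes it within a short delay.

Times are minutes since 00:00.  All file activity is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Version:
    saved_at: int
    content: str


@dataclass
class VersionStore:
    """Event-based store: every save appends a version (EFSS-style)."""
    history: Dict[str, List[Version]] = field(default_factory=dict)

    def save(self, path: str, content: str, at: int) -> None:
        self.history.setdefault(path, []).append(Version(at, content))

    def state_at(self, path: str, t: int) -> Optional[Version]:
        """Latest version of `path` saved at or before minute t, or None."""
        older = [v for v in self.history.get(path, []) if v.saved_at <= t]
        return older[-1] if older else None

    def saves_between(self, start: int, end: int) -> int:
        """Number of saves with start <= saved_at < end, across all files."""
        return sum(1 for vs in self.history.values() for v in vs if start <= v.saved_at < end)


def detect_mass_change(store: VersionStore, window: int, threshold: int) -> Optional[int]:
    """Find the minute at which encryption began: the first write after which
    at least `threshold` distinct files are rewritten within `window` minutes.
    Bulk rewrites of a tree look like this; normal editing does not.  Both
    parameters are tuning assumptions for this example, not values from the article."""
    writes = sorted((v.saved_at, p) for p, vs in store.history.items() for v in vs)
    for i, (t0, _) in enumerate(writes):
        touched = {p for t, p in writes[i:] if t < t0 + window}
        if len(touched) >= threshold:
            return t0
    return None


def scheduled_recovery(store: VersionStore, interval: int, t_enc: int) -> Tuple[int, int]:
    """Roll back to the last scheduled snapshot taken strictly before t_enc.
    Snapshots fire at 0, interval, 2*interval, ... and capture the state at
    that minute.  Returns (minutes of work exposed, saves lost)."""
    last_clean_snapshot = ((t_enc - 1) // interval) * interval
    return t_enc - last_clean_snapshot, store.saves_between(last_clean_snapshot + 1, t_enc)


def versioned_recovery(store: VersionStore, publish_delay: int, t_enc: int) -> Tuple[int, int, Dict[str, str]]:
    """Roll every file back to its last version published before encryption
    began.  Saves made within `publish_delay` of t_enc are assumed not to have
    reached the server yet, so they count as lost too.  Returns
    (minutes exposed, saves lost, recovered {path: content})."""
    cutoff = t_enc - publish_delay
    recovered: Dict[str, str] = {}
    for path in store.history:
        v = store.state_at(path, cutoff - 1)
        if v is not None:
            recovered[path] = v.content
    return publish_delay, store.saves_between(cutoff, t_enc), recovered


def build_sample_day() -> VersionStore:
    """Constructed timeline: three files edited through the day, then a
    ransomware process rewrites all of them starting at 17:40 (minute 1060)."""
    s = VersionStore()
    for t in (540, 630, 830, 1010, 1055):
        s.save("report.docx", f"report v@{t}", t)
    for t in (555, 720, 980, 1040):
        s.save("budget.xlsx", f"budget v@{t}", t)
    for t in (660, 1050):
        s.save("notes.txt", f"notes v@{t}", t)
    s.save("report.docx", "ENC:7f3a", 1060)   # simulated encrypted content
    s.save("budget.xlsx", "ENC:c19e", 1060)
    s.save("notes.txt", "ENC:02bd", 1061)
    return s


if __name__ == "__main__":
    store = build_sample_day()
    t_enc = detect_mass_change(store, window=3, threshold=3)
    print(f"encryption detected at minute {t_enc}")
    for interval in (720, 240):
        exposed, lost = scheduled_recovery(store, interval, t_enc)
        print(f"scheduled backup every {interval:4d} min: {exposed:3d} min exposed, {lost} saves lost")
    exposed, lost, files = versioned_recovery(store, publish_delay=5, t_enc=t_enc)
    print(f"event-based versioning (5 min publish): {exposed:3d} min exposed, {lost} saves lost")
    for path, content in files.items():
        print(f"  {path}: {content}")
```

Run as a script, the 12-hour schedule loses six saves and exposes 340 minutes of work, the 4-hour schedule loses five saves and 100 minutes, and per-save versioning loses only the one save that fell inside the assumed five-minute publish window. The mass-change detector is deliberately conservative: it is better to roll back to a slightly earlier clean version than to restore a file the malware had already rewritten.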

So, yes – back up everything you can: your systems, servers, databases, etc. But by adding file sync to your ransomware protection strategy, you can minimise your business outage while saving hundreds of thousands of pounds in ransom.

The only way to end the spread of ransomware is to put in place safeguards that remove the need to pay cyber-criminals to regain access to our data and our systems. Whether you choose CTERA tools or any number of other approaches to safeguarding your organisation, decide to be prepared, and please don’t delay.