Disruption of this scale ranks as one of the worst-case scenarios for an organisation struck by ransomware, but it is also likely to be the first of many more attacks. The attack on Garmin was not only a big payday for cybercriminals, but it also proved that big corporations are not immune to large-scale cyber attacks. In fact, the Garmin attack shows that enterprise targets are ideal for cyber criminals looking for payouts.
The plague of ransomware
One of the most common types of ransomware is called “crypto ransomware.” Once it infects systems, crypto ransomware moves to encrypt business-critical information: this could be just a few valuable files, or the contents of an entire disk. Once encrypted, the data’s rightful owner is unable to access their files, and the ransomware operator demands the victim pay a ransom to gain access to the decryption key. If your data isn’t backed up somewhere, you risk losing all of it or being forced to pay a hefty ransom to regain access.
In Britain, nearly three out of every five companies struck by ransomware choose to pay their attackers, with the average ransomware payout being $84,116 in Q4 2019. However, when it comes to damage done, the payout is just the tip of the iceberg. By locking users and organisations out of their data, ransomware can grind business operations to a halt for days or weeks. Once you recognise that the damage done to regular business activity is the true danger of ransomware, it’s easy to see why companies are tempted to pay up - before the pandemic, the total cost to business operations inflicted by ransomware attacks globally was projected to be $11 billion.
Backups tackle ransomware
If attacked by ransomware, the fastest way an organisation can bring an end to downtime while also avoiding paying a ransom is to use backups to restore the affected data. However, this raises the problem of keeping the backups themselves secure, since no single backup is necessarily immune from being struck by ransomware.
However, your organisation can use backups to build resilience through making sure you have multiple redundant backups at hand. This means storing multiple versions of your data, and ensuring that backup copies are kept separate from one another. A common rule to help guarantee you have adequate redundant backups is the 3-2-1 rule: you should keep three copies of your data, with two on different media formats, and one of those should be off-site.
The last part of the 3-2-1 rule - the need to keep a backup off-site - is important as it allows you to put distance between your day-to-day operations and your backup copy, creating what we call an “air-gap”. Such an air-gap allows you to protect the backup more stringently than if it were bound to your own network.
However, air-gapping can present problems of its own. If you do need to restore data from an air-gapped backup, you traditionally would have needed to wait a significant amount of time to receive the data from that backup - a wait that could have been in the order of days. Those several days of business downtime spent restoring a lost backup could represent a death blow to an organisation.
The cloud is best suited to air-gapping
Thankfully, the rise of object cloud storage has changed this paradigm. Cloud data centres are online and staffed 24/7, meaning that organisations can have near-instant access to their data. In addition, storing your backup in the cloud also allows you to benefit from an independent layer of protection, in the form of constant on-site surveillance and modern security protocols.
However, data in the cloud can still be affected by ransomware. This is because most ransomware attacks arise from within an organisation’s own premises, such as through infected USB drives, email attachments, or misclicked URLs. Once this ransomware is in your system, it can easily be accidentally uploaded to your cloud via a backup. This means that if recovery points aren’t available, then your cloud backup can be rendered useless.
Many ransomware operators are aware of the centrality of cloud backups to an organisation’s cybersecurity strategy, and intentionally work to target cloud backups before deploying their ransomware packages. One such strategy is to gain access to a company network via an exposed remote desktop service, discover the organisation’s cloud credentials, and then delete the company’s cloud backups.
Immutability for your cloud backups
One of the best ways you can stop cybercriminals tampering with your backup - whether intentionally or unintentionally - is through ensuring you work with a vendor that provides an immutability option for your data. When you enable data immutability, you ensure that data you store with your cloud provider cannot be deleted or altered by anyone during a specified retention lifetime.
Immutability helps to prevent ransomware rewriting your backup via encryption, while also stopping remote access and deletion by an attacker who’s gained access to your cloud credentials. In addition to the security benefits, a data immutability option also helps organisations comply with regulatory requirements like GDPR, which require organisations to ensure that data regarding external stakeholders is carefully handled and disposed of.
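The following is an added example, not part of the original article: it audits a backup inventory against the 3-2-1 rule and the immutability requirement described above, then picks the newest recovery point that predates an infection and is still under lock. The record fields, copy names and dates are constructed for illustration and do not correspond to any vendor's API.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass(frozen=True)
class DataCopy:
    name: str
    medium: str                       # e.g. "disk", "object-storage"
    offsite: bool
    taken_at: datetime                # recovery point timestamp
    locked_until: Optional[datetime]  # end of immutability retention; None = mutable

def locked(c, now):
    return c.locked_until is not None and c.locked_until > now

def audit_3_2_1(copies, now):
    """Return findings; an empty list means 3-2-1 plus a locked off-site copy."""
    findings = []
    if len(copies) < 3:
        findings.append("fewer than three copies")
    if len({c.medium for c in copies}) < 2:
        findings.append("fewer than two media formats")
    offsite = [c for c in copies if c.offsite]
    if not offsite:
        findings.append("no off-site copy")
    elif not any(locked(c, now) for c in offsite):
        findings.append("no off-site copy under an active immutability lock")
    return findings

def safe_recovery_point(copies, infected_at, now):
    """Newest copy taken before the infection whose lock has not lapsed.
    Copies taken later may already hold encrypted data; copies whose lock
    expired could have been altered or deleted with stolen credentials."""
    ok = [c for c in copies if c.taken_at < infected_at and locked(c, now)]
    return max(ok, key=lambda c: c.taken_at, default=None)

# Constructed inventory and dates, for illustration only.
NOW = datetime(2024, 3, 10, 12, 0)
INFECTED_AT = datetime(2024, 3, 8, 9, 0)
INVENTORY = [
    DataCopy("primary", "disk", False, NOW, None),
    DataCopy("nas-nightly", "disk", False, datetime(2024, 3, 9, 23, 0), None),
    DataCopy("cloud-03-09", "object-storage", True, datetime(2024, 3, 9, 23, 30), datetime(2024, 4, 8)),
    DataCopy("cloud-03-07", "object-storage", True, datetime(2024, 3, 7, 23, 30), datetime(2024, 4, 6)),
    DataCopy("cloud-02-01", "object-storage", True, datetime(2024, 2, 1, 23, 30), datetime(2024, 3, 2)),
]

if __name__ == "__main__":
    print(audit_3_2_1(INVENTORY, NOW))
    print(safe_recovery_point(INVENTORY, INFECTED_AT, NOW).name)
```

The most recent cloud copy is skipped because it was taken after the infection time, which is why the retention lifetime needs to be longer than the time an intrusion can go unnoticed.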
Preparation is the best weapon against ransomware
While there is a burgeoning market of decryption and anti-malware tools available to fight ransomware operators, these cybercriminals are very adaptable and their tactics are continually developing. The best way to keep ransomware operators at bay is to have redundancy and resilience when you are hit.
That's why frequent backups are necessary, with at least one safe off-site backup being crucial to bouncing back anytime there is an attack. If time is the concern, you should make sure that off-site backup is located in the cloud. To ensure that you secure the air gap between your active data and your backup, you should then take advantage of immutability capabilities offered by your cloud provider.
Although you can’t control ransomware operators, you can influence how you plan and react to them when they do strike. By following through on the above, you can make sure a ransomware attack - if and when it happens - is a minor annoyance, and not a debilitating crisis.