Ransomware is no longer just an IT challenge. Instead, it has reached board rooms and beyond. Today’s sophisticated cyber attacks impact our everyday lives — from attacks on hospitals to disruptions to gasoline and food supplies.
These attacks are not just increasing in frequency and velocity; cybercriminals are also becoming extremely aggressive and have changed their tactics over time. To guarantee a monetary payout, they are going beyond encrypting production and backup data: they now also steal (more technically, “exfiltrate”) an organization’s sensitive data and threaten to expose it on the dark web, in so-called “double extortion” schemes.
So How Did We Get to This Point?
We can attribute the rise of ransomware attacks to the increased adoption of cryptocurrency, such as Bitcoin, Ethereum, and many more. In many ways, cryptocurrency has enabled cybercriminals to accelerate their criminal enterprise. It has allowed them to launch their attacks anonymously, demand untraceable payments, and easily collect the ransom; hence the rise of the first generation of ransomware or what I’ll call “ransomware 1.0” — the WannaCry era.
Ransomware 1.0 variants like WannaCry targeted and encrypted production data. Backup systems quickly became the de facto solutions to address ransomware 1.0 threats. Organizations that periodically protected their data with solutions like Cohesity could quickly respond to the attacks and recover without paying any ransom.
Cohesity’s security-first architecture helps organizations protect and rapidly recover their critical data from both natural and human-engineered disasters like ransomware. Unique capabilities like fully hydrated snapshots, combined with a distributed architecture with MegaFile parallel ingestion, as well as machine learning-based anomaly detection, allow Cohesity customers to defend against ransomware 1.0. The solution enables customers to quickly discover a potential attack on their production data and instantly recover hundreds of VMs, NAS, and Oracle data to reduce downtime and data loss.
While restoring data from backup tools initially allowed organizations to avoid paying the ransom, it forced cybercriminals to change their tactics. In addition to user and production data, cybercriminals evolved to also start targeting the backup data and systems, leading to the rise of “ransomware 2.0”.
Cybercriminals used ransomware 2.0 variants like DarkSide and Ryuk to aggressively attack the backup data sets stored on various legacy backup providers. Upon analyzing DarkSide’s source code, security researchers found code designed to disable or delete the data on some legacy backup solutions, security services, and critical Microsoft services like VSS, SQL Server, prior to unfolding an attack on production copies of data.
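As an added defensive illustration (not Cohesity’s code and not a description of DarkSide’s internals), the following Python flags a burst of stop events for shadow-copy, SQL Server and backup services on a single host, the kind of precursor the paragraph describes. The log format and host names are constructed for the example; Event ID 7036 is the real Service Control Manager “service entered the stopped state” event.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: "timestamp host eventid service-name state".
# Three protected services stop within seconds on WS-FIN-07; DB-02 shows a
# single routine stop that should not alert.
SAMPLE_LOG = """\
2021-03-10T02:14:01 WS-FIN-07 7036 Volume Shadow Copy stopped
2021-03-10T02:14:03 WS-FIN-07 7036 SQL Server (MSSQLSERVER) stopped
2021-03-10T02:14:04 WS-FIN-07 7036 Backup Exec Agent stopped
2021-03-10T09:00:00 WS-FIN-07 7036 Print Spooler stopped
2021-03-10T11:30:00 DB-02 7036 SQL Server (MSSQLSERVER) stopped
"""

# Service-name fragments a defender cares about (assumed list, extend per site).
WATCHED = ("volume shadow copy", "sql server", "backup")
WINDOW = timedelta(minutes=5)   # how close together the stops must be
THRESHOLD = 3                   # how many watched stops trigger an alert


def parse(line):
    """Split one constructed log line into (timestamp, host, event id, service, state)."""
    ts, host, eid, rest = line.split(" ", 3)
    service, state = rest.rsplit(" ", 1)
    return datetime.fromisoformat(ts), host, eid, service, state


def is_watched(service):
    return any(fragment in service.lower() for fragment in WATCHED)


def find_bursts(log, window=WINDOW, threshold=THRESHOLD):
    """Return {host: [services]} for hosts where >= threshold watched services
    entered the stopped state within one window (Event ID 7036)."""
    per_host = defaultdict(list)
    for line in log.strip().splitlines():
        ts, host, eid, service, state = parse(line)
        if eid == "7036" and state == "stopped" and is_watched(service):
            per_host[host].append((ts, service))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            run = [svc for ts, svc in events[i:] if ts - start <= window]
            if len(run) >= threshold:
                alerts[host] = run
                break
    return alerts


if __name__ == "__main__":
    for host, services in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {host}: {len(services)} protected services stopped: {services}")
```

In production the same logic would consume Event ID 7036 records from a SIEM or Windows Event Forwarding rather than a text export, and a stop burst on a backup server should be treated as a possible pre-encryption step rather than routine maintenance.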
One of the many hospitals affected, Sky Lakes Medical Center, a leading health care provider and a Cohesity customer, was hit by the Ryuk ransomware variant. The attack impacted 70% of Sky Lakes’ IT operations, including their legacy backups. Fortunately, as part of their IT modernization efforts, Sky Lakes had deployed Cohesity, which withstood the attack and allowed them to recover the data that Cohesity protected without paying any ransom. How?
Cohesity’s next-gen data management platform is powered by the Cohesity Threat Defense architecture, whose first two layers deliver data resiliency (encryption framework, fault tolerance, and immutable backups) and strict access controls (MFA, granular RBAC, auditing, continuous monitoring, and more). This architecture helps organizations protect both their backup data and the platform itself against ransomware 2.0 variants.
Ransomware attacks are generally disruptive, but data exfiltration takes the threat to another level. According to IBM Security, the average cost of a data breach is nearing $4.24M. Beyond the direct costs of remediation, regulatory penalties, and victim outreach, this figure includes the damage a breach does to a business’s brand and reputation with customers, suppliers, partners, and employees.
Earlier in 2021, a global computer manufacturer from Taiwan, Acer, was reportedly hit by REvil, a ransomware 3.0 variant. For several reasons, this attack made the news headlines.
To date, this was the largest known cyber ransom demanded: $50M.
The attack went beyond the standard data encryption. Before encrypting a sizable data set, cybercriminals exfiltrated proprietary and customer data.
Acer was faced with double extortion. The organization had to deal with both data encryption and stopping their proprietary and customer data from being leaked.
To help reduce the blast radius of ransomware, Cohesity incorporates zero-trust principles into its underlying architecture — but goes beyond to offer additional value. In addition to data resiliency and robust access control, Cohesity’s threat defense architecture helps organizations converge data security and data governance. Cohesity DataGovern, a SaaS-based solution, will help organizations:
Identify and discover where sensitive data resides across both primary and secondary repositories. The discovery of sensitive data will go beyond relying on metadata and file extensions. The solution will rely on accurate, content-aware classification techniques to minimize false positives when it comes to properly identifying where your most valued data assets reside.
Once classified, the data can be analyzed against various regulatory and compliance frameworks to identify hot spots or over-exposed areas.
Next, the organization can invoke a remediation workflow to address business risk and exposure as a preventative measure against data exfiltration.
And finally, the service offers AI-based user and entity behavioral analytics and continuous monitoring. With near real-time alerts, organizations can detect when and what sensitive data is accessed by bad actors who may have compromised legitimate user credentials — as well as malfeasant insider activity to help stop any attempt to exfiltrate data out of the organization.