We live in unprecedented times with the implementation of state and nationwide lockdowns. People across the globe are switching to working from home and collaborating in new ways. Zoom, Slack, VPN, and Cloud are a part of our daily lexicon for work, study, and social events like virtual happy hours, weddings, or graduations.
The surge in volume of users who are new to online collaboration tools are easy pickings for a malicious attack. Bad actors look to take advantage of the situation. Hackers scan for unsuspecting newbies to online collaboration or anxious people who are craving positive news in the midst of the gloom. Email, mobile, and web attacks that start with a juicy news link or even an offer to deliver medication can result in an attack. One of the most severe attacks is a ransomware attack like Revil (Sodinokibi) which targets VPN and remote gateways that are commonly used for online access to corporate data.
With a ransomware attack, a bad actor gets access to data that belongs to unsuspecting individuals or vulnerable systems. Our healthcare systems are at heightened risk of such an attack during these times of COVID-19. In fact, a Corvus report states that ransomware attacks on healthcare IT systems rose a whopping 350 percent in Q4 2019. Ransomware attacks such as Zeppelin infiltrate into healthcare via the supply chain management systems. When such an attack occurs, the attacker downloads code that encrypts the data on the machine of this teacher or any system they are connected to, say the patient information database for the hospital group. This data is locked out and the attacker holds the keys to the encryption. Unless the hospital pays up hefty ransom their data is compromised or lost. Even more sneaky hackers can inject advanced persistent threats that don’t encrypt or lock immediately but crawls its way into data awaiting instructions from a command and control system that the hacker can push the button on at any time.
A ransomware attack can cause days of unplanned downtime that costs businesses billions of dollars, hefty fees, compensation, and loss of brand value for any business. In the case of hospitals, it could be the difference between life and death if critical diagnostic data is not available at the right time to make decisions.
Prevention of such attacks is the best defense against ransomware. Unauthorized access to the data can be prevented in different ways. One of the ways is to reduce the blast radius by converging data into the fewest pieces of infrastructure to ensure better controls. The other is to ensure robust role-based access control securing access for writes into data. The third is to lock down data sources with multi-factor authentication that need a user identity, password, and device or certificate to authenticate. Stored data in production or backups should be protected so that new write operations are restricted and clean copies of data prior to new writes are retained for recovery. Policy-based data isolation to another immutable physical or virtual location can offer additional protection against ransomware attacks.
Prevention is necessary but often not sufficient as attackers find ways to fly under the radar. This is mostly due to carelessness or not being able to take preventive measures at all times, such as during this COVID-19 attack. IT is not able to access laptops to be able to force install the latest security patches, like the one we just got for Zoom, or enforce controls. So, it is required to complement prevention with early detection of a potential attack and enabling quick response to an attack.
There are many different ways of detecting a ransomware attack. Most enterprises have a robust backup strategy where data from servers and filers are backed up at least once a night. Any large change between two adjacent backups might indicate a red flag. Data ingested into backup solutions are typically compressed or de-duplicated—if there is a huge change to ingested data, that’s another red flag. Any changes to entropy or randomness of stored data can indicate encryption of data stored, a typical signature for ransomware. Once detected, all key players in the enterprise IT and Infosec teams need to get notified immediately via multi-channel alerts: mobile, email, and UI or API.
Once these anomalies are detected and users notified, it is key to be able to enable the business to minimize downtime. This is done by restoring data to a known good point in time. Depending on the size of the deployment, recovery, testing, and bringing systems back up could normally take a while and heighten the losses to a business. So, it is crucial to invest in a disaster recovery or backup solution that can restore production systems quickly, correctly, and efficiently. Post recovery, it is crucial to present evidence of an attack including the signals, dataset made inaccessible and data access logs presented to law enforcement to report the bad actors for cyber-crime.
The phrase, “Prevention is better than cure” rings true today more than ever. Getting attacked with ransomware can be very stressful. However, with the three-pronged strategy of prevention, early detection, and recovery, we can avoid extended downtime, hefty ransoms, and customer SLAs.