It might only be the sixth week of 2020, but already across the globe, we’ve seen a number of sophisticated ransomware attacks on organisations. Sodinokibi, Maze, Megacortex, and BitPyLocker, have all been tools used to deliver attacks, and in France, a very public discussion has begun after comments at the International Cybersecurity Forum (FIC) in Lille, France last week.
Most recently French building firm, Bouygues Construction, has confirmed it was a victim to a ransomware attack, which has forced it to shut down its IT systems. The organisation is actively working to resolve operations and minimise the impact on its customers and partners after 700,000 gigabytes of data were apparently stolen by The Maze Group, a hacker group behind the attack.
I recently spoke to major French radio station RTL about the Bouygues Construction attack. They were keen to know how prevalent ransomware is and what we can expect.
What we’re seeing today is the implementation of ransomware platforms where some budding pirates have the capacity to deposit their ransomware and distribute it on a large scale, as a service. Ransomware as a Service (RaaS) has been around for some years and is frightfully worrying. No longer is an attack based on code written by a group or individual, cybercrime is such an industry that attackers are profiteering from creating kits that can be deployed en-mass by unskilled individuals to harass and extort from victims. There is very much a business behind the business.
So in fact, we can expect to see more and more malicious acts. And now, companies must act fast to put in place solutions to prevent this from happening to their IT infrastructure. But what technologies should you be looking to build resilience against ransomware attacks?
Modern ransomware attack prevention requires a multi-layered defense approach that completely isolates production data from backup copies, and Cohesity offers that with the combination of:
Immutable File System: At its core, Cohesity’s immutable file system, SpanFS, keeps the backup jobs in time-base immutable snapshots. The original backup job is kept in an immutable state and is never made accessible, which prevents it from being mounted by an external system. The only way to mount the backup in read-write mode is to clone that original backup, which is done automatically by the system. Although ransomware may be able to delete files in the mounted (read-write) backup, it cannot affect the immutable snapshot.
DataLock: DataLock is a WORM-like capability that offers another layer of protection against a ransomware attack. This capability enables security officers to create and apply a “Datalock” policy to selected jobs and achieve a higher order of immutability for protected data – something that security officers – and admins – cannot modify/delete. This feature integrates with RBAC, eliminating the need for third-party tools.
CyberScan: Available now on the Cohesity Marketplace, the application works by scanning backup copies (instead of the live production copy) to identify any cyber exposures across an organisation’s production IT environment. This includes the operating system, computer, network devices, and configurations. The application gives a global view of all vulnerabilities through an easy-to-read security dashboard along with actionable recommendations on how to address exposures before hackers exploit them. This includes (but isn’t limited to) helping organisations ensure they are regularly updated with relevant security patches in order to ensure that cybercriminals can’t take advantage of known vulnerabilities to gain access to networks and distribute ransomware.
And, as a matter of course, organisations should ensure they test their systems for resilience and run recovery tests on a regular, at least monthly, basis to ensure processes are in place when the worst happens.
Enterprise-scale organisations need to realise the scale of the job in hand when attempting to restore after a ransomware attack happens. Large scale backup restorations involve a large amount of data. It is unfeasible for some businesses to maintain operations while a project of this scale to restore is underway.
Education on cybersecurity basics is often a tickbox exercise featuring a tedious corporate video, and the learnings are rarely remembered. This is an area every business can improve on, and much more should be done. Awareness movements are being developed, but it isn’t moving fast enough. In France, this Umbrella movement is helping to build awareness, but much more must be done to ensure all staff understand the damage that clicking an infected email link can do.
For Bouygues Construction, the company is taking time to ensure it restore its systems back efficiently and correctly after choosing to not pay the ransom. The average number of days it takes for organisations infected with ransomware to restore networks is now up to over 16 days. It is common for the cost of restoration to be over ten times greater than the price of the ransoms. The average ransom is below $8,000, but the average cost to the business is over $84,000 according to a new report from Coveware. Previous figures from Sophos suggest it was over $113,000 and that over 54 percent of businesses have had a ransomware attack. It is a crisis on a level greater than the common cold.
A statement from Bouygues Construction said, “Our teams are currently fully focused on returning to normal as quickly as possible, with the support of experts. Installations are progressively being put back into service after being tested. Operational activity on our construction sites has not been disrupted to date. All our personnel is working flat out to ensure that our operations continue as smoothly as possible under these conditions, so that impact on our customers and partners is minimised. We are in close contact with them and with the relevant authorities.”
The Maze Group is a particularly challenging group, and it has a website where it lists all of its victims that haven’t paid a ransom, and slowly releases data to force payment. An update from the French construction firm is expected soon.
Risks related to cybersecurity and data governance are now the top concerns of chief audit executives and corporate boards. Something has to give, and either uncertainty around cybersecurity and data handling will seriously impact business performance, or CEOs and business leaders will develop ways of managing this risk better and with more transparency. Those who can achieve growth will view cybersecurity as necessary and (potentially) equal to other fundamental business concerns, such as finance and HR.
To learn about what Cohesity can do to help you prevent ransomware attacks, take a look at these details and get in touch with us.