Ransomware


What Is Ransomware?

Ransomware, by definition, is a type of malware that cyberattackers use for monetary gains by blocking access to data or systems until the owner of the data or systems pays the ransom fee demanded. Increasingly, cybercriminals also threaten to publish or otherwise expose sensitive data unless owners pay, which is commonly known as data exfiltration. There are several types of ransomware, but the most common—and disastrous—is when malware encrypts files using cryptoviral extortion. This means files can’t be decrypted without a mathematical key held by the attacker. Even a security expert would not be able to unlock the files. Victims are typically notified about the encryption and asked for a ransom fee to be paid in an untraceable cryptocurrency such as Bitcoin.

What Should I Know About Ransomware?

Ransomware attacks aren’t new, but they have become increasingly popular, sophisticated, and costly to remediate. The target is data, which is both an organization’s most valuable asset and most vulnerable one, if cybercriminals set their sights on it. Attackers tend to choose organizations with troves of sensitive data that they need for daily operations—think financial firms, healthcare institutions, or government agencies, among others. Because more people than ever are working remotely, ransomware threats are rising and attackers are demanding higher fees to unlock data.

Because attackers seek big paydays, in addition to attacking the production system and data, cybercriminals are targeting backup data and infrastructure. They understand what you often consider to be your insurance policy—your backups—can also be a liability.

When it comes to ransomware, here’s what you and your organization need to know:

  • Cybercriminals are now aggressively targeting backup data to gain full control of your data, or worse, destroy it and interrupt business operations
  • As legacy backup products collect and store more data across silos, this mass data fragmentation creates an expanding attack surface that exposes more infrastructure to ransomware attacks
  • Early detection can help control ransomware. Vigilance against external attackers includes using modern backup with machine learning to detect bad behaviors and spot anomalies in real time
  • Should the worst case happen, you will need to recover backups quickly but with assurances that your restored data is clean. Lacking both visibility into your data and a snapshot that can’t be broken into makes a clean restore to a specific point in time more challenging
  • Long backup and recovery cycles add to ransomware pain. According to recent research respondents, the longer recovery takes, the less data is recovered

No matter when or by whom, a successful ransomware attack is a no-win situation. You will suffer some operational impact and, if it’s not taken care of early, reputational damage, whether or not you pay the ransom. Expert advice is not to pay, because in many cases you don’t get your data back anyway.

Since it’s now widely recognized that it’s not if, but when, you are attacked, how long a ransomware incident lasts and how much it affects your business can depend heavily on how you’ve architected your backups.

How Does Ransomware Work?

Today’s business success depends on robust digital capabilities. Cybercriminals exploit organizations’ dependency on data by launching ransomware attacks. This type of malware is often released into organizations by way of phishing attacks that get users to click on compromised links and through existing system software vulnerabilities. In each case, ransomware encrypts, or locks up, data and then attackers demand payment for the digital keys to unlock, or decrypt, it. The money organizations pay is called ransom, giving the malware the name ransomware. And cybercriminals are inventive, continually creating new types of malware to penetrate and encrypt systems for financial gain.

How Common is Ransomware?

By most accounts, ransomware is the fastest growing type of cybercrime, growing exponentially year over year. Ransomware in healthcare and financial services is particularly prevalent because the data contained in the systems of those industries is sensitive, and thus, considered more valuable to nefarious actors considering selling it on the dark web or elsewhere.

According to Cybersecurity Ventures predictions, ransomware will attack a business, consumer, or device every 2 seconds by 2031. The estimated cost—$20 billion in 2021 rising to $265B annually by 2031—of successful attacks includes downtime financial losses as well as productivity and reputational damage.

Common ransomware examples from 2021, as well as others detected over the last few years, include: REvil/Sodinokibi, Hades, DoppelPaymer, Ryuk, Egregor, BadRabbit, BitPaymer, Cerber, CryptoLocker, Dharma, GandCrab, Locky, Maze, MedusaLocker, NetWalker, NotPetya, Petya, SamSam, and WannaCry.

How Does Ransomware Spread?

Like the famed Trojan horse enabling soldiers to penetrate the fortress, ransomware allows hackers to take over another computer, server, or device. Once ransomware is in an IT environment, like a virus, it can quickly spread laterally—with east-west traffic—to other systems.

A newer ransomware method has been architected to enable “island hopping.” In this scenario, the organization already penetrated by ransomware unknowingly launches the malware from its internal systems into its customer or partner systems, effectively “hopping” to another organization. This approach brings cyber attackers a new victim without launching a new attack.

Unfortunately, lightning-fast changes in how and where malware appears now make it impossible for enterprises to combat each potential new attack, which is why they need a comprehensive, modern data management solution to defend backups against ransomware.

Can Ransomware Be Countered?

Yes. Organizations can pay the ransom to attackers, as many do, and get the “key” to unlock their data. But this is costly and does reputational harm.

Alternatively, IT teams can choose to thwart attackers and not pay ransom if they have a modern, multicloud data management platform for ransomware protection that safeguards their backups from becoming an attack target.

A powerful ransomware recovery solution, such as Cohesity, allows you to successfully recover your data as you stand up clean systems free of ransomware. It includes an immutable file system with read-only state snapshots that keeps data safe by ensuring backup data is never accessible to, or mounted for, external applications. Cohesity prevents ransomware from infecting the immutable snapshot.

Write-once-read-many (WORM)-like capabilities for backup from Cohesity also allow certain roles to set unchangeable DataLock policies on selected jobs. Each policy has a time-bound setting, enforcing data protection that cannot be deleted.

How Much Does Ransomware Cost?

Cybersecurity Ventures estimates the cost of ransomware to be $20B in 2021, rising to $265B annually by 2031. These damage estimates include downtime financial losses such as e-commerce revenue as well as negative operational productivity and reputational harm. Because of the high costs of an attack, organizations are now preventing ransomware with modern, multicloud data management solutions.

How Does Ransomware Infect a System?

Cybercriminals count on people to make mistakes, which is why the primary way ransomware infects a system is through email phishing attacks. Emails that carry ransomware, a form of malware, typically contain malicious attachments or a link to a compromised website where infected software is downloaded and installed onto a person’s system or device without that user’s consent or even knowledge. Once inside an organization, the ransomware can spread through exploited systems, across networks, and even to other companies, an attack mode now referred to as “island hopping.”

Cohesity’s Modern Approach to Ransomware Recovery

Because cybercriminals know how important your backups are, they are increasingly making them targets of ransomware attacks.

Cohesity has a multilayered way to prevent your backups from being victims of ransomware. Cohesity’s immutable architecture ensures that your backup data cannot be encrypted, modified, or deleted. Using machine learning, Cohesity provides visibility and continuously monitors for any anomalies in your data. And if the worst happens, Cohesity helps you locate a clean copy of data across your global footprint—including public multiclouds—to instantly recover and minimize downtime.

Protect backup – The immutable backup snapshots, combined with DataLock (WORM), RBAC, air-gap, and multifactor authentication prevent your backup data from becoming a target

Detect – Machine learning-driven intelligence establishes patterns and automatically detects and reports anomalies

Rapidly recover – Simple search and instant recovery at scale to any point in time gets you back in business fast. Cohesity’s unique instant mass restore quickly recovers hundreds of virtual machines (VMs) and large Oracle databases to reduce downtime
