News/Trends, Tech/Engineering, Product

How to Undo the Voodoo of A Ransomware Attack

Jennifer Deming Burnham

Ransomware attacks are on the rise, impacting not just Windows systems but Android and Macs as well.  These incidents can leave organizations flat-footed and defenseless, with little option but to pay up or lose access to sensitive data. What many don’t realize is that a solid backup plan is the best prescription to address the threat of ransomware.

“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” said the CEO of Hollywood’s Presbyterian Medical Center. This unfortunate statement was made following the recent ransomware attack that left the hospital’s systems locked, its files encrypted, and the organization with no good options. Backed into a corner, the hospital was forced to pay $17,000 in bitcoin to obtain a decryption key to recover its precious healthcare data, including patient records, x-rays, and other important files. Ouch. 

While that sounds as bad as it can get, in this case, the hospital was relatively lucky; they were able to regain access by the following Monday. But many victims of ransomware never recover their data, even when they are willing to pay the ransom. The affected files might get altered in the process of decryption, or the attackers might not follow up on their promise to restore the data. And that back-and-forth with your attacker while restoring your data? Awkward.

Even if your company pays the ransom and gets the key to recover, there is a very high risk of data theft. Do you really think you can trust the person who encrypted all your data and held it for ransom to not try and steal it for other reasons?

Incidents of ransomware attacks are on the rise, and attackers are in it for the money. Between mid-March and late-August 2014, for example, more than 600,000 systems were infected with the CryptoWall variant of ransomware, according to research conducted by managed-security firm SecureWorks. Indeed, the FBI estimates that CryptoWall attacks accrued over $18m by June 2015. This past weekend, Apple customers, once thought less vulnerable to malware, were also targeted in an attack. 

Healthcare institutions like Hollywood Presbyterian are believed to be particularly attractive targets, according to the FBI, because their records contain much sought-after PHI and PII (personally identifiable information), which goes for a bounty on the black market. Making matters worse, the bureau warned in a private notice to the industry in April 2014, healthcare providers lag behind the financial and retail sectors in cybersecurity, increasing the likelihood of hacks. The Hollywood Presbyterian incident is not an isolated one; in July 2015, hackers may have accessed as many 4.5 million patient records in UCLA Health System’s computer network.

Is user training able to stop a Trojan Horse in its footsteps?

Given that most malware is often delivered via a payload disguised as an email link or attachment, organizations should simply train employees to stop clicking on suspicious emails, right? Unfortunately, ransomware efforts are getting harder to detect, appearing as well-worded emails from banks or colleagues and often staying dormant like a time bomb after propagating through your internal network, making the original source harder to pinpoint.

An increasingly mobile workforce only escalates the risk. While many companies are protected by a corporate firewall, viruses can be introduced when employees go off the main network or use their systems more casually during downtime. A crafty hacker could easily figure out how to infect a system on an unsecured network.

While end user awareness and training has its role, it relies on the full compliance of busy and ever more mobile employees… and we all know what could go wrong when you rely on your employees as your last line of defense.

Ransomware attackers are capitalizing (literally) from the weak state of data protection in organizations today. In reality it is not a question of if a system will be attacked, but when. Until companies plan for this and take steps to build in resilience to their data protection strategy, they will continue to find themselves in compromising positions, like Hollywood Presbyterian.

Backup is the best prescription to address ransomware

But there is good news. An organization’s negotiation stance increases significantly when a comprehensive data protection plan is already in place; specifically, one that includes automatic and continuous backups of data across servers, laptops, and cloud apps.

A recent article on the Hollywood Presbyterian incident agrees. “Ransomware is, in short, one of the easiest hacks to avoid. A solid backup, even one made a few days before the ransom software is run, is one way to prevent things like this before they start.”

The key is to make client backup so highly efficient and unnoticeable to the end user that they are being protected without even knowing it. Druva’s inSync, for example, ensures that there is always a recent copy of data available for restores, even if the hardware is locked forever. After a ransomware event, an admin can leverage the time indexed view of stored data to revert back to an instance before the corruption happened. From there, an end user can self-restore their data, along with personal settings and bookmarks, from any new device in a few clicks. It is even possible to do a single file restore if that is all that is needed. Thus, what would otherwise cause weeks of drama and headlines becomes, for those using the right backup solution, a resilient and ready response that (relatively) painlessly undoes the voodoo.

Clearly, whether data loss comes in the form of a careless Ctrl-A Delete, malware, ransomware, or human error, this secondary copy of data across the organization will come in handy.

On top of its restore capabilities, Druva inSync also brings increased visibility into the sensitive data residing on devices, such as PII, PHI or HIPAA-related data. In this way, IT admins and security leaders can understand where sensitive data resides, minimize its risk, and take a more proactive approach to incident response. Says Prem Ananthakrishnan, Director of Product for inSync, “Despite all the measures you take, bad things happen. The best you can do is be aware and prepared to respond. We are working on some interesting ideas that will help our customers better understand the security posture of their end user data and take action.”

Unfortunately for Hollywood Presbyterian, this insight came far too late.

For more articles on this topic, we suggest:

Five Things You Need To Know About Ransomware. Read here.
Is IT Ignorant When It Comes To Compliance? Read here.
Cloud and Mobility: a Nightmare for Information Governance? Read here.

To learn actionable tips on how to address the growing risks of dispersed data across your organization, download our latest report below.