When paying the ransom is not an option

Published on: February 9, 2023. Categories: Dell Technologies, Security

Yes, yet another article, post, or whatever reminding you about the criticality of taking ransomware very seriously.  It is a real threat that everyone is susceptible to, regardless of what you or your business does or its size[1], and regardless of whether your infrastructure is in the cloud or on-prem.  We are all targets, if for no other reason than to steal our identities or other privileged knowledge we may possess, which is then used to commit additional crimes.  But there is some honor amongst thieves: paying the ransom more often than not guarantees that you will receive the decryption steps, since that is literally the entire business model for these organizations, and the moment any one of them fails to deliver, no victim will pay ever again, anywhere, as that word will spread like wildfire.  But, let's be honest, the decryption isn't instantaneous, nor is it guaranteed.  On average, only about 65% of data is recovered[2], especially when the decrypters crash or fail, sometimes forcing victims to try to write their own after having extracted the decryption keys from the faulty application.

Now that we've level-set on a few things, let's also acknowledge that before Bitcoin started trading at its current levels, one could try to make a fiscal argument for paying a ransom of one or several of that cryptocurrency instead of investing in a solid data protection strategy.  Of course, by no means am I suggesting that aiding and abetting what is tantamount to terrorism, which law enforcement will always advise against, should in any way be considered a sound disaster recovery strategy, but the numbers did speak for themselves, then.  They no longer do, so sticking one's head in the sand is no longer, not that it ever really was, a viable or wise approach to safeguarding data.  It is also important to point out that public entities are, or are about to be, forbidden by statute to pay any ransom, or even to use public monies to pay insurance premiums so that those companies can then pay the ransom on the agencies' behalf.[3]

So now let's realize that the whole paradigm has shifted: Bitcoin value and ransom demands have skyrocketed, while the cost of proper measures to combat ransomware has come down and is very much within reach of even the very smallest organizations.  What should we do then?  First and foremost, we need to educate our users to look for the tell-tale signs of phishing (THE most common avenue of compromise[4]) using platforms such as KnowBe4.  Second, we need to make sure that our data is recoverable in the event of encryption in our production environment.  A couple of ideas jump out here.  The first is the tried-and-true notion of having good backups.  Traditional backup methodology has improved dramatically through purpose-built hardened backup target appliances such as DellEMC PowerProtect coupled with applications such as Avamar, and Dell's Cyber Recovery further enhances backup resiliency by air-gapping your backups using digital diodes when replicating to a second appliance.  Alternatively, Dell's APEX Backup provides a cloud-based solution to the same problem.  The second idea is leveraging snapshots on a SAN such as a DellEMC PowerStore, which can not only natively replicate to a remote site to provide data bunkering or disaster recovery, but can also run the production environment from writable clones of snapshots, leaving the encrypted data unaltered and available for forensic analysis.  Not only is mounting snapshots significantly faster than restoring from backups, but it is also reasonable to expect that a bad actor will struggle to compromise properly hardened enterprise storage thanks to its relative inaccessibility, making this a very viable strategy.

Before we part ways, I would absolutely be remiss if I didn't point out the low-hanging fruit that is patching, the bane of most sysadmins' existence, which can be addressed using a centralized cloud-based platform such as Automox.  This is key because exploiting vulnerabilities is very close to the top of the list of common avenues of ingress[4].  Patching of end-user equipment, the first and foremost target, has become a challenge in this increasingly distributed world.  And in the vein of things that we'd rather not do ourselves, we need someone watching and responding to incidents on a 24x7x365 basis, something that our own staffs usually cannot reasonably accomplish, leaving us to fail mathematically because we're simply outnumbered and outgunned.  In this case, managed detection and response services such as Secureworks or Dell's MDR will serve even the smallest of shops, potentially catching a ransomware attack before it even starts.

[1] “Ransomware distribution worldwide”, NordLocker, https://nordlocker.com/ransomware-attack-statistics/

[2] “The State of Ransomware 2021”, Sophos, https://news.sophos.com/en-us/2021/04/27/the-state-of-ransomware-2021/

[3] “Ransomware Payments and the Law”, Lawfare, https://www.lawfareblog.com/ransomware-payments-and-law

[4] “2022 Data Breach Investigations Report”, Verizon, https://www.verizon.com/business/resources/reports/dbir/

About the Author: Alex Zagajewski

Senior Solutions Architect