Cyber criminals are increasingly turning to ransomware as a form of blackmail to exploit public and private enterprises. It’s estimated that the cost of ransomware attacks will total over $1bn this year – and researchers warn that the problem is only going to grow. Hackers are not only increasingly sophisticated but also getting bolder in their approach, so the most insidious computer crime today doesn’t involve viruses or stealing credit card numbers: it comes in the form of ransomware. These rogue programs can hold an entire organisation’s data hostage with unbreakable encryption while the cybercriminals demand a ransom for the decryption key.
These attacks are becoming increasingly common. In the past few months alone, new and more powerful ransomware has appeared, with criminals targeting sensitive entities such as NHS hospitals and local councils. In fact, almost 30 NHS trusts admit that they have been the victims of ransomware attacks in the past 12 months, while 30% of UK councils were victims of ransomware in 2015.
The reasons for ransomware flourishing are two-fold.
Firstly, basic economics. Stealing credit card details and selling them on the black market can be time-consuming with a potential payoff of less than a dollar per card, so cybercriminals are turning to ransomware to sit back and wait for victims to pay up. Less work for greater returns!
Secondly, ransomware is very difficult to avoid. A single click within an email or website is all it takes for an unsuspecting employee to activate the code that encrypts an entire system and triggers a ransom demand. Even if an enterprise has the most updated anti-virus software or access restrictions on sensitive files, it remains vulnerable to ransomware via just one unsuspecting user.
However, all is not lost. Organisations can take steps to mitigate the effects of attacks and recover normal operations in minutes or hours – if the proper precautions and recovery plans are in place. The most important recovery element is real-time protection of data, which means backup copies of all files and data are stored securely off-site rather than on local servers. In order for this to be effective, it needs to be accomplished automatically, whereby a copy is made every time a file is edited or saved. Backups like this let a business “roll back” to the moments before a ransomware attack and recover all its files – even in cases where the ransomware has migrated across the local network and servers.
To do this, the software or service a business uses to create the backup must be capable of excluding all files known to be associated with ransomware encryption. Businesses need to avoid restoring the files that delivered the ransomware in the first place.
Last but not least, businesses need an effective retention policy – whether that is to retain deleted files forever or for a specified time period. Establishing a retention policy will allow the business to retrieve the original files after the ransomware attack. This is an integral part of any recovery plan as it removes the need for costly recovery processes, which are often time-consuming, meaning the business can be up and running again with the least disruption to the operation.
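The roll-back described above can be sketched as follows. This is an added example, not the author's or Syncplicity's code: the version-history layout, the extension list, the sample data and the function name `plan_rollback` are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed examples of extensions appended to encrypted files; a real
# deployment would maintain its own list (assumption, not from the article).
RANSOM_EXTENSIONS = (".locked", ".encrypted", ".crypt")


def plan_rollback(history, attack_time, now, retention):
    """Pick, per file, the newest version saved before the attack.

    history: (path, saved_at) tuples from a versioned backup store
             (hypothetical layout). Returns (restore, unrecoverable).
    """
    oldest_kept = now - retention      # older versions were already purged
    best = {}                          # path -> saved_at of chosen version
    seen = set()
    for path, saved_at in history:
        if path.lower().endswith(RANSOM_EXTENSIONS):
            continue                   # never restore ransomware output
        seen.add(path)
        if saved_at >= attack_time or saved_at < oldest_kept:
            continue                   # written during the attack, or expired
        if path not in best or saved_at > best[path]:
            best[path] = saved_at
    return best, sorted(seen - set(best))


# Constructed sample data: attack time T and a small version history.
T = datetime(2016, 11, 1, 9, 0)
SAMPLE_HISTORY = [
    ("finance/q3.xlsx", T - timedelta(days=3)),
    ("finance/q3.xlsx", T - timedelta(minutes=5)),
    ("finance/q3.xlsx", T + timedelta(minutes=2)),         # overwritten in attack
    ("finance/q3.xlsx.locked", T + timedelta(minutes=2)),  # ransomware output
    ("hr/old.docx", T - timedelta(days=400)),  # outside a 90-day retention
    ("hr/old.docx", T + timedelta(minutes=3)),
]

if __name__ == "__main__":
    restore, lost = plan_rollback(
        SAMPLE_HISTORY, T, T + timedelta(hours=1), timedelta(days=90))
    for path, saved_at in restore.items():
        print("restore", path, "from", saved_at.isoformat())
    print("no clean version within retention:", lost)
```

With a 90-day retention the second file has no clean version left to restore, which is the gap a longer retention policy closes.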
In today’s technological age cybercriminals are an unfortunate reality. Businesses should therefore think ‘not if, but when we are attacked’ and take all the necessary precautions to ensure that an attack causes the least amount of damage to the business. By being aware and maintaining the right backup strategy, your company can minimise the damage and turn the tables on this latest generation of attacks.
Written by Brian W. Levine, Syncplicity Security Officer