[By Andy Hill, Executive Vice President, Nexsan]
No IT professional is unaware of the staggering risk of ransomware. In 2023, recovering from a ransomware attack cost on average $1.82 million—not including paying any ransom—and some organizations get hit more than once.
If you’re hit, you generally have to choose between paying that ransom or restoring your data yourself. Nearly every expert advises you not to pay up, for a variety of reasons; most importantly, the cybercriminal may not honor their promise to release your data. (So much for ‘honor among thieves.’) In some cases, once they know the victim is willing to pay, they increase the ransom amount.
Secondly, criminals can take their sweet time giving victims the encryption keys, meaning you don’t get immediate access to your data even after paying.
In reality, it’s better to restore the locked files from backups. While this has historically been the most effective approach, today’s cybercrime rings are technologically sophisticated organizations, capable of rendering backups unusable. Recent research from Veeam found that backups were targeted in 93% of ransomware attacks, and that the attempt succeeded in 75% of cases.
When backups are disabled prior to or during a ransomware attack, there’s not much you can do besides pay the ransom.
If you are relying on your own ability to recover from a ransomware attack, there are some ways you can be better prepared, and issues to watch out for.
The fallout from a ransomware attack on the City of Dallas in May this year is still making the news. The city was forced to shut down some of its IT systems, with a number of functional areas, including the police and fire departments, experiencing disruption. It has recently come to light that over 26,000 people were affected by the attack, which was orchestrated by the Royal ransomware group. Information including names, addresses and medical information is among the data exfiltrated by the threat actors. Some city employees have already reported identity theft, with some of their children also having personal information stolen. In August, it was announced that the Dallas City Council approved $8.6 million in payments for services relating to the attack, including credit monitoring for potential identity theft victims.
Confusing Data Protection Options
Data protection approaches vary, and there are many of them. For an IT generalist—not a storage specialist—there may be some misunderstandings about how corporate data is really secured. Know the difference between the various technologies: backup, replication, business continuity, disaster recovery, archive, failover, air gapping, and many more.
Perhaps the most common, and dangerous, confusion is backups versus redundancy. Your backup is a point-in-time copy of your data that is created and stored in a different location. Backups are effective for recovering from a ransomware attack because you can restore a copy of your data that was created prior to your systems being infected by malware. Your only loss will be very recent data that was created or changed since that last good backup.
Redundancy refers to having your core applications available in one or more other locations in the event your primary systems are disabled. Redundant systems contain identical copies of all data in all locations. Unfortunately, if malware infects your primary copy, that malware will be very reliably replicated to your redundant copy or copies. If an attacker locks your files in one location, your redundant copy or copies are also locked. Many victims of attacks believed they could restore from a redundant copy and found out they were doubly unprotected.
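The backup-versus-redundancy distinction above is easy to see in a small model. The following Python script is an added illustration, not code from Nexsan or from this article: it models a primary volume, a replica that mirrors every write, and immutable point-in-time backup snapshots, then compares what each recovery route yields after a simulated infection. All file names, contents and the "encryption" marker are constructed for the example.

```python
# Added illustration of backups versus redundancy; not Nexsan's or the article's code.
# The site model, file names and contents below are constructed for the example.
from dataclasses import dataclass
from typing import Dict, List, Optional

ENCRYPTED = "<<encrypted by simulated ransomware>>"   # placeholder for scrambled content


@dataclass(frozen=True)
class Snapshot:
    taken_at: int              # logical clock tick when the backup ran
    files: Dict[str, str]      # copy of the primary at that moment; never modified afterwards


class Site:
    def __init__(self) -> None:
        self.primary: Dict[str, str] = {}
        self.replica: Dict[str, str] = {}      # redundant copy, kept identical to primary
        self.backups: List[Snapshot] = []      # point-in-time copies kept in a separate location
        self.clock = 0

    def tick(self) -> int:
        self.clock += 1
        return self.clock

    def write(self, name: str, content: str) -> None:
        """An application write: lands on the primary and is replicated immediately."""
        self.tick()
        self.primary[name] = content
        self.replica[name] = content

    def take_backup(self) -> Snapshot:
        """Scheduled backup: freeze a copy of the primary exactly as it is right now."""
        snap = Snapshot(self.tick(), dict(self.primary))
        self.backups.append(snap)
        return snap

    def simulate_infection(self) -> int:
        """Ransomware overwrites every file; replication faithfully mirrors the damage."""
        infected_at = self.tick()
        for name in list(self.primary):
            self.primary[name] = ENCRYPTED
            self.replica[name] = ENCRYPTED
        return infected_at


def restore_from_replica(site: Site) -> Dict[str, str]:
    """What 'fail over to the redundant copy' gives you after infection."""
    return dict(site.replica)


def last_good_backup(site: Site, infected_at: int) -> Optional[Snapshot]:
    """Newest snapshot taken strictly before the infection tick, or None if there is none."""
    candidates = [s for s in site.backups if s.taken_at < infected_at]
    return max(candidates, key=lambda s: s.taken_at) if candidates else None


def recovery_report(site: Site, pre_infection: Dict[str, str], infected_at: int) -> dict:
    """Compare both recovery routes against what the primary held just before infection."""
    replica = restore_from_replica(site)
    snap = last_good_backup(site, infected_at)
    restored = snap.files if snap else {}
    # Files whose current content is not in the restored set: changes made since the last backup.
    lost = sorted(n for n, c in pre_infection.items() if restored.get(n) != c)
    return {
        "replica_usable": all(c != ENCRYPTED for c in replica.values()),
        "backup_taken_at": snap.taken_at if snap else None,
        "files_lost_since_backup": lost,
    }


def demo() -> dict:
    site = Site()
    site.write("ledger.db", "v1")
    site.write("notes.txt", "draft")
    site.take_backup()                      # nightly backup holds ledger v1 and the draft
    site.write("ledger.db", "v2")           # work continues after the backup ran
    pre_infection = dict(site.primary)
    infected_at = site.simulate_infection()
    return recovery_report(site, pre_infection, infected_at)


if __name__ == "__main__":
    print(demo())
```

Running the demo shows the replica holding nothing but encrypted content, while the backup taken at tick 3 restores everything except the one file changed after it (`ledger.db`), which is exactly the "very recent data" loss the article describes. The selection rule in `last_good_backup` is the practical point: a restore must come from a copy frozen before the infection, and a copy that is continuously synchronized never qualifies.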
Human Error
The biggest problem is often us. Human error is usually the cause of ransomware attacks (the downloaded malware, the exposed password, the social engineering scam that coerces us to give away information we shouldn’t). Finding out that you cannot recover data following an attack due to human error is a double-whammy.
Human input is still required for most technologies to function properly, including data protection. To ensure you’re in the best possible position to recover, eliminate as much opportunity for human error as you can. That does not mean automate everything; quite the contrary—manual checks are still necessary to verify that backups and security applications like antivirus software are operating properly.
Over the past five years, major ransomware attacks have been attributed to human errors such as these, as well as accidental deletions, failing to add a new server or system to the backup application, failing to update or patch systems, and failing to validate that third-party integrations are functioning.
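One of the manual checks the two paragraphs above call for can be scripted so that it runs the same way every day. The following Python script is an added example, not code from Nexsan or from this article: it compares a host inventory against a backup job log and flags hosts that were never added to the backup application, hosts whose last run failed, and hosts whose most recent successful backup is older than a threshold. The inventory, the log format (`<ISO timestamp> <host> <SUCCESS|FAILED>`) and the host names are constructed for the example and do not correspond to any real product's output.

```python
# Added example of a backup coverage and freshness audit; not Nexsan's or the article's code.
# Inventory, log lines and log format are constructed for this illustration.
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed inventory: every system that should be protected (e.g. exported from a CMDB).
INVENTORY = ["db01", "web01", "web02", "files01", "erp01"]

# Constructed backup job log. "web02" never appears: the new server nobody added to the job.
JOB_LOG = """\
2023-11-05T01:02:00 db01 SUCCESS
2023-11-05T01:10:00 web01 SUCCESS
2023-11-05T01:15:00 files01 FAILED
2023-11-06T01:02:00 db01 SUCCESS
2023-11-06T01:10:00 web01 SUCCESS
2023-11-06T01:15:00 files01 FAILED
2023-11-02T01:20:00 erp01 SUCCESS
"""

Run = Tuple[datetime, str]


def parse_job_log(text: str) -> Dict[str, List[Run]]:
    """Group job records by host as (timestamp, status), oldest first."""
    jobs: Dict[str, List[Run]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, status = line.split()
        jobs.setdefault(host, []).append((datetime.fromisoformat(ts), status))
    for runs in jobs.values():
        runs.sort()
    return jobs


def audit_backups(inventory: List[str], jobs: Dict[str, List[Run]], now: datetime,
                  max_age: timedelta = timedelta(hours=36)) -> Dict[str, List[str]]:
    """Classify every inventoried host by the state of its backups."""
    report: Dict[str, List[str]] = {
        "not_configured": [],   # no job has ever run for this host
        "last_run_failed": [],  # most recent run did not succeed
        "stale": [],            # no success within max_age of now
        "healthy": [],
    }
    for host in inventory:
        runs = jobs.get(host)
        if not runs:
            report["not_configured"].append(host)
            continue
        last_ts, last_status = runs[-1]
        successes = [ts for ts, st in runs if st == "SUCCESS"]
        problem = False
        if last_status != "SUCCESS":
            report["last_run_failed"].append(host)
            problem = True
        if not successes or now - successes[-1] > max_age:
            report["stale"].append(host)
            problem = True
        if not problem:
            report["healthy"].append(host)
    return report


if __name__ == "__main__":
    # Audit as of the morning after the 2023-11-06 job run (constructed "now").
    result = audit_backups(INVENTORY, parse_job_log(JOB_LOG), datetime(2023, 11, 6, 9, 0))
    for category, hosts in result.items():
        print(f"{category:16s} {', '.join(hosts) or '-'}")
```

With the constructed data the audit reports `web02` as not configured, `files01` as both failed and stale, `erp01` as stale (its last success is four days old) and only `db01` and `web01` as healthy. A check like this catches the omission and failure cases listed above, but it only proves that a job ran; a periodic test restore is still needed to prove that the copy it produced can actually be recovered.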
Cybercrime has evolved to undermine the methods we rely on for keeping data safe, and it’s up to us to understand how we can be our own worst enemy. While we can’t always prevent a ransomware attack, we can certainly implement the proper defenses, and adjust our behaviors, to ensure a recovery.