- August 26, 2021
Ransomware attacks have exploded this year. In fact, researchers at cybersecurity company Check Point recently reported that the number of daily ransomware attacks across the globe has increased by over 50% in 2020. In a November 2020 survey of more than 1,000 managed services providers (MSP) conducted by Datto, it was found that ransomware was the most prevalent cybersecurity threat, with 60% of respondents reporting their clients were hit by ransomware attacks - in the third quarter of this year alone!
There is no doubt that ransomware is having a massive cost impact on MSPs and their clients. To put it into context, the average cost of downtime due to ransomware attacks is 94% greater in 2020 than in 2019. Additionally, the average ransom paid has risen to $1.18 million, while the cost of downtime related to a ransomware attack is now nearly 50 times greater than the demanded ransom. None of these statistics, however, reflect the negative impact to corporate reputation/brand, shareholder equity, and future lost business.
With the continuously evolving sophistication of ransomware that has emerged in the last couple of years, companies are finding it nearly impossible to keep up. Many recent ransomware variants not only encrypt individual files but also delete or encrypt system backups, so that infected companies cannot recover without paying the ransom.
Gone are the days when quickly restoring a backup tape will solve a ransomware infection. Ransomware will now gain access and infect key targets of an enterprise and lay low for a predetermined period. At the same time, it starts looking for additional areas it can infect over days, weeks, or even months with the intent of infecting associated public cloud repositories while also deleting all backups. Once triggered, the ransomware makes it virtually impossible to recover without paying the ransom. As was previously pointed out, the average cost of enterprise downtime caused by a ransomware attack is now nearly 50 times greater than the demanded ransom. Based on this shocking statistic, the ROI for paying the ransom cannot be disputed.
Just when you thought things couldn’t get worse, cyber-hackers have also adopted a new strategy to ensure the infected company does not simply decide not to pay the ransom. Some ransomware versions now also copy all enterprise and cloud data to the hacker’s servers before the data is encrypted and the ransom note appears. They then threaten to release all stolen data (data extortion), including PII, to the internet, knowing that this action would put the infected company at a much higher risk of regulatory fines and lawsuits. GDPR and CCPA fines can reach 4% of an organization’s worldwide corporate revenue or 20 million euros, whichever is greater.
In response to the increased threat of ransomware, several cloud services providers (CSPs) are pushing the idea that storing your corporate data and backups in a third-party cloud will ensure that the backed-up data cannot be found and infected by a ransomware infection. On the face of it this strategy makes sense, but, as with most cloud repositories, there are most likely relatively straightforward ways for ransomware to find, follow, copy, and encrypt backups and other sensitive data stored in a third-party cloud.
Other CSPs have realized that merely storing data in a third-party cloud does not prevent (or even slow down) ransomware infection, and are now proposing the idea of saving data, including backups, in a third-party cloud on a WORM (write once, read many) storage tier as a defense against backup infection/encryption.
In fact, writing data to immutable/WORM storage does stop the infection/encryption of backups so that they can actually be used to restore an infected enterprise. However, it does not address the data extortion issue by the hacker later. This process is also known as Isolated Recovery – recovery using known good or clean backups.
The problem is, how do you know when you have an infected backup? Obviously, after a ransomware infection has occurred, backups of system resources could be useless and will only serve to perpetuate the infection by restoring the infected data/system. The only way to be sure that a company has an uninfected backup is to generate pristine copies regularly so that when a ransomware infection does occur, the company can fall back on the last uninfected backup, i.e., an isolated recovery capability.
Isolated recovery relies on the principles of isolation and “air gaps” - an isolated storage repository disconnected from the network and restricted from all attempts at deletion, changes, infection, etc. This isolation requirement can be successfully simulated in a cloud environment by storing backups on a WORM cloud storage tier, ensuring that they are untouched.
For decades, backup tapes have been positioned as the perfect air-gap technology because tapes were physically removed from tape backup systems and stored individually. As tape autochangers were developed, the air gapping of the physical tapes was bypassed in favor of full backup automation.
Cloud vendors now market the use of their third-party cloud storage as the new “air-gap” protection because the cloud is physically (sort of) removed from the enterprise data center. However, enterprise backup cloud data is still programmatically available from within the enterprise, meaning a ransomware infection could still find its way to infecting a cloud-stored backup – if the backup was not stored on a WORM storage tier.
As I mentioned earlier, the new variants of ransomware will also copy all enterprise data found (in both the enterprise and associated cloud tenancies) and use the release of that data (usually containing end-user PII) as a bargaining chip to force an organization to pay the ransom by threatening to report the release of the PII to the GDPR or CCPA authorities. This is also known as data extortion.
Storing backups and other data in a third-party cloud, even on a WORM tier, does not defeat this new ransomware extortion tactic. Remember, WORM stands for “write once, read many,” so, by default, WORM does stop the infection of the cloud-stored data - but does not stop hackers from copying the data to their servers for later release.
At this point, you may be asking yourself: why not just encrypt the backups and other data either before or after storage in the cloud on a WORM tier? This strategy does make sense as a way to ensure the backup could not be infected and could not be copied for later ransom. However, it ignores the need for organizations to manage/search/utilize encrypted data.
Typically, by encrypting data before moving to a cloud account, the data is rendered mostly unmanageable by any archiving/information management application, i.e., the archiving application is unable to open/index the encrypted files for later search let alone benefit from AI or ML capabilities or be used for data analytics. This means the organization would be left with hundreds or thousands of “dark” files with little or no metadata, making it impossible to find specific files or manage the data.
On the other hand, encrypting the files after storage in a cloud by a third-party archiving application would leave the cloud-encrypted data open to decryption and copying by hackers, because the ransomware and/or hackers could still discover and utilize the cloud-based encryption keys.
To defend against these new (copy-and-encrypt) ransomware threats, the only sure way to address the risks of two-stage ransomware is a combination of data encryption with the encryption keys stored on-premises, homomorphic encryption to enable ongoing data management while the data is encrypted and stored in the cloud, and cloud WORM storage.
A cloud data security gateway housed on-premises, which can encrypt data (including backups) before movement to the organization’s cloud tenancy, is a proven strategy for protecting sensitive data and system backups after movement to the cloud while still enabling ongoing data management in the cloud. By encrypting data on-premises and keeping the encryption keys local, two-stage ransomware targeting and copying cloud repositories for later release on the internet as a means to force data owners to pay a ransom would be completely defeated.
However, an encrypted file can also be re-encrypted, meaning an organization could still be open to a ransomware attack and forced to pay a ransom to get the hacker’s encryption keys to unlock its data.
To address the threat that files and backups stored on a regular cloud storage tier can be located and encrypted by ransomware, storing those files in the cloud on a WORM tier would ensure the files/backups could not be encrypted and ransomed by the ransomware, and they would therefore be protected from a two-stage ransomware attack.
But file encryption before movement to a cloud makes the files unusable to all archiving, information management, and eDiscovery applications as well as advanced data analytics and automation utilizing AI or ML technology. Additionally, archiving encrypted files in the cloud compounds the accumulation of ungovernable dark data. To address this data management problem, all data should be encrypted on-premises using homomorphic encryption (HE) technology. Homomorphic encryption is different from standard encryption technology in that it allows computation to be performed directly on encrypted data without requiring access to a decryption key. HE enables ongoing management of encrypted data, dramatically reducing the issues associated with standard encryption methodologies while ensuring ongoing data indexing, search, and broad management and governance processes. Homomorphic encryption of backups and files before movement to a cloud repository guarantees data security in transit, at rest, AND WHILE IN USE. Many cloud archives only encrypt data while at rest in the third-party cloud archive – while storing the encryption keys in the same cloud system.
By combining on-premises homomorphic encryption and key storage and cloud-based WORM storage, organizations can protect their sensitive data and backups from the encryption threats and release of PII of the newer types of ransomware.
Archive360’s enterprise cloud-based archiving and information management platform is the world’s first and most secure cloud-based solution built to secure and manage your most sensitive data and backups, utilizing your security (on-premises and in the cloud), under your direct control, and managed in your cloud tenancy.
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.