By: Edwin Weijdema, Field CTO EMEA and Lead Cybersecurity Technologist, Veeam
Last year, 85% of organisations were hit by at least one ransomware attack, according to the Veeam Data Protection Trends Report 2023. With almost all organisations suffering these attacks, it’s clear that the problem is not only widespread but almost inevitable these days. Though this might sound daunting, it’s by acknowledging this fact that we can manage this ever-present threat. So, let’s look at what solutions organisations can utilise to be able to live alongside ransomware.
Insurance only goes so far
It’s clear that ransomware attacks are a very real and present threat – we see this every day, whether we’re watching the national news or sitting in the boardroom. Considering the ubiquity of these attacks, organisations need to be aware that a ransomware attack is no longer a case of ‘if’ you’ll be the target of an attack but ‘how often.’ While a vast number of organisations experienced at least one attack last year, the Veeam Data Protection Trends Report also showed that just under half (48%) suffered two or three attacks. This can feel like an overwhelming prospect for an organisation of any size, and the natural consequence is that many turn to cyber insurance in search of some peace of mind.
Cyber insurance may pay for the damage caused by a ransomware attack, but it’s important to remember that it can never prevent or undo this damage or the ripple effect it creates like loss of customers and customer trust. Education and transparency, however, can help prevent ransomware damage, but this is sometimes curtailed by cyber insurance policies.
As ransomware threats have increased, so have the stipulations of cyber insurance providers. The recent Veeam Ransomware Trends Report also found that more than 20% of organisations indicated that ransomware attacks were not covered by their cyber insurance provider, and even when they are covered, some providers stipulate that companies cannot speak publicly about the breach. The unfortunate consequence of this is that it keeps the reality of ransomware attacks – something so common – hidden away as a secret. Hopefully, this will change over the next few years, as it’s through educating others by sharing our learnings and mistakes that we can become stronger in our defence against ransomware attacks.
This is because talking about ransomware attacks helps to dispel the mystery around them. Despite the frequency of ransomware conversations in the media, many people don’t know how they unfold – it can seem like the flick of a switch or a magic trick, but the reality is much more complicated and drawn out than this. Bearing in mind that almost all organisations will be hit by a ransomware attack (many probably already have been), knowledge of the whole process is essential to the preparation and successful recovery.
Ransomware is the beast that’s visible
Conversations about ransomware rarely acknowledge that a ransomware attack is the culmination of a series of events orchestrated by bad actors. Ransomware doesn’t just appear – it follows days, weeks, months, or even years, of laying the groundwork. Let’s run through what goes on behind the scenes.
Bad actors will first begin with an observation stage. During this time, they will simply watch their target to gather information on people, processes, and technology to identify opportunities. As a burglar would first get familiar with where the entrances and exits are to a building, and who lives there, cyber criminals also like to know what they’re dealing with.
After this, it’s time to enter the building. For cyber criminals, this is achieved by sending phishing links or similar, to enable entry and the creation of a base of operations within the target’s infrastructure. At this point, they remain out of sight, but it enables them to do some significant damage. Attackers will exfiltrate data at this stage and may also destroy backups completely undetected – until they make their presence known when launching the final stage, the ransomware attack and demand.
Discovering this full process is, naturally, overwhelming – security teams not only have to deal with the visible threats but are also dealing with some unknown and invisible foes that could be hiding in the background at any time. However, the saying that ‘knowledge is power’ is once again proven true. Organisations can use this information to develop the strongest possible backup and ransomware recovery strategy.
Don’t leave it down to luck
While ransomware attacks are an inevitability, data loss doesn’t have to be. In fact, 100% resiliency is possible if the right precautions are taken. This might sound too good to be true, but with a few key elements, any organisation can develop an ironclad data protection strategy.
There are three parts to this. First, security teams need to ensure they have an immutable copy of their data so that hackers cannot alter or encrypt it in any way. Then, they need to encrypt their data so that if it is stolen or breached, hackers are unable to access it or make use of it.
The most important stage in really sealing the fortress is what we call the 3-2-1-1-0 backup rule. This means maintaining a minimum of 3 copies of your data so that even if two devices are compromised or fail in any way, you still have an additional copy – and it’s much more unlikely that three devices will fail. Organisations should also store these backups on 2 different types of media – for example, one copy on an internal hard disk, and another in the cloud. Then, 1 of these should always be kept at a secure offsite location, and 1 should be kept offline (air-gapped) with absolutely no connection to the main IT infrastructure. The 0 stage is perhaps the most important of all: there should be zero errors in your backups. This can be ensured through regular testing and constant monitoring and restoration.
If these steps are followed, organisations can keep cool when a ransomware attack inevitably does hit – because they’ll be safe in the knowledge that they’ve locked the doors on hackers.
The bottom line:
Organisations will at some point face a ransomware attack – that’s the reality of the world we live in today, but with increasing awareness comes increasing preparedness. While a cyber- attack will always bring chaos, with the right strategy you can make it controllable chaos, and in the end, this makes all the difference.