The three strategies for ransomware resiliency
Ransomware attacks were proliferating long before 2020’s various crises manifested. Now, however, the desperate environment that societies find themselves in has acted as a perfect breeding ground for scams and ransomware attackers. Organisations are consequently under an ever-increasing threat of attack. The question is no longer if you'll be attacked, but when. Fortunately, Veeam is here to help your organisation protect against ransomware attacks by utilising three strategies: education, implementation and remediation.
Each of these strategies has its own disciplines, each with ongoing requirements for re-assessing and adjusting implementations in order to increase resiliency. Many organisations will also have entities and personas spread across multiple departments, which use different tools and have different stakeholders that all need to be involved. To achieve resiliency, a holistic approach should be undertaken: one that encompasses all entities spread across the entire organisation and is supported by management.
The education journey starts after the risks posed by threat actors are identified. This, on its own, should provide motivation to implement IT practices that will help you avoid being in a reactive position should ransomware strike. Measuring the investment in education and comparing it with the risks, costs and pressure of dealing with a ransomware incident while unprepared will inevitably provide a positive cost-benefit analysis.
There are two major audiences that will benefit from education: IT staff and organisational users. It’s important to target both groups, since threats can be introduced from either one. Once both groups are informed of the basics, the next step is preparation, which involves becoming familiar with different restore scenarios. Familiarising IT support engineers with the relevant processes – before an attack occurs – and enabling them to provide an accurate time frame to users and stakeholders will pay dividends.
Implementing a backup solution is similar to performing a compliance audit. However, it’s important to remember that a product is not compliant or non-compliant based upon its feature set. When it comes to a ransomware incident, resiliency is based upon how the backup solution is implemented.
Veeam offers the following implementation recommendations for ransomware resiliency:
- Protection of the backup & replication servers and components – Backup & replication servers are critical parts of your solution. It is important that there is as much separation as possible to provide ransomware resiliency.
- Ultra-resilient backup storage and the 3-2-1 Rule – Ensure you have backups on tape; immutable backups in S3 or S3-compatible object storage; air-gapped and offline media (i.e., removable drives, rotating drives); backups in Veeam Cloud Connect with Insider Protection.
- Multiple recovery techniques configuration – In the process of implementing backup & replication, you inherently connect to various other systems. These include virtual environments like VMware vSphere, Microsoft Hyper-V or Nutanix AHV; physical environments such as Windows, Linux, AIX and Solaris; and storage array systems. The practical advice in this situation is to have all recovery options at your disposal.
- Endpoint protection – The Veeam Data Integration API should be considered for endpoint backups.
- NAS protection – NAS systems are also a frequent target of ransomware attacks. Coupled with insider threats or accidental deletion, there are many reasons why file data needs to be considered a threat target as well.
- Encryption of backup data – In the war against ransomware, it may seem counter-intuitive to recommend encrypting backups. This, however, is a good type of encryption!
Despite all of the education and implementation techniques that are employed to be resilient against ransomware, organisations must still be prepared to remediate a threat if one is introduced. In all situations, if a ransomware incident occurs, Veeam believes there are two imperatives: 1) Do not pay the ransom. 2) The only option is to restore data.
Data loss is not an option.
Organisations should be prepared to have layers of resiliency to defend against a ransomware incident. Here are some important things to consider:
- Communications first: In disasters of any type, communication becomes one of the first challenges. Have a plan for how to communicate with the right individuals out-of-band. This would include group text lists and phone numbers for all organisational IT operatives.
- Experts: Have a list of security, incident response and identity management experts who are ready to be contacted if needed.
- Chain of command: One of the hardest parts of recovering from a disaster is decision authority. Who makes the call to restore, to fail over, etc.? Discuss this beforehand.
- Ready to restore: When the conditions are right to restore, implement additional safety checks before putting systems on the network again.
- Restore options: Depending on the situation, maybe a whole VM recovery is best. Possibly a file-level recovery makes sense. Familiarity with your recovery options will help greatly.
- Restore safely: Scan backup images for malware before restoring. Use the latest anti-virus and malware definitions and perhaps an additional tool to ensure a threat is not reintroduced.
- Force password resets: Users don’t like this, but implement a sweeping forced change of passwords. This will reduce the threat propagation surface area.
Last year, a Veeam survey found that 57% of ransomware attack vectors came via a remote desktop protocol (RDP) compromise, 26% were via phishing attacks and 12% were from software update vulnerabilities. Focusing investment on these three mechanisms for entry is best practice for a resilience strategy.
Ultimately, the threat is real, and the opportunity to prepare is upon us. With the right preparation, the above steps can increase your resiliency against a ransomware incident to avoid data loss, financial loss, business reputation damage and more. You can find more information about Veeam ransomware resiliency resources at: http://vee.am/ransomwareseriespapers