Ransomware
What is Ransomware?
Ransomware is a type of cyberattack designed to gain access to a system and encrypt the files stored there. The files cannot be decrypted without a private key, which the attackers hold for a ransom.
Why is ransomware becoming more common?
Ransomware is becoming more prevalent as organisations increasingly focus on making data-driven decisions and see enterprise data as valuable intellectual property (IP). In addition to encrypting data, some attackers will also steal information and threaten to make that information available to other bad actors, adding to the pressure on an organisation to pay the ransom.
How are ransomware attacks resolved?
Unfortunately, the attackers seldom provide the decryption key even after the ransom is paid, depriving victims of both the ransom amount as well as their data. Ransomware will cost its victims an estimated $265 billion (USD) annually by 2031, with a new attack against a business, consumer or device happening every two seconds.
Examples of ransomware
Some ransomware attacks begin by enticing a user to open a file, often an email attachment that then downloads malicious code, which infects the network. Others take advantage of vulnerabilities in operating systems, weaknesses in physical security systems, or software exploits to gain access to a network and take root within the system.
The first large-scale ransomware threat began in September 2013 with the emergence of CryptoLocker, a Trojan horse malware that lured users to download a file that then infected their network. In May 2014, as a result of a joint operation by law enforcement and security agencies, the CryptoLocker Trojan was shut down. However, many imitations of it are still circulating.
Many other families of ransomware have been developed since CryptoLocker was shut down. Some of the most common of these families are Conti, Maze (Egregor), Sodinokibi (REvil), TorrentLocker, WannaCry, Petya (NotPetya), Ryuk and MegaCortex. Regardless of the name, their aim is the same – to extort money from victims in return for decrypting their data and files.
New ransomware-as-a-service (RaaS) schemes that allow anyone with basic computer skills and internet access to get into the ransomware business are helping fuel significant growth in this type of attack. The ransomware author makes resources – such as encryption tools, communications with victims and ransom collection – available to other cybercriminals in exchange for a percentage of the ransom payment.
What can you do to protect yourself from ransomware attacks?
Many of today’s ransomware attacks can be difficult to detect because they are increasingly hidden from system administrators and endpoint protections. Thus, attackers gain long-term persistence on the device and, in turn, the ability to inflict damage at will. The average ransomware dwell time is 24 days, giving attackers ample time and opportunity to access and tamper with an organisation’s data.
And all it takes is just one user to practise poor password management or to click on a link in a phishing email to put an enterprise network at risk. Implementing security awareness training for employees is an important step for many enterprises to help lower the risk of ransomware’s entry to their networks. This training should be refreshed on a regular basis as attack techniques evolve.
The best way to protect against malware that exploits software vulnerabilities is to keep operating systems and critical applications current with all patches and updates. Network monitoring, password protection, multi-factor authentication (MFA) and endpoint security measures are all useful technologies and tactics to help lower an organisation’s threat profile.
Because it is impossible to eliminate the threat of a ransomware attack completely, having a robust backup strategy in place can help to accelerate recovery for an organisation under attack, with minimal interruption to operations. These backups should be separated from the network to prevent malware access, as most ransomware will also attempt to encrypt backups.
How is ransomware spread?
The ransomware threat landscape looms larger as users increasingly access critical enterprise applications and workloads from a growing number of locations – home offices, field installations, retail storefronts, manufacturing plants, hospital rooms and other edge locations. And more connected devices making up the Internet of Things (IoT) are sharing data with each other over enterprise networks with no human interaction required. As digital transformation efforts expand, security vulnerabilities become more apparent – and a greater threat to enterprises.
While ransomware variants are extensive and evolving, they will generally use one or more of three primary attack vectors to gain access to a network.
Email phishing
A popular ransomware vector is known as email phishing. Attackers will send emails to targets that appear to come from a trusted source. These messages will typically try to get the recipient to enter personal credentials on a spoofed web page or to download a file containing malware.
Remote desktop protocol (RDP)
Remote desktop protocol (RDP) is a Microsoft protocol that allows users to remotely connect to and carry out commands on a system. Unfortunately, RDP security relies heavily on users having strong, unique passwords, which is often not the case in practice. Attackers can easily crack RDP credentials or purchase hacked usernames and passwords on the dark web to gain access to a system.
Software vulnerabilities
Software vulnerabilities provide another common ransomware delivery method. Software that has not been updated can create gaps in security architectures and provide an open door to malware intrusions. These vulnerabilities provide a relatively easy target for attackers as there is no need for them to crack or otherwise harvest credentials.
How can HPE help protect you from ransomware?
Unfortunately, even the best security systems and practices cannot fully protect against ransomware attacks. A comprehensive data backup and recovery plan is critical for restoring operations and minimising potential data loss in the event of an attack.
An HPE SimpliVity hyperconverged solution consolidates the IT infrastructure and simplifies both the data protection strategy and the recovery process, particularly for businesses with multiple remote offices to support. These solutions offer integrated functions, such as built-in data protection, to help ease the burden and provide better protection across the company, whether at remote or branch offices (ROBOs). Data efficiencies enable more frequent backups for near-continuous data protection, longer retention periods and faster recovery. In the event of a ransomware infection, a VM and all its data can be restored quickly and easily, minimising system downtime, business disruptions and revenue loss.
HPE StoreOnce is a purpose-built backup appliance (or virtual machine) that includes HPE StoreOnce Catalyst stores to effectively isolate critical data from ransomware attackers. As a result, attackers cannot impact the data without resorting to direct physical interactions that ultimately destroy some or all of the hardware itself. Even if hardware is destroyed at a single location, whether from malware or a natural disaster, the more advanced implementation of HPE StoreOnce Catalyst stores (distributed implementation) would protect mission-critical data by effectively isolating it from traditional lines of communication and command sets leveraged by ransomware attackers.
Zerto, a Hewlett Packard Enterprise company, delivers journal-based continuous data protection (CDP) and unrivalled recovery for virtualised and containerised apps and data from edge to cloud. Zerto’s platform provides the flexibility to protect to, from and between clouds of all kinds – whether private, public or cloud-native deployments. Its scale-out architecture can protect petabytes of data and thousands of VMs. The software-only solution copies every data change, regardless of underlying hardware, without slowing down production systems.