Ransomware attacks are a nightmare for business executives. Within the last couple of months, hackers were able to shut down the Colonial Pipeline and disrupt operations at meatpacker JBS Foods, disrupting the economy and inconveniencing millions of customers.
When many enterprise leaders think about ransomware, they see dollars and data loss. While both are reasonable concerns, new research from Boston-based Cybereason, which develops attack protection, shows that the impact from ransomware attacks is far greater than a mere money hit, even if the loss of financial resources can be painful.
In fact, the research, which consists of findings from a global ransomware survey of nearly 1,300 security professionals, reveals that more than half of organizations have been the victim of a ransomware attack and that 80 percent of businesses that chose to pay a ransom demand suffered a second ransomware attack, often at the hands of the same threat actor group.
Titled “Ransomware: The True Cost to Business,” the report also divulged that nearly half (46 percent) of the organizations who paid a ransom to regain access to their encrypted systems reported that some or all of the data was corrupted during the recovery process.
But there is more, too. While the report advised organizations not to pay ransomware attackers and to focus on early detection and prevention strategies to end these attacks, there are other impacts that companies need to assess including:
- Loss of Business Revenue: 66 percent of organizations reported significant loss of revenue following a ransomware attack.
- Increasing Ransom Demands: 35 percent of businesses that paid a ransom shelled out between $350,000 and $1.4 million, while 7 percent paid ransoms exceeding $1.4 million.
- Brand and Reputation Damage: 53 percent of organizations indicated their brand and reputation were damaged because of a successful attack.
- Talent Loss: 32 percent of organizations reported losing C-level talent as a direct result of ransomware attacks.
- Employee Layoffs: 29 percent reported being forced to lay off employees due to financial pressures following a ransomware attack.
- Business Closures: 26 percent of organizations reported that a ransomware attack forced the business to close for some period.
While ransomware attacks can’t be fully stopped, there are specific actions companies can take to prevent damage. Start with identifying where attacks are most likely to happen.
Identify Attack Vectors
There are two principal attack vectors in these attacks and both target data, said Jeff Capone, CEO and co-founder of SecureCircle, a Santa Clara, Calif.-based cybersecurity provider.
- Encrypted data on the endpoint: This is really a denial-of-service attack on the device. The ransom might be paid if enough machines have been impacted and the recovery time costs the victim too much money. An example is a manufacturer who could lose millions of dollars due to downtime.
- Data exfiltration extortion: Releasing the victims’ data to the public is damaging to organizations’ reputation, especially when the victim has custody of customer data.
If the first vector is impossible to control, the second is 100% preventable, Capone said. What organizations need is a Zero Trust data loss prevention (DLP) solution.
This is very different from legacy DLP solutions like Symantec and Digital Guardian. Instead of securing data by default, legacy DLP will try to block data from leaving the endpoint. This is a challenge because there are many ways data can move off a device, such as through endpoint applications, SaaS applications, and remote and cloud storage.
Zero Trust DLP secures data on the endpoint by default. The default behavior is that only secured (encrypted) data is accessed. Companies can set up an allowed list of applications, users, devices, network locations and other parameters which are allowed to access the decrypted data. This way there is no need to prevent data from leaving the device because only the encrypted version of the data will leave.
Invest in Multiple Defenses
Successful defense against ransomware, both the disruptive nature of it and the data disclosures, requires extensive risk management and willingness to invest in defense in ways that will be unique to each organization. Already, many organizations carry an insurance policy for security incidents, many of which will pay the ransom.
“This means that what’s good for any individual organization may not improve the general state of our defense against ransomware gangs,” said Jacob Ansari, chief information security officer at Tampa, Fla.-based Schellman & Company, an independent security and privacy compliance assessor.
Ultimately, better legislation that focuses on defending organizations and possibly rules against paying ransoms will start to mitigate some of these attacks. But addressing the vast underinvestment in security practice will continue to require intense focus and effort. That said, there are solutions that can offer some protection. Ansari said the best security solutions to ransomware are:
- Access control: Adhering to a strict access control model can prevent ransomware and other forms of malware from compromising a computer system outright, and limit its spread across a network after the fact. Malware runs with whatever level of access users have, so if users do not have full control of a computer system or network share folders, ransomware likely will not either. Granting only explicit access to specific share folders across a network rather than full access for everyone is recommended.
- Endpoint protection: Endpoint protection suites, including anti-virus, can prevent ransomware infections using features like signature matching of known bad malware, behavioral analytics, file reputation evaluation, IPS, download protection and device control. Though no product offers 100% protection, having something is better than nothing at all.
- Browser settings: There are variants of ransomware that target browsers, locking an image on a page and perhaps showing a warning notice with steps to pay a ransom. While often shocking, browser-based forms of ransomware are usually just an inconvenience for users and less dangerous than the data-locking variety. Disabling scripts in the browser can be a good proactive first step.
You Can’t Stop Ransomware
Ransomware attacks, however, are difficult to stop because they target the weakest link in the IT security chain – users – most of whom work at branch offices and remote sites, said Saimon Michelson, field CTO at New York City-based CTERA.
Rather than storing files on local storage islands (NAS) at the edge, global file system (GFS) technology stores the authoritative copy of each file in a central location, either a private cloud or secure data center. Frequently used files are cached locally for fast access, while file changes are continuously replicated to the “gold copy” in the cloud.
Since the core is always protected and replicated to the remote sites, data can be recovered quickly in the event of an attack against an edge server, mitigating potential data loss. It is also possible to mitigate ransomware attacks by:
- Using a military-grade encryption model: This limits data exposure in the event of an attack. By using source-based encryption at rest (AES-256) and in transit (TLS 1.2), GFS technology can secure data before it leaves devices, offices and servers. Moreover, even if data is temporarily locked due to an attack, it cannot be read.
- Creating incremental versions of files: This should be done as they are changed and updated, protecting data on an “event basis” as opposed to a “scheduled” basis. This real-time file syncing provides the highest levels of granularity for file and folder recovery.
- Deploying AI tools: They can be used to analyze what users are doing in real time and can be incorporated into a GFS. As the storage system receives reads and writes, file access patterns can be captured and analyzed over time for purposes of classifying legitimate and illegitimate actions in real time.
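The last two items above, incremental versions created on every write event and file-access patterns classified as the storage layer sees them, can be shown together in a small model. The following is an added example written for this page, not code from CTERA or from the article: every write is kept as a new version, a detector flags a user who writes many ciphertext-like (high-entropy) files within a short window, and the files that user touched since the burst began are rolled back to their last good version. All names, thresholds and the event stream are constructed assumptions.

```python
"""Event-based file versioning plus a file-access-pattern detector.
Added example (not CTERA's or the article's code); names, thresholds and
the sample event stream below are constructed assumptions."""
import math
import random
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Event:
    ts: float       # seconds on a constructed timeline
    user: str
    op: str         # "read" or "write"
    path: str
    data: bytes = b""


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, English prose around 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class VersionedStore:
    """Keeps every version of every file so recovery can pick any point in time."""
    def __init__(self):
        self.versions = defaultdict(list)   # path -> [(ts, user, data), ...]

    def write(self, ev: Event):
        self.versions[ev.path].append((ev.ts, ev.user, ev.data))

    def current(self, path: str) -> bytes:
        return self.versions[path][-1][2]

    def roll_back_user(self, user: str, since: float, now: float) -> list:
        """Revert each file `user` wrote at or after `since` to its last version
        from before `since`; the rollback is recorded as a new version."""
        restored = []
        for path, hist in self.versions.items():
            touched = any(t >= since and u == user for t, u, _ in hist)
            good = [d for t, _, d in hist if t < since]
            if touched and good:
                hist.append((now, "restore", good[-1]))
                restored.append(path)
        return sorted(restored)


class AccessPatternDetector:
    """Flags a user who writes many high-entropy files within a short window,
    the pattern a bulk-encryption process leaves in the storage layer."""
    def __init__(self, window_s=10.0, max_writes=5, entropy_threshold=7.0):
        self.window_s, self.max_writes = window_s, max_writes
        self.entropy_threshold = entropy_threshold
        self.recent = defaultdict(deque)    # user -> timestamps of suspicious writes
        self.first_alert = {}               # user -> (burst_start_ts, alert_ts)

    def observe(self, ev: Event) -> bool:
        if ev.op != "write" or shannon_entropy(ev.data) < self.entropy_threshold:
            return False
        q = self.recent[ev.user]
        q.append(ev.ts)
        while ev.ts - q[0] > self.window_s:     # drop writes outside the window
            q.popleft()
        if len(q) >= self.max_writes and ev.user not in self.first_alert:
            self.first_alert[ev.user] = (q[0], ev.ts)
            return True
        return False


def constructed_events() -> list:
    """Normal edits by bob, one read by alice, then bob's session overwriting
    the same eight files with ciphertext-like bytes, one file per second."""
    rng = random.Random(7)
    events = [Event(60.0 * i, "bob", "write", f"/share/doc{i}.txt",
                    f"Quarterly report draft {i}, figures attached.".encode())
              for i in range(8)]
    events.append(Event(500.0, "alice", "read", "/share/doc1.txt"))
    for i in range(8):
        junk = bytes(rng.getrandbits(8) for _ in range(1024))
        events.append(Event(1000.0 + i, "bob", "write", f"/share/doc{i}.txt", junk))
    return events


def run_scenario() -> dict:
    store, det = VersionedStore(), AccessPatternDetector()
    for ev in constructed_events():
        if ev.op == "write":
            store.write(ev)
        det.observe(ev)
    # Roll back every flagged user to the moment their burst started.
    restored = {user: store.roll_back_user(user, since=start, now=alert + 1)
                for user, (start, alert) in det.first_alert.items()}
    return {"alerts": det.first_alert, "restored": restored,
            "doc0": store.current("/share/doc0.txt")}


if __name__ == "__main__":
    print(run_scenario())
```

In the constructed stream the detector fires on bob's fifth ciphertext-like write at t=1004 and records the burst start as t=1000, so the rollback picks the last text version of each of the eight files. The entropy threshold and window are the tunable parts; a production system would also look at rename patterns and per-process behaviour, which this model leaves out.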
Invest in Data Backup and Recovery
Keeping cybercriminals from attacking with ransomware is almost impossible due to the number of security vulnerabilities in our systems and software and the increased attack surface from digital transformation and remote workers, said Sathya Sankaran, COO of Woodcliff Lake, NJ-based Catalogic Software.
A ransomware attack will often both lock an organization’s data and steal a copy of it. The best recourse, short of paying the ransom, is for a business to have a secure backup of its data for recovery. Further, if the business encrypts all its data and all copies of it, the stolen copy of the data will be useless.
Data backup and recovery solutions have been around a long time and have evolved to provide the robust data protection and recovery capabilities needed to recover data and restore services to a functional and working state.
The “3-2-1 backup rule” is a time-honored strategy for data protection that states that a business should have at least three copies of its data, on two different storage media types, with one of the copies offsite or in the cloud.
Without backups for recovery and an offsite copy that ransomware cannot reach, the only recourse is to pay a ransom to get the data back. The financial loss will hurt, but the reputational loss may be even greater.
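The 3-2-1 rule and the point that the offsite copy must be out of ransomware's reach can be turned into a check that runs over a backup inventory. The following is an added example written for this page, not code from the article or from any vendor it quotes; the inventory format, the `ransomware_reachable` flag and the three sample inventories are constructed assumptions. A copy is treated as reachable when a compromised production host holds credentials that can delete or overwrite it, which is how a synced cloud folder ends up encrypted along with the originals.

```python
"""3-2-1 backup rule checker. Added example, not from the article or any
vendor it quotes; the inventory format and sample data are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                  # e.g. "disk", "tape", "object-storage"
    offsite: bool
    ransomware_reachable: bool  # constructed flag: can malware on production delete/encrypt it?


def check_321(copies) -> dict:
    """Returns which 3-2-1 conditions hold plus the gaps to close. The
    production copy counts as one of the three, as the rule intends."""
    copies = list(copies)
    media = {c.media for c in copies}
    offsite = [c for c in copies if c.offsite]
    safe_offsite = [c for c in offsite if not c.ransomware_reachable]
    result = {
        "three_copies": len(copies) >= 3,
        "two_media": len(media) >= 2,
        "one_offsite": bool(offsite),
        "offsite_unreachable": bool(safe_offsite),
    }
    gaps = []
    if not result["three_copies"]:
        gaps.append(f"only {len(copies)} copies; need at least 3")
    if not result["two_media"]:
        gaps.append(f"all copies on one media type ({', '.join(sorted(media))})")
    if not result["one_offsite"]:
        gaps.append("no offsite copy")
    elif not result["offsite_unreachable"]:
        gaps.append("every offsite copy can be deleted or encrypted from production")
    result["gaps"] = gaps
    result["passes"] = not gaps
    return result


# Constructed inventory 1: production plus a NAS on the same site, same media,
# both writable by production accounts. Typical of a shop that "has backups".
WEAK_INVENTORY = [
    BackupCopy("production file server", "disk", offsite=False, ransomware_reachable=True),
    BackupCopy("nightly NAS snapshot", "disk", offsite=False, ransomware_reachable=True),
]

# Constructed inventory 2: adds an offsite cloud folder that syncs with full
# delete rights, so an infected host can encrypt the cloud copy too.
SYNCED_INVENTORY = WEAK_INVENTORY + [
    BackupCopy("cloud sync folder", "object-storage", offsite=True, ransomware_reachable=True),
]

# Constructed inventory 3: the offsite copy is retention-locked (write-once for
# the backup window), so production credentials cannot delete or overwrite it.
CORRECTED_INVENTORY = WEAK_INVENTORY + [
    BackupCopy("offsite object storage, retention-locked", "object-storage",
               offsite=True, ransomware_reachable=False),
]


if __name__ == "__main__":
    for label, inv in [("weak", WEAK_INVENTORY), ("synced", SYNCED_INVENTORY),
                       ("corrected", CORRECTED_INVENTORY)]:
        print(label, check_321(inv))
```

The synced inventory satisfies the letter of 3-2-1 (three copies, two media, one offsite) and still fails, because the only offsite copy is deletable from production; that is the distinction the closing paragraph above draws.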