While ransomware attacks are undeniably difficult to avoid, having an effective recovery strategy in place is a step in the right direction. Gijsbert Janssen Van Doorn, Technical Marketing Director at Zerto, tells us that creating a comprehensive cybersecurity and disaster recovery plan is now a ‘must have’ for any organisation focused on minimising the risks associated with ransomware.
Ransomware has become one of the most dangerous and high-profile cybersecurity problems facing CISOs worldwide. While not a new concept, one of the major reasons behind its recent growth has been the ability of attackers to cripple the IT systems of their victims and extort huge sums of money from those desperate to recover – all with a relatively cheap and simple toolset.
A successful ransomware attack can bring normal operations to a standstill for days, weeks, or even permanently. Without the right mitigation and recovery strategy, efforts to get back to normal can become extremely time-consuming, labour-intensive and costly. And even if a business does recover its data, the damage can be severe and even existential in nature.
In June, for example, the University of California San Francisco reportedly paid nearly £1 million to hackers, following a ransomware attack that encrypted vital data. And back in January, Travelex, a well-known foreign currency business, was disrupted for a month as it grappled with the effects of a ransomware attack. Numerous media outlets reported that Travelex eventually paid US$2.3 million to its attackers, with the incident subsequently contributing to major financial problems that forced the business into administration in August, with the loss of 1,300 jobs.
Criminal opportunism fuels ransomware risk
Currently, there is also the added dimension of COVID-19, which has given opportunist cybercriminals another angle of attack. Indeed, the risks of pandemic-themed incidents became so acute that in early April, UK and US security agencies took the unusual step of issuing a joint COVID-19 cyberthreat update.
In the advisory statement, the UK’s National Cyber Security Centre (NCSC) and US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Agency (CISA) warned of the dangers of COVID-19 email scams and the increasing possibility of cybercriminals targeting people working from home.
One of the emerging areas of risk, the update says, targets remote working tools and software. Hackers are looking to exploit ‘the increased use of video conferencing software, where phishing emails with attachments naming legitimate video conference providers aim to trick users into downloading malicious files’.
The risks don’t end there. As recently reported by PwC, cybercriminals also seem to be increasing their attempts to steal data, which they then threaten to post on public ‘leak sites’ in an effort to coerce victims into paying a ransom. The study revealed that ‘by May 20, over 150 organisations globally have had their data published on leak sites; the majority of these (60%) have occurred after March 11, when the WHO first declared the COVID-19 outbreak to be a pandemic. Of these, the overwhelming majority (80%) were leaked after March 23, when the lockdown commenced in the UK’.
It’s clear, therefore, that hackers are becoming ever more sophisticated in their use of ransomware. As attacks on IT systems become more common, the likelihood is that it’s not a matter of if an organisation will be targeted by cybercriminals, but when. While it’s not possible to stop all attacks, creating a comprehensive cybersecurity and disaster recovery plan is now a ‘must have’ for any organisation focused on minimising the risks associated with ransomware.
The road to recovery
In the aftermath of an attack, recovery has become one of the most challenging issues, not least because so many organisations have to resort to a day-old or even week-old backup to restore their data. The inevitable gaps and data loss this incurs can be highly disruptive and add significantly to the overall recovery cost.
Instead, organisations need to rethink their approach to recovery and resilience strategy to deliver continuous data protection, with enough granularity to recover to a point in time precisely before the attack took place, and without time gaps and associated data loss.
To recover to the exact point before an attack, companies must be able to pinpoint exactly when it occurred. With effective disaster recovery plans and tools in place, organisations can use network, journal and IOPS statistics to determine the precise moment the ransomware became active and recover to within seconds before it. Businesses should also ensure their technology enables them to quickly perform a failover test to see if they have the right point in time. If not, they can easily fail over again to a different point with minimal effort and recovery time.
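The pinpoint-and-rewind step described above, as an added example that is not from the original article or any vendor's product: it flags the first sustained jump in write IOPS over a robust baseline, then lists the journal checkpoints before it, newest first, so a failed failover test can move to the next-earlier point. The sample data, function names and thresholds are constructed assumptions.

```python
from bisect import bisect_left
from statistics import median

T0 = 1_600_000_000  # constructed epoch base for the sample data
# Constructed write-IOPS samples, one per 10 s; each timestamp closes its interval.
_IOPS = [98, 102, 101, 97, 103, 99, 100, 104, 96, 101, 100, 99,  # baseline
         101, 450, 99, 102,          # one-off spike (e.g. a scheduled job)
         950, 1300, 1400, 1500]      # sustained mass-rewrite pattern
SAMPLES = [(T0 + 10 * i, v) for i, v in enumerate(_IOPS)]
# Constructed journal checkpoints, one every 5 s, in ascending order.
CHECKPOINTS = [T0 + s for s in range(0, 200, 5)]

def detect_onset(samples, baseline_n=12, k=6.0, sustain=3):
    """Return the timestamp of the first sample in the first run of `sustain`
    consecutive samples above median + k*MAD of the baseline, else None."""
    base = [v for _, v in samples[:baseline_n]]
    med = median(base)
    mad = median([abs(v - med) for v in base]) or 1.0  # avoid a zero-width band
    threshold = med + k * mad
    run_start, run_len = None, 0
    for ts, v in samples[baseline_n:]:
        if v > threshold:
            if run_len == 0:
                run_start = ts
            run_len += 1
            if run_len >= sustain:   # sustained, not a single blip
                return run_start
        else:
            run_len = 0
    return None

def candidate_checkpoints(checkpoints, onset, margin=10):
    """Checkpoints strictly older than onset - margin, newest first.
    `margin` covers the sampling interval, since the activity began
    somewhere inside the first flagged interval."""
    cut = bisect_left(checkpoints, onset - margin)
    return checkpoints[:cut][::-1]

if __name__ == "__main__":
    onset = detect_onset(SAMPLES)
    points = candidate_checkpoints(CHECKPOINTS, onset)
    print("onset at T0+%ds" % (onset - T0))
    # Try the newest point first; if the failover test shows encrypted
    # data, move to the next-earlier one.
    print("try in order:", [p - T0 for p in points[:3]])
```

In practice the IOPS signal would be corroborated with the network and journal statistics before committing to a recovery point.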
In pre-pandemic circumstances, the ability of organisations to cope with ransomware attacks was already under severe scrutiny, but the onset of COVID-19 has added significantly to the risk every sector faces, and no organisation, public or private, is off limits to those carrying out attacks. The impact of an incident now is amplified by the general pressure organisations face in dealing with the consequences of lockdown and economic downturn.
Although most will not be able to avoid being targeted by a ransomware attack, developing a more effective recovery strategy can have a transformational effect on the ability of victims to ignore demands for payment and quickly return to business as usual.