Cybercriminals are targeting your data for ransom, but true data immutability and visibility can be your best defense.

Ransomware increased by 715% in 2021. Every 11 seconds, some organization somewhere around the world experiences a ransomware attack.

Alarming statistics… but the sooner we acknowledge this reality, the sooner we can start building our defenses against the inevitability of ransomware.

Ironically, while data is the target, it is also our best defense. To find out how and why, CybersecAsia sought out some insights and tips from Kamal Brar, VP & General Manager, Asia Pacific & Japan, Rubrik:

Kamal Brar, Vice President & General Manager, APJ, Rubrik

When it comes to ransomware, what are the biggest challenges organizations face today?

Kamal: Being hit with a ransomware attack is one of the worst threats IT and security teams can face. Here are the biggest challenges organizations face in terms of ransomware attacks:

Cybercriminals are boosting ransomware attacks. According to studies, on average, organizations fall victim to ransomware attacks every 11 seconds. Even with strong firewalls in place, attackers are still finding a way to get through them. Hackers recognize data is mission-critical to any business and by exploiting vulnerabilities they can force organizations to pay the ransom instead of attempting to recover.

However, paying the ransom doesn’t always guarantee success nor a viable option. In many cases, it may still take days or weeks for the recovery process to happen even when the decryption keys are handed over from attackers. And even then, victims may still find that the hackers hadn’t transferred back all of the data.

Double extortion. As companies bolster their cyber defenses, cyber attackers, in turn, adapt their strategies. Alarmingly, there has been a substantial rise in “double extortion” attacks on companies. That is, attackers identifying and stealing sensitive business information first, then inflicting a ransomware attack and demanding payments for both recovery and prevention of data exposure. 

Cybercriminals know that organizations may be able to recover some of their data from backups. So instead of just encrypting the files or backups, they will also try to first exfiltrate the data, threaten to publish it or sell it to the highest bidder. When organizations face double extortion, they may not even know the contents of the data encrypted by ransomware or what is in the data that may be leaked. Between the panic, scramble, and the race to bring back the business, paying the ransom seems to be the quickest way out.

Ransomware attackers target legacy backups. Legacy backups are a risk to the business. This is because legacy backup systems weren’t built with security in mind from the beginning. Too many companies continue to cling to their legacy IT systems, even when those systems no longer fit the business. Outdated data management solutions require IT teams to spend valuable time maintaining and troubleshooting, preventing organizations from getting the most out of their data.

On top of this time-consuming management, relying on legacy technology especially increases vulnerability to ransomware attacks. The complex patchwork of their hardware and software is notoriously hard to manage, unbearably slow, and in no way ready for the cloud. Off-the-shelf file systems not only leave data exposed to attackers but also provide limited options to restore data. This makes IT recovery difficult to attain in cases of cyber-attacks.

To address the rising challenges organizations face when it comes to ransomware attacks, Rubrik recently announced a strategic agreement with Microsoft to deliver integrated Zero Trust data protection for hybrid cloud environments on Microsoft Azure.

How does a “zero trust” approach to cyber-defense help organizations to prevent data loss or at least recover their data in the aftermath of a ransomware attack?

Kamal: The limitations of perimeter security and traditional data backup are creating a need for Zero Trust architecture which assumes all users, devices, applications are untrustworthy and can be compromised. Only users that have been authenticated using multi-factor methods get access to data — and only to the data they need. Permissions and access are strictly limited, and users are unable to manipulate the stored data with intent. 

In addition to this, the Zero Trust model of security shows a great deal of promise against cyber-attacks. The first line of defense in Zero Trust is preventing intruders from gaining access in the first place. An intruder may be an outsider or someone from within the company. There are multiple methods to reduce intrusion risk:

  • Multi-factor authentication (MFA). MFA validates a combination of factors requested from a user. The most common factor is a user’s credentials. The second factor might be a Time-based One-Time Password (TOTP), biometric identifier, or key card. More factors can be used to increase security further. By combining something you know and something you have, MFA mitigates cyber-attacks and reduces the risk of unauthorized access. MFA should be considered a must-have for accessing backup systems and data.
  • Role-based access control (RBAC). RBAC restricts access based on an individual’s role within the organization or a service’s function. (Service accounts may be created so that third-party tools have the necessary privileges to perform their functions.) Various user accounts and service accounts have different access privileges. Limiting access based upon role can greatly reduce the amount of data affected if a ransomware attack or other intrusion does occur. Using the principle of least privileged access, employees and services only get access to the resources necessary to perform their specific job duties—and nothing more. Even if a user is successfully authenticated, they are not granted access rights if they are not assigned to perform a specific task as defined by policy (based on factors such as authority, responsibility, and job competency).

The next line of defense is to protect backup data to the greatest extent possible — even if ransomware gains access. Multiple methods should be employed:

  • Data encryption. Encrypting backup data ensures that if malware or a hacker gains access to the backup data, it cannot be read, reducing the risk that sensitive customer and employee data or valuable intellectual property (IP) will be breached. Ideally, backup data should be encrypted both in-flight and at rest.
  • Data immutability. Because ransomware can encrypt already encrypted data and make it inaccessible, immutability is necessary to protect backup data from being encrypted by hackers or ransomware. Once data has been written, an immutable backup cannot be modified or deleted — either for a set period or forever. The technologies that underpin immutable data storage are often referred to by the acronym WORM (write-once-read-many).

By combining data encryption and data immutability, you can ensure that even if ransomware gains access to an organization’s data, it can neither render backups unreadable nor exfiltrate data that compromises the company, employees, or customers.

Why does data play a crucial role in defending against potential ransomware attacks?

Kamal: Cyber risk is growing. Ransomware attacks alone jumped by 715% in 2021. And despite massive investments in perimeter, endpoint and application-layer security defenses, attackers are still successfully gaining access to data.

In cases of such attacks, an organization’s data can be its best line of defense. With a robust data security solution, data can be truly immutable and can’t be encrypted after the fact. Once ingested, no external or internal operation can modify the data, thereby making it immune to ransomware attacks. On such occasions, with the help of a reliable data management partner, a company’s data can be, in itself, its defense.

However, should a company be afflicted by ransomware attacks, an analysis of impact is necessary. It requires a high level of data visibility to promptly identify what data was encrypted and where it resides in the business environment to determine the extent of the attack.

Data visibility enables an understanding of an organization’s specific vulnerabilities. Through such understanding, sensitive data is better protected through backup and user restrictions. In fact, according to Gartner, one-third of successful ransomware attacks occur on data located in shadow IT resources, which necessitates consistent security assessment for better visibility and the implementation of a zero-trust approach.

The topic of data protection sounds complicated – because it is. Administrators are often tasked with managing and maintaining hundreds of individual backup jobs. Often interdependent, they create a proverbial house of cards – when one fails, it has a cascading effect.

Please share some tips for organizations looking to cope with the increasing volume and sophistication of ransomware attacks.

Kamal: A thriving ransomware economy has emerged. The consequences of falling victim to ransomware attacks could be detrimental, which is why organizations are increasing their security efforts. As they do so, however, attackers are continually improving their techniques as well. As such, businesses need to rethink their security strategy. Here are some tips for organizations:

  • Perceive ransomware as an inevitability rather than a possibility. IT leaders should be vigilant and be well-prepared for ransomware attacks as if one will happen tomorrow. In that sense, they need to have a proactive mindset that constantly reassesses and maintains their organization’s cybersecurity infrastructure. Doing so includes consistently updating internal systems and solutions to be secure enough to protect company data from the quickly evolving threats of ransomware.
  • Be constantly informed on cyberthreats and cybersecurity trends. It can be tough to keep track of the latest cybersecurity trends, especially considering its rapid advancements. However, being in the know of the latest in the cyber threat landscape helps businesses determine which threats to gear up for and what they are protecting their data against. A clear understanding of these threats enables them to keep up and take the necessary protective measures.
  • Invest in the necessary security measures. With the rising threats of attacks and their impact on business, cybersecurity has moved on from being a problem for the IT department to being an organizational issue. As such, awareness of cyber threats alone is not enough. It is imperative that businesses invest not only in cybersecurity infrastructure but also effective data management solutions to protect comprehensively against ransomware and various cyberattacks. In addition to securing data, the right technology solution will also enable them to instantly get back up to speed on the off-chance that attackers get into their systems. In this regard, it truly pays to entrust IT infrastructure to reliable partners and end-to-end solutions.