There’s a Gaping Hole in Your Ransomware Protection Plan

Seventy percent of IT organizations have yet to deploy this one simple technology to mitigate the impact of a successful ransomware attack.

Ransomware has become the scourge of the digital economy. Cybercriminals thrive on the fact that many users store valuable and sensitive data on poorly protected devices. Even when systems seem fully secured, they use their well-honed social engineering skills to manipulate people into unwittingly granting them access. While measures can be taken to reduce the chance of a ransomware attack, it is unlikely that your organization will be able to avoid an attack completely.

According to The Long Road Ahead to Ransomware Preparedness, a new Enterprise Strategy Group (ESG) survey of 620 IT and cybersecurity professionals, 79% of respondent organizations reported having experienced a ransomware attack within the last year. If that figure doesn’t alarm you, how about this? Nearly three-quarters of that population admitted to being financially or operationally impacted by those attacks. In other words, of the nearly 80% of organizations that experienced a ransomware attack last year, a whopping 73% of those same organizations reported at least one successful attack, with 32% experiencing more than one successful attack!

The data is clear. It’s no longer a matter of if you will be targeted by a successful ransomware attack, but when.

A complete data protection plan must include ransomware mitigation

The most effective way to mitigate ransomware is to not get infected in the first place. While the data on this score is not promising, you can reduce your risk by following all standard cybersecurity best practices: regularly update and patch software and operating systems, implement firewalls, intrusion detection systems, endpoint and anti-malware security, and train your employees on good data hygiene and cybersecurity awareness. Ransomware attacks often begin with phishing emails that trick users into downloading malware or visiting malicious websites that download malware automatically, so educating users to identify suspicious emails and attachments can significantly reduce the odds of a successful attack.

But what happens when all preventative measures fail? In order to recover your data after a crypto-ransomware attack, for instance, where the attacker encrypts critical files or the content of an entire disk, you will have to obtain either the encryption key or a decryption program from the attackers—which typically means paying a ransom that could range from thousands to millions of dollars, depending upon who you are and the nature of the breach. This is why it's so important for users to have secure backups of all sensitive data: if they are attacked by ransomware, they can simply restore their data from a backup and avoid having to pay a ransom. Or can they?

Your backups are being targeted

Good backup solutions are essential for preventing ransomware attacks from crippling your business. However, it’s crucial that these backups are protected by keeping them in a location where they will not be infected by malware. Once attackers have compromised one of your endpoints, malware can quickly move laterally across your network and encrypt your backup systems. The golden rule of backups states that you should have three copies of your data on two different media types with one stored offsite. Cloud storage has become the de facto standard for that offsite copy, but even clouds are not immune to ransomware.

Although most attacks are initiated on-premises from phishing attacks, URL downloads, direct files, exploit kits, or infected USB flash drives, malware can be unintentionally uploaded to the cloud in a backup job. Considering that savvy criminals now intentionally target backup copies to prevent their ransomware victims from easily restoring their data, the vast majority of IT leaders take extra measures to protect all or most of their backup copies, typically by deploying various security controls and third-party tools to validate their backups. However, according to the ESG survey, only 30% of respondent organizations reported having deployed an air-gapped solution to mitigate the effects of a ransomware attack. Why so few? By air-gapping (or segregating) your backups from the rest of the network, you make it impossible for attackers to access and encrypt them. Is it possible that respondents interpreted “air gap” to mean the traditional, physical air gap, which is highly impractical for all but a few organizations these days, and not the more modern logical air gap known as immutable storage?

Physical air gaps are impractical and not always as safe as you think

As the name implies, a traditional air gap is created when you physically isolate a device from the rest of the system by removing it from the network and placing it in a separate room or building. For backup systems, this often means backing up to tape and shipping it off to a mine or other offsite storage facility. While this is arguably the safest form of air-gapping from a malware standpoint, it is a highly manual and labor-intensive process. It also could potentially take days to get your data back–not exactly the Recovery Time Objectives (RTO) most IT leaders are looking for, especially in a crisis.

Some organizations remedy this by keeping physically air-gapped backups in digital media on premises. Disconnected from the network, it may be safe from malware but not from natural disasters. Further, with so many devices connected to the Internet, oftentimes systems that were thought to be air-gapped end up showing up on network scans. Even when truly air-gapped, on-prem devices are vulnerable to unauthorized access from insiders, malicious or otherwise, since even air-gapped devices need a physical point of access so users can add, delete, or change their data.

Immutable cloud storage is the modern air gap for ransomware protection

Cloud storage providers, such as Wasabi, help solve this problem by creating a logical air gap through encryption, which makes data useless to an attacker, and through hashing, which makes the data immutable. You can think of immutable cloud storage as the spinning-disk equivalent to Write-Once-Read-Many (WORM) tape, with each cloud storage vendor taking a slightly different approach. What is Wasabi’s approach to real data immutability? As our founder, David Friend explains in Immutability Done Right, we have two rules: “ No one person should be able to destroy data that is in an immutable bucket,” and “nobody should be able to touch a production system anonymously.”

In short, any data written to a Wasabi immutable bucket cannot be deleted or altered in any way, by anyone, not even a systems admin, during the specific retention period defined by the user. Combined with role-based access controls, the logical air gap of immutable cloud storage delivers the same, if not better, risk mitigation as a physical air gap. And because it’s cloud-based, it’s offsite but instantly accessible.

Wasabi customers can also set up automatic bucket replication with the target site set to immutability. In this way, you can copy in near real-time from your primary backup in Wasabi to an immutable target in a Wasabi data center in a different region to ensure that you always have a safe copy protected from ransomware, accidents, and natural disasters.

Sometimes the best defense is a good defense

They say the best defense is a good offense, and, of course, you should do everything in your power to avoid a successful ransomware attack from happening in the first place. However, smart money hopes for the best and plans for the worst. While it’s clear that immutability is a key to ensuring cloud security, many organizations haven’t quite caught on to the fact that backing up to immutable cloud storage is one of the smartest – and simplest – things you can do to mitigate the damage caused by a successful ransomware attack. It’s a strategy that will pay for itself many times over.

Next steps

There is a ton of useful and surprising data in ESG’s ransomware report, and I encourage you to download your copy. You can also watch the The Long Road Ahead to Ransomware Preparedness webinar where ESG Practice Director, Christophe Bertrand and I do a deep dive into the raw data to uncover disturbing trends and offer advice on what you can do to better prepare yourself for the ransomware attacks most assuredly to come.