Fighting Ransomware with Cloud Backups and Data Immutability

One of the biggest cybersecurity threats facing organizations today is ransomware. Ransomware is a scourge affecting governments and businesses of all sizes. It wreaks havoc on computer systems and can cost organizations millions to repair the damage. The global crisis that has emerged due to COVID-19 has spawned examples of the most insidious behavior as cybercriminals and scammers have targeted the weak and vulnerable. Mobile apps that appear to be COVID-19 tracking maps turn out to be spyware. Ransomware attacks on hospitals, health agencies, and medical research firms are increasing. The global crisis has created a sense of urgency for those combating COVID-19, so they are seen as more likely to pay the ransom. There are no signs that these attacks are slowing down any time soon, so what’s the best way to keep your organization’s data safe from harm?

What is ransomware?

Before we address any potential solutions to ransomware we should provide a definition of what ransomware is. One of the most common forms of ransomware is known as “crypto ransomware.” A crypto ransomware attack typically encrypts valuable files or the contents of an entire disk to prevent users from accessing it. The organization affected is told that they have to pay a ransom to regain access to their data. If that data hasn’t been backed up somewhere, or worse, if the backup is also encrypted, the victim has to face losing their data or paying the cybercriminal. Imagine having the lives of sick and dying patients in your hands, or working on an antiviral vaccine and having your data held hostage? I can’t. Would you pay to restore access? We are told not to pay, but can you fault those that do, especially in a global crisis?

The impact of downtime

The impact of downtime to enterprises under a ransomware attack are typically financial due to the loss of revenue or idle time for employees. But when the attack is on governmental, medical and emergency responders, the cost of downtime can be calculated in the health and lives of the people that institution serves.

How do I prevent a ransomware attack?

Often, organizations can avoid paying the ransom if they opt to restore affected data from backups. Backup data is not immune to ransomware, but a diligent program of keeping multiple versions, different recovery points (yearly, monthly, weekly, daily), and a geographical separation between backup copies, goes a long way to reduce the impact of ransomware attacks. A common rule of thumb for backing up data is known as the “3-2-1 rule”. This describes keeping 3 copies of your data, 2 on different media, and 1 offsite. Offsite makes sense because if you can “air gap” a backup copy, it can be protected better than if it were attached to your network. Unfortunately, “air gapping” usually means keeping it “offline” and powered down in a salt mine somewhere. That limits your access to the backup and in some cases it can take days to locate it and bring it back online. In the case of a global emergency and where time is off the essence, you’ll want millisecond access, not hours or days.

Ransomware and the cloud

How can you get millisecond access to offsite data? The answer is of course, cloud storage. Many organizations have started using cloud object storage as part of their 3-2-1 backup strategy. Storing data in the cloud is less expensive than on-prem, gives you near-instant access to your data, and adds an additional level of protection. Notice that I wrote “adds”. Data in the cloud can still be affected by ransomware. Although the vast majority of attacks are initiated on-premises from URL downloads, direct files, exploit kits, and infected USB flash drives, those viruses can be uploaded to the cloud in a backup job. They may not be able to affect previous backup jobs, but that recovery point will not be available. Recently we’ve seen examples where cybercriminals have been able to access victims networks through exposed remote desktop services and gain access to cloud credentials and use them to delete previous backups or download them to servers under the cybercriminals control. With the backups either deleted or under the cybercriminal’s control, they then deploy the ransomware. Less common, but also a vulnerability is a cloud object bucket (the basic container that holds your data) that was misconfigured and left open to the public. In these cases the contents of the bucket are exposed. All major cloud platforms operate on the basis of a shared responsibility model when it comes to compliance and security. Of course, the best defense is preventing attackers from gaining access to your network in the first place and to monitor for suspicious activity. Organizations should use network monitoring software, intrusion detection systems.

Fight ransomware with immutable buckets

When you create a Wasabi storage bucket you have the option of making it immutable for a configurable retention period (in increments of days, weeks, months or years). “Immutable” means that any data written to that bucket cannot be deleted or altered in any way, by anyone, throughout its storage lifetime as defined by you. If desired, you can also configure the storage bucket to automatically delete the data after the retention period has expired. Wasabi immutable storage buckets prevent encryption by crypto ransomware. It can also help you comply with certain government and industry regulations like the Health Insurance Portability and Accountability Act (HIPAA), Financial Industry Regulatory Authority (FINRA), Markets in Financial Instruments Directive (MiFID) and Criminal Justice Information Services (CJIS) for securing and preserving electronic records, transaction data and activity logs. By adequately protecting and retaining data you can avoid expensive regulatory fines and penalties, and costly legal actions and settlements.

Wasabi is one of the few cloud service providers capable of providing immutability features. We believe that:

• No one person should be able to encrypt or destroy data that is in an immutable bucket; and
• Nobody should be able to touch a production system anonymously.

This means when using Wasabi immutable buckets, no one can delete or alter your data–not even a systems administrator.

In the case of ransomware, like everything else, a good defense is the best offense. There are a variety of anti-malware and decryption products available to protect your system, but one of the simplest ways to keep your data safe is by performing regular backups, ideally keeping at least one backup copy offsite. Cloud storage providers provide encryption on the fly and at rest, but you should also take advantage of optional immutable features that exist.

Fight ransomware with Multi-User Authentication

Securing your Wasabi account with Multi-User Authentication grants an additional layer of protection to your data: not by securing the buckets but the accounts. Multi-User Authentication gives users the option to appoint up to three individuals who must collectively confirm an account deletion. If any of the designated individuals decline the deletion, the process is automatically canceled. No individual, be it a hacker, a rogue employee, or an inattentive administrator, possess the sole authority to delete the account. The approach is modeled after nuclear launch protocols, where no single person can initiate an attack without the confirmation of others.

This feature gives Wasabi account holders extra security should one of their accounts be breached, and puts the brakes on any would-be hackers from threatening your data with deletion.

What to do if my business is hit by ransomware?

That’s a hard question. Before COVID-19 and the ransomware assault on medical and emergency responders, I would have agreed with the advice of the FBI and never pay. Paying cybercriminals only encourages these types of attacks to continue. When it’s a global crisis and thousands of lives are on the line, the answer isn’t so easy.