The attack vectors for Ransomware—in which malefactors encrypt users’ data and refuse to decrypt them unless they pay extravagant fees—are, on some levels, outrageous.
Ransomware payouts totaled approximately $20 billion in 2021. This form of attack is a significant contributor to the $10.5 trillion cyber crime costs projected for 2025. Additionally, Ransomware-as-a-Service (RaaS) is now a reality, making these attacks equally as accessible, if not more so, than any other service in the cloud.
Most disconcerting, however, is the fact that a growing number of targets are including small and mid-sized businesses. Such entities, of course, have the least ability to pay costly ransoms—or technological savvy to successfully counteract these attacks.
Devising various cyber security measures to ward off such attacks is a risky proposition, at best. The nature of this threat changes daily, if not several times a day. The best defense has always been to issue timely, intelligent backups so organizations will have their valued data no matter what these cyber criminals do, which frequently starts with deleting their backups.
“Detecting ransomware detonation is an important thing, but then what?” Retrospect GM J.G. Heithcock posed rhetorically. “It does you no good if your backups aren’t protected, which is where immutable backups come into play.”
The original immutable backup, of course, involved removable media like tape or disc. Competitive vendors issuing state of the art advancements to modern backup solutions still support this form of backup. “Tape backup is one of the original air gaps,” Heitchcock recollected. “You backup to tape; it comes out of the drive; no ransomware can touch that.” More contemporary methods for backup immutability include backing up data to the cloud. With this approach, users can employ backup solutions while specifying how long their backups are to remain unalterable. “It’s basically object locking,” Heitchcock mentioned.
Object storage is immensely popular for several type of applications. The trick to employing it to defeat ransomware propagators is to utilize backup solutions, like Retrospect Backup 18.5, that enable users to configure object locking in a holistic backup platform with which they’re familiar—instead of trying to figure out the particularities of GCP, AWS, or Azure. “By doing everything inside of Retrospect, by creating the bucket, as an example, and setting the policy all inside of Retrospect, it’s going to make it a lot easier for the user,” Heitchcock said.
Another way smart backup platforms are able to counter the incidence of successful ransomware attacks is by monitoring various aspects of backups and taking charge of them when necessary. For example, backups are issued with what Heitchcock termed “change tracking”, so that only the changes to a dataset or files that have been made since the previous backup are actually backed up. Additionally, when users are engaging with backup immutability options and specify they want object locking for a certain backup to be locked for 30 days, for example, they may be replicating changes to that dataset for the first 29 days. The key consideration is that most of the data was backed up during the first day the policy was acted upon; the subsequent days are only backing up changes and are, therefore, dependent on that initial backup.
“On the 31st day, ransomware can come through and delete that first primary backup that all your 29 other backups were dependent on,” Heithcock warned. “You can get the files that were in those other backups, but that is only a small part of your total backup.” That’s why performing such backup options within platforms dedicated to this service (and implemented in any variety of settings, including the cloud ones referenced above) is so vital to staving off ransomware. “Because Retrospect knows what the policy is, we are going to be able to create this walking window,” Heitchcock explained. “On day 29 or day 30, when it’s time to do that backup, we know that after this day, that first backup is going to be vulnerable. We will do a backup and basically do a transfer and make sure that any files that aren’t going to be covered, are now covered.”
Top solutions in this space also have a number of mechanisms to automate the detection of ransomware. Many of these are based on identifying anomalies in files. Heitchcock described features specifying a threshold in which, for example, if 35 percent or more of a dataset is backed up, alerts, emails, and reporting will signal to users that something aberrational may have occurred to those files.
There are also methods for automating detection of when file names have been changed that are vital early indicators of ransomware attacks. When combined with many of the shrewd backup platform capabilities Heithcock detailed, these measures can protect firms from ransomware attacks. “20 billion dollars is the payout, not the cost, of ransomware [in 2021],” Heithcock denoted. “The costs are way more because people are trying to pay afterwards to shore up their leaky infrastructure.”