Ransomware revisited: As attacks worsen, tried-and-true defenses falter
The vast majority of the companies being attacked by ransomware have fewer than 1,000 employees. But with proper backups and local encryption, you can hold attackers off.
It’s come to this: a ransomware attack has come between me and my Wendy's quarter pounder! As much as I'd like to say that there's nothing to this problem for my favorite fast food lunch, I can't. A ransomware attack on the world’s largest meat processor, JBS, forced nine US beef plants to close their doors on June 1.
It’s not a laughing matter. If major companies such as JBS and Colonial Pipeline can get hammered by ransomware, there's nothing stopping a low-life hacker from using Ransomware-as-a-Service (RaaS) to take your business out.
Yes, RaaS is a real thing. RaaS attacks are happening at this very moment and ransomware has become the security problem of our day. Indeed, even as I write this story, the US Department of Justice has elevated ransomware investigations to a similar priority as terrorism.
That's why I'm revisiting the topic, even though I recently explained what you can do to avoid ransomware. Another reason is that one of the traditional easy ways to fight the problem—keeping current backups—doesn't work that well anymore.
Back when ransomware first showed up, hackers would lock down systems by encrypting your files and then demanding a ransom, almost always in Bitcoin, for the decryption key. The key didn't always work—spoiler alert: they still don't—but if you had a current backup, you could thumb your nose at the crooks. You'd just clean up your systems, restore from your backups, and be back to work over the weekend.
That was then. This is now.
Starting in 2019, the bad guys figured out that if they could plant ransomware in your system, they could also hoover up your data. That done, they could not only lock up your data but also threaten to sell or release it to others. How do you think your customers would react to knowing information such as their social security and credit card numbers were available to the highest bidder? I'm betting they wouldn't like that.
This technique is called "encrypt and exfiltrate." While backups can help you with the first part, they can't do a thing about the second half of the attack.
Worse still, according to the security company Coveware’s first quarter 2021 ransomware report, the crooks are going after small and medium-sized businesses (SMBs) more often these days. Yeah, the big companies may have more money, but they can also—in theory, anyway—do a better job of defending themselves.
SMBs, especially professional service companies such as healthcare and law firms, are especially juicy targets. They have enough money to be worth shaking down but many still don’t have solid security defenses.
How bad is it? While big companies and organizations get the headlines, Coveware found that 73% of ransomware victims have 1,000 employees or fewer. And 77% of ransomware attacks are now dual-purpose encrypt and exfiltrate. Finally, the average ransom payment increased 43% to $220,298 in 2021's first quarter from 2020's fourth quarter $154,108. (The median payment jumped to $78,398 from $49,450, up 58%.)
The agency warned: "We've seen a number of ransomware incidents lately where the victims had backed up their essential data (which is great), but all the backups were online at the time of the incident (not so great). It meant the backups were also encrypted and ransomed together with the rest of the victim's data."
For example, one of my backup methods—I use several—is to use cloud-syncing services such as Dropbox, Microsoft OneDrive, or Google Drive for automatic backups. But that doesn't do you a bit of good against ransomware. That's because your backup is cheerfully syncing up the corrupted encrypted files along with your good files. (This is also true of any local automatic backup syncing system.)
The answer? Keep up-to-date backups of important files offline, separate from your network, or in a cloud service designed for this purpose. It's time to bring back the old-school 3-2-1 Backup Rule. In other words, keep three copies of your data on two different devices/mediums with at least one off-site storage medium. One or two of these can be online, but one must be offline. I don't care if you use a detachable drive or even tape, but you need multiple copies of your data across a range of days that can't be accessed by even the most devious network attacker.
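The 3-2-1 rule and the offline requirement above, turned into a check you can run against a list of your own backup copies. This is an added example, not code from the article; the inventory entries, the `BackupCopy` fields and the date are constructed.

```python
"""Check a backup inventory against the 3-2-1 rule plus the offline requirement.
Constructed example: the inventory below is made up, not a real site's backups."""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class BackupCopy:
    label: str
    medium: str      # e.g. "disk", "tape", "cloud"
    offsite: bool    # stored away from the primary site
    online: bool     # reachable over the network from production systems
    taken: date      # day the copy was made


def check_321(copies, today, min_span_days=7, max_age_days=1):
    """Return a list of policy violations; an empty list means compliant.

    Checks: three copies, two media, one off-site, one offline (a sync client
    or network attacker cannot reach it), a fresh copy, and copies spread over
    a range of days so one bad day cannot poison every copy."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    if len(Counter(c.medium for c in copies)) < 2:
        problems.append("all copies are on one medium")
    if not any(c.offsite for c in copies):
        problems.append("no off-site copy")
    if not any(not c.online for c in copies):
        problems.append("no offline copy: every copy is reachable over the network")
    if copies:
        newest = max(c.taken for c in copies)
        oldest = min(c.taken for c in copies)
        if (today - newest).days > max_age_days:
            problems.append("newest copy is stale")
        if (newest - oldest).days < min_span_days:
            problems.append(f"copies span only {(newest - oldest).days} days")
    return problems


# Constructed inventories: a compliant set and a sync-only set (both online).
GOOD = [
    BackupCopy("onedrive-sync", "cloud", True, True, date(2021, 6, 4)),
    BackupCopy("nas-nightly", "disk", False, True, date(2021, 6, 4)),
    BackupCopy("usb-weekly", "disk", False, False, date(2021, 5, 28)),
]
SYNC_ONLY = [
    BackupCopy("onedrive-sync", "cloud", True, True, date(2021, 6, 4)),
    BackupCopy("nas-nightly", "disk", False, True, date(2021, 6, 4)),
]
```

Running `check_321(SYNC_ONLY, date(2021, 6, 4))` reports exactly the failure the article describes: every copy is online and would be encrypted along with the originals.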
The best defense is to keep your data encrypted on your own drives. Who cares if the bad guys have a copy of your files if they can't get to them? If you back up your data properly and encrypt it, even the most clever hacker can't keep your business down for more than a few hours or a day or two.
Is this a pain? Yes. That's why ransomware attacks are so common. Every day that passes without you taking the time to defend yourself is another day you could end up paying a digital blackmailer a couple of hundred thousand dollars in the forlorn hope you’ll get your data back.