Veeam: How to say ‘no’ in the face of a ransomware attack
Edwin Weijdema, Global Technologist, Veeam
With more than 236 million ransomware attacks taking place in the first half of 2022, attacks are growing in volume and intensity and now affect nearly every industry sector. This is driven by an influx of new ransomware criminals and bolder efforts to secure greater ransom payments from existing bad actors.
But, while many organisations rush to pay the ransom when attacked, this still provides no guarantee that you’ll get your data back. According to the Veeam Ransomware Trends Report 2022, 52% of global organisations with encrypted data paid the ransom and successfully recovered their data, but one in four who paid couldn’t recover it. As a result, the debate around whether to pay or not continues to be highly contentious. While some pay to try and quickly get back online and resume operations, others who’ve planned for the inevitable can recover without paying.
However, instead, we need all organisations to reach a point of ‘no fear’ where they have the power to refuse payment safely in the knowledge that their data backup is tight enough to ensure that recovery time is low, and data loss is zero.
The dangers of saying ‘yes’
Before organisations can reach this point of ‘no fear,’ there are many steps they need to take, but first, they need to consider why they pay demands and understand the danger of saying ‘yes’.
Fundamentally, they’re scared and trying to avoid several harmful consequences. Reputational damage is a big one, as well as security departments’ concerns about repercussions for their jobs. This drives organisations to make payments in the hope that they’ll stay out of the news, and that the disaster will reach a quiet resolution.
On a more serious note, the methods used by ransomware criminals often make organisations feel that they truly have no choice. Ransomware gangs target backups, leaving organisations in a difficult position: even though they backed up their data, this formed part of the attack. Looking into the mind of a ransomware criminal, you can see why they would target backups – after all, it is the most valuable, sensitive, and business-critical data that is prioritised for backup, so attackers know that what they’re getting is crucial to business function, rather than data that organisations can do without.
Unfortunately, as we know, paying the ransom doesn’t mean data will be successfully recovered and the case closed. In fact, in many cases paying the ransom sets off a chain reaction. If you pay your ransom demands, you’re telling your attackers that you’ll do whatever they ask of you, and this leads them to exploit you even further. Only about one in four organisations suffered just one attack – instead, bad actors came back for more, launching further attacks and making more demands. This is known as double or triple extortion.
Double extortion is also sometimes known as ‘name and shame extortion’, and this very clearly communicates why it is such a threat to organisations, and why they pay in the hopes of avoiding it. This type of ransomware attack entails not only the theft and encryption of data but also its dissemination. Attackers will extort their targets by threatening to share the stolen data, with their competitors for example.
Triple extortion adds more pressure to the double extortion tactic, by also threatening a Distributed Denial-of-Service (DDoS) attack if the payment is not made on time. When this happens, organisations can feel truly desperate: not only have they had their data exfiltrated and encrypted, but they also face its publication as well as the complete shutdown of their business should a DDoS attack come to fruition.
Unfortunately, more often than not this is what happens when you pay your ransomware demands, and the best way to avoid it is to make sure your backup strategy is strong enough for you to be able to say no.
Building an iron-clad backup
Your backup is your last line of defence against ransomware attacks, but not all backups are created equal. It is not enough simply to have a backup – as we’ve seen, backups are targeted by attackers. Backup repositories were targeted in 94% of attacks, and almost 70% of cyber events saw at least some repositories impacted.
This means you can only say no to ransomware demands if you’re protecting the right data in the right way. To be able to do this, you need to be very sharp when it comes to your data classification. These days, organisations have, and continue producing, a lot of data. It sounds simple, but it causes some considerable challenges. Fundamentally, when you’re faced with a seemingly endless amount of data, it’s difficult to know what the important parts are, and where they reside. When it comes to fortifying your data protection strategy so that you can say no to demands, you need to make sure that you know what data you have, and what you need to backup.
Unclassified data is not tagged or identifiable, and this also makes it harder to assign a risk level to datasets. If you’re aiming to protect mission-critical data, first you have to identify it. On top of this, tagging your high-priority data is also a significant part of data recovery. Often, businesses cannot be sure which of their datasets have been breached in an attack, and this is another force driving them to pay the ransom, as they are unable to rule out the possibility that their most sensitive data has been compromised, as well as being unable to locate specific sets to recover.
As well as ensuring data is classified, it’s essential that you follow the golden rule of ‘3-2-1’ backup, but with a twist.
We’ve developed this age-old rule, which insists upon three copies of each dataset, saved across a minimum of two different media, and with one of the copies stored off-site. We’ve added a few more numbers to the end of this rule, making it ‘3-2-1-1-0’. In addition to the usual steps, we view a few other things as non-negotiable.
Firstly, one copy of backup data must be hosted offline, one must be air-gapped or immutable, and overall, there must be zero errors in the testing stage. It may seem a simple point to make, but it’s often overlooked: your backup is only useful to you (in the event of an attack, or more generally) if it is verified to ensure there are no errors at all. Otherwise, you cannot recover as planned. This is achieved by daily monitoring – backups should not be left alone as something saved for an emergency, they should be seen as living and in need of constant attention.
This reflects broader shifts in businesses’ attitudes toward data protection, as well as their changing requirements. Veeam Data Protection Trends report 2022 looked into what enterprises are prioritising these days and found that heterogeneity is crucial. By ‘heterogeneity’, I mean a data protection strategy that is optimised to protect the modern workload, which is spread across on-prem and cloud-based servers. As enterprises are increasingly making this move, they should also ensure they unlock the benefits of this for their data protection strategy.
Becoming recovery-focused
In this day and age, ransomware attacks will inevitably happen. It’s a matter not of ‘if’, but ‘when’. This means that even if you’ve mastered your backup strategy, this is only half the battle.
The other half is concerned with making sure that you’re prepared to optimise your data restoration and recovery time objective (RTO). This is a process that absorbs a lot of time. It takes organisations on average 18 days to complete their data remediation, but for 15% of organisations, this process can take place over a matter of months (1-4 months). Aside from being labour-intensive, this also means that business function is interrupted during this downtime. To avoid this happening, it’s important to make sure that you have the right infrastructure to support rapid recovery.
Again, this can be aided by a modern approach to data backup – if you back your data up on-prem and in the cloud, you give yourself the capability to recover data from both servers at once. Importantly, you also have an additional line of defence, as 40% of servers experienced unexpected outages. If you take this into account and strategize accordingly, you can give your organisation more power to say no to ransom demands, safe in the knowledge you have multiple backups at your fingertips.
Organisations tend to rely on incremental data recovery, as it’s considered a more economical option. Yet, as the cost of ransomware attacks increases, it’s worth undertaking the work needed to support full-scale recovery. This entails the redesign of infrastructure so that it can enable organisations to recover data at speed, meaning they can get back to business as usual in a much shorter timeframe than 18 days.
Once you address the factors which lead to ransomware payments, it becomes significantly easier to generate the power needed to refuse. Moving forward, organisations need to leave behind their fear, empowered by a revamped backup strategy that ensures peace of mind.