Keeping your data protected from ransomware attack in the new era
According to the IBM X-Force Threat Intelligence report, ransomware was the top threat type, comprising 23% of attacks. In 2019, the U.S. was hit by an unprecedented and unrelenting barrage of ransomware attacks that impacted at least 966 government agencies, educational establishments and healthcare providers, at a potential cost in excess of $7.5 billion (report by the cybersecurity company Emsisoft). The average cost of a data breach increased significantly, from $3.86 million in 2020 to $4.24 million in 2021 (IBM’s Data Breach Report 2021). Ransomware attacks cost an average of $4.62 million, more than the average data breach ($4.24 million). Malicious attacks that destroyed data in destructive wiper-style attacks cost an average of $4.69 million.
The proportion of organizations deciding to pay a ransom rose to 32% in 2021, compared to 26% in 2020 (Sophos State of Ransomware 2021 report). Even after paying the ransom, only 8% of them got all their data back, and nearly a third (29%) could not recover more than half of the encrypted data. On average, only 65% of the encrypted data was restored after the ransom was paid. Approximately 37% of global organizations (more than one third) said they were the victim of some form of ransomware attack in 2021 (IDC’s “2021 Ransomware Study”). 92% of those who pay do not get their data back (Forbes).
We all know that Confidentiality, Integrity and Availability are the three pillars of security. Integrity of data is an important dimension: it means that data has not been altered in an unauthorized manner, whether the data is at rest, being processed, or in transit. Here we will focus only on data “at rest” in relation to ransomware. It is evident that, while a high level of effort is required to prevent attackers from getting in or escalating their privileges within a system, the best bet for an organization remains to protect its critical data from unauthorized access and destruction.
Ransomware attacks focus on encrypting any data to which they can get write access, including the backup system. This can also happen because of poorly implemented permissions that expose backup data, wherever it is stored. That makes a ransomware attack far more effective, because the organization can no longer recover its data from the backup system.
The big step towards protecting data is to have an isolated, immutable backup of the data that is not accessed in normal operation and is covered by very strict administrative authentication and authorization for a small set of admins. There was a time when data backups on physical tapes were kept off-site to protect them from any physical damage to the data center, as part of the BCP/DR approach. That was one of the best ways to ensure data integrity. We should leverage cloud offerings, which are equally effective in protecting data from any ransomware attack.
Now let’s discuss immutable backup methods, which are the key requirement here. Azure has introduced Blob storage options that operate as immutable storage and let users store business-critical data in a WORM (Write Once, Read Many) state for a defined time interval. While in a WORM state, data objects can be created and read, but cannot be modified or deleted for the user-specified interval. By configuring immutability policies for blob data, customers can protect their data from overwriting and deletion. Another benefit of Azure Blob storage is the legal hold, which keeps data immutable until the legal hold is explicitly cleared. When a legal hold is set, objects can be created and read, but not modified or deleted. It is important to understand how immutability is implemented and whether it is truly WORM, even if OS administration accounts are compromised.
Those on the AWS platform can use AWS Backup Vault Lock to prevent any user from deleting their backups or changing their backup lifecycle settings, whether by accident or by malicious action. AWS Backup Vault Lock (S3 Glacier) improves the customer’s security posture and ensures a mechanism for restore, even in a worst-case scenario like total account compromise. Another service that is useful for data protection is the AWS object storage service S3, where you can use features such as object versioning to help prevent objects from being overwritten with ransomware-encrypted files, or S3 Object Lock, which provides a write once, read many (WORM) solution to help prevent objects from ever being modified or overwritten.
You can use the Compliance retention mode if you never want any user, including the root user in your AWS account, to be able to delete the objects during a pre-defined retention period. You can use a Legal Hold as an infinite retention period: once applied, it is not possible to delete any object until the hold is released manually (only by users with special permissions). Every backup within the retention period is an immutable backup with point-in-time restore capability. S3 also offers the MFA Delete option for a versioned bucket, which safeguards against permanently deleting an object version or changing the versioning state of the bucket.
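Two checks a practitioner would run against the S3 settings described in the previous two paragraphs, as an added example that is not part of the original article: an audit that flags a bucket whose Object Lock is not truly WORM (Governance mode, short or missing default retention, versioning off), and a small model of S3's deletion rule showing why Compliance mode and Legal Hold matter. It assumes input dicts shaped like the output of the named `aws s3api` commands and a hypothetical 30-day minimum retention; all sample values are constructed.

```python
# Added example, not from the original article. Input dicts mirror the output shape of
# `aws s3api get-object-lock-configuration`, `get-bucket-versioning`,
# `get-object-retention` and `get-object-legal-hold`; all sample values are constructed.
from datetime import datetime

MIN_RETENTION_DAYS = 30  # assumption: the organisation's minimum backup retention


def audit_bucket(lock_cfg, versioning_cfg):
    """Return a list of findings; an empty list means the bucket is WORM as intended."""
    findings = []
    if versioning_cfg.get("Status") != "Enabled":
        findings.append("versioning not enabled: no point-in-time versions to restore")
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock not enabled: versions can be overwritten or deleted")
        return findings
    retention = cfg.get("Rule", {}).get("DefaultRetention")
    if not retention:
        findings.append("no default retention: a backup is only locked if each PUT sets retention")
    else:
        mode = retention.get("Mode")
        if mode == "GOVERNANCE":
            findings.append("GOVERNANCE mode: s3:BypassGovernanceRetention still allows deletion")
        elif mode != "COMPLIANCE":
            findings.append(f"unexpected retention mode {mode!r}")
        days = retention.get("Days", retention.get("Years", 0) * 365)
        if days < MIN_RETENTION_DAYS:
            findings.append(f"default retention {days}d is below the {MIN_RETENTION_DAYS}d minimum")
    return findings


def deletion_blocked(retention, legal_hold, now_iso, can_bypass_governance=False):
    """Model S3's rule for whether a locked version can be deleted at time `now_iso`."""
    if legal_hold.get("LegalHold", {}).get("Status") == "ON":
        return True                       # legal hold wins regardless of dates or permissions
    r = retention.get("Retention")
    if not r or datetime.fromisoformat(r["RetainUntilDate"]) <= datetime.fromisoformat(now_iso):
        return False                      # no retention, or it has already expired
    if r["Mode"] == "COMPLIANCE":
        return True                       # nobody, not even the account root, can remove it
    return not can_bypass_governance      # GOVERNANCE: the bypass permission defeats the lock


# Constructed samples: a weak bucket beside the hardened one
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
WEAK_VERSIONING = {"Status": "Enabled"}
STRONG_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}}}}
STRONG_VERSIONING = {"Status": "Enabled"}
```

Running `audit_bucket(WEAK_LOCK, WEAK_VERSIONING)` reports the Governance mode and the 7-day retention, while the strong configuration returns no findings.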
Similarly, GCP storage buckets with Bucket Lock offer write-once (WORM), immutable storage to meet your compliance standards and ensure your data’s integrity, while offering instantaneous access for quick restores. As part of the protection, once you lock a bucket you cannot unlock it until all objects are out of the retention period. Retention policies prevent the deletion or modification of the bucket’s objects. Applying Bucket Lock to a storage bucket in the Archive class can help you achieve WORM compliance for long-term data archival as well.
Apart from the immutable backup options, which provide secure storage for your data, we all know the initial steps: keep multiple copies of the data backup (including off-site copies), use Multi-Factor Authentication (MFA) for administrative accounts as standard practice, and separate administrative roles. We also need to enable encryption of the data and segment the workflow so that only authorized systems and users have limited access to the key material needed to decrypt the data. We know that network sharing protocols work well for general-purpose file sharing. However, minor mistakes in permissions can lead to data being exposed. Instead of using them, we recommend using object storage APIs (for example Amazon S3 compatible APIs) or virtual tape libraries, or keeping the storage “local” to the backup server (not accessed over a network sharing protocol).
The interesting part to understand here is that a technology initially introduced for a security compliance requirement, keeping a golden copy of data for later auditing or reconciliation, has shifted to also being used to safeguard against ransomware attacks and maintain the integrity of data. Cloud storage is an economical solution because resources are readily available, scalable, and multi-tiered.
Author:
Deepak Kumar,
Cloud Practice Head,
ITC Infotech