Many IT professionals lose sleep worrying about threat actors attacking their mission-critical systems and data assets. While many types of cyberattacks exist, ransomware causes particularly severe consequences. A successful ransomware attack can stop crucial business operations and effectively shut a company down.

At one time, ransomware was little more than a nuisance. If affected, organizations could recover fairly easily. This article examines how ransomware has evolved into a much more dangerous threat that companies cannot address with traditional defensive measures. We discuss the multiple measures your company needs to implement to protect itself against ransomware attacks and why immutable backups are an essential component of a comprehensive defense strategy.

How Has Ransomware Evolved to Threaten Your Business?

Ransomware threat actors have evolved from using simple malware to organized extortion that exploits compromised or stolen credentials. This evolution has increased the risk of successful attacks and forced companies to refine their defensive measures. The following is a brief outline of ransomware evolution.

  • Stage 1: In the early 21st century, ransomware used weak or reversible encryption, demanded manual payment, and had minimal impact.
  • Stage 2: Around 2010, ransomware adopted strong encryption, demanded payment in cryptocurrency, and targeted small businesses and individuals indiscriminately rather than selecting victims.
  • Stage 3: From 2016 to around 2020, ransomware gangs targeted specific high-value victims with a strategy of breaking into an environment and then encrypting business-critical data assets. Their tactics added lateral movement within an infrastructure to attack the most valuable systems. Threat actors also began to deliberately destroy backups when possible.
  • Stage 4: In the early 2020s, ransomware perpetrators attempted to exfiltrate data before encrypting it and threatened to leak it publicly if the victim did not meet their extortion demands. This approach may expose victims to regulatory and legal risks, providing an additional incentive to meet ransom demands.
  • Stage 5: Recent ransomware developments have focused on eliminating recovery options through infrastructure attacks. Backup systems and media have become primary targets for compromise and deletion before the ransomware attack is launched. Threat actors may remain dormant in an IT environment, waiting for an opportune time to deploy their malicious code.

The Dangers of Sophisticated Ransomware Attacks

Companies face increased risk due to the sophistication of modern ransomware attacks. These attacks are designed to eliminate or compromise recovery paths before encrypting the targeted data. An organization’s backups have become the primary target for threat actors, who understand that effective recovery destroys their ransom leverage.

Intruders who gain access to the environment typically perform reconnaissance of backup systems early in their attack. They aim to identify backup schedules and retention policies so they can time the incursion into the backup infrastructure and the subsequent encryption for maximum damage. Threat actors commonly use the following techniques to compromise enterprise backups.

Privilege escalation and credential theft

Infiltrators may steal admin or backup service credentials, allowing them to disable or delete backups without attracting attention, or they may exploit vulnerabilities in backup software APIs. Because the deletion is performed with legitimate credentials through normal administrative interfaces, a backup may simply disappear with no malware artifact for endpoint tools to detect.

Escalated privileges may enable attackers to delete or corrupt backup catalogs, rendering the backups unusable. They can exploit snapshot backups by changing retention limits or forcing overwrites of critical files. Compromised cloud credentials may result in the deletion of cloud backups or a reduction in retention periods.
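The retention and deletion abuse described above leaves a trail in the storage provider's audit log, provided something is watching for it. The following Python detector is an added example (not the page's, VAST's or Druva's code) that runs over constructed, simplified audit events; the field names (`principal`, `action`, `bucket`, `params.retainUntil`, `params.bypassGovernanceRetention`) are assumptions standing in for a real cloud audit-log schema, and the bucket name, service role name and thresholds are illustrative. It flags retention being shortened below policy, governance-lock bypass, lifecycle-policy changes on a backup bucket, bursts of deletions, and any backup-bucket activity by an identity other than the backup service itself.

```python
"""Flag backup-tampering activity in a storage audit log.

Added example, not from the page or from VAST/Druva. The events below are
constructed and use a simplified, assumed schema; adapt the field names to
your provider's real audit-log format.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BACKUP_BUCKETS = {"corp-backups"}              # assumed name of the immutable backup bucket
BACKUP_PRINCIPAL = "role/backup-service"       # the only identity expected to touch it
MIN_RETENTION = timedelta(days=30)             # policy: every backup keeps at least 30 days
DELETE_BURST_THRESHOLD = 3                     # N deletes by one principal ...
DELETE_BURST_WINDOW = timedelta(minutes=10)    # ... within this window is a burst

# Constructed sample log: one JSON event per line, simplified schema.
SAMPLE_LOG = """
{"time":"2024-03-04T02:00:05Z","principal":"role/backup-service","action":"PutObject","bucket":"corp-backups","key":"full-2024-03-04.bak","params":{"retainUntil":"2024-04-03T02:00:05Z"}}
{"time":"2024-03-04T02:14:00Z","principal":"user/alice","action":"PutObjectRetention","bucket":"corp-backups","key":"full-2024-03-04.bak","params":{"retainUntil":"2024-03-05T00:00:00Z"}}
{"time":"2024-03-04T02:14:30Z","principal":"user/alice","action":"PutObjectRetention","bucket":"corp-backups","key":"incr-2024-03-03.bak","params":{"retainUntil":"2024-03-05T00:00:00Z","bypassGovernanceRetention":true}}
{"time":"2024-03-04T02:15:00Z","principal":"user/alice","action":"PutBucketLifecycleConfiguration","bucket":"corp-backups","params":{"expirationDays":1}}
{"time":"2024-03-04T02:16:00Z","principal":"user/alice","action":"DeleteObject","bucket":"corp-backups","key":"incr-2024-03-01.bak"}
{"time":"2024-03-04T02:16:01Z","principal":"user/alice","action":"DeleteObject","bucket":"corp-backups","key":"incr-2024-03-02.bak"}
{"time":"2024-03-04T02:16:02Z","principal":"user/alice","action":"DeleteObject","bucket":"corp-backups","key":"incr-2024-03-03.bak"}
{"time":"2024-03-04T09:00:00Z","principal":"user/bob","action":"GetObject","bucket":"web-assets","key":"logo.png"}
"""


def _ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect(log_text):
    """Return a list of (time, principal, rule, target) alerts for backup-bucket events."""
    alerts = []
    recent_deletes = defaultdict(list)   # principal -> timestamps of recent deletes

    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("bucket") not in BACKUP_BUCKETS:
            continue                      # only backup storage is in scope here
        t = _ts(ev["time"])
        params = ev.get("params", {})
        target = ev.get("key") or ev["bucket"]

        def flag(rule):
            alerts.append((ev["time"], ev["principal"], rule, target))

        # Any identity other than the backup service touching backups is suspect.
        if ev["principal"] != BACKUP_PRINCIPAL:
            flag("non_backup_principal")

        if ev["action"] == "PutObjectRetention":
            # Retention pulled in below the policy floor = attacker shortening retention.
            if _ts(params["retainUntil"]) - t < MIN_RETENTION:
                flag("retention_shortened")
            if params.get("bypassGovernanceRetention"):
                flag("governance_bypass")
        elif ev["action"] == "PutBucketLifecycleConfiguration":
            # Lifecycle rules are another way to make backups expire early.
            flag("lifecycle_changed")
        elif ev["action"] in ("DeleteObject", "DeleteObjects", "DeleteBucket"):
            window = recent_deletes[ev["principal"]]
            window.append(t)
            window[:] = [x for x in window if t - x <= DELETE_BURST_WINDOW]
            if len(window) == DELETE_BURST_THRESHOLD:
                flag("delete_burst")
    return alerts


def summarize(alerts):
    """Count alerts per rule, for a quick triage view."""
    return Counter(rule for _, _, rule, _ in alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
    print(dict(summarize(detect(SAMPLE_LOG))))
```

The "non_backup_principal" rule is deliberately noisy: on a properly segmented backup store, a human identity appearing there at all is the anomaly, and the other rules only add severity. The retention floor is compared against the event time rather than the object's previous retention date so the check works even when the detector has no state for the object.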

Backup infrastructure encryption

A ransomware attack may be initiated by encrypting the environment’s backup servers with a separate malicious payload. This approach can result in the unavailability of all online backups and reduce recovery options.

Time-delayed attacks

Threat actors often maintain unobserved persistence in an infrastructure for months. During that time they can plant infected data and ransomware code in the backups themselves, so that restoring from those backups reintroduces the malware into the IT environment.

Tactics to Protect Your Environment from Ransomware

Organizations need to develop a comprehensive, multifaceted strategy for ransomware protection. Companies should implement the following tactics to minimize the risks of a successful attack.

Reduce the attack surface to prevent threat actors from accessing the environment by:

  • Enforcing multi-factor authentication (MFA) throughout the environment;
  • Eliminating shared and default admin accounts;
  • Disabling internet-exposed Remote Desktop Protocol (RDP) and other remote access services that are not strictly required;
  • Applying zero-trust for all remote access.

Detect infrastructure intrusion and lateral movement by:

  • Deploying endpoint detection and response (EDR) and extended detection and response (XDR) solutions;
  • Detecting and blocking malicious activity with intrusion detection and prevention systems (IDS/IPS);
  • Monitoring east-west traffic between internal infrastructure components;
  • Logging access requests for anomaly detection.

Limit the blast radius with network and identity segmentation, including:

  • Separating the production and backup infrastructure;
  • Enforcing least-privilege internal network access;
  • Defining specific admin roles for production, cloud, and backup resources;
  • Eliminating credential reuse.

Protect backup and recovery solutions by:

  • Storing immutable backups on object-locked or WORM storage;
  • Ensuring retention periods cannot be reduced once set;
  • Administering backup systems with dedicated accounts that are separate from production domain administrators;
  • Monitoring backups for retention changes or deletion;
  • Creating offline or air-gapped backup copies;
  • Enforcing strict MFA for backup consoles.
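What "immutable" and "retention cannot be reduced" mean in practice is easiest to see in a small model of the rules an object-locked (WORM) store enforces. The following Python block is an added example, not VAST's or Druva's code and not a client for any real service: it is an in-memory simulation whose two mode names follow S3 Object Lock (COMPLIANCE, where nobody can lift the lock before it expires, and GOVERNANCE, where only a principal holding an explicit bypass permission can). The object names, principal names and dates are constructed. It replays the tampering steps from the section above with a stolen backup credential and shows which ones the lock stops.

```python
"""Retention-lock (WORM) semantics behind immutable backups.

Added example, not from the page or from VAST/Druva: an in-memory model of an
object-locked backup store. Rules enforced:
  * an object under retention cannot be deleted or overwritten;
  * retention can be extended but never shortened;
  * COMPLIANCE locks cannot be lifted by anyone; GOVERNANCE locks only by a
    principal with an explicit bypass right.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

COMPLIANCE = "COMPLIANCE"
GOVERNANCE = "GOVERNANCE"


class LockedError(PermissionError):
    """The operation would destroy or weaken a backup still under retention."""


@dataclass
class LockedObject:
    data: bytes
    mode: str
    retain_until: datetime


@dataclass
class Principal:
    name: str
    can_bypass_governance: bool = False


@dataclass
class ImmutableStore:
    now: datetime                                  # injected clock so expiry can be simulated
    objects: dict = field(default_factory=dict)

    def put(self, key, data, mode, retain_days, principal):
        # Overwriting a locked object discards it, so it is policed like a delete.
        if key in self.objects:
            self._require_unlocked(key, principal, "overwrite")
        self.objects[key] = LockedObject(data, mode, self.now + timedelta(days=retain_days))

    def delete(self, key, principal):
        self._require_unlocked(key, principal, "delete")
        del self.objects[key]

    def set_retention(self, key, new_until, principal):
        obj = self.objects[key]
        # Extending retention is always allowed; shortening it is lifting the lock early.
        if new_until < obj.retain_until:
            self._require_unlocked(key, principal, "shorten retention of")
        obj.retain_until = new_until

    def _require_unlocked(self, key, principal, action):
        obj = self.objects[key]
        if self.now >= obj.retain_until:
            return                                  # retention expired: normal lifecycle applies
        if obj.mode == GOVERNANCE and principal.can_bypass_governance:
            return                                  # explicit break-glass right on a governance lock
        raise LockedError(f"{principal.name} may not {action} {key}: "
                          f"{obj.mode} lock until {obj.retain_until:%Y-%m-%d}")


def run_scenario():
    """Replay the backup-tampering steps with a stolen credential; report each outcome."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = ImmutableStore(now=t0)
    backup_svc = Principal("backup-svc")
    breakglass = Principal("backup-breakglass", can_bypass_governance=True)
    attacker = Principal("backup-svc(stolen)")      # stolen backup credential, no bypass right
    store.put("full.bak", b"<full image>", COMPLIANCE, 30, backup_svc)
    store.put("incr.bak", b"<incremental>", GOVERNANCE, 30, backup_svc)

    def day31_delete():
        store.now = t0 + timedelta(days=31)         # the original 30-day lock would have lapsed
        store.delete("full.bak", attacker)

    steps = [
        ("attacker deletes COMPLIANCE backup", lambda: store.delete("full.bak", attacker)),
        ("attacker shortens COMPLIANCE retention",
         lambda: store.set_retention("full.bak", t0 + timedelta(days=1), attacker)),
        ("attacker overwrites COMPLIANCE backup",
         lambda: store.put("full.bak", b"<encrypted junk>", COMPLIANCE, 1, attacker)),
        ("attacker deletes GOVERNANCE backup", lambda: store.delete("incr.bak", attacker)),
        ("backup-svc extends COMPLIANCE retention to 90 days",
         lambda: store.set_retention("full.bak", t0 + timedelta(days=90), backup_svc)),
        ("break-glass admin deletes GOVERNANCE backup", lambda: store.delete("incr.bak", breakglass)),
        ("attacker deletes COMPLIANCE backup on day 31", day31_delete),
    ]
    results = {}
    for name, step in steps:
        try:
            step()
            results[name] = "allowed"
        except LockedError:
            results[name] = "denied"
    results["surviving backups"] = sorted(store.objects)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

Two points the run makes concrete: a stolen backup-service credential is enough to delete ordinary backups but not object-locked ones, and the only way to shorten a COMPLIANCE lock is to wait for it to expire. The GOVERNANCE case shows why the bypass permission must live on a separate, tightly controlled break-glass identity rather than on the everyday backup service account.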

Secure the infrastructure by:

  • Continuously monitoring for privilege escalation and MFA bypass attempts;
  • Hardening operating system and cloud security configurations;
  • Turning off unnecessary or unused services;
  • Patching all infrastructure components promptly to minimize vulnerabilities.

Prevent extortion and data exfiltration with measures such as:

  • Deploying data loss prevention software;
  • Encrypting production and backup data;
  • Restricting direct server access from external networks;
  • Monitoring and suppressing large outbound data transfers.

Prepare for recovery by:

  • Developing ransomware-specific incident response plans;
  • Aligning recovery with compliance and legal requirements;
  • Performing full recovery testing;
  • Identifying a clean recovery environment.

Build security awareness by:

  • Providing organization-wide phishing and social engineering training;
  • Supporting admins with role-specific security training.

Ransomware Protection with Cloud Backup-as-a-Service

Companies face substantial costs when implementing in-house backup infrastructure to support immutable backups and protect against modern ransomware. These costs may be prohibitive, resulting in a suboptimal backup solution that puts your business at risk.

VAST has your back with an affordable way to create immutable backups for enhanced ransomware protection. We can tailor our Cloud Backup-as-a-Service (CBaaS) solution to your unique business requirements. It offers immutable backups built on Druva’s data protection technology for your complete IT environment.

Get in touch with VAST today and learn how easy it is to implement immutable backups to protect your business from ransomware.