Ransomware attacks have taken an especially nasty turn in the last week. An individual or group of people going by the pseudonym Dark Overlord has been terrorizing a high school in Montana after launching a ransomware attack. In addition to demanding the usual ransom in digital currency, the attackers have been evoking the images of multiple massacres involving school-aged children to induce local authorities to comply with their demands. The hackers know precisely what it is in this day and age that parents fear most when they send their children off to school every day.
Dark Overlord is the same nom de guerre employed by the individual or group of people that also launched the recent ransomware attacks against HBO and Netflix this year demanding to be paid to not post stolen intellectual property on the Web before the media companies' scheduled broadcast. Even after receiving a reported $50,000 payment the hackers apparently went ahead in one instance and released an episode of Orange is the New Black before its official release.
Conventional wisdom says the best way to defend against ransomware attacks is to back up pristine copies of data. To a degree this is true. But Jerome Wendt, president and lead analyst of DCIG, Inc., an independent storage analyst and consulting firm, notes there are at least three scenarios where ransomware can compromise those backups. They include:
- Finding and encrypting backups on network file shares: Many backup products back up data to network file shares, and many organizations keep the default directory names those products create for storing backups. Those default names are readily available in the documentation the backup vendors publish, and cybercriminals have figured this out. As part of their attacks they find and encrypt data on production servers and probe corporate networks for these default backup directories so they can encrypt the backups as well.
- Hacking the application programming interfaces (APIs) of the backup software: Most enterprise backup software products expose an API. Intended to make backup and recovery programmable, it turns out cybercriminals have figured out how to use these APIs to disrupt or encrypt a backup.
- Planting a ransomware time bomb: Ransomware generally encrypts data as soon as, or shortly after, it gets onto the corporate network. Now ransomware has been observed being launched as a form of advanced persistent threat: the malware used to launch the attack infects data, including all the backups, for months before encrypting all that data.
Because of these issues, testing of backup and recovery processes needs to become continuous. Daily backups of important intellectual property are now required. IT organizations will also need to make sure they are backing up pristine copies of data to multiple locations in case one copy of their data is compromised. Naturally, that’s a lot of additional work for all concerned. But the alternative now is not only being forced to pay a ransom; it’s also enduring increasingly vicious demands from what are now cyber terrorists. It’s never advisable to negotiate with terrorists. That’s tough advice to follow when critical data is involved. The real challenge is to implement the security measures necessary to prevent your organization from ever finding itself in that position in the first place.
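A minimal version of that continuous check, written as an added example (it is not code from the article or from DCIG): it records a digest manifest for a backup set at the moment it is verified good and, on each later scheduled run, flags backups that have gone missing, changed, or now show the near-uniform byte distribution typical of encrypted data. The file names, contents and the 7.5 bits-per-byte threshold are constructed for the example.

```python
import hashlib
import math
from collections import Counter

# Constructed sample backup set, modelled as {file name: contents}; a real run reads the share.
SAMPLE_BACKUPS = {
    "db-2017-10-01.bak": b"CREATE TABLE customers (id INT, name TEXT);\n" * 40,
    "docs-2017-10-01.tar": b"Quarterly report text, repeated for size. " * 40,
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte. Plain text and most archives sit well
    below 7.5; ciphertext produced by ransomware sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(files: dict) -> dict:
    """Digest each file when the backup is verified good; keep this manifest on a
    separate, offline copy so an intruder on the share cannot rewrite it too."""
    return {name: sha256(blob) for name, blob in files.items()}

def verify_backups(manifest: dict, files: dict, entropy_limit: float = 7.5) -> dict:
    """Re-check the backup set against the manifest on every scheduled run.
    Returns lists of files that are missing, changed since the manifest was
    written, or whose content now looks encrypted."""
    findings = {"missing": [], "changed": [], "suspicious": []}
    for name, expected in manifest.items():
        blob = files.get(name)
        if blob is None:
            findings["missing"].append(name)
            continue
        if sha256(blob) != expected:
            findings["changed"].append(name)
        if entropy(blob) > entropy_limit:
            findings["suspicious"].append(name)
    return findings

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_BACKUPS)
    # Constructed tampered set: one file overwritten with uniformly distributed
    # bytes (a stand-in for ciphertext), one file deleted from the share.
    tampered = dict(SAMPLE_BACKUPS)
    tampered["db-2017-10-01.bak"] = bytes(range(256)) * 10
    del tampered["docs-2017-10-01.tar"]
    print(verify_backups(manifest, tampered))
```

Run it from a scheduler against each backup location, and treat any non-empty finding as a recovery test failure rather than waiting for a restore to fail.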
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.