
Breaking the ransomware business model

By Dale Heath, Head of Solutions Engineering, Rubrik A/NZ

Almost every week another ransomware attack hits the headlines, and each week seems more concerning than the last.

Gone are the days of malicious payloads delivered in poorly written spam emails. Today, attackers take a ‘hub-and-spoke’ approach: compromise one widely used provider, then reach every customer downstream of it, inflicting the most damage on the widest number of victims for the least effort.

By weaponising the trust enterprises place in the service providers within their ecosystem, attackers repeatedly bypass perimeter, endpoint, and application-layer defences, gaining access to the data of hundreds – if not thousands – of businesses in one fell swoop.

Because any inbound communication, including one from a trusted supplier, may be a threat to Australian enterprises, a ‘zero trust’ approach is needed to keep critical data protected and to ensure it can be rapidly recovered when an attack does succeed.

It is clear the ‘trust but verify’ approach to data protection is no longer adequate and businesses must rethink their protection and ransomware recovery plans.

Zero Trust Data Management

The traditional approach to cybersecurity has been to adopt a fortress mentality, focusing on preventative measures and perimeter defences.

This assumes 100% of attacks can be stopped ‘at the border’ while also assuming anything ‘inside the border’ can be trusted. Enterprises have been investing in such measures for decades, yet still attackers are able to thwart them time and time again. This demands a rethink.

While perimeter security still has its place, organisations need to consider how they can make their data resilient when an attacker breaches those defences – this is the core of a zero trust approach to security. The National Institute of Standards and Technology (NIST), in Special Publication 800-207, defines zero trust as “an evolving set of cybersecurity paradigms that move defences from static, network-based perimeters to focus on users, assets, and resources.” Consider the physical security of a bank branch as an example. Its doors might include heavy locks, complemented with CCTV, alarms, and security guards. But once past these defences, are cash and gold left strewn in a storage room?

No. They’re locked away in heavy safes. This is the heart of a zero trust model. It treats every request as potentially hostile, whether it originates inside or outside the network, and grants access only to verified, authorised identities, and only to what they need.

The ‘crown jewels’ of every business today are its data, and that data must be protected in a similar way.

Security at the point of data

For any victim of ransomware, recovery – without being forced to pay multi-million-dollar ransoms – comes down to the quality of its backups.

Ransomware attacks are evolving all the time but there’s one recent development that is particularly concerning.

Attackers have begun targeting backup data to make recovery even harder. Having secure, immutable, and air-gapped data copies ruins the entire ransomware business model because it allows a business to restart operations from a ‘save point’ prior to the infection. Attackers understand this, so by also encrypting or deleting backup data, they make it far more likely the victim will have to pay the ransom.

The Australian Cyber Security Centre recommends organisations make copies of their critical data at least daily to ensure operations can restart quickly following a ransomware attack. The more frequently data is backed up, the less work is lost when you roll back to a clean copy, and the less incentive there is to pay attackers the ransom – which recent research suggests is AUD$1.25 million on average.

This ability to rapidly recover operations from secure data copies is the best ransomware counter-measure businesses have at their disposal.

Consider the experience of Queensland-based Langs Building Supplies.

The business was hit with ransomware one morning, with the malware quickly encrypting hundreds of thousands of files. Despite the extent of the attack, Langs was able to completely restart its operations from its immutable backups within just an hour.

Rather than face days, weeks, or even months offline struggling to recover its systems – along with the need for expensive cybersecurity consultants and forensic specialists to support remediation – Langs’ business was back operating at 100% capacity before lunchtime on the same day.

Data security solutions like those Langs relied on are the core of a zero trust approach to data. Because these copies of critical data can’t be modified or deleted by anything other than approved applications, and because they’re natively air-gapped (meaning the copies are not reachable from the production network or over ordinary network protocols, so a compromised host or account cannot get at them), backups can be relied upon to rapidly restore business operations following an attack.
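The two properties described above – copies that refuse modification, and a ‘save point’ chosen from before the infection – are easy to reason about in code. The following is an added, constructed example, not Rubrik’s or any vendor’s implementation: an in-memory write-once (WORM) snapshot store that refuses overwrites inside its retention window, a manifest check that detects a backup copy tampered with on a store without that protection, and an entropy heuristic that flags snapshots which captured files the ransomware had already encrypted before anyone noticed. The retention period, the 7.2 bits/byte entropy threshold, the snapshot timestamps and the file contents are all assumptions made for the illustration.

```python
"""Immutable backup store with clean recovery-point selection.

Constructed example (not any vendor's code): shows why WORM retention,
a write-time manifest and a post-infection check together let you pick
the newest snapshot that is both untampered and taken before the malware
had encrypted anything.
"""
from __future__ import annotations

import hashlib
import math
from dataclasses import dataclass, field

# Assumed heuristic: text, CSV and most office formats sit far below this;
# ciphertext and compressed data approach 8.0 bits per byte.
ENTROPY_THRESHOLD = 7.2


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class ImmutabilityError(PermissionError):
    """Raised when a write would alter a copy inside its retention window."""


@dataclass
class Snapshot:
    snap_id: str
    taken_at: int                 # epoch seconds (constructed values below)
    files: dict[str, bytes]
    manifest: dict[str, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Hashes recorded at write time are what later integrity checks trust.
        self.manifest = {p: sha256(d) for p, d in self.files.items()}


class WormStore:
    """Write-once store: snapshots cannot be changed until retention expires."""

    def __init__(self, retention_seconds: int) -> None:
        self.retention = retention_seconds
        self.snapshots: dict[str, Snapshot] = {}

    def write(self, snap: Snapshot) -> None:
        if snap.snap_id in self.snapshots:
            raise ImmutabilityError(f"{snap.snap_id} already exists")
        self.snapshots[snap.snap_id] = snap

    def overwrite_file(self, snap_id: str, path: str, data: bytes, now: int) -> None:
        snap = self.snapshots[snap_id]
        unlock_at = snap.taken_at + self.retention
        if now < unlock_at:
            raise ImmutabilityError(f"{snap_id}:{path} is locked until {unlock_at}")
        snap.files[path] = data


def verify(snap: Snapshot) -> list[str]:
    """Paths whose stored bytes no longer match the write-time manifest."""
    return sorted(p for p, d in snap.files.items() if sha256(d) != snap.manifest[p])


def encrypted_files(snap: Snapshot) -> list[str]:
    """Paths whose content looks like ciphertext (ransomware ran before the backup)."""
    return sorted(p for p, d in snap.files.items() if shannon_entropy(d) > ENTROPY_THRESHOLD)


def select_recovery_point(store: WormStore, detected_at: int) -> tuple[str | None, dict[str, str]]:
    """Newest snapshot taken before detection, untampered and free of ciphertext."""
    rejected: dict[str, str] = {}
    for snap in sorted(store.snapshots.values(), key=lambda s: s.taken_at, reverse=True):
        if snap.taken_at >= detected_at:
            rejected[snap.snap_id] = "taken after the attack was detected"
        elif tampered := verify(snap):
            rejected[snap.snap_id] = f"manifest mismatch: {tampered}"
        elif enc := encrypted_files(snap):
            rejected[snap.snap_id] = f"high-entropy files: {enc}"
        else:
            return snap.snap_id, rejected
    return None, rejected


def fake_ciphertext(seed: bytes, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for ransomware output (constructed)."""
    out, block = b"", seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


# Constructed sample data for the scenario.
CLEAN = {
    "finance/ledger.csv": b"date,amount,customer\n" + b"2021-06-01,1250.00,acme\n" * 40,
    "ops/orders.txt": b"order 1182: 40 sheets plasterboard, deliver Monday\n" * 20,
}


def run_scenario() -> dict:
    store = WormStore(retention_seconds=30 * 86400)
    store.write(Snapshot("snap-1", 1000, dict(CLEAN)))
    store.write(Snapshot("snap-2", 2000, dict(CLEAN)))
    infected = dict(CLEAN)
    infected["finance/ledger.csv"] = fake_ciphertext(b"ledger")   # already encrypted, not yet noticed
    store.write(Snapshot("snap-3", 3000, infected))
    store.write(Snapshot("snap-4", 4000, dict(infected)))
    detected_at = 3500

    # 1. Attacker tries to encrypt a locked backup copy: the WORM store refuses.
    try:
        store.overwrite_file("snap-1", "finance/ledger.csv", fake_ciphertext(b"x"), now=detected_at)
        blocked = False
    except ImmutabilityError:
        blocked = True

    # 2. On a store WITHOUT WORM enforcement the write would land; simulate that
    #    for snap-2 by mutating the stored bytes directly and let the manifest catch it.
    store.snapshots["snap-2"].files["ops/orders.txt"] = fake_ciphertext(b"orders")

    chosen, rejected = select_recovery_point(store, detected_at)
    return {"blocked": blocked, "tampered": verify(store.snapshots["snap-2"]),
            "recovery_point": chosen, "rejected": rejected}


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Running it picks `snap-1`: `snap-4` is after detection, `snap-3` already contains ciphertext, and `snap-2` fails its manifest because the simulated store let the write through. The order of the checks matters in practice too: a snapshot that passes the timestamp test is not automatically clean, which is why the entropy check runs on every candidate rather than only on the ones taken after the alert.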

With a zero trust approach to data security, every user, every application, and every device is treated as untrustworthy. By only providing the minimum level of access needed to perform an approved task, and assuming an attacker has already infiltrated the network, trust can no longer be exploited.