Ransomware: Paying Won’t Always Bring Data Back — So What Now?

By Erica Antony

Not a day passes without news about an organization being held hostage with encryption-based malware, aka ransomware. The Internet Crime Complaint Center reported that last year alone, ransomware events cost U.S. organizations $24 million. A recent Trend Micro report revealed that attacks on business emails and business processes will continue to grow in 2017 because they’re cheap and simple forms of corporate extortion. Another survey of SMBs by Kaspersky found that 67 percent admitted that they lost at least some business data to ransomware.

These statistics underscore a growing issue that’s impacting businesses of all sizes — one that executives cannot ignore and will inevitably fall to IT and partners to resolve.

I’m sure the irony of it isn’t lost on many in tech: The same tool that’s designed to help secure your data is now used against you in a criminal endeavor. Because of the way payloads are delivered and the fact that new strains of malicious code are created every day, it’s extremely difficult to prevent ransomware infection even with the most up to date antivirus. Adding insult to injury, once a customer’s data is locked, there’s no easy way out — you’d better have a Bitcoin wallet ready to pay up. Right?

Well, maybe not.

Historically, paying the ransom was successful in most cases. However, with the rising frequency of attacks, that is no longer certain, according to a new report by Carbonite that polled 618 SMB employees with responsibility for containing ransomware infections within their organizations. Of those who had been successfully attacked, just 55 percent say that once the payment was made, the cyber criminal provided the decryption cypher or key. The same number said with some level of certainty that the ransomware exfiltrated data. So clearly, paying up doesn’t always set everything right.

Currently, there’s no consensus on whether to pay ransoms. Even law enforcement, including the FBI, tends to waffle on the subject. I believe you don’t have to pay. Here’s why, and some tips on how to mitigate the damage from a ransomware event.

• Do not negotiate or pay: While businesses often feel powerless to remedy ransomware attacks and decide to pay the asking price in exchange for an encryption key, giving in to demands may create more problems — attackers now often send bogus encryption keys to extort more money from businesses, destroy or corrupt sensitive files beyond repair, and share a company’s vulnerabilities with other malicious hackers who then demand more ransom. And on. And on.
• Be proactive instead of reactive: Contrary to popular belief, ransomware is ultimately a data-recovery issue, not a security one. Businesses can, and should, defend themselves with high-performance threat detection solutions. However, there is no product that will stop ransomware 100 percent of the time. The good news is you likely already have a great solution in place to help you out: the good old backup function. Yes, ransomware is increasingly bringing the unsexy backup … back.

By giving a customer room to make its own decisions, you remove the need to negotiate with attackers should ransomware spread and infect business-critical data. An extremely effective way to approach ransomware from a disaster-recovery perspective is by implementing and regularly testing a robust recovery solution with traditional and cloud-based options to turn back the clock and restore business-sensitive data. No ransom needed.     

However, there are some gotchas and best practices to help organizations stay out of the ransomware headlines and keep business running as usual. Remember, backup servers are targets, too.

• Back up and back up again: Many companies use backup tools to successfully recover affected systems and save their businesses from succumbing to encryption extortionists. With advanced data-protection solutions, they can recover a system from scratch and minimize data loss. Of course, they’d have to get rid of all the infected files and stop the virus from spreading first. But with regular backups, organizations can significantly reduce the amount of exposure and have confidence to recreate a clean system. After all, this is a logical strategy. Wouldn’t a business do the same if somehow it had corrupted a system and its data? The only difference here is the source of the problem.
• Protect the source machine: Take precautions to prevent infection in the first place, such as training users not to click on links within emails or download attachments from unknown sources and updating software on a timely basis. Perform regular backups, which may include rethinking service-level agreements to ensure critical business data is backed up more frequently. As RPO and RTO windows are increasingly shrinking, businesses need solutions that meet all service level requirements.
• Follow the 3-2-1 strategy for backup: One of the copies should be offline, and at least one should be off-site. Leverage technologies like virtual standby, enterprise storage-array snapshots and full-system replication, which are more available, integrated and affordable than ever before. These capabilities enable IT teams to achieve near-instant and continuous recovery of an entire system and make “rollback” more precise.
• Protect the protector — the backup data: If the backup server gets infected or if backup data is on a shared network that is accessible from an infected machine, ransomware can encrypt backup data as well. Obvious but very important!
• Replicate data to offsite/cloud: Periodically, copy recovery points to offline media. Consider leveraging tape as a backup medium for critical data (more sexy). This oldie but goodie comes in handy to send periodic recovery points offline.

In many ways, the onslaught of ransomware is the biggest threat to customers today; however, it also offers businesses an incentive to re-assess business continuity and disaster-recovery strategies to ensure no area has been overlooked. By combining a solid threat detection and malware eradication solution with a robust data availability plan, partners can equip customers for the fight against ransomware. It all starts by educating end users and applying best practices to protect their environment. And if organizations have total confidence in their data-protection solution, they can to go from infection to recovery without worrying about having to make the choice between paying or not paying during a ransomware attack.                                                        

Erica Antony has spent more than 15 years working with businesses on how to approach evolving and data loss challenges. She is currently VP of product management at Arcserve.