Field Notes: How to Protect Yourself from Ransomware Attacks
Ransomware. Just the word itself is enough to chill the hearts of everyone from personal users to corporate IT and senior executives. May 12th’s massive attack took down hundreds, perhaps thousands, of companies and unknown numbers of individuals, including the United Kingdom’s healthcare systems with possible impacts including critical patient care and historical medical records. At iDS, we’ve helped companies recover from ransomware attacks. In some cases their policies and security held, keeping the malware contained with limited systems impacted. In others, the damage was severe and substantial. In all cases, the attack cost the company time, resources, and money – which could have been avoided.
Defending yourself and your organization against ransomware incorporates several aspects of cybersecurity, from least privilege to patch management. While these are all important, the best single defense is a good, well-implemented backup and recovery plan. Unfortunately, many instances of malware now seek out and destroy online backups and either encrypt, or delete and wipe, the backup files. We’ve seen reports of ransomware going after Time Machine backup files, as well as Windows shadow copies and system restore points. All of this makes it very difficult to recover, which, of course, is the point. Even online cloud-based backups can fall victim to ransomware. As content constantly synchronizes between systems, encrypted content can overwrite live copies. One way to avoid this is to use offline backups, such as tape systems, with appropriate media rotation and retention policies. But this can be expensive and require extensive IT involvement, planning, and the purchase of significant equipment. And then there are the tapes themselves, which multiply, become mislabeled, and are difficult to physically manage, all of which adds ongoing expense and headaches.
I’m here to tell you there’s another way: using a cloud backup system, specifically Amazon’s S3, to create a Write Once Read Many (WORM) cloud storage location for receiving backup files. Using Glacier Vault Lock, AWS S3 allows you to write backups out to the storage media, but won’t allow deletions or modifications to the backup files until certain criteria have been met. These criteria are programmable, but for simplicity, you could indicate that all backups must be retained for 10 days, or store daily backups for a week and weekend backups for a month. If ransomware hits, the backups are safe from encryption or overwriting. Additionally, if an attack happens, you’d likely know within a few hours, lessening the need to retain backups for significant periods of time – even a week may be overkill.
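Here is what the 10-day rule from the paragraph above looks like as an actual Vault Lock policy, as an added example that is not part of the original post. Vault Lock is applied to a Glacier vault; the account id, region and vault name are constructed placeholders, the policy condition key `glacier:ArchiveAgeInDays` and the boto3 calls `initiate_vault_lock` / `complete_vault_lock` are the real AWS names, and `delete_allowed` is a local simulation of how the locked condition decides on a delete request.

```python
import json

# Constructed placeholders: substitute your own account, region and vault name.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
VAULT = "backups-vault"
VAULT_ARN = f"arn:aws:glacier:{REGION}:{ACCOUNT_ID}:vaults/{VAULT}"


def vault_lock_policy(retention_days: int, vault_arn: str = VAULT_ARN) -> dict:
    """Deny glacier:DeleteArchive on any archive younger than retention_days.
    Once the lock is completed, the policy itself can no longer be changed,
    so a compromised admin credential cannot shorten the retention window."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "deny-delete-of-young-archives",
            "Principal": "*",
            "Effect": "Deny",
            "Action": "glacier:DeleteArchive",
            "Resource": [vault_arn],
            "Condition": {
                "NumericLessThan": {"glacier:ArchiveAgeInDays": str(retention_days)}
            },
        }],
    }


def delete_allowed(policy: dict, archive_age_days: int) -> bool:
    """Local simulation of the NumericLessThan condition: a delete request is
    refused while the archive's age in days is below the locked threshold."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and stmt["Action"] == "glacier:DeleteArchive":
            limit = int(stmt["Condition"]["NumericLessThan"]["glacier:ArchiveAgeInDays"])
            if archive_age_days < limit:
                return False
    return True


def apply_vault_lock(policy: dict, confirm: bool = False) -> str:
    """Two-step lock: initiate_vault_lock returns a lock id and the vault stays
    InProgress for 24 hours; complete_vault_lock then makes the policy permanent
    (abort_vault_lock is the only way back). Requires boto3 and AWS credentials."""
    import boto3  # imported here so the offline functions above do not need it
    glacier = boto3.client("glacier", region_name=REGION)
    lock_id = glacier.initiate_vault_lock(
        vaultName=VAULT, policy={"Policy": json.dumps(policy)})["lockId"]
    if confirm:
        glacier.complete_vault_lock(vaultName=VAULT, lockId=lock_id)
    return lock_id
```

Review the policy in the InProgress window before calling `apply_vault_lock(policy, confirm=True)`; after completion the only remaining lever is the retention value you chose.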
Ransomware attacks are obviously a real concern and must be taken seriously. That said, if time is spent properly defending against them, expensive and possibly debilitating incidents may be avoided. Hopefully you and your organization were not impacted by last week’s attack, and if this advice can assist in recovering from a future attack, then I’ve done my job. If you have questions or would like to discuss how iDS can help you with your cyber defense, please feel free to reach out to us for a free consultation.
For further reading and specifics on how to set up Glacier Vault Lock, there is a great write-up on the AWS blog here: https://aws.amazon.com/blogs/aws/glacier-vault-lock/