Why system backups no longer shield against ransomware

security
(Image credit: Shutterstock / binarydesign)

Traditionally, regular system backups have been one of organizations’ key defenses against ransomware attacks, as they allowed organizations to restore systems quickly, without paying ransom. While regular backups are still a necessary and prudent practice, they no longer provide the protection against ransomware that they once did.

About the author

Craig Lurey is CTO at Keeper Security

From 'encrypt and exfiltrate' to 'exfiltrate and extort'

For years, ransomware attacks differed from data breaches in that no files were compromised. Cybercriminals would lock down systems and demand a ransom, usually in Bitcoin, to provide an encryption key.

As ransomware evolved, cybercriminals realized that the same network access levels they needed to plant ransomware files also lent well to exfiltrating data -- and allowed them to get around the pesky backup files that stood in between them and an immediate payday. Enter double extortion, also known as “encrypt and exfiltrate,” which extended ransomware attacks to include data breaches. In addition to encrypting victims’ files, cybercriminals also steal them, then threaten to sell or publicly release the data if the victim doesn’t pay the ransom.

Ransomware attacks with an extortion component have soared in popularity since they first emerged in late 2019. A recent study by Coveware found that 77% of ransomware attacks involve a threat to leak exfiltrated data. Additionally, cybercriminals are moving away from the “encrypt and exfiltrate” model and towards “exfiltrate and extort.” Prolific ransomware group REvil recently stole data and schematics for unreleased Apple products, then vowed to sell it if they didn’t receive a $50 million ransom.

These types of attacks are set to increase in frequency due to the preponderance of “ransomware as a service” (RaaS). RaaS enables cybercriminals to sell subscriptions to ransomware “solutions” in the same way that legitimate developers sell benign SaaS products. RaaS developers earn money through commissions off successful ransoms. RaaS severely lowers the entry barrier for cybercrime by giving everyone, even people with few or no technical skills, the ability to launch ransomware attacks.

Ransomware attacks target SMBs

In addition to forgoing encryption, cybercriminals are increasingly targeting small and medium-sized businesses (SMBs), many of whom are vendors to large enterprises. While large companies can afford to harden their security defenses against attacks, many SMBs are budget-strapped, making them “soft targets.”

In 2019, SMBs represented about 60% of ransomware targets. The Coveware study found that 77% of ransomware victims have 1000 employees or less, with professional services (especially law firms), healthcare, and public sector organizations representing nearly half of all targets.

Protecting your organization from next-gen extortion ransomware

The report found that nearly half of ransomware attacks begin with cybercriminals compromising remote desktop protocol (RDP) services, either by using stolen credentials, guessing default or common passwords, or by exploiting unpatched vulnerabilities. The second most common attack vector, representing an additional 25% of attacks, is email phishing.

This is good news for organizations, because it means that the overwhelming majority of successful ransomware attacks involve stolen or guessed login credentials -- which, by the way, also account for over 80% of successful data breaches. Any organization can dramatically harden its security defenses simply by securing its user credentials through comprehensive password security and identity and authentication management (IAM).

Here are five steps to take right now:

  1. Implement a zero-trust security architecture, where all users, human and machine, are verified and authenticated before they are allowed to access organizational resources. Having been gaining in popularity for years, zero-trust is soaring now due to widespread remote work. With distributed workforces connecting from multiple devices and locations, zero-trust is the only model that ensures that everyone logging onto the organization’s network is who they claim to be.
  2. Mandate that employees use strong, unique passwords for every website and app. This protects the organization against breaches caused by weak, easily guessed passwords.
  3. Mandate the use of multi-factor authentication (2FA) on all accounts that support it. Even if a cybercriminal manages to get hold of a working password, without the second authentication factor, it will be useless.
  4. Deploy an enterprise-grade password security and encryption platform organization-wide. Enterprise-grade platforms are more robust than consumer-grade password managers. While both types of solutions automatically generate and securely store strong, unique passwords, and automatically fill login credentials across websites and apps, enterprise-grade solutions have additional features that enable IT administrators to enforce password security policies company-wide.
  5. Pair the password security and encryption platform with a dark web monitoring solution. These solutions scan dark web forums and notify organizations if any company passwords have been compromised. This allows IT administrators to force password resets right away, minimizing the risk of cybercriminals having time to use them to breach company systems, exfiltrate data, and plant malware.

Ransomware is aggressively evolving, and organizations must be aggressive about combating it. Since most ransomware attacks involve stolen login credentials, organizations that implement comprehensive password security, in conjunction with a zero-trust security model and IAM, are far less likely to be victimized.

Craig Lurey is CTO at Keeper Security