How to Maintain Business Continuity in the Age of Ransomware

10/22/2020: This blog was originally published on 8/26/2019, and has been updated to provide additional resources.

As we enter week four of National Cybersecurity Awareness Month (NCSAM), it’s worth making the connection between ransomware and your overall business continuity strategy.  Ransomware has been a scourge for years, but the attacks are only growing more sophisticated, capable of hitting multiple sites and bringing your entire organization to a halt.

What’s a good example?  Looking back to May 7th, 2019, the city of Baltimore was hit by a ransomware attack – code named “RobinHood.” Hackers used remote encryption to lock down the city’s file servers and demanded payment of 13 bitcoin in exchange for keys to release them.  The city immediately notified the FBI and took systems offline to keep the attack from spreading, but not before it impacted over 10,000 computers and multiple city departments. Baltimore decided not to pay the 13 bitcoin – roughly $70,000 at the time – but the city hardly emerged unscathed.

All told, the cost to restore data and upgrade systems, combined with the lost revenue, totaled over $18M.

So what should healthcare systems, corporations, government agencies, and other large organizations do to prepare for these attacks? And what can a large enterprise do to maintain business continuity in the age of ransomware without paying the attackers?

How to Maintain Business Continuity in the Age of Ransomware

To get a better understanding of this problem, I sat down with cryptography expert and Nasuni Chief Science Officer David Shaw. We discussed:

• The evolving ransomware threat and the specifics of the Baltimore incident
• Tips for how to avoid a ransomware attack – and mitigate the impact
• How to dramatically decrease business downtime and cost following an attack

You can watch the on-demand video here, but I’ll recap the highlights.

How Ransomware Works and Why It’s More Effective Than Ever

A ransomware event is generally an encryption attack. A piece of malware finds its way into the system, then tracks down all the files it can and encrypts them. Normally we hear of encryption as a good thing, but in this case, the attackers hold the encryption keys. The victim doesn’t know the key or keys, so they can’t access their own files.

The attacker then contacts the victim and offers to give them the key to decrypt their files in exchange for money – typically bitcoin.

In the first wave of ransomware attacks, ransoms were often small. The attackers figured that enterprises would gladly pay a ransom in the range of tens of thousands of dollars to avoid a massive disruption of business. Today the ransoms are higher and the attackers are even more focused. Plus, some variants have evolved into distributed disasters that might impact dozens of or even hundreds of sites.

The Truth About Avoiding Ransomware Attacks

So how do organizations respond to this growing threat? In our talk, David stresses that a strong front-line defense is critical. Basically, you want to do as much as possible to avoid getting infected in the first place.

This requires strong security systems – and investments in those systems – that protect your email servers. But education is critical as well. End users in your organization need to be reminded not to click or double click the links in the suspicious emails that we’re all bombarded with on a daily basis. That link isn’t going to give them a chance to win a million dollars. It’s going to give ransomware attackers an opportunity to extract cash from the company.

Another piece of advice from David: “When you find that USB stick in the parking lot, it’s probably best not to stick it into your computer.”

Investing in security and educating your users will go a long way toward protecting your organization, but David offers a sobering caveat.

Eventually, attackers will find a way through.

So the next question is how to respond when ransomware does strike. How can you recover as quickly as possible without disrupting your business? And how can you do this without paying hundreds of thousands or millions of dollars to attackers who will only be emboldened to strike again?

How to Recover from Ransomware Quickly and Cost-Effectively

File backup can be a great recovery strategy, David says, but you have to ensure that the backup won’t be infected along with the rest of your primary data. In the early days of ransomware, this wasn’t much of a threat. Today, however, attackers have found ways to infect online backups.

Tapes can be somewhat effective. A piece of malware is not going to find its way onto a physical tape sealed inside a physically secure vault. The downside is that your recovery times will be much longer. So from a business continuity standpoint, this isn’t good enough, either. If a critical business unit is down for days or weeks, that’s not true recovery.

The other option is to protect your data securely in the cloud. What Nasuni has pioneered is a continuously versioning file system that stores each file as a series of objects in the cloud. When changes are made to a file, these changes propagate to the cloud as objects. The advantage here is not so much the fact that files are stored in the cloud, but how they are stored – as immutable WORM (write once, read many) data.

Why is this more effective? Consider the Baltimore incident, which impacted 10,000 users and laptops. With Nasuni, you wouldn’t have to physically restore every piece of every file for every user. Instead, IT would effectively wind the entire file system back to the most recent point before the attack. Since this would be a file-system-level change, all files would be restored from that point, and anyone reading a file from then onward would benefit. The IT department would still need to examine different machines to ensure that certain laptops don’t re-encrypt files, but you could restore the file system much faster than with tape restores and achieve a reasonable level of business continuity.

This is not a hypothetical solution, either. Multiple Nasuni clients have recovered from ransomware attacks. Nasuni Continuous File Versioning® gives IT the power to restore files and volumes accessed by many different users. It’s a ransomware solution that works at scale, with infinite versions, secure backup to the cloud, and restores in minutes.

Ransomware is not going away, so every large organization should be doing everything they can to protect their systems, educate their end users, and prepare for a fast recovery. To that end, we have a few resources we’d recommend:

• Watch my short video with David Shaw to learn more
• Read our comprehensive new white paper, Ransomware Defense for Multi-Site Enterprises: How to Recover Faster

And as always, send us a note if you have any questions.