Ransomware. Just the word itself is enough to chill the hearts of everyone from personal users to IT professionals to senior executives. May 12th’s massive attack took down hundreds, perhaps thousands, of companies and unknown numbers of individuals and institutions, including the United Kingdom’s healthcare systems (with possible impacts including critical patient care and historical medical records).
At iDS, we’ve helped companies recover from ransomware attacks. In some cases, their policies and security held up, keeping the malware contained, with a limited number of systems impacted. In others, the damage was severe and substantial. In all cases, the attack cost the company time, resources and money. And the damage could have been avoided.
Defending yourself and your organization against ransomware should incorporate several aspects of cybersecurity, from “least privilege” to “patch management.” While these are important, the best single defense is a well-implemented backup and recovery plan. Unfortunately, malware can now seek out and destroy online backups and can either encrypt or delete and wipe your backup files. We’ve seen reports of ransomware going after Apple’s Time Machine backup files, as well as Windows shadow copies and system restore points.
All of this makes it very difficult to recover your data and return to business as usual, which, of course, is the point. Even online cloud-based backups can fall victim to ransomware. As content constantly synchronizes between systems, encrypted content can overwrite live copies. One way to avoid this problem is to use offline backups, such as tape systems, with appropriate media rotation and retention policies. But this can be expensive and require extensive IT involvement – especially in planning a defense and purchasing a significant amount of equipment. And then, as tapes multiply, they can be mislabeled and become difficult to physically manage, which adds ongoing expense and headaches.
I’m here to tell you that there’s another way. You can also use a cloud backup system, specifically Amazon’s S3, to create a “write once read many,” or WORM, cloud storage location for receiving backup files. With Glacier Vault Lock, AWS allows you to write backups to the storage media, but it won’t allow deletions or modifications to the backup files until certain criteria have been met. These criteria are programmable, but for simplicity, you could indicate that all backups must be retained for 10 days, or you could store daily backups for a week and weekend backups for a month. If ransomware hits, backups are safe from encryption or overwriting. Additionally, if an attack happens, you’ll likely know within a few hours, lessening the need to retain backups for significant periods of time – even a week may be overkill.
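As an added illustration (not code from the original post or from AWS), here is the 10-day retention rule above expressed as a Glacier Vault Lock policy, together with the two-step lock procedure that makes it permanent. It assumes a boto3 Glacier client is passed in (so the block itself needs no network), and the vault ARN is a constructed placeholder.

```python
"""Glacier Vault Lock: a minimum-retention policy plus the lock flow.

Assumes the boto3 Glacier client methods initiate_vault_lock,
complete_vault_lock and abort_vault_lock. The condition key
glacier:ArchiveAgeInDays is AWS's documented way to deny deletion
of archives younger than a given age.
"""
import json


def build_retention_policy(vault_arn: str, min_age_days: int) -> dict:
    """Deny DeleteArchive to everyone (including the account root) for
    any archive younger than min_age_days. Ransomware that steals
    credentials therefore still cannot wipe recent backups."""
    if min_age_days <= 0:
        raise ValueError("retention must be at least one day")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "deny-delete-until-retention-age",
            "Principal": "*",
            "Effect": "Deny",
            "Action": "glacier:DeleteArchive",
            "Resource": [vault_arn],
            "Condition": {
                "NumericLessThan": {
                    "glacier:ArchiveAgeInDays": str(min_age_days)
                }
            },
        }],
    }


def lock_vault(client, vault_name: str, policy: dict, confirm: bool) -> str:
    """Two-step lock. initiate_vault_lock puts the vault into the
    InProgress state and returns a lock ID valid for 24 hours; within
    that window the policy can be tested and, if wrong, aborted.
    complete_vault_lock makes the policy immutable: it can never be
    edited or removed afterwards, so confirm only after testing.
    Returns the lock ID."""
    resp = client.initiate_vault_lock(
        accountId="-", vaultName=vault_name,
        policy={"Policy": json.dumps(policy)})
    lock_id = resp["lockId"]
    if confirm:
        client.complete_vault_lock(
            accountId="-", vaultName=vault_name, lockId=lock_id)
    else:
        # Dry run: back out so the vault returns to the unlocked state.
        client.abort_vault_lock(accountId="-", vaultName=vault_name)
    return lock_id
```

Once the lock is completed, even a compromised administrator account cannot shorten the retention window; retention can only ever be relaxed by creating a new vault.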
Ransomware attacks are obviously a real concern and must be taken seriously. That said, if time is spent to properly defend against them, expensive and possibly debilitating incidents may be avoided. Hopefully you and your organization were not impacted by last week’s attack. But if this advice can assist you in recovering from a future attack, then I’ve done my job.
Charlie Platt is a director at iDiscovery Solutions (iDS) and a Certified Ethical Hacker. He advises clients on data analytics, digital forensics and cybersecurity. If you have questions or would like to discuss how iDS can help with your cyberdefense, you can reach him at firstname.lastname@example.org for a free consultation. For further reading and specifics on how to set up Glacier Vault Locking, see this article on the AWS blog.