Sponsored Post: Nasuni
Ransomware is a term that strikes fear in the minds of many CIOs and Technology Directors. While not a death sentence, it can certainly seem so as downtime turns from minutes into hours or even days. During that time, operations grind to a complete stop or at least slow down as digital processes are temporarily transitioned to paper-based systems. There are many examples of organizations being down for days or weeks due to ransomware.
- After experiencing a ransomware attack in 2018, it was six days until City of Atlanta officials instructed their employees to finally turn their computers back on for the first time. While the city never paid a ransom, it spent more than $17 million in recovery efforts and some of its systems took weeks to get back online.
- In 2020, the University of California San Francisco was forced to pay $1.4 million in ransom to get systems back up that had been down for more than a week after being crippled by ransomware.
- In 2021, Colonial Pipeline was forced to shut down the largest fuel pipeline network in the United States for six days after paying nearly $5 million in ransom.
In 2023, ransomware continues to plague organizations. The Dole Food Company was recently forced to shut down multiple food processing plants in North America due to ransomware.
Have the Right Tools and Strategies
Despite the pattern of elongated windows of disruption and shutdown, a ransomware attack does not have to result in a business shutting its doors temporarily. Quite the contrary. Ransomware today can be more of a hiccup with the right strategy in place—and no, paying a ransom is not a strategy. An actual strategy is about having the right security controls and a well-designed and rehearsed incident response plan. An up-to-date incident response plan that is periodically rehearsed can save a great deal of time as everyone on the response team knows their assigned role and their next course of action.
Early Detection Makes a Difference
Ransomware is like a cancer to your organization and like any cancer, early detection significantly improves the chance for recovery. For many impacted organizations, ransomware was detected because of a ransomware note delivered by the perpetrators. But at that point the cancer was far beyond stage one.
Observability tools are playing a big role in early ransomware detection. Such tools can monitor system logs of disparate devices in real time and alert internal IT teams of any unusual activity such as data encryption or file exfiltration that could indicate a ransomware attack. Early detection gives your IT team the opportunity to contain an active ransomware threat before it can spread further and do more damage. Once contained, a damage assessment can begin, followed by remediation of all encrypted files. Remediation is greatly accelerated by utilizing ransomware mitigation policies that are triggered automatically when an attack is detected. Such policies can quickly isolate an infected machine, thus cutting it off from the network until it is cleaned.
Granular Access Controls
Ransomware typically requires elevated local administrative rights or elevated privileges to infect and encrypt file systems. Unfortunately, too many organizations either allocate local admin rights to standard users or assign overzealous access permissions. While these practices are certainly convenient, they leave file repositories open to easy attack. By enforcing the principle of least privilege across your file structures you can limit the number of users and processes that have sufficient privileges to do damage, thus hardening your attack surface against laterally moving ransomware attacks.
File versioning has been in practice for many years, and it is now being used as a resilient tool against ransomware. The principle is quite simple. A new version of a file is created each time the file is modified and the delta is added to the file’s history. That means a new file version is created during the encryption process. While this newest file version may be rendered inaccessible after an attack, previous versions of the file remain unencrypted and can be used for restoration. File versioning can also be helpful in gathering information about an attack because all file versions are time stamped.
One of the reasons why organizations are down for so long is that they depend on traditional backup systems. Unfortunately, the file backup strategies that drive these systems were created long before ransomware was introduced. File recovery from a ransomware attack takes far too long in the new era of digital transformation that depends on all systems being operational round the clock.
A far better approach is immutable snapshot recovery. Here, snapshots are created on a regular basis to capture the state of all operating system files, application files and file data at specific points in time. Like file versioning, a snapshot history is created. This allows support personnel to simply roll the system back to a particular point in time prior to an attack. Because snapshots take place far more frequently than a traditional backup, data loss is substantially reduced.
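The restore logic described above, as an added example that is not part of the original post and not Nasuni's product code: it walks each file's time-stamped version history, picks the last version written before encryption, and reports the earliest suspect timestamp as the estimated attack onset. The byte-entropy heuristic and its 7.5 threshold, the file paths and the version history are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter
from datetime import datetime

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune on your own data

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; encrypted content sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def restore_point(versions):
    """versions: (timestamp, content) pairs, oldest first.
    Returns (last clean timestamp, first suspect timestamp); either may be None."""
    last_clean = None
    for ts, content in versions:
        # Heuristic only: compressed formats (zip, jpg) also score high.
        if shannon_entropy(content) >= ENTROPY_THRESHOLD:
            return last_clean, ts
        last_clean = ts
    return last_clean, None

def plan_restore(history):
    """Per-file restore points plus the earliest suspect write (attack onset)."""
    plan = {path: restore_point(v) for path, v in history.items()}
    suspects = [s for _, s in plan.values() if s is not None]
    return plan, (min(suspects) if suspects else None)

def fake_ciphertext(seed: bytes, size: int = 4096) -> bytes:
    """Constructed stand-in for an encrypted file (SHA-256 in counter mode)."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                    for i in range(size // 32))

TEXT = b"Quarterly budget draft: line items and notes.\n" * 90  # constructed
HISTORY = {  # constructed sample version history
    "finance/budget.csv": [(datetime(2023, 3, 1, 9, 0), TEXT),
                           (datetime(2023, 3, 6, 14, 30), TEXT + b"rev 2\n"),
                           (datetime(2023, 3, 9, 2, 14), fake_ciphertext(b"a"))],
    "hr/policy.txt": [(datetime(2023, 2, 20, 11, 0), TEXT),
                      (datetime(2023, 3, 9, 2, 16), fake_ciphertext(b"b"))],
    "eng/notes.md": [(datetime(2023, 3, 8, 17, 5), TEXT)],
}

if __name__ == "__main__":
    plan, onset = plan_restore(HISTORY)
    print("estimated attack onset:", onset)
    for path, (clean, suspect) in plan.items():
        print(f"{path}: restore version from {clean}, first suspect {suspect}")
```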
One Set of Tools
Organizations can sometimes get caught up in the practice of acquiring a new best-of-breed tool every time a new threat is identified. This adds to the complexity of security management and remediation as personnel must pivot from tool to tool. There are solution providers such as Nasuni that offer complete ransomware solutions that include early ransomware detection, access control management, file versioning and snapshot recovery all in one package. Ransomware doesn’t have to be a death blow to your business or career if you have the right systems and strategy in place.
Learn more about how the Nasuni Ransomware Protection add-on service helps you recover from ransomware attacks smarter and faster than ever before.