Know Your Ransomware Enemy: Getting Inside the Mind of a Hacker

Cybersecurity threats are on the rise, with industry pundits predicting that 2022 will see the dawning of a “golden era of ransomware.” Last year, 61% of businesses were hit by ransomware attacks, and with the rise of the ransomware-as-a-service (RaaS) model and politically motivated attacks, ransomware will only increase in volume and severity.

Faced with the reality that it’s no longer a case of if, but when, attackers strike, IT teams face a mission-critical task. Since reliance on cyber defense capabilities alone will not be enough to protect the organization, cybersecurity protocols now need to treat recovery as a priority, so that when the inevitable happens the business can get back up and running with minimal disruption and data loss.

Knowledge is Power

As threat actors continue to refine and evolve their practices, finding new and innovative ways to wreak havoc, understanding the hacker’s mind is crucial for combating this danger.

In the Art of War, Sun Tzu states that to ‘know thine enemy’ is the key to being appropriately prepared and ready for the attacks that will come. Because ransomware is a disaster scenario, IT teams need to ensure they can bring data and operations back online as quickly as possible.

Understanding the principal stages of a ransomware attack is the key to ensuring that the right recovery options are in place to quickly bring systems back online and with the most recent ‘clean’ replica of data.

Stage 1: The Calm Before the Storm

The first stage of a ransomware attack is initiated in various ways. These include targeting users via phishing emails and malicious websites, exploiting weaknesses in RDP connections, or attacking software vulnerabilities directly. The stealthy nature of these approaches means they fly under the radar: no one sees them coming.

Having infiltrated a system, ransomware can lie dormant and undetected for weeks or months. During this time, it may move laterally across other systems, accessing as much data as possible along the way. This has significant implications for organizations that have no idea when their last ‘good’ backup was made.

The moment an attacker activates or executes the ransomware attack remotely, it will become a race against time to ensure that mitigation and recovery efforts spring into action.

Stage 2: The Storm

Once an attack is activated, the enterprise’s systems and data are jeopardized. Different ransomware variants use different encryption methods, ranging from encrypting a disk’s master boot record to encrypting individual files or entire virtual machines. This leaves the organization with stark choices: pay the ransom and put the organization at risk, or refuse to pay and try to recover without extended disruption or staggering revenue loss.

Without an effective and rapid data recovery method, the cost, time and effort involved in getting systems back online can prove prohibitively expensive. Last year, the total cost of recovery from a ransomware attack hit $1.85m – 10 times the average ransomware payment – with organizations typically experiencing an average of 21 days of downtime following an attack. Of those organizations that paid their attackers a ransom, only 8% managed to get back all their data.

Recovery is Resilience

Ransomware attackers are counting on the fact that legacy security thinking, where the focus is only on prevention, means the organizations they target will not have modern backup and recovery solutions in place. 

For data to be truly protected, it needs to be recoverable entirely and within minutes. Utilizing continuous data protection (CDP) will give IT teams the always-on replication and journaling technology that makes it possible to recover entire sites and applications at scale and with the least amount of data loss.

To enhance the overall resilience of the enterprise, today’s IT teams need to be able to effortlessly create multiple copies both locally and remotely. Testing data in an isolated environment is critical for a risk-free recovery. Organizations need a sandbox environment where they can test to ensure there is no malware before recovering. They also need to take advantage of options like immutable copies of data that cannot be encrypted or corrupted so that they can recover with confidence in just a few clicks, to a point just seconds before an attack.

Today’s threat landscape is such that a ransomware recovery plan is now a must-have for any organization looking to minimize the impact of an attack. Unfortunately, when cyber-criminals get through, many enterprises find they have little choice but to pay the ransom. Yet, by ensuring that the enterprise’s data is protected and quickly recoverable with CDP, IT teams will be able to select a checkpoint of their choice and recover business-as-usual operations in minutes.
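To make the journal-and-checkpoint recovery model described above concrete, the following Python is an added illustration written for this page; it is not code from any CDP vendor or product. It models an append-only write journal (the immutable record), flags the first write whose content looks like ciphertext using a byte-entropy heuristic (a stand-in for the sandbox malware check), and restores the latest checkpoint strictly before that write. The file paths, timestamps, journal contents and the entropy threshold are all constructed assumptions.

```python
import math
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple

# One journal entry per write: when it happened, which path it touched and
# the full content written. The dataclass is frozen and the journal is a
# tuple, so nothing downstream can alter the recorded history (the
# "immutable copy" property the article relies on). Assumption: entries
# are appended in timestamp order, as a real CDP journal would be.
@dataclass(frozen=True)
class JournalEntry:
    ts: int          # constructed timestamp, seconds
    path: str
    content: bytes

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Ciphertext approaches 8.0; text sits well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic used in place of a full sandbox scan: very high entropy
    content where business documents normally live is a ransomware signal.
    The 7.0 threshold is an assumption; tune it against your own data."""
    return shannon_entropy(data) > threshold

def state_at(journal: Sequence[JournalEntry], ts: int) -> Dict[str, bytes]:
    """Replay the journal up to and including `ts` to rebuild the file set."""
    files: Dict[str, bytes] = {}
    for e in journal:
        if e.ts > ts:
            break
        files[e.path] = e.content
    return files

def first_suspicious_ts(journal: Sequence[JournalEntry]) -> Optional[int]:
    """Timestamp of the first write that looks encrypted, or None if clean."""
    for e in journal:
        if looks_encrypted(e.content):
            return e.ts
    return None

def clean_checkpoint(journal: Sequence[JournalEntry]) -> Optional[int]:
    """Latest journal timestamp strictly before the first suspicious write."""
    bad = first_suspicious_ts(journal)
    if bad is None:
        return journal[-1].ts if journal else None
    prior = [e.ts for e in journal if e.ts < bad]
    return max(prior) if prior else None

def recover(journal: Sequence[JournalEntry]) -> Optional[Tuple[int, Dict[str, bytes]]]:
    """Select the clean checkpoint, rebuild it, and re-check the candidate set
    before handing it back, so nothing that looks encrypted is restored."""
    cp = clean_checkpoint(journal)
    if cp is None:
        return None
    files = state_at(journal, cp)
    if any(looks_encrypted(c) for c in files.values()):
        return None
    return cp, files

# Constructed sample journal. The last two entries use max-entropy bytes as a
# deterministic stand-in for encrypted output (every byte value appears equally).
CIPHERTEXT_STANDIN = bytes(range(256)) * 4
SAMPLE_JOURNAL: Tuple[JournalEntry, ...] = (
    JournalEntry(1000, "finance/q1.txt", b"Q1 revenue: 12.4m; costs: 9.1m; headcount: 212"),
    JournalEntry(1060, "hr/roster.txt", b"alice,engineering\nbob,finance\ncarol,ops\n"),
    JournalEntry(1120, "finance/q1.txt", b"Q1 revenue: 12.6m; costs: 9.1m; headcount: 214"),
    JournalEntry(1180, "finance/q1.txt.locked", CIPHERTEXT_STANDIN),
    JournalEntry(1181, "hr/roster.txt.locked", CIPHERTEXT_STANDIN),
)

if __name__ == "__main__":
    result = recover(SAMPLE_JOURNAL)
    if result:
        cp, files = result
        print(f"restoring checkpoint {cp}: {sorted(files)}")
```

The point the example makes is that the recovery point is chosen by evidence in the journal rather than by a fixed backup schedule: the checkpoint lands at 1120, one write before the first encrypted content at 1180, which is the "seconds before an attack" granularity the article describes. A real journal would also record the attacker's deletion of the original files; replaying it to the chosen timestamp handles that the same way.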
