When Malware Returns: Beating the Silent System Killer

Ransomware is the hacker “gift” that just keeps on giving, it seems. A 2017 study shows that more than half of ransomware victims got hit a second (or more) time, often with the same malware – and with ransomware attacks growing significantly since then, it's likely that many more organizations are getting hit multiple times.

It's a problem that especially affects enterprises. Half the companies in the study had 1,000 or more employees, a third had up to 10,000 employees, and 19% had more than 10,000. Enterprises are arguably in the best position to protect themselves from ransomware – they have the scale and resources to deploy the most advanced solutions – and yet they keep getting attacked – in “reruns,” to add insult to injury.

Why is that? Often it's because the companies that are attacked haven't hardened their systems sufficiently to keep hackers out altogether. While they may have remediated the weakness that enabled hackers to break through defense systems for the first attack, there are often other weaknesses that they can take advantage of for additional attacks. There are many paths into a system, and guarding all of them is a major challenge, to say the least.

There may be another reason: if a hacker dispatches their malware as a trojan that bides its time before attacking, it's very possible that the malware was captured in a company backup before it detonated – and when that backup is restored after a ransomware attack, the malware re-enters the system and gives a return performance.

Is this plausible – or even likely? The answer to both questions is yes. With the plethora of malware that systems are subjected to daily, it’s unlikely that anti-virus software, firewalls, filters, and the like will catch everything. According to German software firm GData, a new piece of malware was released into the wild every 3.2 seconds during the first part of 2017; that figure has likely grown. According to Malwarebytes, the use of trojans – malware that hides and bides its time before getting activated – shot up in 2019.

Taking these two trends together, it's fair to say that the likelihood of malware hiding in a system and being copied into a backup is rather high. When that backup is restored – because the working system was compromised by hackers – the same malware that brought the system down in the first place could be restored along with it, enabling the hackers to start a “second act” and to continue stealing data, extorting ransom, or causing losses for their victims.

The trick, then, is to ensure that malware doesn’t get into the backup – that backups are “hygienic” and are not carrying hidden security issues. To do that, organizations need to unleash the full force of the anti-malware tools at their disposal.

Running these tools on the production data that gets backed up, as well as on the backups themselves, lets organizations be as thorough as possible; because these are backups and not production systems, organizations can run a wide range of anti-malware tools against them without harming production performance.
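The restore-time check described above, as an added illustration that is not part of the original article: before a backup set is restored, each file is hashed and compared against a block list of known-bad hashes, and any executable content newer than an assumed "last known-clean" date is flagged as a possible dormant trojan. The backup tree, the block-list hash and the clean-point date are all constructed for the demo.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Suffixes treated as executable content for the "new since last clean point" rule.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".ps1", ".js", ".vbs", ".scr"}
# Assumed date after which the environment may have been compromised (constructed).
LAST_KNOWN_CLEAN = datetime(2020, 1, 1, tzinfo=timezone.utc)

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backup members need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_backup(root: Path, bad_hashes: set, last_known_clean: datetime) -> list:
    """Return (relative path, reason) findings; a non-empty list means do not restore as-is."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if sha256_of(path) in bad_hashes:
            findings.append((rel, "known-bad hash"))
        elif path.suffix.lower() in EXECUTABLE_SUFFIXES and mtime > last_known_clean:
            findings.append((rel, "executable newer than last known-clean point"))
    return findings

def build_sample_backup() -> tuple:
    """Construct a tiny backup tree: a document, a 'dropper', a new script and an old DLL."""
    root = Path(tempfile.mkdtemp(prefix="backup-"))
    (root / "docs").mkdir()
    (root / "docs" / "report.txt").write_text("quarterly numbers")
    (root / "helper.ps1").write_text("Write-Host 'constructed sample'")  # new, unknown script
    dropper = root / "updater.exe"
    dropper.write_bytes(b"CONSTRUCTED-DROPPER-SAMPLE, not real malware")
    legacy = root / "legacy.dll"
    legacy.write_bytes(b"old library bytes")
    old = datetime(2019, 6, 1, tzinfo=timezone.utc).timestamp()
    os.utime(legacy, (old, old))  # predates the clean point, so it is not flagged
    # The block list holds only the dropper's hash: a constructed value, not a published IoC.
    return root, {sha256_of(dropper)}

def run_demo() -> list:
    root, bad_hashes = build_sample_backup()
    return scan_backup(root, bad_hashes, LAST_KNOWN_CLEAN)
```

In practice the block list would come from the organization's own anti-malware tooling and the hash comparison would sit alongside a full scan, not replace it.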

Throughout the computer era, the mantra has been “back everything up” – or face significant losses from missing data. Now, backups themselves could be the cause of losses. This is the kind of thing that could wreak havoc in the IT industry; if you can't trust your backup, how can you trust the data in it, when that data may contain the seeds of the next loss?

Too many organizations blindly rely on their backups, believing that backups are their insurance policy against a malware or ransomware attack. Indeed, a backup could, and should, provide that kind of insurance – but to ensure that the policy is active, organizations need to ensure that their backups are protected and malware-free.
