Perception vs reality: How to really prepare for ransomware

It appears that most IT environments have not connected the dots when it comes to ransomware and the importance of a good protection system. It’s easy to infer this when reading a recent IDC survey of more than 500 CIOs from 20-plus industries around the world. 

The most headline-grabbing statistic from IDC’s report is that 46% of respondents were successfully attacked by ransomware in the last three years. That means that ransomware has leaped past natural disasters to become the primary reason one must be good at performing large data restores. Many years ago, the main reason for such restores was hardware failure because the failure of a disk system often meant a complete restore from scratch.

The advent of RAID and Erasure Coding changed all that, putting natural disasters and terrorism in the foreground. However, the chances that any one company might suffer a natural disaster were actually quite low — unless you lived in certain disaster-prone areas, of course.

Lost money, lost data

That 46% basically means your chances of getting hit by ransomware are a coin toss. What’s worse is that 67% of respondents paid the ransom, and 50% lost data. Some commenters have downplayed the 67%, suggesting that perhaps these organizations were responding to a ransomware tactic known as extortionware.


In this scenario, a business will receive a demand such as, “Give us $10M, or we will publish your organization’s worst secrets.” However, even if we set that statistic aside, we’re still left with the fact that half of the organizations hit by ransomware lost critical data. That’s two coin tosses. This is, as they say, not good.

Prepared for an attack? Probably not

The story worsens, though. Surprisingly, the same organizations that were attacked and lost data seemed to think pretty highly of their ability to respond to such events. First, 85% of the respondents claimed to have a cyber-recovery playbook for intrusion detection, prevention, and response. Any organization is likely to respond “absolutely” if you ask them if they have a plan like this.

In fact, you might even ask what is going on at the 15% that don’t seem to think they need one. They’re like the fifth dentist in the old Dentyne commercial that said, “Four out of five dentists surveyed recommended sugarless gum for their patients who chew gum.” If your organization lacks a cyber-recovery plan, the fact that so many businesses have been attacked should hopefully help motivate your leadership to make that change.

An organization should be forgiven for being attacked by ransomware in the first place. Ransomware is, after all, an ever-evolving area where wrongdoers are constantly changing their tactics to gain traction. What is difficult to understand is that 92% said their data resiliency tools were “efficient” or “highly efficient.” It should go without saying that an efficient tool should be able to recover data in such a way that you shouldn’t have to pay the ransom — and you definitely should not be losing data.

Minimizing attack damage

There are several key parts to detecting, responding to, and recovering from a ransomware attack. It is possible to design your IT infrastructure to minimize the damage of an attack, such as denying the use of new domains (stopping command and control) and limiting internal lateral movement (minimizing the ability of the malware to spread internally). But once you are attacked by ransomware, the response requires many tools, and those tools can be much more efficient if automated.

For example, you can move from limiting lateral movement to stopping all IP traffic altogether. If infected systems can’t communicate, they can’t do any more damage. Once the infected systems are identified and shut down, you can begin the disaster recovery phase of bringing infected systems online and making sure recovered systems aren’t also infected.

The power of automation

The key to making all of that happen in as short a time as possible is automation. Tasks can be completed instantly and simultaneously. A manual approach will cause further downtime as the infection spreads in your IT environment. Everyone agrees that automation is the key, including 93% of respondents to IDC’s survey who stated they had automated recovery tools.

So, roughly nine out of 10 respondents said their data resilience tools were efficient and automated. However, if this were true, half of those attacked would not have lost data, and many fewer would have paid the ransom.

So what does this mean? The biggest takeaway is that you need to take a look at your environment. Do you have a plan in place for responding to a ransomware attack? Does it immediately shut down your environment to limit further damage while you investigate? Can you automatically recover infected systems as well?

If your chances of getting hit with ransomware are the same as a coin toss, now might be the time to take off the rose-colored glasses and get to work.

W. Curtis Preston is chief technical evangelist at Druva.

Originally appeared on: TheSpuzz