Ransomware – worse than Kryptonite?

More scary stats

It’s not just the number of attacks that is increasing, but the stakes are too.

• A 2021 report from Palo Alto Networks estimates that the average ransom paid in 2020 was over $300,000 – a year-over-year increase of more than 170%.

• When an organization falls prey to cybercrime, the ransom is only one component of the financial cost. There are also remediation expenses — including lost orders, business downtime, consulting fees, and other unplanned expenses.

• The State of Ransomware 2021 report from Sophos found that the total cost of remediating a ransomware attack for a business averaged $1.85 million in 2021, up from $761,000 in 2020.

Our business clients’ (our heroes) white Kryptonite is at risk

The prevailing wisdom is that if you backup your critical data you can sidestep and recover from a ransomware attack. While this premise generally holds true, simply backing up your data no longer provides an absolute guarantee that you can recover from a ransomware attack. Ransomware is sharpening up its aim at our heroes’ backup software.

Businesses need to take a fresh look at their backup software to make sure that it has the right set of features to ensure they have a verifiable path to recovery.

Here are the three well tuned techniques experts have seen hackers successfully use to circumvent backups and made “good” backups bad.”

1. Finding and encrypting backups on network file shares.

Some backup products backup data to file shares accessible over corporate networks. Further, many organizations still use the default directory name created by these backup products to store these backups. The default names of these directories are readily accessible in the documentation published by backup providers. Some creators of ransomware figured this out a while ago. As part of their malware that find and encrypt data on production servers, they also probe corporate networks for these default backup directories and encrypt the backups in these directories. In so doing, they increase the possibility that companies cannot recover from backups.

2. Plant a ransomware “time bomb.”

When ransomware encrypts a company’s data, the encryption generally occurs as soon as or shortly after it gets onto the corporate network. However, ransomware continues to evolve. Rather than encrypting data as soon as it breaches the corporate firewall, it begins to infect the data but does not immediate encrypt it. Then, only after days, weeks, or even months go by does it initiate the encryption of the corporate data. In many respects, this is the worst type of ransomware attack. Not only is all of a company’s production data encrypted, the company thinks it has “good” backups and when it goes to restore the data, the restored data encrypts as well because it was infected when it was backed up. This may make it almost impossible for an organization to determine when it was initially infected and which of their backed up data they can reliably and confidently restore.

3. Hacking the backup software’s APIs.

A number of backup software editions have their own application programming interface (API) available to developers, including ransomware creators, who can also access these published APIs for malicious purposes and use them to encrypt existing backups.

Conclusion

Having the latest back-up solutions is vital for businesses. As you know, your clients can add BOXX’s Managed Back-Up and Recovery service to their Cyberboxx membership. Our team of experts can help your clients implement a data security strategy designed specifically for their business. If you want to learn more about how we can safeguard your data, AND your wallet, let us know.

1. https://blog.present.ca/when-ransomware-attacks-backups

2. https://www.cnet.com/personal-finance/investing/the-history-of-hacking-ransoms-and-cryptocurrency/?ftag=CAD-03-10aaj8j