Money or your business: Ensure your ransomware defense strategy beats off disruptions, extortions

Sponsored Feature The mass pandemic-driven migration to remote working has been a significant threat vector which precipitated a surge in cyberattacks last year. Prominent among these were ransomware attacks, which rose by 92.7 percent year-on-year in 2021, according to consulting firm NCC Group.

Elsewhere, an IDC survey found that more than one third of organizations worldwide have experienced a ransomware attack or breach. The number of attacks is poised to rise further as new ransomware gangs emerge and criminal enterprises continue to invest in tools that exploit zero-day vulnerabilities.

Lindy Cameron, CEO of the UK's National Cyber Security Centre, has highlighted ransomware as "the most immediate danger to UK businesses and most other organizations." Indeed, high-profile ransom attacks against critical infrastructure, private companies and municipalities are grabbing headlines.

The mid-2021 attack on Colonial Pipeline succeeded by exploiting a legacy virtual private network system which lacked multi-factor authentication, shutting key conduits delivering fuel to the US East Coast.

Colonial Pipeline paid nearly $5 million in cryptocurrency to Eastern European hackers (although the US Department of Justice later recovered $2.3 million of the ransom paid). Still, it took more than a week for the company's delivery supply chain to return to normal.

More concerning, however, is the threat of ransomware and digital extortion initiatives plaguing enterprises of all sizes – from a million-dollar critical infrastructure like Colonial Pipeline right through to  a supermarket chain in China's Zhejiang province.

Bitcoin blackmailers hacked the supermarket's cashier system, took it offline, and made all data on the server inaccessible. The attackers demanded payment of 0.042 bitcoin within 24 hours. At that time, each bitcoin was valued at $43,730. Given the proliferation and increasing sophistication of ransomware attacks, the Zhejiang supermarket attack shows that any business that is ill-prepared could be the next victim.

Profit-driven evolution

Ransomware attacks use malware that encrypts or steals the victim's data. Attackers make victims' computers or specific files unusable or unreadable, then demand a ransom to recover the computer or decrypt the encrypted file. Ransoms are often paid with cryptocurrencies.

Threat actors continue to modify their tactics as they seek effective ways to make money. Six trends prevail in ransomware's on-going evolution:

- Ransomware attacks are more specific in targeting high-value customers rather than just broad campaigns, with large/mid-sized enterprises and infrastructure the focus.

- Because larger organizations tend to back up valuable data to minimize disruption or damage many criminals have adopted the double extortion model which increases the stakes in a data breach. Beyond encrypting data, attackers also threaten to expose exfiltrated data on the dark web, piling more pressure on victims to pay up.

- Rapid development of networks and IT; widespread use of big data, cloud computing and mobile internet; and the continued popularity of cryptocurrencies have created a new normal of insecure data that stokes ransomware growth.

- Ransomware operators have reimagined their business model with ransomware as a service (RaaS), selling related services to other attackers through membership, subscription or customization.

- The July 2021 attack on US remote management solutions developer Kaseya underscore threat actors' sharpened focus on supply chains as the main entry point for extortion attacks. In these large-scale assaults, threat actors breached the victim's system through a vulnerability at a software or service supplier.

- Learning from advanced persistent threat (APT) campaigns, threat actors are customizing ransomware attacks by using highly experienced attack teams that hit targeted victims with APT-like precision and capability.

These ransomware attacks have caused victims to suffer long service interruption, high recovery cost, and ruined reputation. And it is harder to get back on an even when consumers lose confidence in your brand's digital experience.

Unsurprisingly, the amount paid by ransomware victims is increasing. The average ransom demand hit $2.2 million in 2021, a 144 percent rise from the year prior, according to the Unit 42 security consulting group. Meanwhile, the average ransom payment grew 78 percent to $541,010. This growth follows a hefty 171 percent year-on-year increase in average payment in 2020.

Globally, damages caused by ransomware reached $20 billion in 2021, 57 times more than it was in 2015. Research firm Cybersecurity Ventures projects that this will rise to $265 billion by 2031. In July last year, the REvil ransomware gang that executed the supply chain assault on Kaseya demanded $70 million in cryptocurrency – the largest ransom demand to date – to unscramble affected machines in thousands of companies worldwide.

Tamper-proof protection

The bottom line is that the debilitating and ruinous impact of a ransomware attack compels IT organizations to ensure that their cyber security and contingency planning can withstand a major incident. Core data must be protected within a physically isolated protection system. Further, built-in ransomware detection in the NAS can analyze user behavior and file corruption features, send event alarms, and provide client information for source tracing, if necessary.

In addition to network-layer security protection, professional storage infrastructure must also have anti-ransomware attack capabilities. Huawei's data storage systems provide a high-security protection solution for both main storage and backup storage – during and after a ransomware attack.

Specifically, three key technologies are in play for effective protection against ransomware attack:

Air Gap replication: Huawei's Air Gap replication technology sets the replication service-level agreement so data can be automatically and periodically replicated from the production or backup storage to the isolation environment for security scanning. Data copies remain offline before and after replication.

WORM file system and secure snapshots: Users can set a protection period using a WORM file system or read-only snapshots to prevent ransomware from modifying, deleting or encrypting production or backup data.

Ransomware detection: Using advanced algorithms, Huawei builds on a model to identify abnormal changes in the metadata of backup copies compared to an established baseline. Any change in the data determined to be caused by ransomware encryption is marked for necessary remedial action.

These technologies position the Huawei Ransomware Protection Storage Solution to help enterprises create a multi-layered defense system for ransomware protection while enhancing security awareness and management.

Defenders crush attackers

At Huawei's Chengdu Research Center Lab, a ransomware protection team pitted the OceanStor data storage solution against across four scenarios to illustrate its protective capabilities:

Round 1: Common ransomware versus preconfigured blacklist

The defense team used a blacklist on the OceanStor system to easily intercept and block the common Ryuk ransomware.

Round 2: Rare ransomware versus backup copy

A rare ransomware successfully avoided the blacklist detection and infected files. But the OceanStor system detected an exception and sent an alarm. The defense team opened a snapshot directory and used the snapshots to restore clean copies of the files.

Round 3: Latent ransomware versus backup storage

A ransomware hijacked the OceanStor Storage System, lurked in the system undetected, and infected all files, including their snapshots. But the defense team had backed up production data in the Huawei OceanProtect Backup Storage as a contingency against the attack. The backup data was used to restore clean copies to the OceanStor system.

Round 4: 'Ultimate' ransomware versus data isolation

The hacker used a powerful ransomware to render the backup storage system unresponsive. The Huawei solution's Air Gap technology was used to create a data isolation zone with firewalls and network isolation features. The zone connected to the network only during data replication so the data were shielded from the attack. The isolated data was then used to restore production data and the backup storage system.

These simulated tests demonstrate how Huawei's comprehensive data protection portfolio – including the Huawei OceanProtect Backup Storage and Huawei OceanStor Dorado All-Flash Storage solutions – empowers enterprises to effectively defend against ransomware attacks. Readied with a multi-layered defense strategy, enterprises will now be better positioned to stop threat actors from achieving their goal, be it to exfiltrate, encrypt, expose or extort.

To find out more about Huawei data storage solutions please click here.

Sponsored by Huawei.