New independent research shows UK businesses are vulnerable to ransomware attack. Although around 80% of companies have been attacked and over 90% say backups are critical to their recovery plans, a surprising number aren't taking all precautions to protect those backups.
Let's start by stepping back a little. If you consider how a ransomware attack works, you can see why this is so dangerous. Typically, the ransomware will be installed accidentally by a user who clicks on a bad link or installs an infected application on their laptop or workstation (take a look at Osirium's Privileged Endpoint Manager (PEM) to see how to reduce that risk). The ransomware then starts trying to escape the endpoint and work its way around the network.
At that point, the attack is looking for high-value targets, in particular Domain Controllers, because that access would allow the malware to easily install itself on other endpoints and servers. It will also be looking for Virtual Machine (VM) hypervisors, as many critical applications and security devices (for example, firewalls) will be running in a VM. Once the attack becomes active, those VMs will be disabled, either by encrypting them or by deleting the VM images.
At the same time, the malware will be looking for backup management systems. It does this for two reasons: to change backup policies so that backups are no longer taken, and to find the locations and credentials for the actual backups. Once the malware has access to the backups, it will again either encrypt or delete them. The malware may stay dormant for weeks or months to ensure that complete backup cycles are repeated, so that the infected data from end-user devices or servers is copied into the backups.
Once the ransomware becomes active, it will encrypt and/or delete the backups before the victim has a chance to protect them. Once the backups are gone or damaged, the task of recovery is much harder, even impossible, which makes it more likely the victim will end up paying the ransom demand.
You can learn more about how ransomware attacks work in this blog post.
A worrying data point uncovered in the research is that a majority of businesses (53%) would rather pay a ransom than invest in protection against attack. It's not clear from the data why this attitude is so prevalent. It's possible that IT and business leaders are underestimating the cost and impact of an attack, or that they feel willing to take the risk that they will be able to recover after paying a ransom. Either way, that's a very risky strategy.
Part of the evaluation of the cost of protection vs ransom could be a misplaced assumption that protection is complex and expensive. But that doesn't have to be the case.
The simplest protection is to ensure the credentials used to access the backup management system and the backups are never revealed to users or their workstations. If the credentials can't be harvested by the malware, then it can't do its damage.
The research shows that although most businesses depend on backups for recovery, only 35% are currently taking active measures to protect access to their backup management systems and backups using privileged access management (PAM).
You can see how PAM can protect backups in this video. Although this demo uses Veeam, the same principles can be applied to any backup system.
Regarding the assumption that PAM will be expensive or complex, modern PAM solutions like that from Osirium are very different. As Saunderson House said, "We had Osirium PAM up and running in under a day". Osirium is also currently offering a special "Fast Protect" package to help new users get protection in a day.
If you'd like to know more about the findings of the research, you can download a complimentary copy here, and please get in touch if you'd like to learn more.