Ransomware is on the rise: For more than three years in a row, this type of malware has been the most frequently observed attack type, according to the IBM X-Force Threat Intelligence Index. Every fifth cyber attack noticed was a ransomware attack.
A study by IDC, in which security managers from 200 companies were interviewed, shows what effects this is having in Germany. According to this, more than two out of five companies have already lost data due to a ransomware attack – and thus suffered enormous economic damage. In order to keep this risk as low as possible, ransomware must be detected quickly and rendered harmless.
In the fight against ransomware, backup, which for a long time only played a subordinate role in the area of information security, now plays a decisive role. Because of the sheer mass of ransomware attacks and their sometimes perfidious approach, the general view of data backup has changed fundamentally. Especially since a majority of the companies surveyed in the IDC study that were able to recover their data after an attack state that this was only possible because of clean backups.
Ransomware is constantly evolving
To understand the increased importance of backups, it is worth taking a look at the ransomware “Emotet”. The Trojan was first discovered in 2014 and aims to paralyze the entire IT of government agencies and companies. To do so, the malware penetrates the system unnoticed via careless users and gains access.
The special thing about “Emotet”: The malware can not only encrypt data, but also establish its own botnets and even carry out brute-force attacks using downloaded auxiliary programs. In a brute-force attack, protected logins are broken with sheer computing power by repeatedly and systematically trying username and password variants and combinations.
“Emotet” was already working very effectively in 2014. Since then, hackers have continued to develop the malware: The latest version is said to have an extensive botnet that distributes 64-bit installers. According to Kaspersky, the ransomware is currently “celebrating” a comeback, a year after it was taken down. In February and March of this year alone, the number of attacks is said to have tripled.
Malicious snippets spread everywhere
In addition to “Emotet”, there are numerous other ransomware families. Not only the sheer mass has to be considered, but above all the sophistication of the hackers: Newer malware such as Conti or Sodinokibi acts much more intelligently than “Emotet”. Once in a system, it can hide on one or more machines, servers, or storage devices for a period of time, waiting for the perfect moment to attack.
The perfidious thing about it: The ransomware can fragment itself and is therefore hardly detectable by the big-data analysis of SIEM systems. Even once reassembled, i.e. when it activates after playing hide and seek for what can be several months, this malware simply disappears in the big data cloud of alerts, logs and scan data. It can sometimes generate hundreds or even thousands of status log entries per second.
The small data fragments of the ransomware only become visible through a targeted examination in a “clean room” where the attacker is hunted for. The later the malware is discovered, the more devastating the effects can be. And it is precisely here, as part of a cyber incident recovery concept, that backup is experiencing its renaissance.
Keep backup clean and minimize damage
With a cyber incident recovery concept, or CIR concept for short, snapshots of production and configuration data are ideally stored in a protection zone on a daily basis (see Figure 1). This zone is immutable storage with an air gap feature that physically separates the data from the production environment. In the “Clean Room” that follows, the files are checked for ransomware.
Two approaches are used to detect malware. On the one hand, known “patterns” – i.e. patterns based on the CVE referencing system – are compared with the current data (see Figure 2). On the other hand, machine learning is used to generate new patterns for analysis in order to detect unknown ransomware.
In this way, atypical data structures and other anomalies can be detected and infected data can be discovered with a high degree of probability. If it turns out in the “Clean Room” that data is infected, the affected components in production must be checked, possibly switched off and overwritten with the clean data from the backup.
This concept ensures that anomalies are detected as quickly as possible. And it ensures that the files contained in the backup are always clean and, in an emergency, can be restored to the production environment without any problems. This allows companies and authorities to minimize damage to their systems and protect themselves from successful ransomware attacks.
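The clean-room check described above, as an added illustration that is not part of the original article or of any vendor's product: today's snapshot is compared with yesterday's, each file is tested for a header that no longer matches its extension and for ciphertext-like entropy, and the share of changed files is measured, since mass encryption by ransomware shows up as a sudden burst of changes. The magic-byte table, the thresholds and the sample snapshots are constructed for the demo.

```python
import math
import random
from collections import Counter

# Expected leading bytes per extension; a minimal, constructed table for the demo.
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".png": b"\x89PNG"}
ENTROPY_LIMIT = 7.5   # bits/byte; encrypted data sits near 8.0, office and text data far lower
CHURN_LIMIT = 0.5     # fraction of files changed since the last snapshot that is suspicious

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for encrypted or compressed content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def inspect_file(path: str, data: bytes) -> list:
    """Per-file checks run on the snapshot copy inside the clean room."""
    reasons = []
    ext = path[path.rfind("."):].lower() if "." in path else ""
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        reasons.append("header does not match " + ext)
    if shannon_entropy(data) > ENTROPY_LIMIT:
        reasons.append("entropy above limit")
    return reasons

def scan_snapshot(current: dict, previous: dict) -> dict:
    """Compare today's snapshot with yesterday's: per-file anomalies plus churn rate."""
    infected = {p: r for p, d in current.items() if (r := inspect_file(p, d))}
    changed = [p for p, d in current.items() if previous.get(p) != d]
    churn = len(changed) / len(current) if current else 0.0
    return {"infected": infected, "churn": churn, "mass_change": churn > CHURN_LIMIT}

# Constructed sample snapshots; the "ciphertext" is deterministic pseudo-random filler.
_rng = random.Random(7)
CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
YESTERDAY = {
    "finance/q3.pdf": b"%PDF-1.4\n" + b"Quarterly revenue by region. " * 80,
    "hr/roster.docx": b"PK\x03\x04" + b"word/document.xml " * 60,
    "notes/todo.txt": b"call vendor, rotate keys\n",
}
TODAY = {  # two files were overwritten with ciphertext overnight
    "finance/q3.pdf": CIPHERTEXT,
    "hr/roster.docx": CIPHERTEXT[::-1],
    "notes/todo.txt": YESTERDAY["notes/todo.txt"],
}

if __name__ == "__main__":
    print(scan_snapshot(TODAY, YESTERDAY))
```

A snapshot whose scan comes back clean is the one that may be promoted to the restore set; a flagged one points the incident team at the affected production hosts.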