Ransomware and the Backup Renaissance

As ransomware attacks increase, more and more companies are focusing on protecting their IT systems. A clean data backup is also decisive for success.

Ransomware is on the rise: for more than three years in a row, this type of malware has been the most frequently observed attack type, according to the IBM X-Force Threat Intelligence Index. One in five cyber attacks observed was a ransomware attack.

A study by IDC, in which security managers from 200 companies were interviewed, shows what effects this is having in Germany. According to this, more than two out of five companies have already lost data due to a ransomware attack – and thus suffered enormous economic damage. In order to keep this risk as low as possible, ransomware must be detected quickly and rendered harmless.

In the fight against ransomware, backup, which for a long time played only a subordinate role in information security, now plays a decisive role. Because of the sheer mass of ransomware attacks and their sometimes perfidious approach, the general view of data backup has changed fundamentally. This is especially true since a majority of the companies surveyed in the IDC study that were able to recover their data after an attack state that this was only possible because of clean backups.

Ransomware is constantly evolving

To understand the increased importance of backups, it is worth taking a look at the ransomware “Emotet”. The Trojan was first discovered in 2014 and aims to paralyze the entire IT of government agencies and companies. To do so, the malware penetrates the system unnoticed via careless users and gains access.

The special thing about “Emotet”: the malware can not only encrypt data but also establish its own botnets and even carry out brute-force attacks using downloaded auxiliary programs. In this attack method, protected access is broken by using high computing power to enter user-password variants and combinations repeatedly and systematically.
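The defender's counterpart to the brute-force method described above is to spot it in authentication logs. The following Python script is an added example, not code from the article or from any product it mentions: it parses constructed SSH-style auth log lines (the log format, addresses and thresholds are assumptions) and flags a source that either exceeds a failure threshold within a sliding window or cycles through several distinct usernames.

```python
"""Detect brute-force / password-spraying patterns in authentication logs.

Added example (not from the original article). Counts failed logins per
source address inside a sliding time window and flags sources that exceed
a threshold, as well as sources that try many distinct usernames.
The log lines below are constructed for the example; the format mimics a
generic SSH-style auth log but is an assumption, not a real product format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data; addresses are documentation ranges)
SAMPLE_LOG = """\
2024-03-01 10:00:01 sshd[101]: Failed password for admin from 203.0.113.7 port 5001
2024-03-01 10:00:02 sshd[102]: Failed password for root from 203.0.113.7 port 5002
2024-03-01 10:00:03 sshd[103]: Failed password for backup from 203.0.113.7 port 5003
2024-03-01 10:00:04 sshd[104]: Failed password for admin from 203.0.113.7 port 5004
2024-03-01 10:00:05 sshd[105]: Failed password for oracle from 203.0.113.7 port 5005
2024-03-01 10:00:06 sshd[106]: Failed password for test from 203.0.113.7 port 5006
2024-03-01 10:00:30 sshd[107]: Accepted password for alice from 198.51.100.5 port 6001
2024-03-01 10:05:00 sshd[108]: Failed password for alice from 198.51.100.5 port 6002
2024-03-01 10:20:00 sshd[109]: Failed password for alice from 198.51.100.5 port 6003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_auth_log(text):
    """Yield (timestamp, result, user, source) tuples for lines that match."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["result"], m["user"], m["src"])


def detect_bruteforce(text, max_failures=5, window=timedelta(minutes=1), min_users=3):
    """Return {source: reason} for sources whose failures reach `max_failures`
    inside `window`, or which tried at least `min_users` distinct accounts.
    Thresholds are assumed values for the example, not recommended settings."""
    recent = defaultdict(deque)   # source -> timestamps of failures inside the window
    users = defaultdict(set)      # source -> distinct usernames attempted
    alerts = {}
    for ts, result, user, src in parse_auth_log(text):
        if result != "Failed":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        users[src].add(user)
        if len(q) >= max_failures:
            alerts[src] = f"{len(q)} failures within {window}"
        elif len(users[src]) >= min_users:
            alerts[src] = f"{len(users[src])} distinct usernames tried"
    return alerts


if __name__ == "__main__":
    for src, reason in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {src}: {reason}")
```

On the constructed input the source 203.0.113.7 is flagged (six failures in one minute across five different accounts), while 198.51.100.5, whose two failures are fifteen minutes apart and concern a single user, is not. The sliding window is what separates a normal user mistyping a password from a sustained automated attempt.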


“Emotet” was already working very effectively in 2014. Since then, hackers have continued to develop the malware: the latest version is said to have an extensive botnet that distributes 64-bit installers. According to Kaspersky, the ransomware is currently “celebrating” a comeback – a year after it was taken down. In February and March of this year alone, the number of attacks is said to have tripled.

Malicious snippets spread everywhere

In addition to “Emotet”, there are numerous other ransomware families. Not only their sheer number has to be considered, but above all the sophistication of the attackers: newer malware such as Conti or Sodinokibi acts much more intelligently than “Emotet”. Once in a system, it can hide on one or more machines, servers or storage devices for a period of time, waiting for the perfect moment to attack.

The perfidious thing about it: the ransomware can fragment itself and is therefore hardly detectable by the Big Data evaluations of SIEM systems. Even in the reassembled state – i.e. when it activates after playing hide and seek, in some cases for several months – this malware simply disappears in the big data cloud of alerts, logs and scan data. It can sometimes generate hundreds or even thousands of status logs per second.

The small data fragments of the ransomware only become visible with the help of a targeted examination in a “clean room”, where the attacker is searched for. The later the malware is discovered, the more devastating the effects can be. And it is precisely here, as part of a cyber incident recovery concept, that backup is experiencing its renaissance.

Keep backup clean and minimize damage

With a cyber incident recovery concept, or CIR concept for short, snapshots of production and configuration data are ideally stored daily in a protection zone (see Figure 1). This zone is immutable storage with an air-gap feature that physically separates the data from the production environment. In the “Clean Room” that follows, the files are checked for ransomware.


In order to detect malware, known “patterns” – i.e. patterns derived from the CVE referencing system – are compared with the current data (see Figure 2). In addition, machine learning is used to generate new patterns for analysis in order to detect unknown ransomware.

In this way, atypical data structures and other anomalies can be detected and infected data can be discovered with a high degree of probability. If it turns out in the “Clean Room” that data is infected, the affected components in production must be checked, possibly switched off and overwritten with the clean data from the backup.
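The three stages of the CIR concept described above (daily snapshot into an immutable, air-gapped protection zone; clean-room check against known patterns plus an anomaly heuristic; restore from the newest snapshot that passed) can be modelled end to end. The Python below is an added example written for this article, not the article's or any vendor's implementation; the write-once store, the byte patterns, the entropy heuristic standing in for the machine-learning component, and the sample files are all constructed assumptions.

```python
"""Minimal model of a cyber incident recovery (CIR) pipeline.

Added example, not from the original article or any vendor product. Three stages:
(1) daily snapshots written to a write-once store that refuses overwrites and
    records a hash manifest (stand-in for immutable, air-gapped storage),
(2) a "clean room" check that matches files against known byte patterns and
    flags content whose entropy is typical of encrypted files (stand-in for the
    pattern comparison and the anomaly detection described in the article),
(3) restore selection: the newest snapshot that passed the check.
Signatures, thresholds and sample files are constructed for the example.
"""
import hashlib
import math
import os
from collections import Counter

# Constructed byte patterns a scanner would match. Not real indicators of compromise.
KNOWN_PATTERNS = {
    "EXAMPLE-SIG-1": b"!!YOUR FILES ARE ENCRYPTED!!",
    "EXAMPLE-SIG-2": b"\x4d\x5a\x90\x00EXAMPLE_DROPPER",
}
ENTROPY_THRESHOLD = 7.5        # bits per byte; values near 8 suggest encrypted/compressed data
MAX_HIGH_ENTROPY_RATIO = 0.5   # flag a snapshot if more than half of its files look encrypted


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class ImmutableStore:
    """Write-once snapshot store: a snapshot id can never be overwritten."""

    def __init__(self):
        self._snapshots = {}   # id -> {path: bytes}
        self.manifests = {}    # id -> {path: sha256 hex}

    def write(self, snap_id, files):
        if snap_id in self._snapshots:
            raise PermissionError(f"snapshot {snap_id} is immutable")
        self._snapshots[snap_id] = dict(files)
        self.manifests[snap_id] = {p: hashlib.sha256(b).hexdigest() for p, b in files.items()}

    def read(self, snap_id):
        files = self._snapshots[snap_id]
        # Verify every file against the manifest recorded at write time
        for path, data in files.items():
            if hashlib.sha256(data).hexdigest() != self.manifests[snap_id][path]:
                raise ValueError(f"{snap_id}:{path} failed integrity check")
        return dict(files)


def clean_room_check(files):
    """Return a list of findings; an empty list means the snapshot is clean."""
    findings = []
    high_entropy = 0
    for path, data in files.items():
        for name, pattern in KNOWN_PATTERNS.items():   # known-pattern comparison
            if pattern in data:
                findings.append(f"{path}: matches {name}")
        if shannon_entropy(data) > ENTROPY_THRESHOLD:   # anomaly heuristic
            high_entropy += 1
    if files and high_entropy / len(files) > MAX_HIGH_ENTROPY_RATIO:
        findings.append(f"{high_entropy}/{len(files)} files have encryption-like entropy")
    return findings


def latest_clean_snapshot(store, snapshot_ids):
    """Newest snapshot (ids given oldest first) that passes the check, or None."""
    for snap_id in reversed(snapshot_ids):
        if not clean_room_check(store.read(snap_id)):
            return snap_id
    return None


def demo():
    """Two daily snapshots: day 1 is clean, day 2 holds encrypted files and a ransom note."""
    store = ImmutableStore()
    day1 = {"docs/report.txt": b"Quarterly figures, plain text " * 20,
            "docs/notes.txt": b"Meeting notes: backups are checked daily. " * 10}
    # Constructed "encrypted" payload: random bytes stand in for ciphertext
    day2 = {"docs/report.txt.locked": os.urandom(4096),
            "docs/notes.txt.locked": os.urandom(4096),
            "README_RESTORE.txt": b"!!YOUR FILES ARE ENCRYPTED!! send payment..."}
    store.write("2024-03-01", day1)
    store.write("2024-03-02", day2)
    return store, latest_clean_snapshot(store, ["2024-03-01", "2024-03-02"])


if __name__ == "__main__":
    store, chosen = demo()
    print("findings for 2024-03-02:", clean_room_check(store.read("2024-03-02")))
    print("restore from snapshot:", chosen)
```

Running the demo selects the day-1 snapshot for restore: the day-2 snapshot fails both checks, because the note matches a known pattern and two of its three files have the near-8-bit entropy of ciphertext. The manifest verified on every read is what gives the restore step confidence that the protection zone itself was not tampered with.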

This concept ensures that anomalies are detected as quickly as possible. And it ensures that the files contained in the backup are always clean and, in an emergency, can be restored to the production environment without any problems. This allows companies and authorities to minimize damage to their systems and protect themselves from successful ransomware attacks.