The "Ranscam" ransomware, which appeared in the summer of 2016, is considered the dumbest malware to date. Whether or not infected users pay, their data is deleted anyway. With that kind of logic on the part of cybercriminals, it’s even more important for businesses to protect themselves from data breaches caused by malware. A clever concept for backup and restore helps here.
Whether it’s a flu virus or an infected PC: companies need secure protection against pests of all kinds to prevent business processes from coming to a standstill. If malware has nevertheless deleted important data, IT departments should be able to restore current data in no more than 30 minutes. In reality, this figure is around three hours in German companies, according to the results of the latest Veeam Availability Report.
In addition, the survey showed that an IT failure costs companies an average of 53,000 euros per hour. Against this backdrop, cloud-based infrastructures are becoming an absolute necessity: by 2019, most organizations worldwide will have to move to a predominantly cloud-based IT environment, according to IDC’s "Developing a Cloud Strategy for Digital Transformation" study.
Digital evolution theory
Where do these viruses actually come from? As early as 1972, researchers succeeded in developing self-propagating software – the birth of the first, still harmless computer virus. Today’s viruses spread autonomously and are much more dangerous: for example, cyber extortionists have been terrorizing users with encryption Trojans for some time now. Once the so-called ransomware has infected the PC, it spreads across the network and encrypts all data there. The password for decryption is available only on payment of a ransom.
In this context, a recent Kaspersky Lab study finds that German users in particular are increasingly exposed to ransomware attacks. In a global comparison, Germany came under the most fire between April 2015 and March 2016, followed by Canada, the United Kingdom and the U.S. The term entered users’ consciousness at the latest with the ransomware "Locky", which infected even research institutions through a Word macro and temporarily paralyzed more than 60 network computers at the Fraunhofer Institute.
Lockdown – nothing works anymore
Understandably, companies resort to drastic measures in response to these messages, blocking email attachments containing Office documents, for example. But that doesn’t just make for declining productivity in the office, it also makes employees inventive. When looking for alternatives to receive Word, PowerPoint or Excel documents, they switch to freemailers. A nightmare for IT security, as this behavior creates serious gaps in the existing security concept. Even worse: If an encryption Trojan finds its way onto the computer via this detour, it not only encrypts the PC’s data, but in the worst case also spreads in the company network, as happened with "Locky".
As of this moment, nothing works. Entire systems have to be shut down, work comes to a standstill and with every minute the downtime costs increase, not to mention the lost documents and data.
Don’t pay, restore backup
Once the data is in the hands of cyber thugs, the question arises: should you pay to get the decryption password? No. There is no guarantee that the crooks will actually give out the password, and if you pay once, you automatically make yourself a target for follow-up attacks. Instead, IT consultants recommend restoring a backup immediately. How long the failure lasts depends on the backup concept used. Quick access to a copy of the operational data saves costs, minimizes losses and gives IT valuable time to track down the source of the intrusion.
The 3-2-1 rule describes a good backup strategy: keep three copies of the data (the data on the current system plus two backups), store the backups on two different technologies (such as a network hard drive and a tape drive) and keep one of the backups in a different location. This protects entire enterprise sites from outages. Today’s backup architectures adhere to this 3-2-1 approach, prioritizing primary storage for short-term backup and recovery operations and creating a redundant copy on secondary media.
Rules to protect against ransomware
How to protect data depends partly on operational processes, and partly on how the organization prioritizes data availability. A simple backup is suitable for small amounts of data. Here the organization copies the most important data to an external removable disk, then disconnects it and keeps it in a safe place. Depending on how regularly this is done, it may already be sufficient protection against ransomware, but data changed after the backup will be lost in an attack. That means restoring current business operations with up-to-date data sets can take hours to days. Another alternative is the proven tape drive. In this case, the malware does not have direct access to the file system, which means that the attack will come to nothing.
However, cloud backup is more elegant and much more efficient: here, the storage is located outside the company’s IT with a professional provider, offering increased protection against ransomware. Since this "storage location" does not have to be swapped constantly, as with a tape or removable disk drive, much shorter backup cycles are possible. If you back up a snapshot of the productive environment every two to three hours, for example, you will always have up-to-date data for recovery.
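The 3-2-1 rule and the backup interval described above can be checked mechanically against an inventory of data copies. The following Python code is an added example, not part of the original article or of any vendor product; the `Copy` fields, the site labels, the three-hour limit and both sample inventories are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Copy:
    name: str
    media: str           # storage technology: "disk", "nas", "tape", "cloud", ...
    site: str            # physical location of the copy
    is_backup: bool      # False for the live data on the current system
    taken_at: datetime   # when the copy was last written

def data_loss_window(copies, now):
    """Age of the newest backup: changes made since then are lost on restore."""
    stamps = [c.taken_at for c in copies if c.is_backup]
    return now - max(stamps) if stamps else None

def audit_321(copies, primary_site, now, max_age):
    """Return the list of violated rules; an empty list means the plan passes."""
    backups = [c for c in copies if c.is_backup]
    findings = []
    if len(copies) < 3 or len(backups) < 2:
        findings.append("3: need the live data plus two backups")
    if len({c.media for c in backups}) < 2:
        findings.append("2: backups must sit on two different technologies")
    if all(c.site == primary_site for c in backups):
        findings.append("1: no backup is kept at a different location")
    window = data_loss_window(copies, now)
    if window is None or window > max_age:
        findings.append(f"age: newest backup is {window} old, limit {max_age}")
    return findings

# Constructed sample inventories (assumed values, not from a real environment).
NOW = datetime(2016, 9, 1, 12, 0)
SINGLE_DISK = [   # the "simple backup": one removable disk stored on site
    Copy("fileserver", "disk", "hq", False, NOW),
    Copy("usb-disk", "disk", "hq", True, NOW - timedelta(days=3)),
]
THREE_TWO_ONE = [  # local repository plus an off-site cloud copy
    Copy("fileserver", "disk", "hq", False, NOW),
    Copy("nas-repo", "nas", "hq", True, NOW - timedelta(hours=2)),
    Copy("cloud-repo", "cloud", "provider-dc", True, NOW - timedelta(hours=2)),
]

if __name__ == "__main__":
    for label, plan in (("single disk", SINGLE_DISK), ("3-2-1", THREE_TWO_ONE)):
        print(label, audit_321(plan, "hq", NOW, timedelta(hours=3)) or "OK")
```

The single-disk plan fails every check, including the age limit, which is the "changed data after the backup is lost" case from the text.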
Depending on the industry and the type of data, IT managers may have to comply with legal requirements from data protection laws when using cloud storage. Anyone who processes personal data in Germany must ensure that it is processed and stored within the country’s borders. Different providers offer suitable solutions for this. NetApp, for example, works with authorized providers for its "Backup as a Service" cloud service, which stores data exclusively in Germany. In addition, Veeam Cloud Connect provides an AES-256-bit encrypted end-to-end connection between the customer and the cloud provider of their choice. The software also checks the backup to make sure it is working and reduces the amount of data by compressing it, which shortens transfer times.
Computer protected, now secure the backup
The backup repository itself also requires some protection mechanisms. Precisely assigned access rights for users and applications to drives and files are a simple but effective hurdle for malware and prevent the spread of ransomware in the network. It can also be advantageous not to connect the backup server to central authentication. The same applies to share permissions for backup repositories on NAS systems. Sometimes a disabled Windows firewall or the use of third-party firewalls is the gateway for ransomware. Therefore, the Windows Firewall should always remain active, because the solution has always performed quite well in comparative tests. A virus scanner with active real-time scanning and always up-to-date virus definitions is also part of the basic equipment.
Storing data off-site, protecting the backup repository, taking full advantage of authentication mechanisms and keeping virus protection up to date – these are important precautions companies can take to protect their data from encryption Trojans. Even if these measures sound trivial to the IT professional, these rules are often "forgotten" in the hectic daily IT business.
In addition, new security vulnerabilities are emerging every day and attacks are becoming more and more sophisticated, which means that one hundred percent protection will never be possible. It’s good to have an up-to-date backup available then. This also helps when IT is down for other reasons. A modern backup strategy guarantees increased availability. Because customers expect to receive information everywhere and immediately, companies today cannot afford long downtimes. Modern availability solutions enable automation of backup processes and recovery of application data in less than 15 minutes – the prerequisite for success in the digital economy.
Author: Matthias Fruhauf is Regional Presales Manager CEMEA at Veeam Software. Since 2011, Matthias Fruhauf has been Presales Manager at Veeam Software, responsible for the Central Europe region. As part of his job, he advises strategic partners and enterprise customers on the use of Veeam products. At the same time, he is largely responsible for the management and expansion of the presales organization in CEMEA (D-A-CH, Eastern Europe & Russia). With Veeam since 2009, he previously worked as a systems engineer for the company. He has more than 15 years of experience in IT as a systems engineer and technical instructor for server/storage systems and software solutions.