What we’re wrong about ransomware

Andres Rodriguez is founder and CTO of Nasuni.

We live in the age of ransomware. This persistent threat remains a top concern for CEOs, their boards, CIOs, CISOs, and anyone in the crosshairs of IT. Yet we are still very much wrong about ransomware and why it is devastating to businesses.

Information security focuses its efforts on three pillars: prevention, detection and recovery. With ransomware, the first two get far more attention than the third. This misguided focus stems from a lack of understanding of how ransomware actually works. This article explains how ransomware works at the file system level, how that affects recovery, and why paying the ransom is not a viable option.

Prevention is not enough.

The common misconception about ransomware is that it compromises organizations at the software level, somehow circumventing the security controls of file storage systems. The genius of ransomware is that it takes advantage of normal operating procedures for storing and accessing files. The ransomware begins as a social hack, bypassing normal protections via impersonation.

Typically, when an employee wants to access a file, they first obtain authorization through systems such as Active Directory (AD). With the appropriate permissions, AD allows access through the file server and the employee gets to work. Hacking AD is possible, but it’s much harder than tricking one of thousands of employees into clicking on a link or an image. If AD is the unassailable fortress, end users have the keys to the door.

Thus, ransomware targets people. An end user clicks on the wrong link and the malware compromises that individual’s computer, impersonating that individual and potentially other employees with broader permissions.

File systems are designed to allow users with permissions and authority to make changes to files. So when the malware impersonates an end user with high-level permissions, the file server naturally assumes the malware is that user and allows changes, including encryption. Everything in place to guard against infiltration – the prevention part of security – is rendered useless or ineffective. The system thinks it is working normally. Assuming the user’s identity, the ransomware has AD authorization and can roam the file system, encrypting additional files and folders.

While it was once easy to detect the anomalous overwrite pattern of a ransomware attack, hackers are becoming increasingly sophisticated. They make the software behave more like regular users. Therefore, prevention, like any purely defensive strategy, can never be enough.

Ransomware does not destroy, extract or disclose data.

Hackers do not modify file server code or trick it into deleting volumes or files. Ransomware keeps everything in place. That’s what makes it so effective. No data leaves the company. If it did, most companies have tools that could detect the leak at an early stage and stop the attack before significant damage is done.

With ransomware, files are locked and made inaccessible within your security perimeter. The Hollywood equivalent of the heist would be a gang of thieves who change the code to a bank’s safe, making the valuables inside inaccessible, and then offer the combination in exchange for a fee. The money is always in the bank. The data is still in the file server. You just need a way to get it back that’s convenient and doesn’t take forever.

Trying to crack the ransomware’s encryption is a gamble. However, if you can recover the versions of your files stored just before they were encrypted, and do so quickly (in minutes or hours, not days or weeks), it should be possible to eliminate the effects of the attack. Quick recovery is the most important offensive weapon against ransomware.

Paying the ransom is a risky option at best.

Most organizations understand that paying the ransom does not guarantee file recovery. Decryption keys might not work if hackers even provide them. Still, there are additional issues to consider. Are you and your organization behaving legally when engaging with criminals? By paying hackers, you would encourage their behavior and effectively fund future attacks. Are you then complicit in these future schemes? Barring legal ramifications, the potential damage to your personal and business brand is equally potent. No one wants to “fund a global criminal organization” within the framework of their company values.

Quick recovery turns ransomware from a threat into a nuisance.

As explained above, ransomware does not destroy or steal data; the data is still there. Yet recovery is typically so slow and tedious that organizations see no alternative and cooperate with criminals. Businesses can protect themselves by storing previous versions of files in additional locations or in the cloud. Then IT can restore the versions saved before encryption.

This works great in theory, but in practice these restores can take days or weeks. Many solutions require full restores of the entire file system, which means that unaffected files or new changes are lost. The potential business interruption can be more damaging than the ransom payment. This is the gap in the armor that ransomware exploits.

The good news is that it is possible to recover quickly from an attack without paying a ransom. A more effective approach is to concentrate protection at the file system level and store immutable, unlimited versions of each file in cloud object storage. This allows you to surgically restore only files and folders that have been encrypted. This greatly speeds up recoveries because no files need to be moved. The file system is simply redirected and pointed to these “clean” unencrypted versions in the cloud.
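The recovery model described in the last two paragraphs can be made concrete with a small simulation. The following is an added example, not code from the article or from Nasuni: it models an append-only store that keeps every version of each file, flags overwrites whose contents look like ciphertext using a byte-entropy heuristic (the 7.5 bits-per-byte threshold, the timestamps, the file names and the stand-in "ciphertext" are all constructed assumptions), and then restores only the affected files by pointing them back at their last pre-attack version. A file that a legitimate user edited during the same window is left alone, which is the property that a full-volume restore cannot offer.

```python
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Version:
    """One immutable, timestamped version of a file's contents."""
    ts: int
    data: bytes


class VersionedStore:
    """Append-only version history per path; the 'current' file is simply the last entry.
    Restoring never deletes history: it appends a new version that points at old bytes."""

    def __init__(self):
        self._history = {}  # path -> list[Version]

    def write(self, path, data, ts):
        self._history.setdefault(path, []).append(Version(ts, data))

    def current(self, path):
        return self._history[path][-1].data

    def history(self, path):
        return tuple(self._history[path])

    def paths(self):
        return list(self._history)


def shannon_entropy(data):
    """Bits per byte: roughly 4-5 for English text, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data, threshold=7.5):
    # Assumed threshold; compressed archives also score high, so treat this as a hint.
    return shannon_entropy(data) >= threshold


def first_encrypted_overwrite(store):
    """Detection heuristic: earliest write that replaced readable content with
    high-entropy content. Returns None if no such overwrite exists."""
    hits = []
    for path in store.paths():
        hist = store.history(path)
        for prev, cur in zip(hist, hist[1:]):
            if looks_encrypted(cur.data) and not looks_encrypted(prev.data):
                hits.append(cur.ts)
    return min(hits) if hits else None


def surgical_restore(store, attack_start, now):
    """Redirect only files encrypted at or after attack_start to their last clean version.
    Returns sorted (restored, untouched, unrecoverable) path lists."""
    restored, untouched, unrecoverable = [], [], []
    for path in store.paths():
        hist = store.history(path)
        latest = hist[-1]
        if latest.ts < attack_start or not looks_encrypted(latest.data):
            untouched.append(path)  # clean, or a legitimate edit during the window
            continue
        clean = next((v for v in reversed(hist) if v.ts < attack_start), None)
        if clean is None:
            unrecoverable.append(path)  # created by the attacker; nothing to roll back to
            continue
        store.write(path, clean.data, now)  # new pointer; the encrypted version stays on record
        restored.append(path)
    return sorted(restored), sorted(untouched), sorted(unrecoverable)


def build_sample_store():
    """Constructed sample data, not taken from any real incident."""
    text = b"Quarterly figures: revenue up 4%, churn flat. Notes for the board meeting.\n" * 40
    fake_ciphertext = bytes(range(256)) * 12  # every byte value equally likely -> entropy 8.0
    store = VersionedStore()
    store.write("finance/q3.txt", text, ts=100)
    store.write("hr/handbook.txt", text, ts=110)
    store.write("eng/notes.txt", text, ts=120)
    # Attack window begins at ts=200: two files are overwritten with ciphertext
    store.write("finance/q3.txt", fake_ciphertext, ts=200)
    store.write("hr/handbook.txt", fake_ciphertext, ts=203)
    store.write("ransom/README.enc", fake_ciphertext, ts=204)  # new file created during the attack
    # A legitimate user edit during the same window must survive the restore
    store.write("eng/notes.txt", text + b"Follow-up: schedule review.\n", ts=210)
    return store


if __name__ == "__main__":
    s = build_sample_store()
    start = first_encrypted_overwrite(s)
    print("attack window starts at", start)
    print(surgical_restore(s, attack_start=start, now=300))
```

Two design points carry over to real systems: the version history is never rewritten, so a wrong guess about the attack window can itself be undone by another pointer update, and the restore touches only the flagged paths, so its cost scales with the number of encrypted files rather than with the size of the file system.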

If a modern solution like this exists, why are so many organizations still vulnerable? One word: inertia. The traditional method of protecting files relies on backups, which tend to be unreliable and slow to restore, especially if many files, or worse, file servers spread across many locations, are affected. Yet companies are sticking with the traditional backup model because that’s what they’ve always done. That’s what they know.

In the age of ransomware, the old ways of protecting files no longer apply. A new threat demands a modern solution.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs, and technology executives.

