Like virtually every technology developed, ransomware traces its roots back to an origin that seems rudimentary by today’s standards. In 1989, an AIDS researcher named Joseph Popp, Ph.D., circulated to the research community 20,000 floppy disks infected with malware that was activated after the computer had been turned on 90 times. A ransom note then appeared on the screen demanding payment of between $189 and $378 for a “software lease.”
Popp’s malware had multiple defects, so this first ransomware attack was quirky and not very effective. But it’s stunning to consider how much ransomware has been refined and perfected in the 31 years since.
Consider some of the common attack methods Microsoft documented in 2020, where large scale digital crime organizations “exhibit extensive knowledge of systems administration and common network security misconfigurations” and “take advantage of network configuration weaknesses and vulnerable services to deploy ransomware payloads.”
Ransomware continues to be so effective and crippling to targeted organizations because the adversaries developing ransomware technology are adept at staying one step ahead of the best security measures.
This is why, at Veritas, we counsel enterprises to adopt what we call a “zero-security” posture. Zero-security is a mentality that assumes that no system is 100 percent guaranteed secure. We avoid making promises about “stopping ransomware” and making data and systems “secure” from ransomware threats. Instead, we talk about mitigating threats.
Ransomware is a high-volume business. Given the frequency, sophistication, and scale of attacks, at some point, it is safe to assume one of those attacks will be successful. A zero-day exploit will take advantage of a vulnerability that wasn’t patched properly on an operating system. Or, a phishing attack or spear-phishing attack will infect devices or systems.
Zero-security doesn’t mean being passive. Of course, enterprises need robust endpoint data protection and system security. This includes antivirus software and even application whitelisting, which allows only approved applications to run. Enterprises should have both an active element of protection and a reactive element of recovery. Some organizations that have paid six-figure ransoms to get their data back may have grown too lax, assuming their security measures were so robust that two backup copies of their data and a disaster recovery plan last tested three months earlier were sufficient.
Veritas’ 2020 Ransomware Resiliency Report found that two-thirds of companies would take five days or longer to fully recover from a ransomware attack. Most respondents whose company had experienced a ransomware attack said they had to pay all or part of the ransom because they weren’t resilient enough, and anything like five days of reduced operations would have been devastating.
A key part of zero-security is not putting all of your eggs in one basket. Keep in mind that the Black Hats who develop ransomware are trying to close off every way an enterprise could avoid paying the ransom. This is why ransomware attacks don’t simply target the files and systems you have in use. They also target your backup systems, including cloud-based data.
We recommend that organizations implement a more comprehensive backup and recovery approach based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework. It includes a set of best practices: using immutable storage, which prevents ransomware from encrypting or deleting backups; implementing in-transit and at-rest encryption to prevent bad actors from compromising the network or stealing your data; and hardening the environment by enabling firewalls and restricting ports and processes.
The three strategic pillars of Veritas’ ransomware resiliency strategy are Protect, Detect and Recover. The enterprises hit hardest by ransomware are often those that are strong in one of those pillars but weak in another.
We at Veritas find that it’s always best to talk honestly about ransomware resiliency. No single solution or security control is going to stop ransomware. But by taking a layered security approach, you can mitigate the impact of ransomware and get your business running again more quickly. Having a zero-security posture is the first step to thinking about ransomware resiliency in a more diversified, comprehensive way.
Interested in learning more? Read the next in the blog series: How Controlling IT Complexity is the Key to Ransomware Resiliency.