Backup admins: Watch out for these ransomware attack trends
Ransomware attacks have evolved and present a new set of challenges for backup admins. Here are some recent attack trends to prepare for to keep data and backups safe.
The latest ransomware trends suggest that IT teams will need to be more diligent than ever. Organizations that fail to do so either put data at risk or may even reach the point where full recovery is impossible. The repercussions from a ransomware attack can be enormous and cost up to millions in lost revenue, ransom payments and recovery efforts.
Many analysts now consider ransomware the top cybersecurity threat, with attacks soaring in frequency and steadily growing more expensive. Cybersecurity Ventures, a research and publishing firm, estimated that organizations are now being attacked by ransomware every 11 seconds, compared to every 14 seconds at the end of 2019. This makes ransomware backup and recovery plans more important now than ever.
Below are four ransomware attack trends that have emerged that IT teams must be aware of when planning a ransomware backup and recovery strategy.
1. Ransomware attacks now include data theft and extortion
To limit the risks from ransomware, organizations have gotten smarter about backing up their data and protecting those backups from ransomware, but cybercriminals have also gotten smarter and are now stealing data, as well as encrypting it.
The data might include intellectual property, high-privilege credentials, personally identifiable information or any other types of sensitive data that, if exposed, could harm the organization. Once the criminals have the data, they might threaten to disclose it or sell it to the highest bidder if the organization doesn't pay up -- criminals often use the dark web to carry out their transactions.
For organizations to protect themselves from ransomware, they must back up their data regularly and frequently, and those backups must be both physically and logically secured. An organization's backup strategy should include any types of data that require protection. In addition, the organization should maintain at least two copies of its backups, with one copy both immutable and kept offline.
2. Ransomware offered as a service
Rather than attacking organizations outright, developers might offer ransomware as a service (RaaS) to other cybercriminals in exchange for a licensing fee. However, this is no ordinary software model. Customers may use RaaS software to carry out their own ransomware attacks, but they must share a percentage of the take with the developer group, which can be a hefty chunk of the profits. That said, not all developers follow this model. Instead, some sell complete ransomware kits for a set fee on the dark web.
3. Ransomware attackers choosing more specific targets
Attacks are becoming more targeted, focused and selective. Hackers might go after particularly vulnerable organizations or those that can least afford the downtime. Governments, as well as educational and healthcare systems, have been hit exceptionally hard in recent times. But cybercriminals do not limit themselves to industries. They're just as likely to go after high-profile organizations with exceptionally deep pockets.
Cybercriminals take advantage of the increased number of people working at home during the pandemic, exploiting vulnerabilities in systems such as the Remote Desktop Protocol. For example, rather than using generic types of phishing, cybercriminals often run spear phishing campaigns that target specific victims.
To prepare for tailored attacks, organizations should have a monitoring and alerting system in place that provides visibility into the entire infrastructure. They should also ensure that their end users receive the training necessary to reduce the organization's vulnerability to ransomware.
4. Ransomware now aims for larger 'blast radius'
Like any technology field, ransomware attacks continue to improve and evolve. They've become more effective at penetrating networks, finding sensitive data and holding that data hostage. Human-operated ransomware is also on the rise.
In the past, ransomware would spread randomly across a network, but now an operator uses stolen credentials to access the target systems to exfiltrate sensitive data and guide the infection process, which can result in a far more effective attack. Hackers can also disable security software, utilize mobile device features or carry out distributed denial-of-service attacks in conjunction with the ransomware attacks.
Face these new challenges head on
Organizations can review and update their backup and recovery plans to ensure that their data is completely protected. There should be no doubt about what data they need to back up or when backups should occur. Backup operations should be easy to manage and modify, and the backups should be scanned and verified.
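The following is an added example, not part of the original article, that audits a backup inventory against the rule from the first trend (at least two copies, one both immutable and offline) and counts a copy only if it still verifies against the checksum recorded when it was written. The record fields, location names and sample inventory are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class BackupCopy:
    dataset: str
    location: str          # hypothetical label for where the copy lives
    immutable: bool
    offline: bool
    recorded_sha256: str   # digest recorded when the backup was written
    payload: bytes         # stands in for the bytes read back from the copy

def audit(copies):
    """Return {dataset: [findings]}; an empty list means the dataset passes."""
    groups = {}
    for c in copies:
        groups.setdefault(c.dataset, []).append(c)
    report = {}
    for dataset, group in groups.items():
        findings, verified = [], []
        for c in group:
            # A copy only counts toward the policy if it still verifies.
            if hashlib.sha256(c.payload).hexdigest() == c.recorded_sha256:
                verified.append(c)
            else:
                findings.append(f"{c.location}: checksum mismatch")
        if len(verified) < 2:
            findings.append("fewer than two verified copies")
        if not any(c.immutable and c.offline for c in verified):
            findings.append("no verified copy is both immutable and offline")
        report[dataset] = findings
    return report

def _copy(dataset, location, immutable, offline, written, read_back=None):
    """Build a constructed sample record; read_back differs if the copy changed."""
    digest = hashlib.sha256(written).hexdigest()
    return BackupCopy(dataset, location, immutable, offline, digest,
                      written if read_back is None else read_back)

# Constructed sample inventory (not real data).
INVENTORY = [
    _copy("finance-db", "nas-01", False, False, b"finance full backup"),
    _copy("finance-db", "tape-vault", True, True, b"finance full backup"),
    _copy("hr-share", "nas-01", False, False, b"hr full backup", b"\x8f\x02 scrambled"),
    _copy("hr-share", "cloud-locked", True, False, b"hr full backup"),
]

if __name__ == "__main__":
    for dataset, findings in audit(INVENTORY).items():
        print(dataset, "OK" if not findings else findings)
```

In the sample, `hr-share` fails on all three checks: one copy no longer matches its recorded digest, which leaves a single verified copy, and that copy is immutable but not offline.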
Organizations should also look for backup tools that can help protect against complex ransomware attacks, such as the following:
- Acronis Cyber Protect includes advanced anti-ransomware technology that actively safeguards documents, media files, programs, backup files and other types of data.
- The Carbonite data protection platform provides incremental recovery capabilities that enable customers to restore only new or changed files following a ransomware attack.
- Veeam Backup & Replication supports immutable backups and includes ransomware detection capabilities.
An organization should also develop an incident response plan that outlines what steps to take in the event of a ransomware attack. If an attack does occur, the response team should immediately launch that plan, identify and isolate infected systems, and conduct a root cause analysis.
They should also notify the key players who need to be informed about the attack, such as security experts, insurance companies, law enforcement agencies, legal counsel and anyone else who should know. After they've contained the infection and notified key players, they can then begin the recovery process.