The sinister aspect of data blackmail, and of any other form of ransomware, is that the new and constantly emerging variants were, and still are, recognised by anti-virus solutions only when it is already too late. The current wave of attacks using so-called ransomware was recognised by virus scanners only weeks after it became known.
In the intervening period the trojans were doing the rounds and causing mayhem. Several companies and public authorities worldwide were affected and, in some instances, had to interrupt operations.
Indeed, in the USA hospitals have paid ransoms. Depending on company size, the sums demanded have ranged from EUR 200 to EUR 15,000. The only effective strategy against data blackmail is an intelligent back-up strategy.
Yet many companies shy away from this logical step and instead build up a stock of bitcoin so that they can buy back their own files, as a recent survey among British companies reveals.
Establishing a Strategy
Yet an organisation's data-backup strategy ought to be an established component of its IT security concept. None of this is actually difficult; nevertheless it can decide whether an organisation thrives or suffers.
All that is needed is to observe a few rules. Currently most attacks are directed at Windows systems, but recently other systems have also come under threat: the success rate of these blackmail operations strengthens cyber-criminals' resolve to target other operating systems as well.
Because this form of internet crime holds out prospects of success for the attackers, as a British survey shows, the near future can also be expected to bring attacks on SAP environments in corporate settings and on open-source solutions. As a specialist in back-up solutions, SEP sees database files as the main target when crypto-trojans are activated.
This is where organisations can be hit hardest in running their business. Even in the normal case, restoring the data after an attack is a disaster-recovery scenario in itself. But what happens if the back-up files themselves have already been encrypted or otherwise tampered with and, once restored, are just as illegible?
Alongside the classic back-up scenarios, i.e. a weekly complete backup of all data (full backup) and a backup of the data changed in between at least once daily (a differential backup captures everything changed since the last full backup, an incremental backup only what changed since the previous backup run of any kind), further measures are necessary. The back-up data should additionally be preserved, by means of a 'media break', on a separate tape drive and, where possible, at a different location.
That way the blackmail software can no longer reach the back-up data, because an offline tape is not a writable target for a process running on an infected host, whereas a backup share mounted on the network is. The retention period also needs to be lengthened, because the period in which such malware can remain undetected is longer than before, and a backup that expires before the infection is noticed leaves no clean restore point. As in all back-up scenarios, the data volumes add up with every backup run, especially for full backups.
De-duplication can help here by intelligently minimising the volume of data retained in the back-up store.
The Aftermath of Attacks
If an attack has taken place, its exact point in time must first be narrowed down. Only then does the 'Restore' function come into play, because every backup set written after that point contains the encrypted files and is useless for recovery. Initially, data access should be permitted only in read-only mode. If the encryption routine has not yet run, at least the data can still be read. Once the last clean data set has been found, it is used to restore the systems cleanly.
To guarantee prompt restoration at any time, the general rule is that regular restoration tests of all systems ought to be conducted, or automatically validated by the back-up software; a backup whose integrity has never been checked against what was originally written may itself have been altered without anyone noticing. For protection against these threats, the firewall and the anti-virus software have long since ceased to be enough. Awareness of the need for an intelligent back-up strategy needs to be reinforced by the new threats.
This is because back-up and recovery are an important supporting pillar of IT security in companies and organisations.
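The two procedures described above (keeping a media-break copy on tape, retaining backups for longer than the malware's dwell time, and, after an attack, pinning its point in time and restoring from the last clean set only after validating it) can be exercised against a small model. The following Python is an added example written for this article; it is not SEP's code and does not use any backup product's API. The catalogue, the dates, the 'disk'/'tape' copy locations and the short byte strings standing in for backup contents are all constructed, and the SHA-256 digest recorded at backup time stands in for whatever integrity record a real product keeps.

```python
"""Choosing and validating a clean restore point after a crypto-trojan attack.

Constructed model: an in-memory backup catalogue in which each set's contents are
short byte strings. No real backup product is involved.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class BackupSet:
    taken_at: datetime
    kind: str                                  # "full" or "incremental"
    sha256: str                                # digest recorded when the set was written
    copies: dict = field(default_factory=dict)  # location -> bytes as found today


def build_catalog(first_full: datetime, days: int, compromise: datetime) -> list:
    """Weekly full on day 0, 7, 14, ... and a daily incremental on every other day.

    Every set has a copy on the online disk repository and one on tape (the
    'media break'). Two effects of the trojan are modelled (assumptions):
      * production data backed up at or after `compromise` is ciphertext, so the
        set is internally consistent (digest matches) but useless for recovery;
      * the disk repository was reachable from the infected host, so every disk
        copy has since been overwritten and no longer matches its digest.
    """
    catalog = []
    for d in range(days):
        when = first_full + timedelta(days=d)
        kind = "full" if d % 7 == 0 else "incremental"
        marker = "<ciphertext>" if when >= compromise else "plaintext"
        data = f"{kind}:{when.date()}:{marker}".encode()
        catalog.append(BackupSet(
            taken_at=when, kind=kind, sha256=digest(data),
            copies={"disk": b"\x00ENCRYPTED" + data, "tape": data},
        ))
    return catalog


def apply_retention(catalog: list, now: datetime, keep_days: int) -> list:
    """Sets older than the retention window have expired and been overwritten."""
    cutoff = now - timedelta(days=keep_days)
    return [s for s in catalog if s.taken_at >= cutoff]


def select_chain(catalog: list, compromise: datetime) -> list:
    """Newest full taken before `compromise`, plus the incrementals that follow it
    up to (not including) `compromise`. Empty if no usable full remains."""
    clean = sorted((s for s in catalog if s.taken_at < compromise),
                   key=lambda s: s.taken_at)
    fulls = [s for s in clean if s.kind == "full"]
    if not fulls:
        return []
    base = fulls[-1]
    return [base] + [s for s in clean
                     if s.kind == "incremental" and s.taken_at > base.taken_at]


def intact_copy(bs: BackupSet, preference=("disk", "tape")):
    """First location whose current bytes still match the recorded digest (read-only
    check: nothing is written). None if every copy has been altered."""
    for loc in preference:
        if loc in bs.copies and digest(bs.copies[loc]) == bs.sha256:
            return loc
    return None


def restore_plan(catalog: list, compromise: datetime):
    """Ordered list of (date, kind, location) to restore, or None when the chain
    cannot be completed from intact media."""
    chain = select_chain(catalog, compromise)
    if not chain:
        return None
    plan = []
    for bs in chain:
        loc = intact_copy(bs)
        if loc is None:
            return None
        plan.append((bs.taken_at.date().isoformat(), bs.kind, loc))
    return plan


if __name__ == "__main__":
    first = datetime(2016, 3, 7)          # constructed dates
    compromise = datetime(2016, 3, 20)    # when the trojan started encrypting
    detected = datetime(2016, 4, 3)       # when the attack was noticed
    catalog = build_catalog(first, 28, compromise)
    print("full history :", restore_plan(catalog, compromise))
    print("14-day keep  :", restore_plan(apply_retention(catalog, detected, 14), compromise))
    print("28-day keep  :", restore_plan(apply_retention(catalog, detected, 28), compromise))
```

Two things the model makes visible: every set in the chain is restored from tape, because the online copies fail the digest check even though they were written before the attack; and with a 14-day retention window and a two-week gap between encryption and detection, no full backup from before the attack survives, so there is no clean restore point at all. A digest check alone is not enough: a set taken after the attack verifies perfectly and still contains nothing but ciphertext, which is why narrowing down the time of the attack comes first.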