Ransomware is a major threat to the many cyber risk insurance companies we support at NetDiligence, and especially to the policyholders themselves.
Threat actors are getting more brazen, demanding massive extortions from victims in exchange for decryption keys.
Ransomware attacks cause business interruption and financial losses, taking a heavy toll on corporate reputations. Today, I’m speaking with Jonathan Tock, a leading expert along with his colleagues at SpearTip, about ways to mitigate this exposure using ransomware cloud backups.
NetDiligence: When you conduct ransomware investigations, do you find that threat actors target backup repositories during an attack?
Yes, what we call “cloud actors” are targeting backups. They want to do everything they can to ensure that a ransom will be paid as a result of the attack. So naturally, they go after backups to limit the company’s ability to restore from backup.
NetDiligence: Whether you’re a breach coach lawyer, insurance company, or the policyholder, no one wants to pay the extortion amount. With a quality backup repository, a company can recover without paying the ransom. But I’d say that 50% of the time, the threat actor is able to compromise the backup system. Is that your estimate as well?
Yes, the threat actor is searching for the backup repository 100% of the time but probably only succeeds about 50% of the time. They want to get to your backups because they don’t want you to be able to restore your systems, since that would allow you to avoid paying the ransom. We have partners who use offsite backups because they’re not immediately accessible by threat actors.
NetDiligence: In the worst case scenario, an organization’s network gets encrypted and the backup system is also infected. What options are there for the victim when they come to you for help?
We want to do everything we can to avoid paying the ransom. Most of the time we have found available backups or a way to locate and deploy a critical system.
Anything we can do to find those systems is very important. Though people tend to panic when they first get compromised, we’ve found that most of the time we can peel back a few layers and find some data; for example, with virtual machine experts.
Sometimes, though, you’ve exhausted all the available options and have to consider paying for the decryption key. We try to put the business first and get it up and running as quickly as possible.
NetDiligence: Let’s say we’re looking at a best case scenario where someone gets attacked but they do have cloud backup ransomware protection to help mitigate the fallout. How does that help you as an investigator?
Well, the true best case scenario is that Shadowspear is already running on the host, so it isolates the machine and an incident never occurs!
When an organization has a viable backup, the quality of what’s being restored is much higher. Remember that the same group making the encryption mechanism is also creating the key to unlock it. Decryption keys can come with all sorts of issues. For example, some decryption keys are designed to address top-level files such as Word documents and PDFs, but other files simply cannot be decrypted (and this is after you’ve paid the ransom!). Having a viable cloud or offsite backup will get your organization up and running more quickly in the event of a breach.
NetDiligence: Larger companies usually have the resources necessary to take care of themselves in this situation, but the small- and mid-sized companies often do not. In many cases, a threat actor could be in the backup system a full month before the attack even occurs. Can you recommend a ransomware backup strategy to help SMEs reduce the risk of a threat actor accessing their cloud backup?
An organization benefits from utilizing multiple layers of security. Having one backup is good; having a cloud and offsite backup is even better.
You should have a weekly process, not only so that you know it’s there and it works, but because a backup is only as good as the frequency with which it’s tested. If you’ve just experienced a ransomware event, you don’t want that to be the first time you try to deploy from backup. Anything can go wrong, whether due to human error or technical issues with repositories. When you restore from backup, you want to be sure that what you bring back is clean (otherwise, you’ll be in the same spot the next week)!
Even with a backup in place, deployment is never as smooth as you expect. When you do tabletop exercises to prepare, you want to know how long it takes to get the systems up and running. It’s better to know ahead of time that it will take six hours total than to be three hours in and not know how much longer it’s going to take.
NetDiligence: Many of our clients have asked if cloud backup is safe from ransomware, and we always tell them that no strategy is bulletproof. Outsourcing can mitigate some of that risk, but do you ever encounter a situation where the third party is affected?
We’ve seen incidents where the cloud provider was hit and the client wasn’t affected at all. Like you’re saying, using a third-party provider can’t be the be-all and end-all of your strategy since you never know if they will be attacked. The advantage is having a check every month; the assurance of knowing that your backup is good and ready. The pros of using a third party do outweigh the cons. Just keep in mind that even if you’ve outsourced the cloud backup, you should still keep offsite backups.
NetDiligence: Do you have any favorite third-party providers that you would recommend?
The best backup is the one that’s tested regularly. There’s not one that’s better overall. The two that I run across the most in our investigations are VAM and DATO. But at the end of the day, we’ve seen those fail when they haven’t been nurtured the way they should be. You should run through the right processes, test often, and make sure they’re working as expected. Doing that will keep you light-years ahead when an incident does happen.
Thoughts or questions? We’d love to hear your thoughts on ransomware cloud backup. We encourage you to keep checking back at eRiskHub for industry updates or reach out to us at NetDiligence by calling 610-525-6383.