I’ve been tracking news on ransomware for a while now, and there’s been a few events of late that warrant greater attention. Data protection is an umbrella term: for some it refers to security, for others it refers to privacy, and then there’s data storage protection as well. Ransomware is of interest in all three fields: it’s clearly a security problem, it could create a privacy issue, and with appropriate storage protection options you can recover from it faster and cheaper than by paying vile criminals for a decryption key.
Let’s start with City Power in Johannesburg, South Africa:
Ransomware has had a long history of targeting sensitive industry verticals. Healthcare has been a common target, and I’d wager serious money that by now we have had patient deaths caused, or significantly contributed to, by a ransomware attack at the wrong time creating a quality of care issue.
Power and other utilities are obvious additional targets. While utility companies will usually separate their corporate systems from their operational systems, that’s not always going to happen. What’s more, a common theme with isolated networks is that they’re also isolated from the internet, and therefore have out of date patching and virus scanning. So all it takes is one person with a USB key at the wrong time and you may very well see ransomware toast what is meant to be a sensitive, secured network area.
According to BBC News:
The ransomware attack initially affected customers’ ability to buy pre-paid electricity and also hampered the firm’s efforts to respond to localised blackouts.
A spokesman for City Power told the BBC that more than a quarter of a million people might have been affected.
“These are the people on pre-paid system[s] and would at any given day buy electricity,” he said.
“Those people were not able to access the system.”
Ransomware hits Johannesburg electricity supply, 26 July 2019, BBC News
There are only two types of companies in the world: those who have been hit by ransomware, and those who haven’t been hit by ransomware yet.
Ransomware has turned into a serious business model for criminals:
From May 2018 to May 2019, the top malware category mentioned in underground forums was ransomware
Bestsellers in the Underground Economy: Measuring Malware Popularity by Forum, 24 July 2019, Insikt Group
People are seeking ransomware because so far it’s proven an effective extortion process: companies with inadequate backup and recovery processes feel compelled to pay the ransom in order to get the data back.
Paying ransom to get back data is nuts. OK, if that’s your only option then you probably end up having to do it, but from a compliance perspective, how can you prove that something else hasn’t been done to the data?
But the real rub is that if you’ve got appropriate data storage protection, you can get the data back faster by not paying the ransom.
Here’s the next thing: the sorts of cheap and cheerful storage systems that SMB and smaller mid-market companies tend to use are now also being targeted by ransomware. Yes, I love the Synology NAS systems I have at home, but:
Taiwan-headquartered storage vendor Synology is warning users to strengthen the passwords to their network attached storage (NAS) after several devices — capable of storing terabytes of data — were encrypted by ransomware.
Ransomware crooks hit Synology NAS devices with brute-force password attacks, Liam Tung, 26 July 2019, ZDNet
It’s not just Synology though — QNAP has been similarly targeted.
This is an ongoing theme: ransomware may at times be an opportunistic attack, but it’s just as likely to be deliberately targeted at specific industry verticals through spear phishing and other social engineering approaches. What’s more, these days you’re more likely to hear about ransomware attacking backup servers, which is why using general filesystem storage that is presented to, and accessible by, the backup server as a normal OS filesystem mount is dangerous: anything that can write to the backup server can write to the backups. (On the other hand, systems like Data Domain Boost keep the mount away from the backup server — and clients! — giving you greater peace of mind in a ransomware situation.)
Law enforcement teams and collaborative projects are trying to get tools in the hands of businesses to allow them to decrypt ransomware attacks without having to pay a ransom. But this is a standard arms race. Every time a decryption tool gets freely published, there’ll be a new encryption attack released.
On the three-year anniversary of the No More Ransom project, Europol announced today that users who downloaded and decrypted files using free tools made available through the No More Ransom portal have prevented ransomware gangs from making profits estimated at least $108 million.
No More Ransom project has prevented ransomware profits of at least $108 million, Catalin Cimpanu, 26 July 2019, ZDNet
Preventing $108 million in ransomware profits sounds good, until you stop to consider that $108 million is a drop in the collective ocean for ransomware:
Ransomware cost businesses more than $8 billion per year in 2018
…This is an incredibly high surge compared to 2016, when the annual cost of ransomware was estimated at $1 billion. It’s also important to mention that the money is only a part of what a company loses. The company’s reputation, the downtime, and other factors all amount to disastrous consequences behind these ransomware statistics.
Ransomware Statistics, Ana Bera, 24 March 2019, Safeatlast
So if it was $1 billion in 2016, and $8 billion in 2018, let’s be conservative and assume it was $3 billion in 2017. So the No More Ransom project collectively appears to have wiped out 0.9% of profits for ransomware criminals. Hmmmm.
There was a time when IT related incidents were just seen as things that impacted geeky people who didn’t mind being on-call. Ransomware changes that up:
This Wednesday, Louisiana Governor John Bel Edwards declared a state of emergency in response to ransomware attacks on three public school districts.
Louisiana declares state of emergency in response to ransomware attack, Jim Salter, 27 July 2019, ArsTechnica
What a way to make the news.
If you think you’re safe from ransomware if you operate in the cloud, you may want to re-think that one, too:
iNSYNQ, a cloud computing provider of virtual desktop environments, has been down in a major outage that has lasted nearly a week after its servers were infected last Tuesday, July 16, with ransomware.
Cloud-based virtual desktop provider hit by ransomware, Catalin Cimpanu, 22 July 2019, ZDNet
Some verticals have been targeted so heavily that it’s become a major topic of consideration. Take US city councils for instance: there’s been a near constant flow of news reports about US municipalities being taken out by ransomware. This has even led to:
Meeting in Hawaii at the end of June, 1400 mayors, representing just about every US municipality with a population of 30,000 or more, voted unanimously to refuse to pay to unlock their IT systems encrypted by a ransomware attack.
US Conference of Mayors bans payment of ransomware demands, David Heath, 13 July 2019, ITWire.
The above article gives some interesting details by quoting the actual resolution that was passed:
WHEREAS, targeted ransomware attacks on local US government entities are on the rise; and
WHEREAS, at least 170 county, city, or state government systems have experienced a ransomware attack since 2013; and
WHEREAS, 22 of those attacks have occurred in 2019 alone, including the cities of Baltimore and Albany and the counties of Fisher, Texas and Genesee, Michigan; and
WHEREAS, ransomware attacks can cost localities millions of dollars and lead to months of work to repair disrupted technology systems and files; and
WHEREAS, paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit
Ibid.
People run around bleating that cyber-insurance is the way to go to address the ransomware issue. Is it? Is it, though?
Weeks after the city’s insurer paid the ransom, the phones are back on and email is once again working, but the city has still not recovered all of its files.
A City Paid a Hefty Ransom to Hackers. But Its Pains Are Far From Over, Frances Robles, 7 July 2019, New York Times.
My first book is called Enterprise systems backup and recovery: A corporate insurance policy for a reason. If you want cyber-insurance, spend your funds on making sure your data protection process is up to date and functional rather than paying shysters offering “cyber insurance”.
So between all the ransomware news I’ve been reading about recently, and conversations I’ve been having for a while, I’ve got a few thoughts and observations:
- Backing up to ReFS is nuts: OK, where did this one come from? I’ve had a few conversations where people have wanted to compare using a purpose built backup appliance like Data Domain to “hey, I’ll just back up to ReFS on Windows Server, that does dedupe.” Even putting aside the obvious point that there’s deduplication and then there’s deduplication, if you’ve got someone telling you that you can achieve backup efficiency by leveraging ReFS, what they’re not telling you is that you’ll also get very poor efficiency on your ransomware payout when that storage area is encrypted, because it’s just another writable volume on a Windows host.
- Avoid Windows-hosted backup servers: Yes, I know that ransomware attacks Linux systems as well, but it’s a numbers game, and if you track the incidence of ransomware you’ll see that Windows systems are more likely to be hit than Linux or Unix servers. So put your backup services on a Linux host, or better yet, a locked down appliance, and take away that entire threat vector.
- If you are using a regularly accessible OS for your backup server, make sure you wrap CDP (continuous data protection) around it: Of course, this assumes that the actual backup data is generated external to the backup server itself (e.g., on Data Domain). If your backup server gets hit by ransomware, you need a way to quickly rewind it and get your catalogues back so you can start recovering data quickly. That’s what things like RecoverPoint for Virtual Machines are for.
- You should be as paranoid about security on your backup server as you are your mission critical systems: Data protection is a mission-critical function for your business: the impact to your business if your backup service is lost or degraded has the potential to be massive. See my earlier post about cascading failure states.
- Tape is not the solution to ransomware: Yes, tape is an offline copy. Yes, tape won’t be hit by ransomware. (I’ll bet money that by mid-2020 there will be ransomware that deliberately looks for tape devices attached to a system and at least writes data to whatever tapes are in the drives. It’s not hard.) But give yourself a thought exercise: what if you had to recover everything in your environment from tape, all at the same time? Particularly for disaster recovery scenarios, tape does not scale.
- Your databases won’t decrypt properly: I see regular references in ransomware articles about “even our databases have been encrypted”. Congratulations, you’ll pay for a decryption key that won’t help you out. Your database hasn’t been encrypted by the ransomware jumping into the database SQL interface as an administrator and issuing SQL commands to replace the contents of each row with encrypted data, it’s stampeded over the database as a file and encrypted the data. Do you seriously want to bet that the data will come back in a consistent, recoverable format? (If you do, you’re braver than I.)
- So-called cyber insurance doesn’t do squat: As far as I’m concerned, the burgeoning push for “cyber insurance” is almost as criminal as the ransomware movement itself. Cyber-insurance doesn’t guarantee you an outcome, doesn’t have a guaranteed timeframe that you’ll get your data back, and doesn’t guarantee that your business won’t end up dragged through the papers as a poster-child for ransomware victims.
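The ReFS and filesystem-mount points above come down to one thing: backup data sitting on a plain writable volume can be rewritten by whatever reaches that volume, and nobody notices until a restore fails. Here is an added example (my own, not code from the original post or from any vendor mentioned in it) of the minimum check I’d want running against such a repository: record a manifest of content hashes after each backup, then verify the repository against it. Backup files should be write-once, so any hash change is suspicious, a large fraction changing at once looks like mass encryption, and a changed file whose content has turned to near-random bytes is the strongest signal. Paths, filenames and the alert threshold are constructed for the demonstration.

```python
"""Verify a write-once backup repository on a plain filesystem mount.

Added example, not from the original post. Assumes a directory of backup
files that must not change after they are written; the manifest it produces
should be stored somewhere the backup server cannot write to.
"""
import hashlib
import math
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so multi-gigabyte backup images don't land in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits well under 6, encrypted or compressed
    data sits close to 8.0. Compressed backup formats will also score high,
    so entropy is only used on files the manifest already says have changed."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(repo: Path) -> dict:
    """Hash and size of every file under the repository, keyed by relative path."""
    return {
        str(p.relative_to(repo)): {"sha256": sha256_of(p), "size": p.stat().st_size}
        for p in sorted(repo.rglob("*"))
        if p.is_file()
    }


def verify_manifest(repo: Path, manifest: dict, changed_fraction_alert: float = 0.2,
                    entropy_threshold: float = 7.5, sample_bytes: int = 65536) -> dict:
    """Compare the repository's current state with a known-good manifest."""
    current = build_manifest(repo)
    changed = [k for k in manifest if k in current and current[k]["sha256"] != manifest[k]["sha256"]]
    missing = [k for k in manifest if k not in current]
    new = [k for k in current if k not in manifest]
    # Only changed files are sampled for entropy: new backup files are expected.
    high_entropy = [
        k for k in changed
        if shannon_entropy((repo / k).read_bytes()[:sample_bytes]) >= entropy_threshold
    ]
    total = max(len(manifest), 1)
    alert = (len(changed) + len(missing)) / total >= changed_fraction_alert
    return {"changed": changed, "missing": missing, "new": new,
            "high_entropy": high_entropy, "alert": alert}


def demo() -> dict:
    """Constructed scenario: five backup files, four of them rewritten in place
    with random bytes (a stand-in for a file encrypted on the mount), plus one
    legitimately new backup that should not trigger anything."""
    with tempfile.TemporaryDirectory() as d:
        repo = Path(d)
        for i in range(5):
            (repo / f"client{i}.bak").write_bytes(
                f"backup set {i}: plain, low-entropy payload\n".encode() * 200)
        manifest = build_manifest(repo)  # taken right after the backup completed
        for i in range(4):
            (repo / f"client{i}.bak").write_bytes(os.urandom(65536))
        (repo / "client5.bak").write_bytes(b"a legitimate new backup\n")
        return verify_manifest(repo, manifest)


if __name__ == "__main__":
    report = demo()
    print("ALERT" if report["alert"] else "ok", report)
```

Run on a schedule from a host other than the backup server, with the manifest kept off the repository volume (if the manifest lives on the same mount, it gets encrypted with everything else and the check proves nothing). The 20% threshold is a starting point: a repository that legitimately rewrites files, such as one using synthetic full backups, needs it tuned or the check pointed at the immutable copies only.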
Those are just some of my observations. Personally I think criminals are going to end up targeting conventional backup services even more, and that means the fourth point above, being as paranoid about security on your backup server as on your mission critical systems, becomes even more critical.
I want to wrap up by reiterating a previous point, that being there are only two types of companies in the world: those who have been hit by ransomware, and those who haven’t been hit by ransomware yet. Which type of company do you work for?
Finally, if you’re reading this in July, there’s still a couple of days left for you to go in the draw to win my latest book. Check it out, here.