Ransomware: to pay or not to pay? That is the question
- Published: Tuesday, 30 August 2016 07:19
Gary Watson says that organizations should never get to the stage where they need to ask the above question. Combining data security with data protection can keep data safe and eliminate the need to pay ransoms.
I was staggered to read recently that many companies are stockpiling bitcoins in preparation for a ransomware attack. This means two things: one, that they expect an attack, and two, that they see no choice but to pay. It seems investing in bitcoins is the only solution some businesses have, but this sends out totally the wrong message: “we’re vulnerable and prepared to pay”. This might not seem surprising, since malware strains are constantly evolving and security designed to keep out attackers struggles to keep up with the increasing sophistication of the attacks. However, there is a way to combine data security with data protection, which can keep data safe and eliminate the need to pay the ransom: surely companies should be investing in that instead?
But, what is that solution? You might be surprised to hear it’s not a security one. Security solutions tend to focus on detecting the virus and keeping the virus out. But, any breach that tricks a user - already on the inside of that perimeter fence - will get through it, however tough the security is. Of course, companies must focus on keeping threats out, but they should also have a contingency plan for what to do when that first line of protection has failed. Given companies are stockpiling Bitcoins, they must already be aware of the limitations to the ‘keep it out’ approach and know they are vulnerable.
It’s happened: the ransomware has passed your firewall and is in. You have a demand to pay and the clock is ticking. You can’t afford to lose valuable data, nor to admit to customers that data which is often confidential or highly sensitive has been at risk. You have to pay, right? Wrong. If your archive storage has the option to restore to a point in time, then you can revert files to the versions that existed prior to the attack. Furthermore, in the case of a widespread attack, you have the option to restore just the shortcuts, which is an extremely fast operation.
Archive solutions built with security in mind don’t have a ‘delete’ function. This means that clients, even administrator-level users, or malware that has escalated to admin level (which most try to do), can’t directly delete, modify, corrupt, overwrite, or encrypt a file. Files are only deleted pursuant to the policy attached to the file when it was ingested. Any such attempts will be treated merely as a new version of the file.
What does this mean? It means that even if the malware tricks your system into thinking it is the administrator, any change to a file will create a new version, ensuring the old, non-corrupted file remains safe and is ready to be accessed as soon as the ransomware has been removed from your infrastructure. Once your system is clean again, you can re-instate the shortcuts to the files that existed before the attack. This means none of your archived data is lost and the ransom demand can be ignored.
Re-instating the shortcuts takes seconds compared with restoring data from a backup. And, often, it is discovered that the malware has not been totally removed, so the process of disinfecting and restoring needs to be repeated. With a process based on re-instating shortcuts, a ‘rinse and repeat’ cycle is significantly quicker and doesn’t impact the recovery time objective as much, which means the business can be up and running faster.
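The versioning and shortcut behaviour described above can be modelled in a few lines. This is an added example, not code from the article or from any archive product; the Archive class, its method names, the integer ingest counter standing in for a timestamp and the sample file names are all assumptions made for illustration.

```python
# Added example: toy model of a versioned, no-delete archive.
# Class and method names are hypothetical, not any vendor's API.

class Archive:
    def __init__(self):
        self._versions = {}   # path -> append-only list of (seq, data)
        self._shortcuts = {}  # path -> index of the version users see
        self._clock = 0       # ingest counter, stands in for a timestamp

    def write(self, path, data):
        """Every write, from any privilege level, appends a new version."""
        self._clock += 1
        history = self._versions.setdefault(path, [])
        history.append((self._clock, data))
        self._shortcuts[path] = len(history) - 1
        return self._clock

    def read(self, path):
        return self._versions[path][self._shortcuts[path]][1]

    def version_count(self, path):
        return len(self._versions[path])

    def restore_shortcuts(self, point_in_time):
        """Re-point shortcuts at the newest version ingested at or before
        point_in_time. Only pointers move; no file data is copied."""
        moved = 0
        for path, history in self._versions.items():
            older = [i for i, (seq, _) in enumerate(history) if seq <= point_in_time]
            target = older[-1] if older else None
            if self._shortcuts.get(path) != target:
                if target is None:
                    self._shortcuts.pop(path)   # file created after the clean point
                else:
                    self._shortcuts[path] = target
                moved += 1
        return moved


def demo():
    """Constructed scenario: clean data, an encrypting write, then a restore."""
    a = Archive()
    a.write("finance/q2.xlsx", b"clean spreadsheet")
    clean_point = a.write("hr/staff.csv", b"clean csv")
    a.write("finance/q2.xlsx", b"\x9f\x02ENCRYPTED")   # malware overwrite attempt
    a.write("README_DECRYPT.txt", b"ransom note")       # file new since clean point
    moved = a.restore_shortcuts(clean_point)
    return a, moved
```

Calling restore_shortcuts again after a reinfection moves only the shortcuts that changed since the last restore, which is why the repeat cycle stays cheap.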
The current tendency for companies to pay the ransom demands of malware perpetrators will only encourage more hacks and more ransoms. It’s not acceptable and it certainly isn’t sustainable. Of course data is critical to a business and sensitive data even more so, but companies should be aware that there is an alternative. Investing in technology solutions that can recover data to a point in time before the attack provides an insurance policy against these threats that are holding company data hostage. By including data protection as an essential component of its storage strategy, companies can better defend their critical data, ensuring any ransomware attack fails and, therefore, discouraging repeat attacks.