Ransomware operators are now trying to extend the time between infection and detection in order to maximize the revenue potential of their attacks. IT teams restoring from virtual machine snapshots generally roll back the entire VM rather than restoring individual files. Attackers have adapted to this behavior by changing the way their ransomware works: rather than showing its hand immediately, a typical infection stays quiet for a period of time and does its damage slowly.
The aim is to encrypt as much data as possible, for as long as possible, before the ransomware is detected.
It’s an operational fact of life that rolling back a complete VM throws away all work done during the rolled-back period. If we roll back by an hour, that’s one thing, but if the infection has been quietly encrypting files for a week, the last clean snapshot is a week old, and rolling back that far poses a much bigger problem. The alternative is to identify every encrypted file and restore only those files, but that discovery and selective restore process can be very slow.
Canaries. Obviously, we need to neutralize this delaying tactic. One solution pointed out by this great TechTarget article is to detect infection as fast as possible by planting “canary files” that rapidly tell us an attack is under way on the network. (Similar to the canary in the coal mine that protected miners from toxic gas by succumbing first and providing the alert. Tough job.) By design, canary files and shares hold nothing of value to the business. They exist solely to present fat targets for ransomware and to raise a flag the moment one is modified, renamed, or deleted; since no legitimate process ever touches them, any change is a high-confidence signal rather than a noisy heuristic, and the time of the first trip tells you how far back a clean restore point has to be.
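A minimal canary-file check, written as an added example for this article rather than code from the TechTarget piece or from VAZATA: it plants decoy documents with known hashes, then re-checks them and reports anything missing, renamed, or rewritten. The names PlantCanaries and CheckCanaries, the decoy file names, and the ".locked" ransom extension used in the simulated attack are illustrative assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"sort"
)

// Added example, not tooling from the article or from VAZATA. Names such as
// PlantCanaries and CheckCanaries are illustrative choices for this demo.

// CanaryManifest records each planted canary path and the hex SHA-256 of
// its original content so later checks can tell "unchanged" from "tampered".
type CanaryManifest map[string]string

// PlantCanaries writes n decoy files into dir and returns their manifest.
// The names look like real business documents because ransomware usually
// walks the filesystem and picks victims by extension; the content is
// random so the decoys have no business value if stolen.
func PlantCanaries(dir string, n int) (CanaryManifest, error) {
	manifest := CanaryManifest{}
	for i := 1; i <= n; i++ {
		path := filepath.Join(dir, fmt.Sprintf("Q%d_budget_forecast.xlsx", i))
		body := make([]byte, 4096)
		if _, err := rand.Read(body); err != nil {
			return nil, err
		}
		if err := os.WriteFile(path, body, 0o644); err != nil {
			return nil, err
		}
		sum := sha256.Sum256(body)
		manifest[path] = hex.EncodeToString(sum[:])
	}
	return manifest, nil
}

// CheckCanaries re-hashes every canary and returns, sorted, the ones that
// are missing (deleted or renamed, e.g. with a ransom extension) or whose
// content changed. Nothing legitimate ever touches a canary, so a
// non-empty result is a high-confidence alert, not a heuristic.
func CheckCanaries(manifest CanaryManifest) []string {
	var tripped []string
	for path, want := range manifest {
		data, err := os.ReadFile(path)
		if err != nil {
			tripped = append(tripped, path+" (missing)")
			continue
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			tripped = append(tripped, path+" (modified)")
		}
	}
	sort.Strings(tripped)
	return tripped
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	dir, err := os.MkdirTemp("", "canary")
	must(err)
	defer os.RemoveAll(dir)

	manifest, err := PlantCanaries(dir, 3)
	must(err)
	fmt.Println("clean check:", CheckCanaries(manifest))

	// Simulate a slow-burn infection: one canary is overwritten with
	// ciphertext-looking noise, another is renamed with a ransom extension.
	noise := make([]byte, 4096)
	_, err = rand.Read(noise)
	must(err)
	must(os.WriteFile(filepath.Join(dir, "Q1_budget_forecast.xlsx"), noise, 0o644))
	must(os.Rename(filepath.Join(dir, "Q2_budget_forecast.xlsx"),
		filepath.Join(dir, "Q2_budget_forecast.xlsx.locked")))
	fmt.Println("after attack:", CheckCanaries(manifest))
}
```

In practice the check runs from a scheduled job or a file-system watcher on every file server and VM, and a trip should isolate the host and record the timestamp, since that timestamp bounds how far back the restore has to go.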
Encryption. Another countermeasure is encryption, though it addresses a different risk. Object storage systems are often configured to encrypt data at rest. This protects against lost or stolen drives, but not against an attacker who has obtained valid credentials or a foothold on a client, because the storage service decrypts transparently for anyone it authorizes. To protect files stored in a public, private, or hybrid Cloud, data should be encrypted before it leaves your control, for example by placing it in encrypted volumes attached to the instance, which emulate regular hardware volumes. Because VMs may be moved or duplicated, an encryption proxy between the compute instances and the storage volume can be used when multiple instances connect to the same storage. For Cloud-based data storage, key management is (to use a pun) the key to successful data protection. Keys can be managed centrally by you or by the service provider, and the choice matters: whoever holds the master key can read the data, so provider-managed keys put the keys and the data in the same trust domain, while customer-held keys keep a copied volume or bucket unreadable. Bear in mind that encrypting your own data does not stop ransomware from encrypting or deleting it again; what it limits is what an intruder can read and carry off, so it complements rather than replaces fast detection and good backups.
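Client-side envelope encryption of the kind the paragraph describes, as an added example that is not VAZATA's code or any particular provider's API: each object is sealed under its own data key, the data key is wrapped under a master key that never leaves the customer, and only the sealed pair is uploaded. The master key here is a plain byte slice standing in for a key held in the customer's own KMS or HSM; EncryptForUpload and DecryptAfterDownload are illustrative names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Added example, not code from the article or from VAZATA. The master key
// here is a byte slice standing in for a key held in the customer's own
// KMS or HSM; EncryptForUpload and DecryptAfterDownload are illustrative names.

// EncryptedObject is the only thing that reaches cloud storage: the file
// sealed under a per-object data key, plus that data key sealed ("wrapped")
// under the master key. Neither key is ever stored in the clear.
type EncryptedObject struct {
	WrappedDataKey []byte
	Body           []byte
}

// sealWith encrypts plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
func sealWith(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce so the blob is self-describing.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openWith reverses sealWith and fails closed on a wrong key or any tampering.
func openWith(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// EncryptForUpload runs on the client, or in an encryption proxy shared by
// several VMs, before any byte is sent to the provider.
func EncryptForUpload(masterKey, plaintext []byte) (*EncryptedObject, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	body, err := sealWith(dataKey, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealWith(masterKey, dataKey)
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{WrappedDataKey: wrapped, Body: body}, nil
}

// DecryptAfterDownload needs the master key to unwrap the data key first;
// without it, a stolen object is just noise.
func DecryptAfterDownload(masterKey []byte, obj *EncryptedObject) ([]byte, error) {
	dataKey, err := openWith(masterKey, obj.WrappedDataKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openWith(dataKey, obj.Body)
}

func main() {
	masterKey := make([]byte, 32) // stand-in for a customer-held KMS/HSM key
	if _, err := rand.Read(masterKey); err != nil {
		panic(err)
	}
	obj, err := EncryptForUpload(masterKey, []byte("customer ledger 2024"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("what the provider sees: %x...\n", obj.Body[:16])

	// Anyone who obtains the stored object but not the master key (a copied
	// volume, a leaked bucket) gets an error, not data.
	if _, err := DecryptAfterDownload(make([]byte, 32), obj); err != nil {
		fmt.Println("wrong key:", err)
	}
	pt, err := DecryptAfterDownload(masterKey, obj)
	if err != nil {
		panic(err)
	}
	fmt.Println("right key:", string(pt))
}
```

The design point is where the master key lives: if the provider holds it, the same party that stores the ciphertext can also unwrap every data key, so a compromised account or provider exposes everything; if it stays in a customer-controlled KMS or HSM, the provider only ever sees the sealed blobs above. Rotating the master key is cheap because only the small wrapped data keys need re-encryption, not the objects themselves.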
In today’s cyber-insecure world your CSP must share the security mission with you. A VAZATA Cloud Computing Needs Assessment can reveal useful insights about your IT infrastructure status. Why not contact us today?