Andres Rodriguez is founder and CTO of nasuni.
We live in the age of ransomware. This persistent threat remains a primary concern of CEOs, their boards, CIOs, CISOs and everyone in the IT firing line. However, we still get a lot wrong about ransomware and why it is devastating for businesses.
Information security focuses its efforts on three pillars: prevention, detection and recovery. With ransomware, the first two get much more attention than the third. This misguided focus stems from a lack of understanding of how ransomware actually works. This article will explain how ransomware operates at the file system level, how it affects ransomware recovery, and why paying the ransom is not a viable option.
Prevention is not enough.
The common misconception about ransomware is that it compromises organizations at the software level, somehow defeating the security controls of file storage systems. The genius of ransomware is that it takes advantage of normal operating procedures for storing and accessing files. Ransomware starts as a social hack, bypassing normal safeguards through impersonation.
Typically, when an employee wants to access a file, they first obtain authorization through systems such as Active Directory (AD). With the proper permissions, AD allows access through the file server and the employee gets to work. Hacking AD is possible, but it is much more difficult than tricking one of thousands of employees into clicking on a link or image. If AD is the impregnable fortress, end users have the keys to the gate.
So ransomware targets people. An end user clicks the wrong link and the malware compromises that individual’s computer, impersonating that individual and potentially other employees with broader permissions.
File systems are designed to allow users with permissions and authority to make changes to files. So when malware impersonates an end user with high-level permissions, the file server naturally assumes the malware is that user and allows changes, including encryption. Everything in place to protect against infiltration – the security prevention part – becomes useless or ineffective. The system believes it is operating normally. By assuming the user’s identity, the ransomware is AD-authorized and can move through the file system, encrypting additional files and folders.
While it used to be easy to spot the anomalous rewrite pattern of a ransomware attack, hackers are becoming more sophisticated. They are making the software behave more like regular users. So prevention, like any pure defensive strategy, can never be enough.
Ransomware does not destroy, extract or leak data.
Hackers do not change the file server code and trick it into deleting volumes or files. Ransomware keeps everything in place. That’s what makes it so efficient. No data leaves the organization – if that happens, most companies have tools that would detect the leak early and stop the attack before too much damage is done.
With ransomware, files are locked and inaccessible within your security perimeter. The Hollywood equivalent of the heist would be a band of thieves who change the code for a bank vault, making valuables inaccessible, and only offer to provide the combination in exchange for a fee. The money is still in the bank. The data is still on the file server. You just need a way to get it back that is practical and doesn’t take forever.
Trying to break the ransomware’s encryption is a foolish task. However, if you can recover versions of your stored files before they were encrypted, and do so quickly – in minutes or hours, not days or weeks – it should be possible to eliminate the effects of the attack from your systems. Fast recovery is the most important offensive weapon against ransomware.
Paying the ransom is a risky option at best.
Most organizations understand that paying the ransom does not guarantee file recovery. Decryption keys may not work if hackers provide them. However, there are additional issues to consider. Are you and your organization behaving legally when engaging with criminals? By paying hackers, you would be encouraging the behavior and effectively funding future attacks. Are you then an accomplice to these future schemes? Barring legal ramifications, the potential damage to your personal and corporate brand is just as powerful. Nobody wants to “fund a global criminal organization” as part of the company’s values.
Fast recovery turns ransomware from a threat into a nuisance.
As explained above, ransomware does not destroy or steal data. It makes recovery so long and complicated that organizations see no alternative and cooperate with criminals. Companies can protect themselves by storing older versions of files in additional locations or in the cloud. Then, IT can restore the versions saved before encryption.
This works great in theory, but in practice, these restores can take days or weeks. Many solutions require bulk rollbacks of the entire file system, which means that unaffected files or new changes are lost. Possible business disruption could be more harmful than paying the ransom. This is the crack in the armor that ransomware targets.
The good news is that it is possible to quickly recover from an attack without paying a ransom. A more efficient approach is to focus on file system-level protection and store immutable, unlimited versions of each file in cloud object storage. This allows you to surgically restore only those files and folders that were encrypted. This significantly speeds up retrievals because no files need to be moved. The file system is simply redirected and pointed to these “clean” unencrypted versions in the cloud.
If there is a modern solution like this, why are so many organizations still vulnerable? One word: inertia. The traditional way of protecting files relies on backups, which tend to be unreliable and slow to restore, especially if many files, or worse, file servers in multiple locations are affected. However, organizations follow the traditional backup model because that’s what they’ve always done. It’s what they know.
In the age of ransomware, the old ways of protecting files no longer apply. A new threat demands a modern solution.
The Forbes Technology Council is an invite-only community for world-class CIOs, CTOs and technology executives. do i qualify?