Ransomware attacks have escalated over the last few years, with Gartner reporting that ransomware accounted for 27% of attacks in 2020. The ACSC states, ‘Cyber dependent crimes, such as ransomware, were a very small percentage of total cybercrime reports. Nevertheless, the ACSC assesses that ransomware remains the most destructive cybercrime threat.’ We anticipate that ransomware attacks will continue to increase over the years, highlighting the need for all organisations to be ready.
What does this mean?
A couple of us Galahs got together to write on the topic. We decided not to focus this blog specifically on ransomware as there’s a multitude of content on this topic already. Instead, we decided to focus on one of the simplest ways to defend against ransomware: backups. This blog also focuses on clearing up a common misconception about replication and backups. So let’s start with some basic definitions.
Simply put, ransomware is a malware attack in which the malware encrypts the files it can access, after which the attackers demand a ransom to restore the encrypted files. These attacks typically originate from social engineering attack vectors. It’s not hard to imagine the severe damage this could inflict on any organisation. The entities perpetrating these attacks are often highly sophisticated and use advanced attack models that are challenging to thwart. These attacks have become increasingly hard to detect due to the advent of ChatGPT and other LLM AI tools, which make phishing email and social media content much more believable; thus, the user frequently becomes the last line of defence.
Backups are copies of your company’s data stored at a different location from the original files. A backup is a snapshot of your data at a specific moment in time. This snapshot exists in a secondary location distinct from the source files, with access entirely separate from the source. You can leverage this snapshot to recover from ransomware and many other incidents. How often your company performs a backup will depend on your specific needs.
Replication mirrors a company’s data to another device or server in real-time or near real-time. A good example of replication is a cluster, where one container is replicated multiple times to ensure service availability. Consequently, replication is incredibly beneficial for maintaining business continuity and reducing downtime.
From these definitions, it becomes clear that replication is not a preventive measure against ransomware attacks; on the contrary, it could worsen the situation, because the encrypted data is replicated across all copies. The most effective method to recover from a ransomware attack is regular backups. While it is vital to have an efficient replication system to ensure system availability and enhance customer experience, it’s equally important not to confuse replication with backups and to back up all data regularly.
The key takeaway is that backups and replication are separate data management methods with different purposes and benefits. Backups can aid in recovering from ransomware attacks, while replication assists in maintaining business continuity.
Geoff Mefford, Cyber Security Consultant at AT&T Cybersecurity, and John Shier, Senior Security Adviser at Sophos, recommend these key steps to protect against ransomware:
- Keep at least three copies of your company’s data.
- Store two backup copies on different devices or storage media.
- Keep at least one backup copy off-site, offline, or otherwise only physically accessible.
- Get the basics right; back up your data regularly.
- Install intelligent, integrated cyber security software.
- Avoid using vulnerable remote desktop access services.
- Patch often.
- Educate employees on what to look for in phishing, suspicious emails, and more.
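The first four recommendations can be checked mechanically against an inventory of data copies. The sketch below is an added example, not code from the authors or the experts quoted above; the `Copy` fields, the `audit` function, the sample inventories and the one-day freshness window are assumptions made for illustration. It also encodes the replication point made earlier: replicas are not counted as independent copies.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Copy:
    name: str
    kind: str           # "primary", "replica" or "backup"
    media: str          # device or storage medium, e.g. "backup-nas", "tape"
    isolated: bool      # off-site, offline, or only physically accessible
    taken_at: datetime  # when this copy last matched the source

def audit(copies, now, max_age):
    """Return a list of findings; an empty list means the inventory passes."""
    findings = []
    # Assumption: replicas mirror changes (including encryption) in near
    # real time, so they are not counted as independent copies.
    independent = [c for c in copies if c.kind != "replica"]
    backups = [c for c in independent if c.kind == "backup"]
    if len(independent) < 3:
        findings.append(f"only {len(independent)} independent copies, need 3")
    if len({c.media for c in backups}) < 2:
        findings.append("backups are not on two different devices or media")
    if not any(c.isolated for c in backups):
        findings.append("no backup is off-site, offline or physically isolated")
    # "Regularly" is site-specific, so the allowed age is a parameter.
    if not any(now - c.taken_at <= max_age for c in backups):
        findings.append(f"no backup newer than {max_age}")
    return findings

# Constructed sample inventories (hypothetical names and media).
NOW = datetime(2024, 1, 10, 9, 0)
REPLICATED_ONLY = [
    Copy("db-primary", "primary", "san-a", False, NOW),
    Copy("db-replica-1", "replica", "san-b", False, NOW),
    Copy("db-replica-2", "replica", "san-c", True, NOW),
]
BACKED_UP = [
    Copy("db-primary", "primary", "san-a", False, NOW),
    Copy("db-replica-1", "replica", "san-b", False, NOW),
    Copy("nightly-disk", "backup", "backup-nas", False, NOW - timedelta(hours=8)),
    Copy("weekly-tape", "backup", "tape", True, NOW - timedelta(days=5)),
]

if __name__ == "__main__":
    for label, inv in (("replicated only", REPLICATED_ONLY), ("backed up", BACKED_UP)):
        print(label, "->", audit(inv, NOW, timedelta(days=1)) or "passes")
```

The replicated-only inventory fails every check even though it holds three live copies of the data, one of them off-site.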
When you have good backups, you have more leverage against ransomware demands.