Editor’s note: The following is a guest article from Sebastian Goodwin, chief information security officer at Nutanix.
Over the last decade, ransomware has become the de facto tactic of cybercriminals looking to make a quick buck.
And why not? Average ransomware payments are nearing the $1 million mark, and many criminal groups are now selling their tools and services on specialty ransomware as a service marketplaces.
With nearly every business already permanently connected to the internet, global ransomware damage is expected to reach an annual impact of $265 billion within this decade.
In practical terms, this means that we will soon face a reality where organizations are attacked every two seconds by threat actors that continue to evolve their tools and tactics.
Doing business in such a world can seem overwhelming, but modern cybersecurity approaches are working to keep up with the growth of ransomware.
As a result, CISOs looking to apply advanced thinking to ransomware defense can integrate new processes and tactics as they formulate their cybersecurity strategies.
What’s in a name? Ransomware types by description
Today’s ransomware can come from many specialized groups and threat actors. To make things more complicated, some criminal groups even sell their tools through a ransomware as a service business model, letting anyone with a bank account or cryptocurrency wallet automate ransomware attacks via the dark web.
Most common types of ransomware fall into six distinct categories:
- Crypto ransomware: After breaching individual workstations and systems, this type of ransomware finds and encrypts files, rendering them unusable. Victims are encouraged to pay a ransom or lose access to their data permanently, often by having it completely deleted off their system.
- Locker ransomware: While crypto-style ransomware blocks access to individual files, Locker-type ransomware affects whole machines, preventing a user from accessing any files or programs until a ransom is paid. In general, this type of ransomware affects computer systems, though some are specifically made to lock IoT and smart home devices.
- Ransomware as a service: This type of ransomware is sold by anonymous hacking groups, automating the process of targeting businesses, breaching networks, collecting payments and returning files. For a percent of proceeds, or a flat fee, these tools make it easier than ever to attack individual users and organizations using sophisticated ransomware methods.
- Scareware: A type of ransomware that tries to scare users into downloading malware masquerading as antivirus programs or paying a ransom. Scareware may display popup-style images and use fake or simulated programs to make it seem like files have been stolen or encrypted.
- Leakware/Doxware: Leakware, also known as Doxware, is a dangerous type of ransomware that breaks into systems and threatens to publicize sensitive user data. Most dangerous to organizations and businesses that store or manage private information, it demands a ransom for the return of data.
- Double extortion: Modern types of ransomware often involve multiple aspects of the above attacks. Double extortion attacks combine tactics to breach systems and encrypt, exfiltrate, and hold sensitive data for ransom. Unlike other attacks, double extortion attacks demand separate ransoms for returning data and decrypting it, forcing victims to pay multiple times throughout the process.
The sheer variety and complexity of today’s ransomware landscape means that legacy antivirus software and firewalls are inherently ineffective, and relying on them alone can potentially cause enterprises to suffer from losses in productivity, data and – perhaps most importantly – customer confidence.
Without modern security practices, IT teams at affected organizations will spend fewer hours supporting development of new products and services and more hours on lengthy investigations of affected storage systems, data recovery and interfacing with emergency consultants and crisis managers.
Hacks against future hacks
One of the ways to modernize security is by proactively integrating protection capabilities directly into storage systems. This way, security teams can not only detect and lower the risk of attack, but also successfully recover structured and unstructured data while analyzing attack sources.
This approach also facilitates several capabilities that help future-proof systems against cyberthreats.
Detecting behavioral anomalies
Common ransomware attacks encrypt large numbers of files, generating several read, write and rename events. Today, businesses can integrate built-in threat models to detect this type of activity and generate ransomware threat alerts.
Once anomalous behavior indicates an attack, configurable remediation policies trigger automated responses to block the offending client session or IP address.
Making file sets immutable
By changing data to read-only as it is written into a storage system, enterprises can create immutable file sets and put a retention date on the immutable files to protect the data from any modification or deletion until the retention period passes.
Once written, the data cannot be modified or deleted, protecting the most sensitive data against malicious attacks and ransomware.
Isolating management networking
Isolating the management network from read/write traffic used by the data services greatly helps to secure the data residing on shared file storage.
More effective management across multiple virtual networks can also further reduce the attack surface and apply appropriate controls that prevent intruders from accessing critical data that resides in these networks.
Sharp, strategic and secure
Cyberattacks are inevitable, and ransomware is a significant – and growing – threat to all businesses. Today’s cybersecurity landscape requires enterprises to be more proactive in hunting threats, detecting and remediating them quickly in order to recover and restore operations in real-time, and responding to any resulting regulatory and legal claims efficiently.
While CISOs and their teams cannot completely prevent ransomware from targeting their businesses, the growing number of attacks underscores that now is the time to implement more efficient data management and security strategies to future-proof systems and establish protection for vulnerable centralized storage.