Recent attacks have spotlighted the need for a comprehensive backup plan that allows a business to recover quickly from data loss.
Last month, an unprecedented series of high-profile data breaches and ransomware attacks managed to afflict some of the largest companies and most critical pieces of infrastructure around the globe. Over the course of just two weeks, technology giant Toshiba, the Irish Healthcare System, and the Colonial Pipeline, among others, all faced massive security breaches. These attacks highlight the constant vulnerability that every company faces in our modern technological landscape. No matter how secure a business thinks it is, there is always a vulnerability to exploit.
Toshiba’s European division was hit with a ransomware attack on May 4. The hackers threatened to leak the information they had obtained, which they claimed was 740 GB of data that included sensitive items like passport scans. Publicly, Toshiba has said the amount of data stolen was minimal and they have upgraded security in the wake of the attack. The company claims that it did not pay the ransom, and it seems no data from the attack has yet been leaked.
A little more than a week later, a much more serious attack was carried out that targeted the Irish Department of Health. This ransomware attack crippled the system by encrypting data on its network, rendering it unusable. Not long after, the Health Service Executive was also hit by an attack. These breaches caused serious problems for those dependent on the Irish healthcare system, with hospitals and doctors’ offices having to rely on paper records, forcing them to postpone appointments and treatments. Eventually, the hackers provided a decryption key to the Department of Health that unlocked their system without forcing them to pay. However, they still have all the data they stole during the attack, which can be sold for a pretty penny.
Another hugely disruptive breach was the May 7 ransomware attack on the 5,500-mile Colonial Pipeline—the United States’ largest gasoline pipeline—which completely suspended operations, cutting off a vital fuel artery to East Coast states. The shutdown lasted for approximately six days. This caused severe shortages in some regions and made gas prices skyrocket. Though initial reports suggested that Colonial was working with authorities and had not paid the demands, it was eventually revealed that the company had ponied up to the tune of $5 million in cryptocurrency the day after the attack to obtain a decryption key and begin restoring its systems.
Commenting on the situation, the White House’s top cybersecurity official, Anne Neuberger, did not admonish the company for giving in to the ransom. “We recognize, though, that companies are often in a difficult position if their data is encrypted and they do not have backups and cannot recover the data,” she said. Though not negotiating with bad actors and turning things over to authorities is the ideal response, these comments seem to recognize the harsh reality that in some situations—when companies have not properly backed up their data or can’t restore quickly enough—paying the ransom may ultimately be the most prudent option. On June 8, the Department of Justice announced that after working with the FBI, Colonial was able to recover a portion of the cryptocurrency ransom it paid to the hackers (about $2.3 million), but it still didn’t recoup the entire amount.
One particularly notable thing about these attacks is that they have all been attributed to large-scale ransomware-as-a-service hacking groups, with Eastern European–based group DarkSide believed to have carried out the Toshiba and Colonial Pipeline breaches, and the group Wizard Spider suspected to be behind the Irish health system attack. Both of these thoroughly modern organizations are structured like a corporation, a trend that is becoming more prevalent among hacking groups. Their business model involves employing independent affiliates to perform the breaches, after which DarkSide or Wizard Spider handles negotiations and transfers of payments. Victims of attacks are deliberately targeted, with hackers probing every possible vulnerability, including using social engineering tactics like phishing to try to manipulate employees into unintentionally creating a vulnerability. They then develop customized executables to run on the specific network being targeted. The process is extremely streamlined and very hard to prevent if the hackers are determined enough.
DarkSide’s corporatization even extends as far as using public relations tactics like issuing press releases after significant attacks to explain their actions. The group says it operates under a strict code of ethics—only targeting the wealthy or businesses that have engaged in some sort of transgression in their eyes, while avoiding hospitals, schools, and government services. Wizard Spider does not seem to share these convictions, as it is suspected to be behind the Irish health system intrusions. The resulting chaos caused Ireland’s COVID-19 vaccination site to become inaccessible, and forced the postponement of appointments and treatments, putting patients’ health in jeopardy. Like a corporation, Wizard Spider is conscious of their public image, so it played the “good guy” role by providing the decryption key for free, but as mentioned before, they still stole a treasure trove of data that will likely result in a huge payday for the hackers anyway.
The Far Reach of Ransomware
But these high-profile examples represent just the most visible tip of the insidious cyberthreat iceberg. According to the Hiscox Cyber Readiness Report 2021, the proportion of businesses targeted by cyber criminals in the past year increased from 38 to 43 percent—of those, 28 percent experienced five or more attacks. And this isn’t just an affliction of Fortune 500 companies. Another study from cybersecurity firm Sophos revealed only a small difference—less than 10 percent—in the rates of attacks between smaller organizations (100 to 1,000 employees) and large organizations (1,001 to 5,000 employees). So unfortunately, small and midsize companies cannot just hope that they will fly under the hackers’ radar. These attacks have become so sophisticated that certain ransomware software—such as Ryuk, which is thought to have been created by North Korean hackers—will target large storage devices on the network before encrypting data on local machines. This tactic is intended to hit the devices most likely to store backup data first, before the attack is even noticed, thus blocking many companies’ only method of recourse other than paying the hackers. In light of this, the only way to ensure backed-up data is truly safe is by storing it off the network or on media that cannot be overwritten.
Is this starting to sound like a hopeless situation? Well, there are steps that companies can take to ensure that not only is their data backed up, but also accessible in times of crisis.
Backup and Storage Basics
The principal threat of a ransomware attack is losing access to your data because the hackers who gained entry into the system have encrypted it. These encrypted files cannot be accessed without the corresponding decryption key, rendering them unusable until the ransom is paid and the key is delivered. Because modern encryption is so strong, decrypting the data without the key is unfeasible due to the time and processing power required. This gives the criminals the leverage they need to demand five-, six- or even seven-figure ransoms—and have desperate companies pay them.
Unfortunately, once the attack takes place, your options are limited. You can concede defeat and pay the ransom, try to get authorities involved—a long process without guaranteed results—or restore from a backup. This is why having an intelligent and comprehensive backup plan in place is becoming more important than ever.
Duplication and Diversity
The keys to an effective backup strategy are duplication and diversity. To the first point, to recover compromised data, you need to have duplicates or copies of that data in the first place. To make recovery smooth, it helps to keep these duplicates as current as possible. The second vital component of successful backup is diversity—a concept that applies not only to the media itself, but also to its physical location. Diversity of media is important because some formats retain their integrity longer than others, while also helping to future-proof in case a format falls out of use. If your network uses solid state drives (SSDs) or hard disk drives (HDDs), backing up to a format like tape provides a solution that stores vast amounts of data and will outlast the company’s primary storage devices. The medium will also be supported for years to come, as the LTO Consortium—the developers of the Linear Tape-Open (LTO) standard—has outlined its development roadmap through at least four more generations.
Maintaining physical diversity means keeping at least one duplicate of that data in another location. As we all know, catastrophes can strike at any time: A fire or flood can completely gut an office, destroying any backups you keep onsite. This is why at least one copy should be stored on a server in another location, in the cloud, or, in the case of tape, simply removed from the drive and taken to another place.
An important variable to consider when devising your own backup plan is the speed with which you will be able to return operations to normal if a cyberattack occurs. Restoring from various backup media can take different amounts of time. If you’re restoring your data from HDDs or SSDs, their throughput will provide fairly quick results. However, backing up to these forms of media is very expensive and, in the case of hard drives, prone to failure. Keeping a backup in the cloud may seem the best option, but depending on your plan, restoration can take days or weeks. In the deepest storage tier of many cloud providers, data is stored away on tape and must be physically located and sometimes even shipped before restoration can begin. This process can often be expedited—for a fee.
If your data capacity needs are particularly great or you want a long-term way to back up data, tape storage provides a low cost-per-gigabyte solution. As LTO technology has evolved, so has its data throughput rate, jumping up to 750 MB per second in the latest generation. Libraries can also be equipped with multiple drives to restore data from more than one cartridge at the same time. Physical diversity is also easy to achieve with tape, as a cartridge can be removed and stored offsite for long periods.
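To make the duplication and diversity criteria above concrete, here is an added example (not part of the original article) that scores a backup inventory against them and estimates restore time from a medium’s throughput and drive count. The inventory, the site names and the 200 MB/s HDD figure are constructed for illustration; the 750 MB/s tape rate is the LTO figure quoted above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class BackupCopy:
    medium: str             # "hdd", "ssd", "tape", "cloud"
    location: str           # site name; offsite means it differs from the primary site
    offline: bool           # ejected cartridge, WORM media, or otherwise unreachable from the network
    last_written: datetime
    throughput_mb_s: float  # sustained restore rate of the medium (750 MB/s is the LTO figure above)
    drives: int = 1         # parallel drives restoring at once (tape libraries)

def check_backup_plan(copies, primary_site, now, max_age=timedelta(days=1)):
    """Return a list of findings; an empty list means the plan meets every criterion."""
    findings = []
    if len(copies) < 2:
        findings.append("duplication: fewer than two copies exist")
    if not any(now - c.last_written <= max_age for c in copies):
        findings.append("duplication: no copy is within the allowed age")
    if len({c.medium for c in copies}) < 2:
        findings.append("diversity: all copies are on one medium type")
    if not any(c.location != primary_site for c in copies):
        findings.append("diversity: no copy is stored offsite")
    if not any(c.offline for c in copies):
        findings.append("isolation: no copy is offline or WORM-protected")
    return findings

def restore_hours(copy, size_gb):
    """Rough wall-clock estimate to read size_gb back from one copy (MB/s, GB = 1000 MB)."""
    return size_gb * 1000 / (copy.throughput_mb_s * copy.drives) / 3600

# Constructed sample inventory: an on-network NAS plus an ejected tape kept in an offsite vault.
NOW = datetime(2021, 6, 15, 9, 0)
NAS = BackupCopy("hdd", "hq", False, NOW - timedelta(hours=2), 200.0)
TAPE = BackupCopy("tape", "vault", True, NOW - timedelta(days=3), 750.0, drives=2)

def evaluate():
    """Compare the two-copy plan with a NAS-only plan, the kind that Ryuk-style attacks hit first."""
    good = check_backup_plan([NAS, TAPE], "hq", NOW)
    nas_only = check_backup_plan([NAS], "hq", NOW)
    return good, nas_only

if __name__ == "__main__":
    good, nas_only = evaluate()
    print("NAS + offsite tape:", good or "meets all criteria")
    print("NAS only:", nas_only)
    print(f"restore 10 TB from the tape copy: {restore_hours(TAPE, 10_000):.1f} h")
    print(f"restore 10 TB from the NAS copy:  {restore_hours(NAS, 10_000):.1f} h")
```

The NAS-only inventory fails four of the five checks, which is exactly the posture the article warns about: one copy, one medium, on the network, and reachable by the same malware that encrypts the primary data.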
The COVID-19 working restrictions set up in many states resulted in more telecommuting jobs than ever before. However, more remote workers mean more points of vulnerability for hackers to exploit, especially if they connect to a public network at, say, a coffee shop to do their work. To combat this, it is vital that companies not only implement strict security measures, but also provide guidance as to proper backup procedure. There are compact storage devices available that provide humongous data capacities that individual workers can use to back up their files securely from home. Once they have backed up to a medium like tape and removed the cartridge from the drive, that data is completely secure from any sort of cyberattack. A criminal would not only have to gain physical access to the cartridge, but also have the correct encryption key to access the data through another device. The write once, read many (WORM) protection offered by tape keeps hackers from destroying any backup by forbidding any attempt to overwrite the original data.
Having these sorts of backup policies in place, both for at-home workers and office denizens, is key to restoring an organization to functionality as quickly as possible after an attack. If everything a company needs to operate is backed up, it can restore from a previous version without having to give in to the criminals’ demands. This doesn’t protect against hackers releasing sensitive data they may have collected, but it does solve the problem of lengthy downtimes due to the breach. The only way to truly ensure that sensitive data cannot be accessed by cybercriminals under any circumstance is to store all copies offline on a secure format like tape.
The problem of ransomware doesn’t seem like it will disappear any time soon, especially when companies are willing to pay their demands. These now corporatized groups will continue to be a bane to businesses, which will need to get serious about having a comprehensive backup plan. Because as gas buyers in places like Florida are seeing, just a few days of downtime can cause a business nightmare.