In the Age of Ransomware, Only Uncompromising Data Security Will Do.

Ransomware attacks have increased significantly in recent months. How can business data be efficiently protected against such attacks? Data backup is one of the most important components of any data security concept. It must ensure that business data can be recovered absolutely safely and easily in the event of a disaster.

Maik Paprott
+41 58 510 15 67
maik.paprott@umb.ch

Most experts, law enforcement agencies, and most of the public agree: blackmailers should not be paid, for obvious reasons. Apparently, Peter Spuhler, the head of Stadler Rail AG, agrees. After his company was attacked with ransomware this spring (the criminals demanded 6 million dollars in Bitcoin), the company did not enter into negotiations with the blackmailers, even though they published stolen data via Twitter to increase the pressure. "Stadler is not and was at no time willing to make payments to the blackmailers and did not enter into negotiations," the company announced. According to the company, backup data was available, so production and provision of services could continue as usual.

 

An expensive total breakdown

In the case of navigation specialist Garmin things went a lot differently. Garmin announced at the end of July that the company had been affected by an "outage". In fact, it was a total breakdown. Cloud-based devices, switchboards, e-mail servers, and online chats were no longer functioning. In addition to the Connect apps, Garmin Express and FlyGarmin were also paralyzed. Even production facilities were affected. This was a disaster caused by an attack with WastedLocker ransomware. The situation at Garmin slowly returned to normal at the beginning of August. According to press reports, the company had paid a sum in the millions to the blackmailers [i] and in return received the encryption key to make their business data usable again.

Garmin is, of course, not the only company that has bought back its data from blackmailers. Today there is even insurance coverage available for this case.[ii] One may assume that in many cases such transactions never come to light, especially if the customers of blackmailed companies are not directly affected. Emsisoft, a US company specializing in decryption, estimates the total turnover of the ransomware industry at 25 billion(!) dollars last year.

 

Double blackmailing is the latest trend

Millions have also been paid in two more known cases in recent months, just as with Garmin. Foreign exchange service Travelex paid a ransom of 2.3 million dollars to criminal blackmailers in January, after hackers had encrypted the company's files. And Blackbaud, a provider of software and cloud hosting solutions, claimed to have stopped a ransomware attack in May. But the company still paid a ransom because the hackers had stolen data from the company network and threatened to publish it online. The Blackbaud incident, like Stadler Rail, is a prime example of today's double extortion schemes. The criminals first gain a foothold in the company network and steal data from it before encrypting local files. Affected companies are then asked to pay a ransom, either to unlock the files or to prevent the stolen data from being made public. The stolen data serves the criminals as a kind of reinsurance in case the victim refuses to pay and decides to reconstruct the systems.

 

Covid-19 is an effective lure

According to experts, cybercriminals are increasingly using COVID-19 themes in their phishing expeditions to exploit associated concerns of users. Some current topics where caution is needed include information on vaccines, masks and disinfectants, as well as financial aid programs. Caution is also advised when free downloads or updates are offered for popular technology solutions, such as video or audio conferencing platforms or social media[iii]. This trend can also be observed statistically: according to the SonicWall Cyber Threat Report 2020, ransomware attacks have massively increased, especially in the USA, where they have more than doubled compared to the previous year[iv].

 

Private devices for private activities

This situation makes it necessary to minimize the risk posed by your own employees. E-mails coming from the outside should be automatically marked. Employees must be able to report suspicious e-mails in an uncomplicated manner (for example, via the Report Message Add-On in Outlook). Embedded e-mail links should be thoroughly checked. Limiting macros and scripting languages to users who really need them will reduce the risk. Consideration should also be given to the classification of software necessary for the productivity and communication of home office employees. Strict separation of personal and corporate devices is critical: employees should use only their personal devices for personal e-mails and surfing activities.

Three copies, two media types, one copy off-site

To ensure the best possible protection against ransomware on the data protection side, Veeam, a leading global cloud management and backup specialist, recommends applying the 3-2-1 rule[v]: 3 copies, 2 different types of storage media, at least 1 off-site copy. By distributing your data on different media, it becomes more difficult for ransomware to infect everything. For this concept to work, regular testing is required; errors are not permitted. There are, obviously, many different ways to back up data. Backup as a service by an external provider is only one of them. In this case, copies of the backups are sent to another location operated by an external provider. This can be a good solution for customers who do not have a secondary business location or cannot afford to outsource their backups there. The biggest barrier to this option is giving control of company data to a third party.

Magnetic tape storage is an interesting and often underestimated option for secondary data backup and data archives. According to Veeam, this type of data backup is the cheapest (5 - 8 USD per TB) and at the same time one of the most resistant storage types against ransomware attacks; magnetic tapes can easily be stored in a safe place.

As far as the 3-2-1 rule is concerned, it is important that each backup copy of data is stored on a different storage device. If two backups are on the same storage device and the hardware fails, neither backup will work. If the backups are stored on the same storage as the primary VMs and that storage fails, the primary VMs and their backups will be lost.
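The rule and the same-device pitfall described above can be checked mechanically against a backup inventory. The following is an added example, not code from Veeam or UMB; the inventory fields, device names and sample data are constructed, and it assumes the production data counts as one of the three copies.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    name: str
    device: str            # storage device or array holding this copy (hypothetical IDs)
    media: str             # media type, e.g. "disk", "tape"
    offsite: bool          # stored at another location
    primary: bool = False  # True for the production data itself

def check_321(copies):
    """Return a list of 3-2-1 violations; an empty list means compliant."""
    problems = []
    # Copies on one device fail together, so group them by device.
    by_device = {}
    for c in copies:
        by_device.setdefault(c.device, []).append(c)
    for device, group in by_device.items():
        if len(group) > 1:
            names = ", ".join(sorted(c.name for c in group))
            problems.append(f"copies share device {device}: {names}")
    # Only copies on distinct devices count as independent.
    if len(by_device) < 3:
        problems.append(f"{len(by_device)} independent copies, need 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        problems.append(f"{len(media)} media type(s), need 2")
    if not any(c.offsite and not c.primary for c in copies):
        problems.append("no off-site backup copy")
    return problems

# Constructed inventory: backups kept on the same array as the primary VMs.
BAD = [
    Copy("prod-vms", "san-01", "disk", offsite=False, primary=True),
    Copy("nightly", "san-01", "disk", offsite=False),
    Copy("weekly", "nas-02", "disk", offsite=False),
]
# Constructed inventory: three devices, two media types, tape stored off-site.
GOOD = [
    Copy("prod-vms", "san-01", "disk", offsite=False, primary=True),
    Copy("nightly", "nas-02", "disk", offsite=False),
    Copy("weekly", "tape-lib-01", "tape", offsite=True),
]

if __name__ == "__main__":
    for label, inventory in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, check_321(inventory) or "compliant")
```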

 

UMB and VEEAM: Partners with experience and competence

Don't get cornered! We can provide you with the expertise you need to ensure leading edge data security in your company. UMB is a Platinum Partner in the Veeam® ProPartner program, reaching the highest Veeam® partner level. The award represents experience and expertise in delivering simple, reliable, and flexible Veeam-based cloud data management for businesses that want to be always available. Contact us for your data security.

 

[i] https://news.sky.com/story/garmin-obtains-decryption-key-after-ransomware-attack-12036761

[ii] https://www.cbc.ca/news/technology/ransomware-cyber-insurance-pros-and-cons-1.5453619

[iii] https://home.kpmg/xx/en/home/insights/2020/05/rise-of-ransomware-during-covid-19.html

[iv] https://threatpost.com/sharp-spike-ransomware-pandemic-inspires-attackers/157689/

[v] https://www.veeam.com/blog/3-2-1-rule-for-ransomware-protection.html