How to avoid ransomware attacks to better protect hyperscale environments

Ransomware attacks are nothing new to corporate IT infrastructures. In fact, according to research by Palo Alto Networks the first ransomware attack occurred in 1989, when an AIDS researcher loaded malicious code onto 5.25-inch floppy disks and distributed 20,000 disks to researchers across 90 different countries. Once the researchers booted their PCs after inserting the floppy disks, they found their files were encrypted - and the only solution was to wire the scammer hundreds of dollars.

Decades later, ransomware has become more advanced and commonplace, but still follows the same formula as it did in 1989. Today, to avoid ransomware attacks and better protect their organization’s technology, IT teams must take a proactive risk mitigation approach that includes cyber security awareness training and control monitoring. Let’s take a closer look at how to avoid ransomware attacks to better protect your hyperscale environment.

Important ransomware facts & figures

Over the last year, ransomware attacks have increased in number and evolved in complexity. Instead of simply encrypting an organization’s data and holding it hostage in systems and networks, cyber criminals now tend to make copies of sensitive information and threaten to release this data unless a company pays the ransom.

Unfortunately, many companies have not evolved their approach to account for ransomware attacks. Veritas’ “The 2020 Ransomware Resiliency Report” found:

• 65% of respondents have an “equal mix” of on-premise/public, mostly public cloud, or entirely public cloud infrastructures
• 64% of respondents felt their IT security did not keep pace with their IT complexity
• 42% of respondents said their company experienced a ransomware attack
• 38% of respondents said the ransomware attack disrupted business operations for at least 5 days
• 32% of respondents said the ransomware attack disrupted business operations for 1-4 days

To make matters even more difficult, the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) released an "Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments" in October 2020. Organizations not only need to worry about experiencing a ransomware attack, they may also not be able to pay the ransom if their bank views the payment as a regulatory violation.

Why are hyperscale and multi-cloud environments vulnerable to ransomware?

Unlike traditional, on-premise infrastructures, hyperscale and multi-cloud environments expand an organization’s digital footprint by creating new access points. This increased attack surface makes securing cloud infrastructures a challenge. Understanding the steps malicious actors use to successfully attack hyperscale and multi-cloud environments can help organizations take a more proactive approach to mitigate data breach risk. Consider the following scenarios:

Social engineering

Most ransomware attacks start with social engineering. Social engineering attacks prey on the end-user’s trust, emotions, and common decency to entice them into taking an action that’s against their best interests. All types of ransomware attacks require end-users to take an action, like clicking a link, that sets the process in motion.

This is especially true in times of uncertainty. An August 2020 report from INTERPOL noted that malicious actors used people’s fear of COVID-19 as part of their attacks. People’s fear in conjunction with the lack of available COVID-19 related information during that period made them more susceptible to a social engineering attack. This isn’t the only way that social engineering works, however - a malicious actor could pose as your boss sending you an employee appreciation gift card or could pose as a contractor that is trying to fix your HVAC system (Heating, Ventilation and Air Conditioning).

Even if employees are trained in countering malware and ransomware, social engineering preys on their trust and emotions to make them more likely to ignore or comply with a potential threat that they know they should report.

Executable ransomware

With executable ransomware, the end-user clicking on the document or link triggers the malicious code to write a file to the disk. This is what people usually understand as a computer "trojan." For example, the "fake anti-virus" trojan is a typical example of this type of ransomware. In this case, end-users are notified that there has been a threat detected on their computer, and they are led to do an internet search for "antivirus" to resolve the threat. Next, they may find "free" software online, download it, and install it.

Unfortunately, they have now downloaded and installed ransomware that executes when installed. Now, the trojan has been written to their machine, typically in a hidden location. From there, it could take a few minutes or a few months for the ransomware to spread across your network. On the malicious actor’s cue, the ransomware will execute.

Fileless attacks

Fileless ransomware installs in otherwise native, legitimate system tools. When the end-user clicks on the link or document, they download the ransomware code. However, unlike the trojan, they do not need to install the ransomware for it to impact their device. In a fileless attack, the malicious code uses a native scripting language, like macros, or writes into the device’s memory. This is why an unfamiliar spreadsheet that uses a macro to replicate a series of actions or a PDF that has formatting code in it can be dangerous.

Since fileless attacks do not need to write anything to a disk, they are increasingly common in hyperscale infrastructures. They hide inside legitimate applications, like Microsoft Word, which means that any web-based application, storage location, or database is at risk. Undetected, the fileless malware embeds its code into a centralized source, like an operating system running a server. From there, it can remain undetected until it encrypts and exfiltrates much of the data belonging to your organization.

Even more disconcerting, fileless ransomware leaves little forensic evidence because it does not save anything on a device. Therefore, during the investigation and recovery process, security analysts have a hard time finding and removing it.

How to protect against a ransomware attack

While protecting against ransomware might seem like a unmanageable task, creating a proactive, defense-in-depth approach can mitigate both the success likelihood and organizational impact. Let’s walk through the steps you need to take to protect your organization against a ransomware attack.

Step 1: Start with cyber security awareness

To stop a ransomware attack before it starts, organizations need to ensure that their employees are aware of cyber security risks. For a successful approach to cyber security user awareness, organizations should consider finding training programs that:

• Enable baseline testing to get a sense of where they are now
• Leverage interactive modules that engage users so they retain what they learn
• Incorporate gamification 
• Automate simulated phishing attacks
• Provide appropriate reporting for measuring training effectiveness

Step 2: Establish end-point antivirus protection

Installing antivirus on all endpoints, including servers, is another way to create a proactive approach to avoiding a successful ransomware attack. Over the years, antivirus software has evolved to help predict new malware signatures. When looking to purchase antivirus software, consider the following:

• Endpoint Detection and Response Solutions using Artificial Intelligence (AI) / Machine Learning (ML) to predict new ransomware variants
• Size of the signature database used by an analytics engine
• Ability to quarantine and remove the malicious code
• How often the software updates the signature database

Step 3: Engage in penetration testing

Scheduling regular vulnerability assessments and penetration tests can prevent ransomware from executing or reduce the mean time to detect (MTTD) a ransomware attack. Malicious code generally needs to engage in a series of activities as part of the attack, so it’s important to test for these attack patterns and ensure the controls’ effectiveness. When evaluating a vulnerability assessment or penetration testing service, consider whether the provider can:

• Automate discovery for potential vulnerabilities in networks and web applications
• Assess exposure to vulnerability
• Measure potential risk associated with discovered vulnerabilities 
• Engage in reconnaissance of network and applications by mimicking known attacker techniques
• Exploit vulnerabilities with real-world tools and techniques
• Provide an in-depth report of vulnerabilities and remediation recommendations

Step 4: Create a regular backup plan

Lost productivity is often one of the biggest recovery problems organizations face after a ransomware attack. A primary control to prevent lost income is to ensure appropriate backup and recovery procedures. As the organization looks to mature its processes, a managed backup service provider, such as SoftwareOne, can enable a more rapid recovery. When evaluating a managed backup services provider, organizations should consider whether they have the following capabilities:

• Detect, compress, and duplicate across on-premise and hyperscale infrastructure automatically
• Consolidate backup solutions to lower costs and reduce unnecessary maintenance and support contracts
• Provide transparency about backup job status between public cloud and hybrid environments
• Maintain compliance with organizational backup policies and security controls