Surviving a modern ransomware attack such as Maze or Sodinokibi/REvil
The most recent ransomware headline occurred a few days ago when the Sodinokibi/REvil ransomware group hit technology manufacturer Acer with a $50M attack. According to published reports, confidential internal data was made public as proof of the attack.
As ransomware attacks become more frequent and the ransom amounts continue to grow, what can companies do to survive a ransomware attack?
1. Maintain an effective data backup and restoration program
2. Stop ransomware attacks early by monitoring file system activity
3. Secure all data that should never leave the company
Data Backup and Restoration
One of the reasons malicious actors attack manufacturers, local governments, and hospitals is that the downtime cost to restore normal operations is high. It is a lot easier for these organizations to pay the ransom than to restore data from backups. Often the backups are local and have also been compromised during the attack.
Organizations need to ensure backup data is isolated from the production environment so the attack cannot impact the backup. Organizations also need to test their restoration process to have confidence in the restoration process and the amount of time required to restore critical systems.
Early Detection of Ransomware
Ransomware attacks are focused on files and data, so every action ransomware must take against the file system to succeed needs to be monitored. File system events such as file creation, deletion, rename, and modification, as well as volume mount and unmount, should all be monitored.
SecureCircle's agent monitors all file system activity to detect when to secure data automatically. Regardless of the decision to encrypt data, the file system logs are available for early anomaly detection. The records can alert on and stop ransomware threats before the attack is successful.
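One way to turn the file system events listed above into an early ransomware alert, as an added example that is not SecureCircle's agent or its code: a sliding-window detector that flags a process which modifies or renames many distinct files within a few seconds, while ignoring an editor that rewrites one file repeatedly. The event format, process names, paths and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

# Detector thresholds are assumptions chosen for the constructed sample below;
# tune them per fleet. A burst of modify/rename events across many distinct
# files from one process is the signature the detector looks for.
WINDOW_SECONDS = 10
DISTINCT_FILE_THRESHOLD = 8
SUSPECT_ACTIONS = {"modify", "rename"}

def detect_bursts(events, window=WINDOW_SECONDS, threshold=DISTINCT_FILE_THRESHOLD):
    """events: time-ordered (timestamp, process, action, path) tuples.
    Returns one alert per process, raised the first time that process
    modifies or renames at least `threshold` distinct files within `window` seconds."""
    recent = defaultdict(deque)   # process -> (timestamp, path) of recent suspect events
    alerted, alerts = set(), []
    for ts, proc, action, path in events:
        if action not in SUSPECT_ACTIONS:
            continue                      # creates/deletes/mounts are logged but not scored here
        q = recent[proc]
        q.append((ts, path))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= threshold and proc not in alerted:
            alerted.add(proc)
            alerts.append({"process": proc, "at": ts, "distinct_files": distinct,
                           "events_in_window": len(q)})
    return alerts

def sample_events():
    """Constructed sample event log, not captured from any real system."""
    ev = []
    # A word processor autosaving one document: many events, a single file.
    for i in range(12):
        ev.append((1.0 + i, "winword.exe", "modify", r"C:\Users\a\report.docx"))
    # A process rewriting and renaming many distinct files within seconds.
    for i in range(10):
        p = rf"C:\Users\a\Documents\file{i}.xlsx"
        ev.append((20.0 + i * 0.2, "unknown.exe", "modify", p))
        ev.append((20.1 + i * 0.2, "unknown.exe", "rename", p))
    return sorted(ev, key=lambda e: e[0])

if __name__ == "__main__":
    for a in detect_bursts(sample_events()):
        print(f"ALERT {a['process']} at t={a['at']:.1f}s: "
              f"{a['distinct_files']} distinct files, {a['events_in_window']} events")
```

The same loop can consume a live feed from an endpoint agent or an auditd/ETW stream once the records are mapped to the four-tuple shape.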
Secure all Data
Complex ransomware attacks encrypt data within the organization and steal a copy of the data to release it. Organizations pay the ransom if they can't accept the outcome of either attack. While a comprehensive backup and restoration program can limit the impact of downtime, companies still need to address the threat of data leaking to the public.
Again, hackers have chosen their targets wisely since hospitals and government agencies have compliance requirements to meet, such as PHI (Personal Healthcare Information), CCPA (California Consumer Privacy Act), GDPR (General Data Protection Regulation), and more. The technology and manufacturing companies have valuable intellectual property worth millions of dollars.
Typically, organizations have used DLP (Data Loss Prevention) solutions to keep confidential information from leaving. But legacy DLP is challenging to operationalize and leads to additional operational overhead with marginal success. As a result, only a small subset of data is secured.
SecureCircle enables end-users to operate without obstacles while data is continuously secured against breaches and insider threats. Instead of relying on complex reactive measures, SecureCircle persistently protects data in transit, at rest, and even in use. Most important, SecureCircle allows the organization to secure all their data since there is no impact on the end-user behavior or business workflows, no additional administrative overhead, and no impact on applications or technical workflows.
Following these three guidelines will minimize the impact of a ransomware attack.