Backups Won’t Save You From The Digital Pandemic

Ransomware is a growing threat to all businesses. It’s easy to think you’re safe, though. My business is fine; nobody would bother ransoming me, right?

Most businesses are more vulnerable than they think: on the back-end, there’s the initial shock of getting locked out of your system. But this snowballs rapidly: consumers today expect high-quality customer service 24/7. If they cannot access your site or services, this sends your business into a tailspin – and leaves you scrambling to meet the criminal’s demands.

Many ransomware attacks target SMEs. Cybercriminals know that – for most growing enterprises – sales are a far higher priority than data security. And the larger the business, the greater the sum demanded. Though ransoms range from 3 to 7 figures, the average ransom for SMEs in the UK is £90,000. The average turnover of a business that size is £720,540.

It’s not bankruptcy-causing cash, and that’s the whole point; it’s just low enough to swallow the cost as an inconvenience.

Cybercriminals are sneaky like that.

IMAGE: UNSPLASH

Ransomware – Crypto’s Ugly Shadow

Ransomware initially struggled to find a footing in the digital world. The first piece of ransomware wasn’t even a criminal attack: it was a piece of activist art at an AIDS convention. Limited options around anonymous payment meant that receiving the ransom money was – short of setting up a PO Box in Panama – too much work for your average criminal.

Enter cryptocurrency. First created in 2008, 2013 was the ‘Year of the Bitcoin’. Bitcoin’s first ever bull run was certainly noticed by some. Finally, a currency that didn’t pass through the trigger-happy hands of a banking system.

The cybersecurity-scape was totally unprepared for what followed. Cryptolocker swept through a quarter of a million devices in under a year.

Once downloaded (usually from a phishing email), Cryptolocker sits there silently. Within the malware’s code is the following instruction:

KEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “CryptoLocker_<version number>”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce “*CryptoLocker_<version number>”

This dictates that Cryptolocker doesn’t start until the machine is booted up. Once it has, over a few hours, Cryptolocker worms its way through the machine’s hard drive. Scrambling any files it finds, it systematically reshuffles the bits into a new order.

The order of the now-ruined strings of bits is kept track of with a ‘key’. Through a screen-covering ransom note, the criminals dangle this key above your head – for a Bitcoin-converted fee, of course.

Cryptolocker in many ways became a ransomware archetype, ahead of its time. The first explosion of ransomware attacks came in 2016: malware ‘Locky’ became particularly notorious after an attack on San Francisco’s public transport system.

And ransomware has not stopped evolving since. Cryptolocker was effectively destroyed in 2014 – requiring a full-time, dedicated government task force to stop the $3-million disaster. However, rates of ransomware rose again between 2020 and 2021 alone, with criminals upping the ante to include US critical infrastructure in their attacks.

Backups To The Rescue?

So, if ransomware works by encrypting your data – it’s possible to nullify the threat with a backup, right?

Not all backups are created equal. For a lot of small businesses, data backups are a three-way tug of war between IT Best Practice, time restraints, and budget.

Technically speaking, fully isolated physical storage is the most secure solution. However, the scale of this quickly becomes an absolute nightmare. Each time you update the storage, you’d need to retrieve this hard drive, and re-copy all existing data in a full backup.

The financial demands of so much physical storage – at a time when the chip market is under heavy pressure – would soon become untenable. You’d also waste a lot of expensive space on identical copies.

Cloud backups offer a good deal of security, as your files are hosted on an external server.

Incremental backups are also a more cost-effective solution than full. However, the more time a backup spends connected to the company network, the larger the backup’s attack surface. In the world of ransomware, connection is vulnerability. Having your backup permanently connected to either your device or your network is a recipe for disaster.

So, if your version of a backup is to save a file to your OneDrive, prepare for a nasty shock. Ransomware can access any file connected to your device. The single major vulnerability of ransomware used to revolve around unencrypted data. Now, however, this is changing.

New-Wave Ransomware

Whereas early attacks focused on encrypting files on a host device and its network, new-wave ransomware holds another threat: customer data.

Double extortion sees not only commercial data encrypted for financial gain – but also exfiltrated by the criminals and leaked. This way, even if a company manages to decrypt their files, criminals are still able to inflict massive data loss.

Triple extortion (yes – it just gets better!) is where criminals force access to customer information as well.

This happened recently in the 2022 Ubisoft, Microsoft, and Nvidia attacks by LAPSUS$. Nvidia saw 1TB of data stolen – including firmware and schematics of its latest GPU – which was then drip-fed to the public over Telegram.

Backups – The Last Line In Zero-Trust Architecture

Backups offer no protection against ransomware.

21 days is the average amount of time a business stays down after a ransom attack. A cohesive backup can make your recovery faster, but falling for ransomware makes you more likely to be targeted again.

Focus on prevention rather than cure. Education is the single most powerful tool against malware. Read up on zero-trust architecture, and create a cohesive overview of your own cybersecurity.

Along with education and firewalls, file integrity monitoring (FIM) can offer last-minute protection. FIM solutions offer real-time alerts to suspicious behaviour in files, allowing you to respond to ransomware before it’s crippled your entire network.

FIM can also be used to retrace the steps of a previous malware event, strengthening your future response plan.

Ultimately, the threat of ransomware is increasing. We’re in the middle of a digital pandemic, and – just like any other virus – ransomware is constantly evolving. Keeping yourself up to date and protected is a constant task, else you risk the integrity of every device on your network.