Virtualization Technology News and Information
VMblog's Expert Interviews: BackupAssist Talks A Two-Pronged Approach to Safeguarding Data from Ransomware

interview backupassist ransomware

You do not need to be in high tech to be well aware of the mounting threat of ransomware, and the growing frustration around how to successfully combat it.  It seems that even the FBI lacks a truly effective solution. Joseph Bonavolonta, a Boston-based cyber and counterintelligence specialist at the FBI, told attendees at a recent security conference: "To be honest, we often advise people to just pay the ransom. The ransomware is that good." But, paying the extortionists isn't always financially feasible, certainly never desirable. 

Today, we speak with Linus Chang, Founder and CEO of BackupAssist, about this increasingly hot topic, and learn more about his "one-two punch" strategy.

VMblog:  What are the biggest issues that businesses need to worry about today when it comes to cybercrime?

Linus Chang:  I think no matter what size of business you're talking about, ransomware has become the most significant threat that's out there. It's the most insidious form of malware and is extremely prevalent and damaging-so much so that even the FBI has sometimes advised victims to manage it by just paying the ransom fee. That's not something that all companies can afford to do, and they shouldn't have to do it since there are much better solutions available now. 

Another big problem with ransomware is that there are so many constantly evolving permutations. It's not like the old days where the extent of the expertise was just social engineering-where someone would get an invoice in a Word or Excel document, open it, and it infected their system as soon they clicked "enable macros." The infections have become much more sophisticated now.

VMblog:  What different types of more evolved ransomware attacks are companies seeing today?

Chang:  The main thing is that ransomware infections have become much more complex over time. You see plenty of active hacking, where hackers break into systems and install ransomware onto them directly. You see worms like WannaCry that exploit vulnerabilities in the operating system. You also see more advanced techniques like hollow memory injection-things like these are extremely difficult to detect.

VMblog:  Can't companies just protect their data by installing anti-virus and anti-malware software?

Chang:  These days, that's not enough of a strategy given the huge amount of attackers and types of variations on ransomware design that I just mentioned. No matter how powerful a given anti-virus (AV) or anti-malware product is, it simply can't effectively protect a business's data from all of the different potential attack vendors lurking out there today. Preventing ransomware from corrupting your system is exceptionally difficult, and AV products can't realistically mitigate the threat.

VMblog:  So what does that mean for businesses?  Is there anything they can do to reliably safeguard their valuable data, or do they just have to hope that they don't get hacked?

Chang:  Fortunately, there is a two-pronged strategy that can give enterprises the maximum data defense. The types of strategies that we were just talking about, AV or anti-malware, are still part of the picture, but they're not the whole thing since they just aren't powerful enough on their own. These are threat-focused strategies that I call "active defense" since you deploy them on the front end to attempt to ward off attacks. But since these tactics aren't foolproof, companies need to pair active defense moves with "reactive defense" on the back end. Reactive defense strategies are data focused rather than threat focused, and their value-added is that they can undo data damage in the event of a successful malware attack.

VMblog:  If a computer gets infected, wouldn't it make sense for the administrator to just restore corporate data from backup?

Chang:  That's a great question. It seems like that would be a logical solution, but the reality is that once data gets infected, the damage amplifies and can affect backups as well. The problem doesn't stay localized on just one computer-it undergoes what I call "infection magnification." This is just another way of saying that a single infected computer can literally lead to triple the pain and triple the damage.

VMblog:  How does that happen?

Chang:  There are basically three layers of storage that all get corrupted from a ransomware infection. First, primary storage becomes corrupted. Ransomware instantly scans for network shares and starts corrupting files on your file server. Next, distributed storage gets corrupted. This is because when you're using cloud sync applications like Dropbox, Google Drive, and Microsoft One Drive, files that are locally corrupted end up synced to the cloud, and then onward from there onto other machines. So remote workers and traveling employees can also be affected when this happens, and it works in reverse too-if their computers are infected while working remotely, then those corrupt files end up spreading back to the home office.

The misery doesn't end there though; backup storage can also be corrupted. If you think about how traditional backup software works, its function is to simply back up whatever files are on the server-it doesn't matter whether those files are corrupted or not, it will back them up. That's a major problem since most backup systems don't have unlimited space for version history. While normally you can store many older versions since they have only a small number of incremental changes, once ransomware strikes, the number of changes made to the incremental backup expands to such a degree that it can completely displace all older backups. So there's no more version history to go back to, and you're left with a useless backup of corrupted files.

VMblog:  Can ransomware attack backups directly?

Chang:  Unfortunately it can and it does. When ransomware attacks a backup directly, it causes corruption just as when it corrupts other types of files. I've heard of companies that were forced to pay the ransom fee because their backup had failed and they hadn't set up any reactive defense strategies to help them access their data after an attack.

VMblog:  Let's talk more about that reactive defense strategy that you mentioned can solve these problems.  How does it work, exactly?

Chang:  The best way to describe how this proactive approach works is to think of it as two layers of defense. The first layer acts to shield your backups, creating a wall between them and any unauthorized processes trying to access them. This shield is always on, around the clock. The second layer of defense adds even more protection to both on-premise and cloud backups by detecting, preserving, alerting, and recovering functions.

The solution starts by running a backup and next scans the file system to detect any encrypted or corrupted files. If it finds anything, the system goes into lockdown mode to save the last clean backup, disable future backup jobs, and alert the administrator about the attack through both email and SMS. Then the administrator can step in to activate IT's response plan, which includes recovering from the preserved, clean backup made possible by this reactive defense strategy.

VMblog:  And, you also mentioned that businesses should use this reactive defense strategy in conjunction with active defenses like anti-malware software?

Chang:  Yes, it's really the combination of these two types of defense strategies that can keep companies from feeling like they have no choice but to pay ransom fees. The goal should be to employ a two-fold solution. The first arm of the strategy, the reactive defense, should be to deploy a system that knows how to look for the types of changes that ransomware causes. After an attack, there are detectable changes in file and directory structure, mangled filenames, and malformed files, like invalid Office documents. The right solution can examine a file's mathematical properties to tell whether it has been encrypted or not.

But you should use this reactive defense as a complementary strategy to active defenses, providing an extra layer of protection that helps you recover your data if you lose it to a malware attack. So on the front end, companies should put up network firewalls, inform users about social engineering, and use AV/anti-malware software and email filtering to attempt to ward off threats the best they can.

VMblog:  It sounds almost like you're recommending a defense ecosystem of sorts?

Chang:  Yes, that's a nice way to put it. Because we know that we can't prevent ransomware infections with active defenses since hackers have learned how to circumvent these strategies, it's vial to employ reactive defenses as well. That way you'll have a shield that can protect your backups as a last line of defense, not to mention a clean backup to use for recovery, which is invaluable. Without this two-pronged system in place, you won't have the same assurance that your data is truly protected.

VMblog:  Do you have any other recommendations when it comes to safeguarding data from ransomware?

Chang:  I'll leave you with this analogy: by using the two-pronged approach to data protection and recovery, it's almost like giving yourself a bouncer and a time machine as your tools. On the front end, your active defense strategies act like a bouncer at a nightclub. Your bouncer helps you identify potential threats, tries to keep them out, and evicts dangerous elements.

But if someone unauthorized gets past your bouncer and wreaks havoc, you also having a time machine-your reactive defense system-that serves as an "undo button," helping you go back in time to protect your content. It rolls back the damage and recovers the data exactly how it was prior to the infection. In other words, this ecosystem approach lets you outsmart ransomware by having a clean backup in place to preserve your data-even if hackers get through your most powerful active defenses.


Published Wednesday, November 15, 2017 8:02 AM by David Marshall
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<November 2017>