Ransomware gets smarter by attacking backups to prevent recovery. To prevent this from happening, take a few simple steps.
Despite the recent decline in the number of attacks, ransomware still poses a significant threat to businesses, and the attacks are becoming more dangerous. In particular, ransomware authors understand that backups are a significant defense and are modifying their malware to track down and destroy them.
Ransomware Numbers Are Declining
McAfee reported a decrease in the number of malware samples over the past year. According to its latest report, in the third quarter of 2019, the number of ransomware samples was less than half of the number at the end of 2018, when it reached about 2.3 million. According to Kaspersky Lab, 765,000 of its users were hit by malware that encrypted files over the past year, compared with more than five million that were attacked by crypto miners.
BitDefender Threat Research Director Bogdan Botezatu says the main reason ransomware attacks are being stopped is that security companies are better protected against them. “There will always be new versions of ransomware, some of which will be more cultivated than others and some more difficult to catch, but we do not wish the ransomware to become much larger in scale,” he says. “At least not more than last year.”
“For several years, ransomware has been the main threat, but the numbers have declined significantly,” said Adam Kujawa, head of malware research at Malwarebytes. However, the ransomware that remains is evolving, he says. For example, malware authors take advantage of the latest exploits, such as the ones leaked from the NSA. “We see them popping up in many relatives of malware,” he says. “When you use this kind of exploit, if you infect one system, you can infect a lot more using these exploits. You're creating a much bigger goal - that's a trend.”
Backups Are the New Target of Ransomware
According to Kujawa, ransomware now deletes any backups it comes across along the way. For example, a common ransomware tactic is to delete the automatic copies of files that Windows creates. “So if you go to system recovery, you can't go back,” he said. “We've also seen how they access shared network drives.”
Two recent examples of ransomware that set their sights on backups are SamSam and Ryuk. In November, the US Department of Justice indicted two Iranians for using the SamSam malware to extort more than $30 million from more than 200 victims, including hospitals. The attackers maximized the damage by launching attacks outside business hours and "encrypting the victims' computer backups," the indictment says.
Most recently, Ryuk hit several major targets, including the Los Angeles Times and the cloud data provider Data Resolution. Ryuk includes a script that removes shadow volumes and backup files, according to security researchers at Check Point. “While this particular malware variant is not specifically designed for backups, it compromises simplified backup solutions that result in storing data on file shares,” says Brian Downey, senior director of product management at Continuum, a Boston-based technology company that offers backup and recovery services.
The most common way involves a Microsoft Windows feature called “Previous Versions,” said Munir Hahad, head of threat research at Juniper Networks. This feature allows users to restore earlier versions of files. “Most ransomware variants delete shadow copy snapshots,” he says, adding that most ransomware attacks will also attack backups on connected network drives.
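Because deleting shadow copies is such a consistent ransomware step, defenders commonly alert on it in process-creation logs. The following is an added example, not part of the original article: the rule set is an illustrative assumption, and the hosts, users and log records are constructed.

```python
import re

# Heuristics for process command lines that delete Volume Shadow Copies
# (the snapshots behind "Previous Versions") or Windows backup catalogs.
# An illustrative rule set for this example, not an exhaustive one.
RULES = {
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(
        r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin_delete_backup": re.compile(
        r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|backup|systemstatebackup)\b", re.I),
}

# Constructed process-creation records (hypothetical hosts and users).
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "svc_backup", "cmd": "vssadmin list shadows"},
    {"host": "WS17", "user": "jdoe",
     "cmd": r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"host": "WS17", "user": "jdoe", "cmd": "wmic.exe shadowcopy delete"},
    {"host": "FS01", "user": "svc_backup",
     "cmd": "wbadmin start backup -backupTarget:E: -include:C:"},
    {"host": "DB02", "user": "SYSTEM", "cmd": "cmd.exe /c wbadmin DELETE CATALOG -quiet"},
]

def match_rules(cmd):
    """Return the names of all rules the command line triggers."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]

def find_backup_tampering(events):
    """Group rule hits per host so one alert covers a burst of deletions."""
    alerts = {}
    for ev in events:
        hits = match_rules(ev["cmd"])
        if hits:
            entry = alerts.setdefault(ev["host"], {"users": set(), "rules": []})
            entry["users"].add(ev["user"])
            entry["rules"].extend(hits)
    return alerts

if __name__ == "__main__":
    for host, info in sorted(find_backup_tampering(SAMPLE_EVENTS).items()):
        print(host, sorted(info["users"]), info["rules"])
```

Listing shadow copies or starting a backup does not trigger an alert; only the delete operations do, so routine backup jobs stay quiet.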
Ransomware Attacks on Backups Are Opportunistic, Not Targeted
However, this does not mean that all backups are vulnerable. According to David Lavinder, chief technology officer at Booz Allen Hamilton, when ransomware hits backups, they are not intentional targets. Depending on the ransomware, it usually works by scanning the system for certain types of files. “If it locates the extension of the backup file, it will encrypt it for sure,” he says.
Ransomware also tries to spread by infecting as many other systems as possible, he says. This is worm-like behavior, as was the case with WannaCry, and more of this activity is expected in the future. “We don't desire to see deliberate targeting of backups, but we do expect to see more attentive efforts,” he says.
You can protect your backups and systems from these new ransomware tactics by taking a few basic precautions.
Supplement Windows Backups With Extra Copies and Third-party Tools
To protect against ransomware that deletes or encrypts local file backups, Kujawa suggests using additional backups, third-party utilities, or other tools that are not part of the default Windows configuration.
Isolate Backups
The more barriers there are between an infected system and its backups, the more difficult it is for ransomware to reach them. One common mistake is using the same authentication method for backups as elsewhere, according to Landon Lewis, CEO of Pondurance, a cybersecurity consulting firm in Indianapolis. “If your user's account is compromised, the first thing an attacker wants to do is to elevate their privileges,” he said.
Store Multiple Copies in Multiple Locations
Lewis recommends that companies keep three different copies of their important files using at least two different backup methods, and at least one of them should be in a different location. Cloud backups provide an easy-to-use off-site backup option, he says. “It is very inexpensive to block online storage. It's hard to argue why someone wouldn't use it as an additional backup method. And if you use a different authentication system, that's even better.” In addition to cloud storage, companies should rely on cloud antivirus for any potential vulnerability.
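The isolation and multiple-copy recommendations above can be checked mechanically against a backup inventory. This is an added example, not part of the original article: the `BackupCopy` fields, finding codes and both sample plans are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:
    name: str
    method: str       # backup mechanism, e.g. "shadow-copy", "file-copy", "cloud"
    site: str         # physical or cloud location holding the copy
    auth_realm: str   # identity system whose accounts can alter the copy
    mounted: bool     # True if production hosts see it as a connected drive

def audit_plan(copies, prod_site, prod_realm):
    """Return finding codes for a backup plan; an empty list means it passes."""
    findings = []
    if len(copies) < 3:
        findings.append("FEWER_THAN_3_COPIES")
    if len({c.method for c in copies}) < 2:
        findings.append("FEWER_THAN_2_METHODS")
    if all(c.site == prod_site for c in copies):
        findings.append("NO_OFFSITE_COPY")
    # A copy survives a compromised production account only if that account
    # cannot authenticate to it and the copy is not a connected drive.
    if not any(c.auth_realm != prod_realm and not c.mounted for c in copies):
        findings.append("NO_ISOLATED_COPY")
    return findings

# Constructed inventories: two local copies sharing the corporate directory,
# then the same plan with a cloud copy under a separate identity system.
WEAK_PLAN = [
    BackupCopy("previous-versions", "shadow-copy", "hq", "corp-ad", True),
    BackupCopy("nas-share", "file-copy", "hq", "corp-ad", True),
]
STRONG_PLAN = WEAK_PLAN + [
    BackupCopy("cloud-vault", "cloud", "cloud-region-a", "cloud-iam", False),
]

if __name__ == "__main__":
    print(audit_plan(WEAK_PLAN, "hq", "corp-ad"))
    print(audit_plan(STRONG_PLAN, "hq", "corp-ad"))
```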