The PivotNine Blog

Ransomware Is Coming For Your Backups

danger-do-not-connect-to-internet.png
18 May 2022
Justin Warren

Veeam have released a survey report about ransomware, and in an interesting twist, the research specifically looked at people who had suffered at least one ransomware attack.

Here's how we've interpreted the results:

  • Most successful attacks use malicious links, usually via email.
  • More than half of people just pay the ransom and get all their data back.
  • Ransomware will come after your backups.
  • Lots of people still use tape for an isolated backup.

Why are links dangerous?

Phishing and malicious links are still the number one entry vector for ransomware, according to Veeam's report. On one level, this is unsurprising: we've been hearing this story for years.

But on another level, this should be surprising, if not alarming. Why is this still a thing?

Links are for clicking. Why, so many years after we learned that clicking on links can be dangerous, have the multi-billion-dollar global enterprises who make the operating systems and email clients not fixed this problem? Why is performing the specific function that hyperlinks have been designed for, since the very beginning of the World Wide Web, potentially harmful to a computer?

PivotNine is unconvinced that this is an inherently intractable problem. We are increasingly of the opinion that it is a result of design choices made by the manufacturers of these products. The security flaws in these products (email clients and operating systems) are not due to deliberate misuse by end users.

End users are attempting to use these products as they were designed to be used. The risks exist because of choices made by the companies that make them. Yet the costs are borne predominantly by the people who buy these products.

Crime pays very well

According to Veeam's report, 52% of the people hit by ransomware just pay up and get their data back. More than half. A further 24% of people pay the ransom but are unable to get all their data back. That means 76% of people are just paying up.

The incentives here are hugely in favour of ransomware gangs. Right now, it is more cost effective for most organisations to be extorted by criminals than to have secure IT. This is a massive indictment on the entire multi-billion-dollar cybersecurity industry. It is a systemic failure on a global scale.

PivotNine believes this calls for a fundamental rethink of the entire approach to ransomware. It will require inviting in people who have been excluded from the conversation thus far, and listening to people who may not tell us things we enjoy hearing. It will require some challenging conversations and acknowledgement of some harsh facts.

Improvement will be impossible without it.

Backups are a target

Apparently ransomware gangs are well aware of how useful backups can be as a way of avoiding payment, so they now routinely seek them out in order to cut off a victim's means of escape. Veeam reckons that backup repositories are targeted in 94% of attacks.

Clearly the answer here is to remove all your backup repositories so that they aren't targeted. Since this is unlikely to be palatable for a variety of reasons, backup repositories will need to be hardened against attack so that they can survive to be useful.

Plenty of people are still using tape for this purpose, which makes a lot of sense. Tape stores lots of data, consumes few resources when not in active use, and is readily disconnected from any computer that could be running ransomware. Cloud is also being used as an almost-disconnected form of data storage, but it's still tricky to configure it correctly to provide tape-like 'disconnected' functionality.
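A hardened repository only helps if you have proven you can restore from it, which is the point the conclusion of this post comes back to. The following is an added example, not PivotNine's or Veeam's code, showing the restore drill a practitioner would run against a tape or object-locked copy. It assumes a workflow where a manifest of file hashes is produced when the backup is taken and kept with the offline copy, protected by an HMAC key that is also kept offline; the drill re-hashes the restored tree and reports anything that differs, so an encrypted, truncated or tampered backup is caught before anyone relies on it. The sample files and the "encrypted" restore are constructed inline.

```python
"""Restore drill for an offline backup copy (added example; assumptions noted inline)."""
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from pathlib import Path

HASH_ALG = "sha256"


def file_digest(path: Path) -> str:
    """Stream a file through the hash so large backups do not need to fit in memory."""
    h = hashlib.new(HASH_ALG)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every regular file under root and sign the listing with the offline key."""
    root = Path(root)
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = file_digest(p)
    payload = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return {"alg": HASH_ALG, "files": files, "hmac": hmac.new(key, payload, HASH_ALG).hexdigest()}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """A manifest the attacker could rewrite proves nothing, so check its HMAC first."""
    payload = json.dumps(manifest["files"], sort_keys=True, separators=(",", ":")).encode()
    expected = hmac.new(key, payload, manifest["alg"]).hexdigest()
    return hmac.compare_digest(expected, manifest["hmac"])


def verify_restore(restored_root: Path, manifest: dict, key: bytes) -> dict:
    """Compare a restored tree against the signed manifest.

    Returns a dict of problems keyed by relative path; an empty dict means the
    restore matches what was backed up. Raises if the manifest fails its HMAC.
    """
    if not manifest_is_authentic(manifest, key):
        raise ValueError("manifest HMAC check failed; do not trust this manifest")
    restored_root = Path(restored_root)
    problems = {}
    for rel, digest in manifest["files"].items():
        p = restored_root / rel
        if not p.is_file():
            problems[rel] = "missing"
        elif file_digest(p) != digest:
            problems[rel] = "content differs"
    # Files that were never backed up are suspicious too (ransom notes, droppers).
    for p in restored_root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(restored_root).as_posix()
            if rel not in manifest["files"]:
                problems[rel] = "unexpected file"
    return problems


def run_drill() -> tuple:
    """Drill on constructed data: a clean restore, a tampered restore, a forged manifest."""
    key = os.urandom(32)  # assumption: generated once and stored offline with the tape
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_bytes(b"date,amount\n2022-05-18,100\n")
        (src / "readme.txt").write_bytes(b"constructed sample data\n")
        manifest = build_manifest(src, key)

        clean = Path(tmp) / "restore_clean"
        shutil.copytree(src, clean)
        clean_result = verify_restore(clean, manifest, key)

        bad = Path(tmp) / "restore_bad"
        shutil.copytree(src, bad)
        (bad / "finance" / "ledger.csv").write_bytes(os.urandom(64))  # "encrypted" in place
        (bad / "README_TO_DECRYPT.txt").write_bytes(b"pay up\n")      # dropped ransom note
        bad_result = verify_restore(bad, manifest, key)

        # An attacker who can edit the manifest to match the encrypted file still fails the HMAC.
        forged = dict(manifest, files=dict(manifest["files"],
                      **{"finance/ledger.csv": file_digest(bad / "finance" / "ledger.csv")}))
        forged_accepted = manifest_is_authentic(forged, key)
    return clean_result, bad_result, forged_accepted


if __name__ == "__main__":
    print(run_drill())
```

The design choice worth noting is that the manifest travels with the offline copy and its key never touches the production backup server: if either lived only on the repository that ransomware is hunting for, the attacker could rewrite both and the drill would pass against an encrypted backup.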

Joking aside, we think there is merit in backup repositories that masquerade as something else, hiding their true nature from attackers so as to avoid being attacked. We look forward to the first camouflaging backup repository feature from whichever vendor is creative enough to implement it.

Conclusion

Ransomware makes exploiting the insecurity of IT systems extremely profitable, and with relatively low risk of being caught. After many years of trying, the IT industry seems unable to address the single main entry point for ransomware: links in email.

Ransomware isn't going away without a major rethink to IT's approach, and given the industry's track record thus far, PivotNine doesn't hold out much hope there.

Absent an industry-wide shift in attitude, clients should invest in a system for backing up their data that they have proven can be relied on to recover from ransomware. Good backups have always been a good idea, but there's just no way to do without them now.

More broadly, we think customers of major operating system vendors should be pressuring them to fix the flaws in their products. They may also like to consider pushing their governments to make product quality legislation apply to commercial software products.

PivotNine is finding it increasingly hard to justify an exemption from product quality legislation for software, especially given the profit margins of the vendors that sell something that so often explodes when used as designed.