Ransomware Archives | TierPoint, LLC
Tue, 07 May 2024 22:13:32 +0000

Understanding M365 Ransomware: Recovery & Prevention Tips
https://www.tierpoint.com/blog/m365-ransomware/
Fri, 26 Apr 2024 00:14:05 +0000

A business of any size can be vulnerable to attacks, particularly ransomware. In 2023, ransomware accounted for one-quarter of all malicious attacks. One reason ransomware has been on the rise is the growing popularity of ransomware as a service (RaaS), which makes it easier than ever for cybercriminals with less sophisticated skills to commit ransomware attacks.

Why M365 is a Ransomware Target

Microsoft 365’s large userbase makes it a particularly attractive target for cybercriminals. Small businesses and large enterprises alike can use M365, so if a vulnerability is found in the system, bad actors can exploit it to gain access to a larger user base compared to less popular platforms.

While M365’s interconnected environment is convenient for businesses, it can pose a greater risk during a ransomware attack, making the spread of encryption or theft easier.

Compromised endpoints, reached through unpatched software vulnerabilities or malware, are popular points of entry for ransomware attackers, but they can also use other ways to gain access to systems. In June 2023, a company experienced a ransomware attack against its SharePoint Online environment that was carried out by a cybercriminal using a Microsoft Global SaaS admin account.

Common Ransomware Attack Vectors

Tactics used by ransomware criminals are constantly changing, but some of the most common attack vectors include:

  • Phishing emails: Criminals send emails posing as legitimate sources, asking for key information or tricking recipients into clicking malicious links.
  • Supply chain attacks: Sometimes, the problem doesn’t start with your business. It starts with a third-party vendor that has been compromised, leading to an attack on your business systems later on.
  • Software vulnerability exploitation: Unpatched M365 vulnerabilities, especially newly disclosed ones that have no fix yet (zero-days), can serve as a backdoor for ransomware.
  • Compromised credentials: Malware, weak passwords, and phishing emails can help cybercriminals gain access to user credentials, allowing them a way to further infiltrate systems.
  • Unsecured remote desktop protocols (RDP): Organizations that use remote access for maintenance or to allow more flexibility for remote workers can be more vulnerable to attacks if the correct configurations are not in place.

The Business Impacts of M365 Ransomware

How M365 ransomware impacts businesses will depend greatly on how much the organization relies on M365 for their critical operations, as well as how many safeguards against ransomware are already in place. For companies that don’t have a plan to recover from ransomware, especially those without backup and data recovery strategies, the fallout from ransomware can be catastrophic.

Disruption of Operations

Because businesses can store so much in their M365 environments, experiencing data inaccessibility as a result of a ransomware attack can bring operations to a grinding halt. Organizations may experience operational paralysis, finding themselves unable to make key decisions that move the business forward, because their files are inaccessible.

Financial Losses

M365 ransomware attacks can inflict a crippling financial blow on businesses. The most immediate hit comes from the ransom itself, which can range from a few thousand to millions of dollars. But the financial losses extend far beyond that initial demand. Negotiations with attackers can drag on, incurring legal or professional fees, and forensic investigations to understand the attack and identify vulnerabilities are expensive endeavors.

Other notable financial losses typically include associated downtime costs, data loss or theft expenses, remediation costs, reputation damage, regulatory fines, additional legal fees, and lost revenue.

Loss of Trust

Data breaches don’t just hurt your finances, they can also permanently harm brand reputations. A business that has experienced a ransomware attack can receive negative publicity. An iffy reputation can also hurt future business opportunities, well after the fallout from an attack has subsided.

Legal and Regulatory Compliance Problems

Some industries require certain safeguards against ransomware. The consequences of ransomware can include legal fines or other regulatory penalties, making compliance crucial for organizations. Non-compliance can also render cyber insurance invalid, resulting in greater financial losses.

How to Prevent an M365 Ransomware Attack

Microsoft 365 operates on a shared responsibility model. While Microsoft is responsible for the infrastructure and underlying system, businesses using it are accountable for protecting their data. This means that preventing a ransomware attack on M365 data requires implementing additional security measures and offering end user training to recognize common threats.

Perform Regular Software Updates

One of the most important steps a business can take in protecting against ransomware is also one of the simplest. When M365 systems have software updates, it’s important to apply them as soon as possible. While some updates may be related to functionality, many have to do with patching newly discovered vulnerabilities.

According to IBM’s Cost of a Data Breach report, approximately 17% of data breaches come from either known, unpatched vulnerabilities (6%) or zero-day vulnerabilities (11%). This means it’s important to stay up-to-date on the most recent threats, as well as not let much time pass before making updates on known issues. Consider implementing automatic updates and scheduling regular patch days for your organization.

Leverage Built-In Protection Features

Microsoft 365 has several built-in security measures that can reduce the threat of ransomware. These tools include Microsoft Defender, Safe Attachments, and Multi-Factor Authentication (MFA). While these tools are not all a business should be using to defend against ransomware, they can serve as a strong first line of defense.

Deploy Additional Layers of Defense

In addition to implementing MFA and other tools native to M365, organizations should consider adding specialized solutions or tools to their ransomware protection plan. For example, data protection is still the responsibility of the business, so managing encryption, protecting sensitive data, and configuring tools to prevent data loss are all tasks for the business to take on.

Establish a Robust Data Backup and Recovery Strategy

Tools added as an additional safeguarding layer can also be part of a larger data backup and recovery strategy. Backup services and tools help a business recover from ransomware attacks by keeping a copy of data at a geographically distinct site, out of reach of the copy that cybercriminals may encrypt. TierPoint’s M365 backup services, for example, allow for automated backups, improved data availability, data protection from ransomware, as well as the implementation of air gapping and immutable backups.

Manage Access Controls and Permissions

There’s no organization where every user requires the same level of access. Different departments, organizational levels, and skill sets will require different access points in an M365 environment. Manage permissions and access controls based on what different segments and individual team members are likely to use in your business. You can always change permissions temporarily for special projects. Plan time to regularly review permissions and make changes as necessary.
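The periodic permission review described above can be scripted once the tenant's assignments have been exported. The following is an added example, not code from TierPoint or Microsoft: the role baselines, permission names, users, grant dates and review date are all constructed for illustration, and the shapes of the `User` and `TemporaryGrant` records are assumptions about how an export would be represented.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Set

# Constructed baseline: the permissions each role needs day to day.
# Role and permission names are hypothetical, not a real M365 permission set.
ROLE_BASELINE = {
    "finance": {"Mail.Read", "Files.Read", "Sites.Read"},
    "engineering": {"Mail.Read", "Files.ReadWrite", "Sites.Read"},
    "it-admin": {"Mail.Read", "Files.ReadWrite", "Sites.FullControl", "Directory.ReadWrite"},
}

@dataclass
class TemporaryGrant:
    permission: str
    expires: datetime   # grants for special projects always carry an expiry
    reason: str

@dataclass
class User:
    upn: str
    role: str
    permissions: Set[str]
    temporary: List[TemporaryGrant] = field(default_factory=list)

def review_user(user: User, now: datetime):
    """Compare one account's assignments with the baseline for its role.

    Returns a list of (finding, permission) tuples; an empty list means the
    account is within least-privilege policy at time `now`.
    """
    baseline = ROLE_BASELINE.get(user.role)
    if baseline is None:
        return [("unknown-role", user.role)]
    active_temp = {g.permission for g in user.temporary if g.expires > now}
    expired_held = {g.permission for g in user.temporary
                    if g.expires <= now and g.permission in user.permissions}
    findings = [("expired-temporary-grant-still-held", p) for p in sorted(expired_held)]
    # Anything beyond the baseline that no live temporary grant explains.
    findings += [("excess-permission", p)
                 for p in sorted(user.permissions - baseline - active_temp - expired_held)]
    # Baseline rights the account lacks, usually a sign the role mapping is stale.
    findings += [("missing-baseline-permission", p) for p in sorted(baseline - user.permissions)]
    return findings

def review_tenant(users, now):
    """Run the review across all accounts; only accounts with findings are returned."""
    report = {u.upn: review_user(u, now) for u in users}
    return {upn: f for upn, f in report.items() if f}

# Constructed sample tenant and review date.
REVIEW_DATE = datetime(2024, 4, 15, tzinfo=timezone.utc)
SAMPLE_USERS = [
    User("alice@example.com", "finance",
         {"Mail.Read", "Files.Read", "Sites.Read", "Sites.FullControl"},
         [TemporaryGrant("Sites.FullControl", datetime(2024, 3, 31, tzinfo=timezone.utc), "Q1 audit site")]),
    User("bob@example.com", "engineering",
         {"Mail.Read", "Files.ReadWrite", "Sites.Read", "Directory.ReadWrite"}),
    User("carol@example.com", "it-admin",
         {"Mail.Read", "Files.ReadWrite", "Sites.FullControl", "Directory.ReadWrite"}),
    User("dave@example.com", "finance",
         {"Mail.Read", "Files.Read", "Sites.Read", "Files.ReadWrite"},
         [TemporaryGrant("Files.ReadWrite", datetime(2024, 5, 1, tzinfo=timezone.utc), "budget rewrite project")]),
]

if __name__ == "__main__":
    for upn, findings in review_tenant(SAMPLE_USERS, REVIEW_DATE).items():
        for finding, perm in findings:
            print(f"{upn}: {finding} {perm}")
```

Run against the sample tenant, the review flags Alice's audit-site grant that expired but was never revoked, and Bob's directory-write right that no role or project explains; Dave's extra right is covered by a still-valid temporary grant and is left alone.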

Provide Education and Require Employee Security Training

Employees can be a significant source of ransomware attacks: from falling victim to phishing emails and social engineering, to lost credentials, to business email compromise, employees account for a significant share of data breaches and malicious attacks. Train employees on best practices for avoiding ransomware to decrease the risk from these attack vectors. You can further test them periodically with simulated phishing emails and other drills.

Data Recovery Options

In general, businesses have one of two options for data recovery – logical or physical. When something is wrong with the physical storage medium itself, physical data recovery is needed to replace damaged parts. Ransomware recovery, however, is mostly a matter of logical data recovery, which involves using data backups, data recovery software, or professional data recovery services to regain access to lost or locked data. TierPoint’s disaster recovery as a service (DRaaS) offerings can help organizations meet their recovery time objectives (RTO) and recovery point objectives (RPO), while restoring access to data through cloud-by-cloud recovery. Other businesses may benefit from backup as a service (BaaS).

How Can You Recover from an M365 Ransomware Attack?

Unfortunately, some businesses start thinking about ransomware attacks only after they’ve experienced one. To begin ransomware remediation and recover from an M365 attack, you need to immediately isolate the infected systems to stop the spread. Then assess network vulnerabilities and prioritize the recovery of critical data and systems to maintain business operations.

However, prevention is truly the best form of protection to avoid a ransomware attack. Managed service providers can assist in crafting and implementing these preventative measures and recovery strategies emphasizing the importance of preparation.

Safeguarding Your M365 Environment Against Ransomware Threats

Successfully safeguarding your M365 environment from ransomware threats requires a multifaceted approach. By employing Microsoft’s tools, bringing in additional resources, and regularly training your staff, you can fortify your M365 environment against attacks. TierPoint’s IT Disaster Recovery Services include Backup and Recovery for Microsoft 365 Powered by Metallic, as well as complementary solutions that can make your environment much less vulnerable. Download our eBook to explore the comprehensive benefits of implementing an M365 data backup and recovery plan.

How to Avoid Ransomware? 13 Best Practices to Prevent an Attack
https://www.tierpoint.com/blog/how-to-avoid-ransomware/
Wed, 10 Apr 2024 22:36:17 +0000

What would happen if, in an instant, you were locked out of your device, with no access to your data or business-critical systems? In an age where individuals and companies are increasingly reliant on computers and data, ransomware can wreak havoc, which can include irretrievable data, leaked information, and other irreversible losses. We’ll talk about how to avoid ransomware, including the types to look out for, common attack vectors, and important preventative measures.

What is Considered Ransomware?

Ransomware is a type of malware that restricts a user or organization’s access to certain data and systems. A ransomware attack carries this out by gaining entry and then encrypting files or blocking access. Sometimes, ransomware infections are accompanied by threats to publish sensitive data. Often, attackers will require an organization to pay a ransom to decrypt and gain access to their data and prevent data exfiltration.

In 2023, known ransomware attacks increased by 68%. Ransomware demands are also getting bigger, with the greatest known demand being $80 million in 2023. About one-quarter of all breaches involve ransomware, making it a significant threat in the digital landscape.

Common Types of Ransomware

There are several common types of ransomware, each with its own characteristics and particular threats. Some of these can also be used in combination.

Encrypting Ransomware

The most common form of ransomware is encrypting ransomware. This is where cybercriminals restrict access to your files by encrypting them using an encryption algorithm. To access their data, businesses must pay a ransom and get a decryption key to begin the data decryption process. 

Locker Ransomware

Instead of encrypting your files, with locker ransomware, hackers prevent access to files, applications, or systems by locking them up. This could look like blocking a screen or keeping users from accessing certain functions on their devices.

Scareware

Scareware relies on fear to get users to act quickly. A typical scareware tactic would include a warning for users to buy software that can fix a false security issue. When users try to install the software, cybercriminals can use it to gain access and encrypt or lock files.

Doxware/Leakware

Much like scareware, doxware (also known as leakware), also depends on fear. Bad actors will claim they have valuable information from the company or user and threaten to leak sensitive data unless they pay a ransom.

Master Boot Record Ransomware

Devices need a Master Boot Record (MBR) to start up. When hackers infect the MBR, they keep the device from operating properly. Essentially, users will not be able to reach the operating system level of the device, so it becomes useless.

Mobile Device Ransomware

Ransomware tends to be the most common on desktop and laptop computers, but mobile ransomware also exists. With mobile ransomware, users are prevented from accessing key files and applications on their smartphones and tablets. Doxware and leakware may also be used in mobile ransomware threats.

How Do You Get Infected by Ransomware?

Just like there are many types of ransomware tactics, there are also many different points of vulnerability for users to get infected by ransomware.

  • Phishing emails: These emails frequently direct users to enter their credentials into a seemingly legitimate website. Once entered, attackers will be able to gain access to the network and upload ransomware. 
  • Remote Desktop Protocol (RDP) attacks: RDP lets someone control a user’s computer remotely, or lets a user reach their work device from home. When organizations have weak RDP configurations, attackers can use them to deploy ransomware. This attack vector is commonly used when firewall policies allow RDP access from internet sources to internal devices.
  • Malvertising: Malvertising can be linked to scareware or seem more benign. Users receive malicious advertisements, and if they click on them, they may infect their devices with ransomware.
  • Pirated software: When users download software from unverified sources, they may become infected with hidden ransomware.
  • Unpatched software: Zero-day vulnerabilities from unpatched software can pose a significant risk to businesses. Patching regularly can reduce the risk of software vulnerabilities.
  • Social engineering: Social engineering is a more sophisticated attack vector that is often used with phishing emails or other methods of impersonation, such as voice calls. Scammers may call pretending to be part of the IT team and ask a user to download malicious software, for example. 

How Do Ransomware Attacks Impact Organizations?

At their smallest, ransomware attacks can be annoying, forcing users to find workarounds to their data through backups, or taking down functions that aren’t mission critical. At their largest, ransomware attacks can bring down entire organizations, grinding processes to a halt and impacting thousands, if not millions, of users at the same time. A recent attack at Change Healthcare, the largest medical claims clearinghouse in the United States, led to the company having to disconnect over 100 systems, making it impossible for them to process medical claims via primary platforms.

Additional impacts to organizations can include:

  • Damaged brand reputation
  • Compromised employee and customer data
  • Legal issues due to a breach or leak of sensitive data
  • Significant unexpected costs – on average, it costs $1.54 million to remediate and recover from an attack
  • Extensive downtime

13 Best Practices for Avoiding Ransomware

While ransomware attacks are always a possibility, taking these proactive measures can significantly reduce the risk of falling victim to common attack vectors or feeling the pressure of paying a ransom demand.

1. Develop Detailed Plans and Policies

You don’t want to be caught off-guard when a ransomware attack happens. By developing an incident response plan and defining roles for your security team to fulfill during a ransomware event, you can act quickly when an incident occurs. Form a ransomware recovery plan with your team and have marching orders in place so you don’t have to second-guess your plan.

2. Conduct Drills and Regular Testing

Once you’ve created a response and recovery plan, test it regularly. You can create drills that simulate what an attack would be like to ensure the remediation steps you plan on taking will work. Businesses can use what they’ve learned during ransomware drills to improve their processes and be even more prepared for an attack.

3. Use a Zero Trust Architecture

The strictest access method you can implement is zero trust architecture, where all users are required to authenticate each time they try to access the network. Preventing automatic logons will reduce the chance of unauthorized users accessing the network.

4. Maintain Backups

Maintaining backups of network data is the most effective way to restore network and data access and recover from a ransomware attack without paying the ransom. According to Cybereason’s Ransomware: The Cost to Business Study 2024, only 47% of organizations that pay the ransom gain access to their uncorrupted data, leaving 53% of organizations without access to their encrypted data even after cooperating with attackers. Consider employing traditional or air-gapped backups as part of your ransomware recovery plan.

5. Routinely Update and Patch Systems

Software vulnerabilities are an easy way cybercriminals can compromise your network and access data. Patching and updating your systems regularly can cut down on zero-day vulnerabilities, making it more difficult for bad actors to access back doors to your systems.

6. Review Port Settings

Block any unused ports, which can be cracked doors for ransomware attacks. Alternatively, allow only the ports you need through an explicit firewall policy. If you choose the latter route, be sure to study and apply the principle of least privilege (POLP) when creating your firewall policies and configuring user access management. When following this principle, it’s particularly important to do the following:

  • Tighten your firewall rules to only allow essential network traffic. This helps block ransomware’s lateral movement, as it often uses unusual ports to evade detection.
  • Give users only the access they need to do their jobs. This minimizes data breaches and damage from compromised accounts.

Additionally, implement multi-factor authentication (MFA) as an additional layer of security for network resource access. By requiring extra verification steps beyond passwords, it severely hinders ransomware attacks that rely on stolen credentials or phishing scams.
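The "only essential traffic" and "RDP from the internet" points above can be checked mechanically against an exported rule set. This added example is not TierPoint's code or any firewall vendor's: the rule format (CIDR source and destination, a port list or `"any"`, first-match order with a closing deny) and the list of administrative ports are assumptions, and the sample policy is constructed. It also generalizes the RDP case to other administrative protocols and to internal segment-to-segment rules, which is where lateral movement is blocked.

```python
import ipaddress

# Constructed watchlist of administrative services that should not be reachable
# from the internet and should not be open between internal segments by default.
ADMIN_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 5985: "WinRM"}

def _inside(net, internal_nets):
    """True if `net` lies entirely within one of the internal address ranges."""
    return any(net.subnet_of(n) for n in internal_nets)

def lint_rules(rules, internal_nets):
    """Check an ordered list of firewall rules against least-privilege expectations.

    Each rule is a dict with id, action ("allow"/"deny"), src and dst (CIDR strings),
    and ports (a list of ints or the string "any"). Returns (rule id, finding) tuples.
    """
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    anywhere = ipaddress.ip_network("0.0.0.0/0")
    findings = []
    default_deny = False
    for r in rules:
        src, dst = ipaddress.ip_network(r["src"]), ipaddress.ip_network(r["dst"])
        if r["action"] == "deny":
            if src == anywhere and dst == anywhere and r["ports"] == "any":
                default_deny = True      # a closing "deny everything else" rule exists
            continue
        src_internal, dst_internal = _inside(src, internal), _inside(dst, internal)
        if r["ports"] == "any":
            findings.append((r["id"], "allows-any-port"))   # not an essential-traffic rule
            continue
        for port in r["ports"]:
            name = ADMIN_PORTS.get(port)
            if name is None:
                continue
            if not src_internal and dst_internal:
                findings.append((r["id"], f"{name}-exposed-to-internet"))
            elif src_internal and dst_internal and not src.overlaps(dst):
                # Admin protocol open from one internal segment to another:
                # the path ransomware uses to move laterally.
                findings.append((r["id"], f"{name}-open-across-segments"))
    if not default_deny:
        findings.append(("*", "no-default-deny-rule"))
    return findings

# Constructed sample policy for a 10.0.0.0/8 estate split into /24 segments.
SAMPLE_RULES = [
    {"id": "R1", "action": "allow", "src": "0.0.0.0/0",   "dst": "10.0.1.0/24",  "ports": [3389]},
    {"id": "R2", "action": "allow", "src": "0.0.0.0/0",   "dst": "10.0.2.10/32", "ports": [443]},
    {"id": "R3", "action": "allow", "src": "10.0.3.0/24", "dst": "10.0.1.0/24",  "ports": "any"},
    {"id": "R4", "action": "allow", "src": "10.0.1.0/24", "dst": "10.0.2.0/24",  "ports": [445]},
    {"id": "R5", "action": "allow", "src": "10.0.9.0/24", "dst": "10.0.9.0/24",  "ports": [445]},
    {"id": "R6", "action": "deny",  "src": "0.0.0.0/0",   "dst": "0.0.0.0/0",    "ports": "any"},
]
INTERNAL_NETS = ["10.0.0.0/8"]

if __name__ == "__main__":
    for rule_id, finding in lint_rules(SAMPLE_RULES, INTERNAL_NETS):
        print(f"{rule_id}: {finding}")
```

On the sample policy the linter reports the internet-facing RDP rule (R1), the catch-all "any port" rule between two segments (R3) and SMB open from one segment to another (R4); the HTTPS rule to a single published host (R2) and SMB kept inside one segment (R5) pass.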

7. Harden Endpoints

Fortifying endpoints diminishes potential weaknesses that hackers could leverage for malicious purposes. This process encompasses deploying and updating anti-malware solutions capable of identifying and neutralizing ransomware before it can encrypt data or propagate across the network. Additionally, it includes implementing other security measures like regular patching, disabling unnecessary services, and applying strict access controls.

8. Perform Network Segmentation

Ransomware can do more damage the more it is given the chance to spread. Network segmentation can help you cut ransomware infiltrations off at the pass and limit the amount of damage that attacks can do.

9. Implement Web Application Firewalls

To better protect your network resources that can be accessed via the internet, utilize web application firewalls (WAFs). This type of firewall scrutinizes incoming web traffic, acting as a gatekeeper to thwart malicious requests that could potentially exploit vulnerabilities in web applications. By meticulously filtering out hazardous inputs, WAFs erect a formidable barrier, preventing attackers from delivering ransomware or exploiting weaknesses to gain unauthorized access. These robust security solutions serve as a critical shield, fortifying defenses against the initial vectors commonly employed in ransomware campaigns.

10. Leverage UTM Security Capabilities Within Firewalls

Unified threat management (UTM) offers a multi-layered defense at the network level, encompassing antivirus, intrusion prevention and web filtering, alongside other robust security features. These features enable UTM solutions to detect and neutralize ransomware signatures within network traffic, preventing them from infiltrating network resources and compromising systems. Additionally, web content filtering fortifies defenses by restricting access to malicious websites that could potentially deploy ransomware onto users’ computers, mitigating the risk of infection from external sources.

11. Consider Incorporating Email Gateway Security and Sandboxing

Organizations looking to take their email security up a notch can add advanced multilayered protection against email-borne threats through email gateway security measures, filtering out suspicious emails before they reach a user’s inbox. Sandboxing can also improve email security by opening unknown links, senders, or file types in a safe, isolated testing environment.

12. Use Advanced Security Solutions

Security information and event management (SIEM) solutions aggregate and analyze data streams from diverse sources across the network in real-time, facilitating the identification of suspicious activities and potential threats. By harnessing advanced analytics, correlation rules, and threat intelligence, SIEM systems can detect indicators of compromise early. This proactive approach enables response and mitigation actions to be quickly taken, preventing the propagation of ransomware and minimizing its impact on the organization.
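A correlation rule of the kind a SIEM runs can be illustrated on a handful of events. The following is an added example, not code from TierPoint or any SIEM product: the key=value log format, the two rules (a burst of file renames to a suspicious extension by one account, and a run of failed logons followed by a success from the same source), the extension watchlist and the thresholds are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry in a simple key=value format (not a real product's format).
SAMPLE_LOGS = """\
2024-04-10T09:00:00Z host=FS01 event=logon_failed user=admin src=203.0.113.7
2024-04-10T09:00:05Z host=FS01 event=logon_failed user=admin src=203.0.113.7
2024-04-10T09:00:09Z host=FS01 event=logon_failed user=admin src=203.0.113.7
2024-04-10T09:00:14Z host=FS01 event=logon_success user=admin src=203.0.113.7
2024-04-10T09:01:00Z host=FS01 event=file_rename user=msmith path=/share/hr/roster.xlsx new=roster.xlsx.bak
2024-04-10T09:02:00Z host=FS01 event=file_rename user=jdoe path=/share/finance/q1.xlsx new=q1.xlsx.locked
2024-04-10T09:02:03Z host=FS01 event=file_rename user=jdoe path=/share/finance/q2.xlsx new=q2.xlsx.locked
2024-04-10T09:02:05Z host=FS01 event=file_rename user=jdoe path=/share/finance/q3.xlsx new=q3.xlsx.locked
2024-04-10T09:02:08Z host=FS01 event=file_rename user=jdoe path=/share/finance/q4.xlsx new=q4.xlsx.locked
2024-04-10T09:02:11Z host=FS01 event=file_rename user=jdoe path=/share/finance/budget.docx new=budget.docx.locked
2024-04-10T09:02:12Z host=FS01 event=file_rename user=jdoe path=/share/finance/notes.txt new=notes.txt.locked
2024-04-10T09:15:00Z host=FS01 event=logon_success user=msmith src=10.0.5.20
"""

SUSPICIOUS_EXTENSIONS = (".locked", ".encrypted", ".crypt")   # constructed watchlist
RENAME_THRESHOLD, RENAME_WINDOW = 5, timedelta(seconds=60)   # assumed tuning values
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)

def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts_text, *fields = line.split()
    event = {k: v for k, v in (f.split("=", 1) for f in fields)}
    event["ts"] = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return event

def correlate(lines):
    """Apply both rules over a stream of log lines; returns the alerts raised."""
    alerts = []
    renames = defaultdict(deque)    # user -> timestamps of suspicious renames in window
    burst_reported = set()          # raise the burst alert once per user
    failures = defaultdict(deque)   # (user, src) -> timestamps of failed logons in window
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        ts = ev["ts"]
        if ev["event"] == "file_rename" and ev["new"].endswith(SUSPICIOUS_EXTENSIONS):
            q = renames[ev["user"]]
            q.append(ts)
            while ts - q[0] > RENAME_WINDOW:      # slide the window forward
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and ev["user"] not in burst_reported:
                burst_reported.add(ev["user"])
                alerts.append({"rule": "encryption-burst", "user": ev["user"], "host": ev["host"],
                               "first_seen": q[0].isoformat(), "count": len(q)})
        elif ev["event"] == "logon_failed":
            q = failures[(ev["user"], ev["src"])]
            q.append(ts)
            while ts - q[0] > FAIL_WINDOW:
                q.popleft()
        elif ev["event"] == "logon_success":
            q = failures.get((ev["user"], ev["src"]))
            if q:
                while q and ts - q[0] > FAIL_WINDOW:
                    q.popleft()
                if len(q) >= FAIL_THRESHOLD:
                    alerts.append({"rule": "failed-logons-then-success", "user": ev["user"],
                                   "src": ev["src"], "failures": len(q)})
                q.clear()
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)
```

The sliding-window deques are what make the rule a correlation rather than a simple count: the same six renames spread over a working day would never trip it, while five inside a minute do, and the single `.bak` rename by another user never enters the window at all.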

13. Invest in User Education

Employees and users are common attack vectors. Cybercriminals use phishing emails, scareware, malvertising, and more. Training these users on common ransomware tactics, and what to look out for, is the best way to reduce the likelihood they will expose your organization to threats. Implement ongoing education and consider periodic testing that mimics common attack strategies to keep users sharp.

How to Stay Up-to-Date on the Latest Ransomware Threats

Ransomware threats are changing rapidly. Businesses that can stay up-to-date on the latest threats will stand to fare the best in an evolving threat landscape. Cybersecurity teams should lean on reliable and reputable resources to stay current:

  • CISA and NCSC: The Cybersecurity & Infrastructure Security Agency (CISA) in the US and the National Cyber Security Center (NCSC) in the UK are governmental agencies that provide alerts and guidance on ransomware threats and mitigation.
  • CSA: The Cloud Security Alliance offers guidance on ransomware protection, as well as other cloud security best practices.
  • SANS Institute: This cybersecurity institute publishes reports and research papers on ransomware threats.
  • Threat Intelligence Feeds: Certain cybersecurity companies publish threat intelligence feeds with real-time updates on ransomware attack methods and current variants.

Leveraging IT Security Expertise to Avoid Ransomware

Staying one step ahead of ransomware threats requires a multi-layered approach and a wealth of experience. IT teams struggling to keep up with the latest news while keeping normal operations afloat can benefit from the advice and services of an external cybersecurity expert or team.

TierPoint’s IT security solutions can help you identify weaknesses, opportunities for more robust security measures, and best practices for responding to potential attacks. Whether you’re looking for the last pieces to round out your disaster recovery and business continuity planning, or you don’t know where to start, we can help.

Download our whitepaper to learn more about how to prevent, detect, and recover from ransomware attacks.

Ransomware Remediation: Effective Response & Prevention Guide
https://www.tierpoint.com/blog/ransomware-remediation/
Tue, 02 Apr 2024 22:41:29 +0000

Ransomware is an ever-present problem in today’s business world, and is becoming more accessible for bad actors through ransomware as a service (RaaS). In March 2024, it was reported that a transaction involving 350 bitcoins (worth approximately $22 million USD) was sent to AlphV/BlackCat, a notorious hacker involved with RaaS. This transfer is suspected of being connected to a ransomware attack targeting the healthcare organization, Change Healthcare. The moments after a business experiences a ransomware attack are critical. Every decision made can result in substantial, long-ranging consequences, including increased ransoms, additional threats, and lasting damage to business revenue and reputation.

In these high-pressure scenarios, remediation should be the focus. We’ll discuss what ransomware remediation is, how it works, and the strategies organizations can implement to limit the impact of ransomware attacks.

What is Ransomware Remediation?

Ransomware remediation details the steps a business will take to recover from a ransomware attack. Even when businesses have plans to combat ransomware at its root, it can be difficult to avoid an attack. Hackers are constantly evolving their methods and approaches to find vulnerabilities in their victims’ systems. While it’s important to grow and change your cybersecurity methods over time, it’s equally important to be realistic and plan for the worst-case scenarios.

How Does it Work?

A ransomware remediation process starts with containing the ransomware, preventing it from spreading and encrypting additional files. From there, the ransomware should be removed. Then the recovery process begins, where files will be restored from secure backups. Finally, the attack may need to be reported to the authorities as well as all relevant parties, and the incident should be reviewed to identify and eliminate vulnerabilities that could cause future incidents.

Key Considerations for Effective Ransomware Remediation

Ransomware remediation can be most effective if you prioritize your recovery efforts, conduct an impact assessment, secure your evidence, communicate to necessary parties, and understand the full legal implications of ransomware attacks and your required response to them.

[Figure: a list of key considerations for effective ransomware remediation]

Prioritization for Recovery Efforts

Not every file or workload is mission-critical for your business. Your recovery efforts should be focused first on sensitive data and applications that are necessary to keep your core operations running. Prioritizing can speed up and simplify the recovery process.

Impact Assessment

Fixing the problems caused by ransomware attacks means that you need to start by assessing the damage. How many devices and systems have been affected by the ransomware? What data has been lost, either temporarily or permanently? And how severely are core operations impacted from the initial attack and its spread?

Secure Evidence

Businesses looking to mount a legal response to a ransomware attack will need to collect and document evidence along the way. Be sure to do this on a device that is not affected. It’s also a good idea to isolate the systems that have already been infected with ransomware to keep from tampering with evidence.

Communication Plans

Transparency and clear communication will help you build and secure trust with key stakeholders during the ransomware remediation process. Create a plan that can be executed as needed for communicating with employees, management, law enforcement, and important external relationships, including vendors, partners, and customers. Your remediation strategy should include a plan for who to share information with and when.

Legal Implications

Ransomware attacks can include legal ramifications. For example, you may be required to report the attack to authorities depending on your industry or the nature of your business. There may also be legal repercussions should you choose to pay the ransom.

Ransomware Remediation Strategies

After identifying the problem and alerting the proper organizational contacts to the ransomware attack, your business should engage in these 7 key strategies as part of a comprehensive ransomware remediation plan.

[Figure: ransomware remediation steps]

Containment and Isolation

Ransomware can spread quickly if not contained. Section off infected devices by disconnecting them from the network, or even taking the entire network offline in more severe cases. To aid in forensic investigations, capture system images and volatile memory contents of the infected devices. System images provide a complete snapshot of device storage, and volatile memory contents can hold forensic clues for what happened during the inciting incident.
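Securing evidence (the earlier "Secure Evidence" consideration) and capturing system images and memory (this step) both depend on being able to show later that nothing was altered. The following added example, which is not TierPoint's code or part of any forensic toolkit, records captured artifacts in a hash-chained manifest and re-verifies them; the artifact names, hosts and byte contents are constructed stand-ins for real image and memory files, and the manifest layout is an assumption.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(artifacts, collector, collected_at):
    """Record each artifact's digest; every entry also commits to the previous entry.

    artifacts: ordered list of (name, source_host, bytes). Chaining means an entry
    cannot be removed or reordered later without breaking verification.
    """
    entries, prev = [], "0" * 64
    for name, host, data in artifacts:
        entry = {"name": name, "source_host": host, "size": len(data),
                 "sha256": sha256_hex(data), "collector": collector,
                 "collected_at": collected_at.isoformat(), "prev": prev}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        entries.append(entry)
        prev = entry["entry_hash"]
    return entries

def verify_manifest(manifest, artifacts_by_name):
    """Re-check the chain and the artifacts; returns (name, problem) tuples, [] if clean."""
    problems, prev = [], "0" * 64
    for entry in manifest:
        fields = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or sha256_hex(json.dumps(fields, sort_keys=True).encode()) != entry["entry_hash"]:
            problems.append((entry["name"], "manifest-entry-tampered"))
        data = artifacts_by_name.get(entry["name"])
        if data is None:
            problems.append((entry["name"], "artifact-missing"))
        elif sha256_hex(data) != entry["sha256"]:
            problems.append((entry["name"], "artifact-modified"))
        prev = entry["entry_hash"]
    return problems

# Constructed sample: two captures from one workstation (tiny byte strings stand in
# for a disk image and a memory dump).
COLLECTED_AT = datetime(2024, 4, 10, 10, 30, tzinfo=timezone.utc)
SAMPLE_ARTIFACTS = [
    ("ws-17.raw", "WS-17", b"constructed disk image contents"),
    ("ws-17.mem", "WS-17", b"constructed volatile memory contents"),
]

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_ARTIFACTS, "analyst-1", COLLECTED_AT)
    print(json.dumps(manifest, indent=2))
    print("verify:", verify_manifest(manifest, {n: d for n, _, d in SAMPLE_ARTIFACTS}))
```

Keep the manifest on a system that was not part of the incident, as the text advises for all evidence handling; the chain only proves that the manifest and artifacts match each other, so the manifest itself must be stored where the attacker had no access.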

Alert Law Enforcement and Cybersecurity Experts

Once you’ve contained and isolated problem devices, consult with security vendors and law enforcement authorities if required, who can provide further guidance and assistance with how to best approach remediation and potentially legal action.

Ransomware Identification and Eradication

After you feel like you’ve contained the problem, it’s time to identify and eradicate the cause, potentially with the help of outside experts. The type of ransomware infecting the system (such as scareware or locker ransomware) will also help you identify how to remove all traces of it from your systems. This might entail wiping your systems clean, rebuilding infected parts, resetting passwords, and addressing vulnerabilities in your current configurations.

Cybersecurity experts may have decryption tools your organization can use to restore your files. However, if decryption isn’t a possibility, you’ll want to restore data from backups to a clean environment.

Communication and Recovery

The recovery process takes time. Prioritize the systems that are most important to keeping your business functional, and communicate with employees, customers, and other key stakeholders so they know what to expect in the days and weeks to come.

Data Restoration and Backups

One of the best ways to defend your business against ransomware and other data breaches is by implementing a strong backup system that includes immutable and air-gapped backups. Now is the time to plan the failover to your recovery environment using your established recovery practices which should encompass your recovery point objectives (RPO) and recovery time objectives (RTO). Ensure that backups remain isolated to prevent them from being encrypted.
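Whether a backup can actually be relied on in a ransomware recovery comes down to a few checkable properties: it is intact, it is immutable for longer than the incident, it is isolated from the production network, and it is recent enough to meet the RPO. The following added example, not TierPoint's or any backup product's code, checks a set of backup copies against those properties; it serves this step as well as the earlier "Maintain Backups" and M365 backup passages. The `BackupCopy` record, the copy identifiers, dates and byte payloads are all constructed, and the 24-hour RPO is an assumption.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class BackupCopy:
    copy_id: str
    taken_at: datetime
    location: str
    immutable_until: Optional[datetime]  # retention lock expiry; None means the copy can be altered
    air_gapped: bool                     # not reachable from the production network
    sha256: str                          # digest recorded when the copy was written
    payload: bytes                       # constructed stand-in for the backup data

def integrity_ok(copy: BackupCopy) -> bool:
    return hashlib.sha256(copy.payload).hexdigest() == copy.sha256

def assess_backups(copies, now, rpo_hours):
    """Find copies a ransomware recovery could rely on and check the newest one against the RPO."""
    rpo = timedelta(hours=rpo_hours)
    issues, resilient = [], []
    for c in copies:
        if not integrity_ok(c):
            issues.append((c.copy_id, "integrity-mismatch"))   # altered or corrupted, never restore from it
            continue
        flaws = []
        if c.immutable_until is None or c.immutable_until <= now:
            flaws.append("not-immutable")        # an attacker with the credentials could encrypt or delete it
        if not c.air_gapped:
            flaws.append("not-air-gapped")       # reachable from the environment that was compromised
        issues += [(c.copy_id, f) for f in flaws]
        if not flaws:
            resilient.append(c)
    newest = max(resilient, key=lambda c: c.taken_at, default=None)
    rpo_met = newest is not None and now - newest.taken_at <= rpo
    if newest is not None and not rpo_met:
        age_h = (now - newest.taken_at).total_seconds() / 3600
        issues.append((newest.copy_id, f"rpo-violated: newest resilient copy is {age_h:.1f}h old"))
    return {
        "resilient_copies": [c.copy_id for c in resilient],
        "recovery_candidate": newest.copy_id if newest else None,
        "rpo_met": rpo_met,
        "issues": issues,
    }

def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: a mutable cloud copy, a good vault copy from the day before,
# and a vault copy whose contents no longer match the recorded digest.
UTC = timezone.utc
NOW = datetime(2024, 4, 10, 12, tzinfo=UTC)
SAMPLE_COPIES = [
    BackupCopy("daily-0410", datetime(2024, 4, 10, 2, tzinfo=UTC), "primary-cloud", None, False,
               _digest(b"mailbox+sharepoint export 0410"), b"mailbox+sharepoint export 0410"),
    BackupCopy("vault-0409", datetime(2024, 4, 9, 2, tzinfo=UTC), "offsite-vault",
               datetime(2024, 5, 9, tzinfo=UTC), True,
               _digest(b"mailbox+sharepoint export 0409"), b"mailbox+sharepoint export 0409"),
    BackupCopy("vault-0410", datetime(2024, 4, 10, 2, tzinfo=UTC), "offsite-vault",
               datetime(2024, 5, 10, tzinfo=UTC), True,
               _digest(b"mailbox+sharepoint export 0410"), b"mailbox+sharepoint export 0410 (altered)"),
]

if __name__ == "__main__":
    result = assess_backups(SAMPLE_COPIES, NOW, rpo_hours=24)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With a 24-hour RPO the only usable copy is the previous day's vault copy, which is 34 hours old, so the assessment names it as the recovery candidate but reports the RPO as missed; the fresher cloud copy is rejected because it is neither immutable nor isolated, and the fresher vault copy because its contents no longer match their digest.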

Post-Incident Review and Reporting

While you can’t protect against every potential threat, a post-incident review can help you summarize what you’ve learned from the recent ransomware attack and what you are changing in the future to prevent similar events from happening.

How to Prevent Future Ransomware Attacks After Remediation

After the ransomware remediation process, it’s important to consider what changes you can make to prevent the impact or likelihood of future attacks. Don’t forget to take these preventative measures after the urgency subsides.

Perform Routine Updates and Patching

Zero-day vulnerabilities serve as a common entry point for ransomware. Some businesses engage in routine updates and patching on “Patch Tuesday,” the second Tuesday of the month, when companies like Microsoft and Oracle commonly release patches for their software. Keeping a regular schedule, no matter what it is, is a great way to address known security shortcomings.

Leverage Tools and Software

Much of the work needed to prevent ransomware attacks can come from security software, such as antivirus, anti-malware, and endpoint detection and response (EDR) tools. The right tools can identify and block incoming threats before they get on your radar.

Conduct Employee Security Training

Employees are another common attack vector. Cybercriminals will use social engineering tactics, including highly targeted messages (spear phishing) to try to gain access to your systems. By regularly training employees on what to look for and how to spot potential threats, you can greatly reduce the risk of attacks from employee sources.

Apply User Permission Restrictions

Restrict user permissions in your systems to only include what’s necessary for them to perform their job functions. If an account gets compromised, this can reduce the potential damage to the rest of your organization. For special cases, you can always supply temporary additional access.

Complete Regular Vulnerability Assessments and Tests

In addition to regularly patching, conduct vulnerability assessments to fix problems before they can be exploited. With penetration testing, organizations can simulate the impact of an attack and find issues before the “real thing” happens.

Implement Continuous Monitoring and Analysis

Continuous monitoring detects patterns and anomalies in your environment, which can allow you to more quickly identify suspicious behavior that may be indicative of:

  • A potential ransomware attack
  • A malware infection
  • Another cybersecurity threat

One way you can do this is by adding security information and event management (SIEM) tools to your processes.
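As an added example (not TierPoint's code), the following Python applies two SIEM-style heuristics to constructed file-audit lines: a burst of write/rename events from one host and user, and many files renamed with the same appended suffix, the pattern an encryptor leaves behind. The log format, hostnames and thresholds are assumptions for illustration.

```python
"""Heuristic detector for mass file-encryption behaviour in file-audit logs.

Added example, not TierPoint's code. The log format and thresholds are
constructed for illustration; a real SIEM rule would read the file-server
or EDR audit source and tune the thresholds to the environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed one-line-per-event audit format (hypothetical, not a real product's).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"path=(?P<path>\S+)(?: new_path=(?P<new_path>\S+))?$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_event(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev


def appended_suffix(ev):
    """For a RENAME that only appended a suffix (q1.xlsx -> q1.xlsx.locked),
    return that suffix; otherwise return None."""
    if ev["action"] != "RENAME" or not ev.get("new_path"):
        return None
    old, new = ev["path"], ev["new_path"]
    return new[len(old):] if new.startswith(old + ".") else None


def detect(lines, window=timedelta(seconds=60), rate_threshold=20, suffix_threshold=10):
    """Return {(host, user): [reasons]} for principals showing ransomware-like activity.

    Two indicators, evaluated per (host, user):
      - "burst": at least rate_threshold WRITE/RENAME events inside one sliding window
      - "mass-rename:<suffix>": at least suffix_threshold files renamed with the
        same appended suffix, the classic sign of an encryptor marking its output
    """
    recent = defaultdict(deque)                      # key -> timestamps inside the window
    suffix_counts = defaultdict(lambda: defaultdict(int))
    alerts = {}

    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["action"] not in ("WRITE", "RENAME"):
            continue
        key = (ev["host"], ev["user"])

        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:       # drop events that fell out of the window
            q.popleft()
        if len(q) >= rate_threshold:
            alerts.setdefault(key, set()).add("burst")

        suffix = appended_suffix(ev)
        if suffix:
            suffix_counts[key][suffix] += 1
            if suffix_counts[key][suffix] >= suffix_threshold:
                alerts.setdefault(key, set()).add(f"mass-rename:{suffix}")

    return {key: sorted(reasons) for key, reasons in alerts.items()}


def sample_log():
    """Constructed audit lines: a user editing a few documents, and a host that
    renames 25 spreadsheets to *.locked within half a minute."""
    base = datetime(2024, 4, 26, 10, 0, 0)
    lines = []
    for i in range(5):
        t = (base + timedelta(minutes=3 * i)).strftime(TS_FMT)
        lines.append(f"{t} host=ws-02 user=asmith action=WRITE path=/share/hr/report{i}.docx")
    for i in range(25):
        t = (base + timedelta(seconds=i)).strftime(TS_FMT)
        path = f"/share/finance/q{i:02d}.xlsx"
        lines.append(f"{t} host=ws-17 user=jdoe action=RENAME path={path} new_path={path}.locked")
    return lines


if __name__ == "__main__":
    for key, reasons in detect(sample_log()).items():
        print(f"ALERT host={key[0]} user={key[1]}: {', '.join(reasons)}")
```

Only the mass-renaming host is flagged; the user editing a handful of documents never crosses either threshold.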

Review and Update Your Disaster Recovery Plan

Penetration testing is one way you can review your preparedness for ransomware and other disasters, but it should also be part of a larger disaster recovery plan. Review your lessons learned, update systems before the next incident or attack, and remember that maintaining your security posture is an ongoing engagement, not a one-off project, so testing should take place often.

Don’t Wait Until It’s Too Late to Prepare for Ransomware

The evolving threat landscape is likely to outpace your internal technologies and teams. Businesses need to work with strategic partners who can scale with the scope of new threats and secure trust from the inside out. TierPoint’s security and disaster recovery experts are here to help you stay ahead of the curve and meet new challenges proactively. Learn more about ransomware and our approach to emerging threats in our eBook.

Learn more about our Disaster Recovery as a Service (DRaaS) and other solutions that can mitigate ransomware’s effects. Download our infographic to learn 13 steps to creating an effective disaster recovery plan.

FAQs

How Damaging is Ransomware?

Ransomware is incredibly damaging and can be something businesses do not recover from if they don’t have solid backup and disaster recovery plans. Organizations can experience data loss, financial loss, downtime, and irreparable damage to their reputation.

What Are the Steps Involved in Ransomware Remediation?

Ransomware remediation generally involves containment, isolation, impact assessments, securing evidence, identifying and eradicating ransomware, decrypting and restoring files, communicating the recovery process, and conducting a post-incident review.

Should I Enable Ransomware Remediation?

No matter how well you think your preventative measures are working, no business is 100% protected against ransomware attacks. Ransomware remediation is important to ensure your organization will be able to recover if you experience a ransomware attack.

How to Develop a Ransomware Recovery Plan & Prevent an Attack https://www.tierpoint.com/blog/ransomware-recovery-plan/ Wed, 21 Feb 2024 23:24:14 +0000 https://www.tierpoint.com/?p=23537

A ransomware recovery plan is essential in today’s digital age, as an attack can infiltrate a business in many ways and cybercriminals are continuing to find new entry points to breach IT defenses rapidly. Cybercriminals may use phishing messages to build trust and work their way in, they may find a software vulnerability and sneak in the back door, or they may find another way to gain access, such as malware. The most common attack vectors identified in Q2 2023, according to Coveware, were email phishing and remote desktop protocol (RDP) compromise. Some criminals are even purchasing kits to implement ransomware through ransomware as a service (RaaS).

Once a ransomware attack occurs, the clock starts on recovery. If your business doesn’t have a ransomware recovery plan, the fallout can be costly, resulting in a loss of revenue, productivity, and even trust in your organization. We’ll talk about the significance of ransomware recovery to your business and the essential components that should be included within your recovery plan.

What is a Ransomware Recovery Plan?

A ransomware recovery plan is a framework that empowers businesses to regain control and restore business continuity, ideally without succumbing to ransom demands from cybercriminals. It is best done long before a threat arises and should include any and all steps needed to get your business back to normal after an attack. A ransomware recovery plan should outline all systems and data critical to your business, define a process for backing up your data, determine how ransomware will be found and removed, detail a plan for restoring systems and data, and dictate a communication plan that can be used to inform all key contacts about what to do during and after a ransomware attack.

This proactive approach not only protects critical data but also avoids the financial and reputational risks associated with ransom payments. Keep in mind that while paying the ransom may seem like the quickest solution, it’s a gamble with no guarantee of complete data recovery and further vulnerabilities down the line. So, the most empowering and ultimately cost-effective strategy lies in a robust ransomware recovery plan.

Why a Ransomware Recovery Plan is Essential

You may think that creating a ransomware recovery plan is excessive. Maybe you think your organization is small and will fly under the radar of bad actors. This is where most businesses go wrong. While the median size of companies that have been attacked by ransomware is increasing, according to Coveware, two-thirds of companies that are victims of ransomware have fewer than 1,000 employees, with 30% of companies having under 100 employees; and per a recent Business Impact Report, 73% of small business owners in the US reported a cyberattack in 2022. Regardless of your size, having a recovery plan for ransomware is essential.

How a Ransomware Recovery Plan Works

Incident Response (IR) Plan

There should be no question about what your business will do next after discovering an attack. An incident response (IR) plan should include short-term and long-term actions you will take in response to an attack and reduce the likelihood of future attacks. Develop a plan of action, including immediate containment, to respond to an attack.

Make sure the IR plan answers the following questions:

  • What steps will you take to collect the necessary data to understand the source, nature, and scope of the ransomware attack?
  • How will you communicate the incident to internal and external stakeholders?
  • What are you legally required to do after a ransomware attack to stay compliant?
  • How will you keep business functions moving forward, and what will you need to do to restart or shift other functions?
  • How will you decide what improvements need to be made to your security measures to keep these attacks from happening in the future?

After containment, the plan should also include steps for communications, analysis, and mitigation. Consider including answers to the following questions:

  • Who needs to be informed about an attack?
  • What needs to be audited?
  • How can the negative impacts of the attack cause the least amount of fallout possible? 

Identifying and Isolating the Incident

With an IR plan, you need to understand the source of the ransomware attack and the full scope of the situation before disconnecting anything or taking any kind of drastic action. How did cybercriminals infiltrate? What machines are infected? Once the attack has been properly categorized, your organization can move on to disconnecting any systems that have been impacted to limit the harm done.

Disaster Recovery Plan

The end goal of any incident is to return to normal operations as quickly as possible. Determine your strategy to restore capabilities and services that were impacted by the attack. To ensure everything will work as planned, test your disaster recovery plan frequently and modify as you go, making improvements based on lessons learned.

Back-Up

A good ransomware recovery plan will ideally have at least two backups in place, and one ready to go quickly if an incident happens. Some organizations may choose to have two systems running at the same time for virtually instantaneous failover. Others may require additional steps to fill in where the primary environment left off. The bottom line is to keep data backups isolated to remain safe during an attack, and make them incrementally so that you don’t lose any data that hasn’t been backed up since the last session.

Data Recovery Software and Decryption

Even if something doesn’t go to plan, or if you’ve missed something in the ransomware recovery process, you may be able to restore some data to a set recovery point using tools native to a particular operating system. However, this isn’t a good method to rely on, as ransomware may also impact the effectiveness of a tool like Windows System Restore.

Some software and decryption tools may also be able to restore data or undo the damage done by encryption. Not all versions of ransomware respond to these methods, either, so it’s good to include more than one method in your recovery plan to restore your workloads.

Boost Your Security

Make sure your ransomware recovery plan includes best practices for keeping security measures strong, organization-wide. This may include enacting two-factor authentication, requiring regular password changes, centralizing logging across your systems, and educating employees through cybersecurity training – more on that in the next section.

5 Steps to a Ransomware Recovery Plan Template

As you can see, ransomware recovery, incident response, and disaster recovery plans all share similar traits. However, when you’re thinking particularly about ransomware recovery, remember these steps.

Train a Ransomware Disaster Response Team

Your employees are your first line of defense against ransomware. The more they are able to identify potential ransomware attacks before they strike, the more likely it is they will be able to prevent these attacks. Each member of the disaster response team should have a clearly defined role. The most common employee training will involve spotting phishing emails and maintaining password hygiene. Other employees may need to be trained on specific tools that identify software vulnerabilities and other potential side and back doors for cybercriminals.

Focus on Remediation and Prevention

Even if you have every cybersecurity tool in the world at your disposal to prevent attacks, you can still fall prey to ransomware. Prevention and remediation work best in combination. Immutable storage and disaster recovery are two remediating measures that can help you get your environments back to normal even if you don’t get your encrypted data back. You’ll also want to encrypt your data, so even if it’s intercepted, it’s less likely to be read by the attackers looking for a ransom.

Keep Data Resilience a Priority

The resiliency of your data is determined by how quickly you can return to usual operations after an attack. For some businesses, there may be some leeway on how resilient your data needs to be. Maybe there are some workloads you can do without for a day or two. For others, even a few minutes of downtime can harm the business. Resilience is all about prioritizing backup and recovery, as well as regularly testing these measures to make sure they work without a hitch in a critical moment.

Understand Your Critical Data

It may be that some applications and data are more valuable to you than others, and more essential for keeping your business moving. Understanding this, and prioritizing these workloads during an emergency, will help you develop a hierarchical action plan for ransomware recovery. For example, if you store your data in different tiers, you can put workloads that are less critical in less expensive tiers and focus more on recovering higher tiers when a ransomware attack strikes.

Create a Disaster Recovery Plan

One major part of your ransomware recovery plan will be drafting and regularly testing a disaster recovery plan. Figure out how your data needs to be protected. You may want to follow the 3-2-1 system, for example: having at least 3 copies of your data, 2 forms of storage media, and 1 version saved offsite in an isolated configuration. You’ll also want to figure out how often you need to back up your data. For some organizations, this may look like backing up every minute, whereas others can go a day or longer without a regular backup.

Testing this plan is a step that can’t be missed. When you test, you can verify that your recovery point objectives and recovery time objectives will be met in an actual ransomware attack, and it can help you find weak spots that may need to be revised to work properly after an attack.

Best Practices for Ransomware Attack Recovery

When a business experiences a ransomware attack, recovery comes down to the following five key steps: Preparation, prevention, detection, assessment, and recovery.

Preparation

Businesses should prepare for ransomware attacks by thinking that it’s not a matter of if, but a matter of when. With that, preparation well before a threat is on the horizon is the first and most essential step to recovering from a ransomware attack.

Essential components within preparation should include modernizing your infrastructure with a Zero Trust approach and completing a thorough cybersecurity assessment to identify any threats and weaknesses.

Prevention

When you’re in the frame of mind that a ransomware attack will happen to you, the focus shifts to preventative measures, such as ensuring the latest OS is installed and patches have been updated. Third-party tools can identify ransomware attacks before they are able to do damage by noticing anomalies in user activity, finding attempts to access systems, flagging potential phishing emails, and so on.

Detection

These prevention tools can detect where a data breach has occurred, or where a ransomware attack has started to take hold. Robust monitoring and response capabilities efficiently gather, analyze, and respond to potential threats. For example, AI tools can be used to continuously monitor the environment and automatically send out alerts when an abnormality is first detected so efforts can be taken to quickly address and remove any threats.

Assessment

Identify and document any threats, risks, and weaknesses. Decide ahead of time what pieces of your system are critical to your business. What data and applications need to be recovered first, and how long can you go without them working? Determine your recovery point objective (RPO) and recovery time objective (RTO), and note differences in these times based on your priorities.

Recovery

Once you are sure that the ransomware has been contained and will not infect any new data, it’s time to put a recovery plan into action. If you have failed over to another system, the plan will include steps to recover workloads and fail back so the main site returns to normal operation.

Prevent and Isolate your Data from Ransomware Attacks with TierPoint

Ransomware attacks can strike without warning, which is what makes prevention so important. Prevention and remediation, working in tandem, can significantly limit your exposure to attacks and keep your business rolling. Learn more about TierPoint’s Disaster Recovery as a Service (DRaaS) and other solutions that can mitigate ransomware’s effects. Need help building your DR plan? Download our infographic to learn 13 steps that should be included within every resilient DR plan.

FAQs

What is the 3 2 1 Rule for Ransomware?

The 3-2-1 rule for ransomware says that businesses should have at least 3 copies of their data, 2 storage media, and 1 copy kept offsite. Recently, the rule has expanded to 3-2-1-1-0, which includes 1 offline or immutable copy, and backups being completed with 0 errors.
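The 3-2-1 rule from the disaster recovery plan section, the 3-2-1-1-0 extension in this answer, and the RPO target from the Assessment step can all be checked mechanically against a backup inventory. The following Python is an added example, not TierPoint's code; the Copy record and both inventories are constructed, and the three copies are counted including the primary.

```python
"""Checks a backup inventory against the 3-2-1-1-0 rule and an RPO target.

Added example, not TierPoint's code. The Copy record is a constructed
inventory model; in practice the fields would be filled from the backup
platform's job reports. "3 copies" is counted including the primary.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Copy:
    name: str
    media: str            # storage medium, e.g. "disk", "object-storage", "tape"
    offsite: bool         # held away from the primary site
    immutable: bool       # write-once / object-locked, cannot be encrypted in place
    offline: bool         # air-gapped, not reachable from the production network
    last_success: datetime
    errors: int           # errors reported by the most recent backup job
    is_primary: bool = False


def evaluate_3_2_1_1_0(copies, now, rpo):
    """Return (checks, gaps): checks maps each rule to True/False, gaps lists the failed ones."""
    backups = [c for c in copies if not c.is_primary]
    clean = [c for c in backups if c.errors == 0]
    newest_clean = max((c.last_success for c in clean), default=None)

    checks = {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in backups),
        # the extra "1": at least one copy ransomware cannot reach or rewrite
        "one_offline_or_immutable": any(c.offline or c.immutable for c in backups),
        # the "0": the last run of every backup completed without errors
        "zero_errors": bool(backups) and all(c.errors == 0 for c in backups),
        # RPO: the newest error-free backup is recent enough to meet the target
        "rpo_met": newest_clean is not None and now - newest_clean <= rpo,
    }
    gaps = [name for name, ok in checks.items() if not ok]
    return checks, gaps


NOW = datetime(2024, 4, 26, 12, 0, 0)   # constructed evaluation time
RPO = timedelta(hours=4)                # constructed recovery point objective

# Constructed: three copies on the same disk media, all onsite, none immutable,
# and the replica's last job reported an error.
WEAK_INVENTORY = [
    Copy("primary", "disk", False, False, False, NOW, 0, is_primary=True),
    Copy("nightly-san-snapshot", "disk", False, False, False, NOW - timedelta(hours=2), 0),
    Copy("nas-replica", "disk", False, False, False, NOW - timedelta(hours=26), 1),
]

# Constructed: corrected inventory that satisfies every rule.
HARDENED_INVENTORY = [
    Copy("primary", "disk", False, False, False, NOW, 0, is_primary=True),
    Copy("nightly-san-snapshot", "disk", False, True, False, NOW - timedelta(hours=1), 0),
    Copy("cloud-object-lock", "object-storage", True, True, False, NOW - timedelta(hours=2), 0),
    Copy("offsite-tape", "tape", True, False, True, NOW - timedelta(hours=20), 0),
]


if __name__ == "__main__":
    for label, inventory in (("weak", WEAK_INVENTORY), ("hardened", HARDENED_INVENTORY)):
        _, gaps = evaluate_3_2_1_1_0(inventory, NOW, RPO)
        print(f"{label}: {'PASS' if not gaps else 'FAIL ' + ', '.join(gaps)}")
```

The weak inventory has three copies and still meets the RPO, yet fails four of the six checks; tightening the RPO below the age of the newest clean backup is the only way to make the hardened inventory fail.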

How Can Backup Be an Effective Defense Against Ransomware?

Backup can be an effective defense against ransomware by restoring encrypted data and by creating an air-gapped backup that is stored away from the organization’s network. Backup solutions may also help identify and remove ransomware from backups thanks to special features.

How Can Disaster Recovery Be an Effective Defense Against Ransomware?

Disaster recovery (DR) is all about restoring systems post-disaster. A DR strategy can be effective against ransomware by having a plan to restore data from backups, getting operations back up and running quickly, and eliminating the need to pay a ransom because backup and disaster recovery efforts are in place.

Is Disaster Recovery in the Cloud Better? https://www.tierpoint.com/blog/is-disaster-recovery-in-the-cloud-better/ Mon, 16 Aug 2021 17:43:21 +0000 https://tierpointdev.wpengine.com/blog/is-disaster-recovery-in-the-cloud-better/

Is your disaster recovery solution ready for when disaster strikes? Disaster recovery in the cloud delivers advantages for many organizations compared to physical disaster recovery and backup technologies in a data center. In general, cloud-based DR delivers more reliable, faster, and more cost-effective recoveries.

For many of the same reasons that cloud computing has grown in popularity, cloud-based disaster recovery has grown in popularity relative to on-premises DR. In fact, for many businesses, implementing disaster recovery in the cloud can provide an important step toward cloud migration – because data movers are a multi-use tool for IT.

What is disaster recovery in the cloud?

Putting a mirror image of a production site on a second set of hardware in a data center was once a common disaster recovery technique. Now, such mirror images are often hosted in private or public clouds, ready to run on virtual machines at a moment’s notice.

Cloud-based disaster recovery as a service, or Disaster Recovery as a Service (DRaaS), is built to address the security and compliance needs of companies and to deliver quicker recovery of data and applications with less data loss than traditional IT disaster recovery.

DRaaS can compress traditional disaster recovery processes from days to minutes. With DRaaS, primary DR sites are replicated to the cloud, so data servers and applications can be restored as needed. As data changes at the primary site, the recovery site is updated to match.

Automation and orchestration allow for almost instantaneous failover to one or more clouds. When the primary site fails, control can rapidly switch to the secondary cloud site. When the outage is resolved, the primary site can regain control through a process called failback that ensures data stays current.

Virtual machines deliver recovery like a hot site, with much less overhead. Unlike cold sites and warm sites that take extensive engineering support and time to become functional, disaster recovery in the cloud can fail over in minutes. Plus, maintaining and upgrading virtual machines is simpler than with physical hardware. Cloud-based storage doesn’t degrade like tapes and other media.

Cloud disaster recovery simplifies recovery for your IT staff, who won’t need to recover systems manually step-by-step during a high-stress outage. Instead, you set up automated failover, or place a single call to your DRaaS provider to say, “We need to recover.”

Types of DRaaS

Your primary site may be in a physical data center or in a private cloud, public cloud, or multicloud. Cloud-based recovery is a good choice for environments as wide-ranging as hybrid and multicloud. What’s more, if your production site is in a cloud, then disaster recovery in the same type of cloud offers additional advantages by allowing you to use the same security and compliance methods as your primary site.

The three main types of disaster recovery in the cloud differ by type of production environment. All of them can deliver near-zero data loss and fast failover with DRaaS. They include:

Cloud-to-cloud recovery

Powered by solutions such as Zerto’s IT Resiliency Platform and VMware’s vCloud Availability, a hypervisor manages replication to protect a virtualized production environment in a private or public cloud.

Hybrid cloud disaster recovery

Powered by a solution such as Azure Site Recovery (ASR), a cloud or hybrid environment is replicated and recovered to a cloud service such as Microsoft Azure. 

Server-to-cloud recovery

This type of disaster recovery in the cloud protects non-virtualized physical servers – including IBM, Oracle, and UNIX servers and mainframes – and multiple types of virtual servers, such as Hyper-V and VMware. 

How DRaaS manages replication

DRaaS replicates primary sites to the cloud, so your environment can be restored as needed when disaster strikes. When data is changed in the primary site, the recovery site also reflects those changes. 

Depending on how applications are tiered, some organizations might use multiple types of replication. Here are the three key types of replication, along with their pros and cons. 

Synchronous replication

Synchronous replication offers the shortest recovery point objective. Data is written to multiple sites at the same time, so the data remains current everywhere. It can be more costly and sensitive to latency, so it requires the sites to be closer to each other. 

Asynchronous replication

Asynchronous replication is often the preferred replication type. Data is written to the primary storage array first and copied to replication targets in real-time or at scheduled intervals. Asynchronous replication requires less bandwidth, is less expensive, and works over larger distances. 

Backup services

This type of replication limits data loss but doesn’t enable the best recovery. Data is archived and stored. This is only recommended for recovering non-critical data. Backup services include cloud storage/backup services and other online backup services, remote file backup, and local tape or disk backup. Backup as a Service (BaaS) offers the best protection from data loss. 

Cloud disaster recovery vs. cloud backup and Backup as a Service (BaaS)

The main difference between disaster recovery and a backup is that a backup only stores the data – without the IT infrastructure and applications that are necessary to make use of the data. Security of backup data has always been an issue. Backing up data in the cloud can better secure data in motion and off-site storage than physical drives, disks, or tapes.

Backups are known for being inadequate for businesses that need a short recovery time objective and minimal data loss. A nightly backup can result in the loss of a day’s worth of data. Although backups aren’t an effective recovery option, they are good for data retention and archives. Learn how backup and DRaaS can work together. 

Backup as a Service (BaaS) allows you to back up cloud, hybrid, and on-premises data to a private or public cloud. BaaS can improve security and reduce backup storage volume with deduplication and compression. An example of a BaaS solution is Veeam Cloud Connect.

Find the best disaster recovery solution for your business

Your business is different from every other business, and your disaster recovery plan needs to be customized to fit the goals of your business and your specific IT environment. Many TierPoint clients find DRaaS can offer ROI in addition to its role as insurance against an outage or disaster. Beyond business continuity, for example, the replication and recovery infrastructure provided by DRaaS can also enable your safe and secure cloud migration, improve the rate of security patching, and help mitigate losses due to cyber-attacks such as ransomware.

As a DRaaS provider, TierPoint helps organizations plan for and limit the impact of interruptions to data, application, and infrastructure – in natural disasters, cyber disasters, cloud migration, and routine maintenance and security management.  

We’ll meet you where you are in your digital transformation journey, including any combination of public cloud providers, managed services, a fully-managed TierPoint private cloud, colocation, and on-premises solutions. Contact us to learn how TierPoint can help strengthen your DR plan and strategy. 

Top 5 SAP ERP Challenges for IT Organizations https://www.tierpoint.com/blog/5-of-the-biggest-sap-erp-challenges-for-it-organizations/ Tue, 22 Jun 2021 14:59:20 +0000 https://tierpointdev.wpengine.com/blog/5-of-the-biggest-sap-erp-challenges-for-it-organizations/

At a time when it seems like there’s an “app for everything,” there’s one type of application that still holds its position as the mission-critical heavyweight for the enterprise: ERP, or enterprise resource planning. That is especially true for organizations that have reached a certain size and operate in supply chain management (think materials management, inventory, production planning, and logistics), financial accounting, human resources, and customer relationship management. The reigning champion in the enterprise ERP solutions market for the last several decades is undoubtedly SAP ERP.

The major challenges businesses face when managing SAP ERP

Enterprises choose SAP because the product has the functionality they need for business operations. This is borne out in Software Review’s April 2021 Data Quadrant, which classifies SAP S/4HANA as a product innovator, thanks to its high ranking for product features and customer satisfaction. What keeps SAP S/4HANA from being classified as a Leader in Software Review’s April 2021 Data Quadrant is its fairly low rating for vendor experience and capabilities. 

This underscores an undeniable truth that anyone who’s ever implemented an ERP system like SAP S/4HANA (or SAP ECC previously) knows: ERP functionality can only take you so far. Eventually, the capabilities of the implementer/service provider – whether that’s SAP or a third party – have a significant effect on the success of the implementation. Here are five challenges we see most often in our work hosting instances of SAP S/4HANA:

Challenge #1 – The instance of SAP is not customized for the enterprise

Just because you can customize an ERP application doesn’t mean it’s easy to do. This is especially true of a functional leader in the ERP space like SAP. In fact, the more customizable a solution is, the easier it is to misconfigure it, which can lead to application failures and IT security issues. And once configured, the system may need to be recalibrated to the needs of the business with every release of a new version or enhancement. 

Challenge #2 – SAP requires specific skills to architect, implement, and optimize

A mission-critical SAP business application will test every element of your IT from infrastructure, to application architecture, to cloud services, and beyond. It’s highly likely that your SAP implementation also includes other application dependencies, such as a third-party CRM or supply chain planning application, that will need to be accounted for during implementation and with every upgrade. 

Challenge #3 – SAP requires too many IT resources for day-to-day management

ERP systems have a lot of moving parts, and SAP S/4HANA is certainly no exception. Keeping up with the technical requirements of SAP S/4HANA can be a full-time job in itself. Then there are the day-to-day application requirements. For example, the very nature of the data housed in an ERP system makes it an attractive target for data thieves as well as other types of cyberattacks, including ransomware and Distributed Denial of Service (DDoS) attacks.

Implementing patches as quickly as possible is one element of a defense-in-depth IT security strategy. Unfortunately, with so much on their plate, it’s easy for ERP systems administrators to delay patching while they’re handling “more immediate” challenges. 

Challenge #4 – Hardware obsolescence has an impact on SAP performance

Hardware plays a significant role in solution performance. Unfortunately for many enterprises, it’s challenging at best to gauge capacity requirements. They don’t want to tie up capital by overinvesting in hardware, but an IT team that’s stretched thin may not notice when SAP performance begins to degrade due to capacity issues. Just as detrimental to the business, your organization may not be able to scale up IT infrastructure fast enough to take advantage of a sudden, unexpected market opportunity. 

Challenge #5 – SAP doesn’t operate in a vacuum

When a mission-critical SAP system goes down, the company goes down. However, unplanned downtime isn’t always a function of the application or the vendor. It can be caused by the environment, such as when a provider loses connectivity, or an untested disaster recovery plan fails just when you need it. 

Managed SAP S/4HANA: The best of both worlds

At TierPoint, we have the skills and infrastructure to help you address all five of these challenges. We teamed up with NTT DATA Business Solutions, an SAP Global Platinum Partner, to provide an even deeper array of managed services for our enterprise customers. With the TierPoint and NTT DATA Business Solutions Managed SAP S/4HANA solution, you’ll get:

  • A high-performing, secure private cloud environment
  • Expert assistance implementing and configuring SAP to meet the needs of your business
  • Ongoing monitoring of your SAP environment and instances to ensure optimal performance and availability 
  • IT architectural expertise and regular hardware refreshes so you don’t need to worry about hardware-induced performance issues
  • Day-to-day management of your SAP environment and instances (e.g., patching, updating, maintenance) so you can focus on more strategic IT initiatives 

To learn more about how our Managed SAP offerings can help your IT organization, reach out to one of our service representatives.

Using Colocation for Disaster Recovery https://www.tierpoint.com/blog/how-colocation-can-save-you-from-disaster/ Tue, 01 Jun 2021 19:20:41 +0000 https://tierpointdev.wpengine.com/blog/how-colocation-can-save-you-from-disaster/

How long could your organization afford to go without access to its data or critical systems? If you don’t have a disaster recovery and business continuity strategy, it could take days or weeks to restore your IT systems following a major business disruption.

Almost all organizations today depend on their data backups, software, and the internet to conduct business. When those resources are unavailable, business grinds to a halt. Smart CIOs have disaster recovery and business continuity strategies and plan to quickly move business operations to a colocation data center during a disaster.

Colocation is safer by design

Colocation has become more popular as concerns over cyberattacks and climate change have grown. CEOs and CIOs want to achieve IT resilience, so their companies can continue to operate despite disruptions. IDC defines IT resilience as “the ability to protect data during planned disruptive events, effectively react to unplanned events, and accelerate data-oriented business initiatives.”

Colocation helps ensure IT resilience by providing disaster-resistant infrastructure and redundant IT systems, power, and networking. Many state-of-the-art colocation data centers also provide a backup workspace for customers impacted by a disaster.

Severe weather events and other disasters cost $155 billion globally in 2018. Likewise, cybercrime will cost the world $6 trillion annually by the end of 2021.

Moving a company’s primary IT equipment or data storage systems to a colocation facility is an attractive option for CIOs concerned about data loss and downtime. It reduces the need to invest CAPEX or financial resources to build, staff, and maintain an on-premises data center.

Having a colocation partner that is experienced in disaster preparedness can be a relief when a major event happens. Just ask Sam Bayer, CEO of Corevist, an eCommerce platform provider for manufacturers. Located in Raleigh, NC, the company has weathered several major storms in the past few years.

“Hurricanes in the area cause us and our customers a lot of stress,” noted Bayer.

When Hurricane Florence (a Category 4 storm) came ashore in 2018, Bayer was able to reassure customers that the IT systems were safe and secure in TierPoint’s Raleigh data center.

“We had confidence because [TierPoint’s people] were managing the situation,” said Bayer.

In fact, Corevist suffered no downtime at all, despite the storm causing $17 billion in damage elsewhere in the state.

3 reasons colocation is an effective disaster recovery solution

The biggest benefits of colocation for a disaster recovery strategy are:

Cost

For many businesses, maintaining an on-premises data center to manage data and applications can be expensive (think: internet connectivity, network equipment, real estate, power, etc.). One of the great advantages of colocation is that it allows multiple businesses to share the cost of facility maintenance and operations.

Physical resilience

A colocation facility will be much better equipped to protect IT systems and data in a natural disaster than the average company can afford to be. It should also have redundancy built throughout the IT infrastructure. Read more about modern data center infrastructure must-haves. Depending on your geographic region, look for evidence it is built to withstand local disasters, such as a Category 4 or 5 hurricane and EF4 or 5 tornadoes.

The provider should be certified on IT industry standards such as:

  • ISO 22301, an international standard for business continuity management for natural and man-made disasters, environmental accidents, and technology failures.
  • The Uptime Institute’s Tier certifications: Tier IV (fault-tolerant site infrastructure) or Tier III (concurrently maintainable site infrastructure)
  • Trusted Site Infrastructure (TSI) – a list of requirements on ten different areas of a data center including areas such as environment, construction, fire-handling, security, cabling, energy, air, organization, and documentation.

Advanced security

Good colocation data centers have advanced security features. Physical security should include 24-hour electronic monitoring with onsite staff, locked cages for customer equipment, and access controlled by two-factor authentication. Two security standards that providers should meet are:

  • The Center for Internet Security best practices on privacy and security.
  • ISO 27001 — Information Security Management System (ISMS) for managing sensitive company information.

A colocation provider may also offer managed security services to protect against large-scale cybersecurity attacks. Managed security services can help IT departments prevent and mitigate threats, stopping cyberattacks before they do major damage.

Improve your resilience against disasters

IT resilience is a critical factor in business success. Downtime can cost a company lost revenues as well as loss of customer trust and damage to the brand image. IT resilience and business continuity are driving businesses to colocation services as a key element of their disaster recovery plan.


Originally published in March 2019, this post was updated on June 1, 2021, to reflect changes in stats and to add more information on colocation and disaster recovery trends.

Ransomware Mitigation: Secure Data and Storage
https://www.tierpoint.com/blog/mitigating-ransomware-attacks-with-secure-data-and-storage/ | Mon, 08 Feb 2021

Global ransomware is expected to reach $20 billion in damages by 2021. In the first half of 2020 alone, mitigation cost US businesses, governments, and universities more than $144 million. How can you defend your vital business data against the devastation produced by ransomware? We reached out to Andrew Miller, Principal Systems Engineer at Pure Storage®, a modern data storage service that protects against ransomware, to explore this topic.

The impact of ransomware

Interviewer: First, what is ransomware?

Andrew: Ransomware is a type of malicious software designed to block access to computer data until a sum of money is paid. A cyberattack encrypts the data, and only the attacker knows the encryption key. The terms: send the ransom payment ASAP to receive the key to unlock the data. If the attacker also stole data prior to encrypting it, failure to pay can also result in public disclosure of sensitive data.

From a data storage perspective, ransomware is a problem requiring an unplanned restore of massive amounts of data from storage products not designed for the purpose. And that is the catch. Most businesses are not prepared to restore the data fast enough to be useful.

Ransomware trends

Interviewer: Why is ransomware so prevalent?

Andrew: Good question. We’ve had malware worms and viruses for a long time, so why ransomware, why now? There are four main factors, starting with how easy it is for attackers to get employee credentials through phishing attacks. That is a big part of it—the asymmetry of attack costs for the victim versus the value extracted by the attacker. There are real economic factors at play. For someone at a lower cost of living, a $17,000 ransom is a year’s salary.

Next is the complexity of the modern IT stack—so many assets to keep updated, patched, and hardened. Servers, storage, networking, legacy apps, cloud applications, multicloud computing, policies, procedures, and human factors. Ask a data center engineer or architect, is everything in your environment up to date and patched? It is not. There is too much to do, budget limitations, and so many attack vectors.

Third, cryptocurrencies make ransomware payments easy, reliable, and relatively anonymous. An attacker in one country can easily transact Bitcoin with a victim in the US.

And the fourth factor: Ransomware-as-a-Service kits are available for attackers on the dark web. These kits are created by “vendors” with feature sets and different levels of technical capability needed by the user. They have channel partners, including hosting services and solutions providers—an ecosystem for criminals with technical skills.

As a result of these factors, attackers have a lot of options, and defenders at the data center are stuck.

Also read: Should You Be Concerned About Ransomware as a Service (RaaS)?

Proactive ransomware protection to secure data

Interviewer: What can businesses do as proactive defense measures before a ransomware attack?

Andrew: This is scary stuff for worried boards of directors, but it is far better to be scared now than at two in the morning when you learn that your company’s data is locked by ransomware. Of course, there’s training: Do not click on that link. Macros can deliver malware. And if you get an email from an executive who you don’t work with regularly and they are asking for sensitive information, stop.

Technical solutions need to be in place before an attack. Antivirus, patching, firewalls, IDS/IPS, and more. This is why managed security services from service providers like TierPoint are so relevant—IT managers need help navigating the thousand-plus vendors in this space.

And a big part of the technical challenge is managing the risk of high operational overhead overtaking the benefits of the products you implement. False positives can overwhelm IT teams—I call it the barking chihuahua analogy—eventually you tune out the alerts, even the important ones. Pure Storage helps with this with solutions like Pure Storage FlashBlade®, which crunches through massive amounts of data after an attack to help sort out the signal from the noise.

And then from a financial standpoint, there are cybersecurity insurance policies.

I’d rather mitigate the need for claims with data protection and fast restoration that match the customer’s recovery point objectives (RPOs) and recovery time objectives (RTOs)—what they need for business continuity.

Ransomware mitigation

Interviewer: Why aren’t businesses better prepared to mitigate ransomware?

Andrew: IT departments are busy, and it is not uncommon for backups to be incomplete—it is a daily frustration. Plus, backups need to be protected from malicious deletion or encryption. Having gained access, attackers often spend months on reconnaissance and planning before triggering the ransomware. Do you have backups to service your replicated storage? Those backups may be encrypted by ransomware, too. It can even jump a replication boundary, crossing domains. The attacker may take your disaster recovery system offline.

And then there is the issue of speed of recovery. What is the cost of downtime? How much data can the business afford to lose? How far back in time do you need to go? How long does it take? What we see with ransomware is massive amounts of data locked up that all needs to be restored quickly—without a fast-to-recover data storage system, it could take months.

Interviewer: So, what can IT leaders do to provide business continuity in the face of ransomware? Tell us a bit about Pure’s solution.

Andrew: To effectively recover from ransomware, the system put in place before the attack needs to be simple because IT departments are busy and any technology that requires care and feeding but isn’t top of mind every day will be overlooked. It needs to be immutable because attackers are motivated to disable your protection—they can charge a bigger ransom. And recovery needs to be fast—even for massive amounts of data—because your business can’t operate without data and waiting months for recovery is like the backup does not exist.

Pure Storage focuses on all three requirements—simplicity, immutability, and speed of recovery. Our solution is simple enough that it will be there when you need it, without daily care. And Pure Storage keeps data safe even if an admin is compromised, from FlashBlade credentials all the way down to the backup target where the data is sent, as well as the backup server itself.

Pure Storage provides inbuilt security specifically designed to counter ransomware threats. We developed SafeMode™ snapshots with the purpose of protecting backup data and metadata and minimizing loss of data. Ransomware can’t eradicate (delete), modify, or encrypt SafeMode snapshots. The result: Your backups stay safe. Plus, FlashBlade is a throughput beast when you need to recover. For one customer, our solution is 76 times faster than their previous recovery solution.

How vulnerable is your business to ransomware?

Managed services providers, like TierPoint and Pure Storage, will work with you to look at your IT environment and identify areas that need better security and disaster recovery to protect against data loss. Contact us today to learn more.

Ransomware Attacks: How to Prevent, Detect, and Respond
https://www.tierpoint.com/blog/ransomware-attacks-how-to-prevent-detect-and-respond/ | Tue, 19 Jan 2021

Ransomware attacks have been on an upward trend throughout 2020 and will likely continue in 2021. Ransomware encrypts a company’s data or IT systems, and the victim must pay a ransom to get it unlocked. Ransomware composed nearly a third of all cyberattacks in 2020, according to Paul Mazzucco, TierPoint’s chief security officer. “We’ve seen a huge uptick. Protecting against ransomware has become an all-hands-on-deck activity.”

Ransomware trends in 2020 – looking back

While nearly every industry has been hit with ransomware, the most targeted organizations are professional services firms, medical providers, local governments, and logistics companies, said Mazzucco. According to a report on the top 11 ransomware attacks in 2020, five of the 11 organizations were municipal governments, while the remaining victims included legal, manufacturing, financial services, IT services, facility management, and higher education organizations. Healthcare organizations, schools, and municipal and government agencies are often targeted by ransomware because of the highly sensitive and valuable data they store, their often limited IT budgets, and their weaker cybersecurity.

In October and December of 2020, the FBI and other federal agencies issued alerts warning that healthcare and K-12 schools were in imminent danger of ransomware attacks. This happened at the same time that hospitals were dealing with the second wave of Covid-19 patients, and while schools were struggling to create quality distance learning environments for their hundreds or thousands of students.

New variants of ransomware can also target Internet of things (IoT) and smart devices. That can cripple organizations that are heavy users of IoT infrastructure, such as manufacturing companies and smart cities. A big part of the problem is that IoT devices often have little to no security.

“These are small chipsets with a Unix overlay and often little else. Things like traffic management and security cameras are not very well protected, and the cities themselves are often not prepared to mitigate these attacks,” said Mazzucco.

A city that has invested in smart infrastructure—such as traffic congestion sensors, smart lighting, air quality sensors, trash bin monitoring for waste management, and smart parking—is extremely vulnerable to a ransomware infection, which could paralyze the infrastructure.

Unfortunately, ransomware attacks are cheaper and easier to deploy than ever. A novice hacker can attack a major company or municipal government without much money or even technical expertise. There’s a booming market for ready-to-use ransomware kits and Ransomware as a Service products on the Dark Web.

Also read: Should You Be Concerned About Ransomware as a Service (RaaS)?

“For less than $1,000 anyone can get on the Dark Web and download a ransomware toolkit, often with support services included,” said Mazzucco.

Newer ransomware products have advanced features that make them harder to defend against, said Mazzucco. “They’re self-replicating and self-protecting and can spider your network and encrypt your files with a random AES encryption key so it’s almost impossible to decrypt with a standard key.”

What should an organization do when it is hit with ransomware?

One option is to pay the ransom. However, there is no guarantee you will get your data back. Often the attackers take the money but never send the decryption key, or they demand more money after the first payment. Some attackers threaten to release your data onto the Dark Web, which is why it is critical to encrypt sensitive information.

If you have a reliable and current backup of data and systems, you can skip the ransom and go straight to recovery. Unfortunately, backups often fail, so it pays to test your backups regularly, instead of discovering you have no backup or one that is two months old after you’ve been hit with ransomware.

A Gartner survey cited by Mazzucco found that nearly 40% of IT departments back up their data only annually or semiannually, making those backups nearly worthless for most businesses. Another 20% either do not bother to back up or do not know. That means that 60% of IT departments could lose 100% of their data in a ransomware attack.

In addition to an enterprise-level backup-and-recovery solution, a ransomware defense strategy should include multiple layers of security, including:

  • next-generation firewalls
  • web content filtering
  • email spam filters
  • vulnerability scanning
  • zero-day anti-malware

Standard anti-malware applications may fail to detect ransomware, or any malware, if it is a new variant, which is why malware developers frequently modify their code. Zero-day anti-malware products receive regular updates on the latest variants and may also examine behavior and file integrity to determine whether a file is suspicious.

Data encryption helps ensure that, if your data is stolen, it can’t be sold on the Dark Web. Mazzucco also recommends encrypting your backups.

“If your backup infrastructure is not encrypted and if the backup is attached to the network or system that is infected by ransomware, then your backup systems are likely infected as well,” he explained.

People are also a critical component of a cybersecurity strategy. A “human firewall” of end users who follow good cybersecurity practices and are up to date on the latest cybersecurity threats can prevent most ransomware attacks. Prevention and recovery will also depend on people outside of the IT department, such as human resources to develop end-user education programs, legal professionals to ensure the company follows all data security regulations, marketing to communicate with customers, cybersecurity forensics professionals to investigate how the attack occurred, and even law enforcement in some cases. Mazzucco notes, “Ransomware recovery is a group effort.”

Protect your business from Ransomware

Want to learn more about cybersecurity for your organization? Read our Strategic Guide to IT Security.


Contact us to learn more.

Cybersecurity in 2020: Looking Back at Trends and Insights
https://www.tierpoint.com/blog/cybersecurity-in-2020-looking-back-at-trends-and-insights/ | Tue, 05 Jan 2021

In 2020, we experienced a phenomenal rise in at-home workers and shoppers. Because of Covid-19, suddenly everyone worked, shopped, and socialized remotely. As IT professionals, we also experienced significant fear over the state of our end-user and mobile security. Suddenly, our top concerns involved end-user cybersecurity issues such as up-to-date malware protection, encryption, virtual private networks, password protection, and identity management.

The worry over remote access security is well justified, said TierPoint’s CSO Paul Mazzucco, because home-based workers often lack the layers of security that exist in office networks. That leaves organizations vulnerable to simple employee mistakes, such as clicking on malware attachments, exposing login credentials to a phish, or being taken in by bogus invoices. So, IT departments everywhere got a crash course in cybersecurity for remote workers.

A lot of other things happened in 2020, of course. Following is a review of the key cybersecurity threats, technologies, and trends from the year past.

Top 2020 cybersecurity threats

Following are the key cybersecurity concerns and technology trends in 2020:

Ransomware

Ransomware has been a top threat since 2017, and this year was no different. In fact, ransomware attacks increased 40% to 199.7 million cases globally in Q3 of this year. U.S. organizations suffered 145.2 million ransomware hits in Q3, a 139% increase.

This year also brought us more sophisticated ransomware. It used to be simple: encrypt a victim’s data and demand a bitcoin. Now, ransomware can lock up your entire corporate network, along with attached backups, and the perpetrators might threaten to sell your data on the Dark Web if you don’t pay up. They might sell it even if you do pay the ransom. Worse, today’s cyber-criminals can buy ransomware-as-a-service or as a pre-packaged kit. So, anyone from a novice hacker to an international crime gang can launch a ransomware campaign.

Also read: Should You Be Concerned About Ransomware as a Service (RaaS)?

Smarter AI

Cybercriminals use artificial intelligence (AI) to create smarter, faster, self-adapting attacks capable of learning to evade anti-malware and other security software, finding and stealing sensitive data, and remaining undetected for weeks or months at a time. AI is also used in crimes that depend on social engineering. The rise of deepfakes (fraudulent videos, audio, and photos) is a good example. AI with machine learning has been used in business scams: for instance, AI can learn an executive’s voice, often taken from legitimate online podcasts or videos, and replicate it in order to trick a subordinate into transferring corporate funds to another account or wiring them to “the boss” in Nigeria. Deepfake technology can also convincingly modify photos and videos for nefarious purposes. Fortunately, AI can also help the good guys: technological advances in AI and machine learning provide faster and more accurate threat detection capabilities.

Attack of the intelligent bots

The latest generation of “smart bots” uses AI and machine learning to mimic human behaviors, including misspelled words and random mouse movements. This can enable a hacker to slip through a firewall and launch an application-layer attack, at the level that handles HTTP requests or SQL queries.

5G security risks

As 5G becomes increasingly available, CIOs and CISOs worry about the potential security risks of 5G networks. 5G architecture uses software-defined networking (SDN) to create multiple “slices” of bandwidth for different types of traffic. 5G also relies on short-distance transmission across a network of small base stations located on buildings, traffic lights, etc. Using both SDN and base station locations, a hacker could potentially target a base station close to a selected victim and identify traffic specific to that company. SDN also, however, enables more granular policy-based security, which can defend against such attacks.

Also read: New Cybersecurity Challenges: 5G, IoT, and AI

Remote working risks

While not a threat per se, the boom in usage of collaborative applications is making it easier for criminals to access confidential data. Remote workers now use Zoom, WebEx, Skype, Slack, and various teamwork applications to share a variety of enterprise information, including recordings of private meetings. With so much sensitive information available in unsecured cloud applications, it’s no surprise that cybercriminals target them.

The biggest cybersecurity priorities in 2020

End-user security moved to center stage in 2020 as remote and mobile work became the de facto standard—and is expected to be popular through 2021. The first security challenge that CISOs faced was ensuring that home-based workers had up-to-date anti-virus software and encrypted virtual private networks on their laptops and home desktops. They then moved onto other important end-user cybersecurity defenses, including multifactor authentication, identity and access management (IAM), and role-based access management tools. Adoption of these solutions increased in 2020.

  • IAM authenticates all end users, devices, and applications before permitting them access to IT systems.
  • Role-based access tools restrict end-user access rights and permissions, to limit the amount of damage that any one individual can do with stolen credentials. No single set of credentials should provide a hacker with the “keys to the kingdom.”
  • Advanced cloud-based multi-factor authentication methods such as facial recognition and fingerprints also improve end-user security without overly burdening users.

Many IT departments partner with managed security services providers to improve their cybersecurity. IT departments are frequently ill-equipped to take on the work of evaluating, deploying, configuring, and integrating enterprise security solutions. Security services providers take on security tasks that are outside of an IT department’s capabilities, whether that’s monitoring network security, providing cloud-based security applications, conducting vulnerability testing, or managing all of a company’s security applications and processes. Security services providers typically have in-depth knowledge of the latest cybersecurity threats and technologies.

A security services provider such as TierPoint can help you craft a cybersecurity strategy and evaluate, deploy, and manage cybersecurity solutions. We provide proactive security services that include advanced detection and remediation technologies capable of protecting all your IT environments.

Bolster your cybersecurity strategy for 2021

Learn more about IT security technologies and strategic planning by reading our Strategic Guide to IT Security. Learn how TierPoint can help improve your IT security with IT security compliance and management services. Contact us to learn more.
