The anatomy of a ransomware attack – keeping your organisation immune

Ransomware is here to stay - can your data say the same?
Mike Rees, Territory Account Manager for SA at Commvault.

Ransomware is a type of malware that, as the name suggests, takes a user’s data hostage and holds it for ransom; if users do not pay, the hackers threaten to delete their information. This type of malicious software is by no means a new phenomenon, but the recent WannaCry ransomware attack, which affected hundreds of thousands of organisations across the globe, has brought it back under the spotlight. While ransomware attacks vary in sophistication, and therefore in how the threat is best prevented and dealt with, one thing is certain: in today’s world, where data is the currency of business, organisations need to effectively safeguard themselves and their data from malicious intent. This requires a multi-layered approach and effective security, but it is also essential to have backup and recovery in place to deal with an attack if and when it occurs.

The anatomy of a ransomware attack

Ransomware comes in many different forms, from simple attacks that are neither sophisticated nor difficult to reverse, to the more advanced, including WannaCry. WannaCry is an example of cryptoviral extortion: it encrypts its victims’ files, which makes recovering them extremely difficult without the decryption key, and the hackers will only divulge that key on payment of their ransom.

Regardless of the sophistication or otherwise of the attack, ransomware itself has a predictable way of taking control of data. It generally begins with an email containing an infected link or attachment. If a user opens the file or link, the malicious software is installed on the computer and exploits any flaws in the user’s environment, such as a missed security patch, out-of-date protection software or generally ineffective security. Once the ransomware code is running on the system, it quickly replicates, encrypting data so that only the hacker can unlock it. Hackers demand payment in an untraceable virtual currency such as Bitcoin in order to unlock the files, and the data is now effectively being held hostage. Affected users are given two choices: pay the ransom or lose their files.

The third option

Neither of these is an appealing choice; however, an effectively protected system has a third option: the ability to recover and restore data from an uninfected backup to a point before the attack occurred. While it is absolutely essential to have security in place, including firewalls, threat detection and so on, the reality is that it may not be enough, and an attack may breach your defences. In these cases, mitigating the risk and damage of a ransomware attack becomes critical, and the ability to recover data is absolutely essential.

In order to achieve this, effective backup and recovery must be in place, and ways to improve the frequency with which data is backed up and protected need to be examined. Recovery points for key systems, files, cloud environments and endpoints need to be created multiple times a day, as this drastically reduces the potential impact of ransomware on your data. In addition, the ability to recover hinges not only on making copies of files, but on using technology to make backup and recovery more effective. Storage snapshots and replicated data may themselves be susceptible to attack, so it is essential to look into combinations of solutions such as more frequent backup copies, replicas of files and co-location of backed-up data. This helps to minimise the potential impact of ransomware attacks, since the loss of data can be far less severe and recovery can take place quickly.

Securing what matters

Another important point is to ensure that backup data is stored securely, in terms of both how and where it is kept, since ransomware can attack not only file systems and production systems but also backed-up data. If backups are not secured they are susceptible to attack, and ransomware can then reach these files and encrypt and infect them. Data protection needs to be secured from ransomware attacks to ensure that it remains available, whether it is stored on premises or offsite.

In addition, if ransomware breaches defences, it is essential to have detection and alerting tools in place to identify when and how the attack occurred. It is also paramount for businesses to understand exactly when data needs to be recovered, so that the threat can be neutralised and the impact of lost data minimised. Watching the data itself can indicate a problem: understanding normal data change rates and how systems typically perform and execute makes it possible to raise an alert when unusual activity occurs in either of these areas. Even monitoring data snapshots can be telling; if a storage array suddenly consumes far more space than previously, it can point to a problem.
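As an added illustration of the two points above (frequent recovery points, and watching change rates and snapshot consumption), here is a small Python sketch that is not part of the original article or of any Commvault product. It flags recovery points whose change ratio or snapshot space jumps far above the trailing baseline and then picks the last point created before the first anomaly as the restore target; the job-history fields, thresholds and sample values are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class RecoveryPoint:
    """One backup job / snapshot. Constructed field names, not a product schema."""
    taken_at: str        # when the recovery point was created
    changed_files: int   # files the job found modified since the previous point
    total_files: int     # files covered by the job
    snapshot_gb: float   # space this snapshot consumed on the storage array

def change_ratio(rp: RecoveryPoint) -> float:
    return rp.changed_files / rp.total_files if rp.total_files else 0.0

def flag_anomalies(points, baseline=5, factor=4.0):
    """Compare each point with the trailing `baseline` points; flag it when its
    change ratio or snapshot consumption exceeds `factor` x the baseline mean."""
    flagged = []
    for i in range(baseline, len(points)):
        window = points[i - baseline:i]
        base_ratio = max(mean(change_ratio(p) for p in window), 0.001)  # floor avoids zero baseline
        base_gb = max(mean(p.snapshot_gb for p in window), 0.1)
        cur, reasons = points[i], []
        if change_ratio(cur) > factor * base_ratio:
            reasons.append("change-rate")
        if cur.snapshot_gb > factor * base_gb:
            reasons.append("snapshot-growth")
        if reasons:
            flagged.append((cur.taken_at, reasons))
    return flagged

def last_clean_point(points, baseline=5, factor=4.0):
    """Most recent recovery point taken before the first flagged anomaly,
    i.e. the restore target to use once mass encryption is suspected."""
    flagged = flag_anomalies(points, baseline, factor)
    if not flagged:
        return points[-1]
    first_bad = next(i for i, p in enumerate(points) if p.taken_at == flagged[0][0])
    return points[first_bad - 1]

SAMPLE = [  # constructed 6-hourly job history; last two points show mass encryption
    RecoveryPoint("2017-06-01T00:00", 2100, 100000, 3.1),
    RecoveryPoint("2017-06-01T06:00", 1800, 100000, 2.7),
    RecoveryPoint("2017-06-01T12:00", 2400, 100000, 3.5),
    RecoveryPoint("2017-06-01T18:00", 1900, 100000, 2.9),
    RecoveryPoint("2017-06-02T00:00", 2200, 100000, 3.2),
    RecoveryPoint("2017-06-02T06:00", 61000, 100000, 48.0),
    RecoveryPoint("2017-06-02T12:00", 95000, 100000, 70.0),
]
```

Running `flag_anomalies(SAMPLE)` flags the last two points on both signals, and `last_clean_point(SAMPLE)` returns the 2017-06-02T00:00 point, which is the one to restore from.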

In summary

Protecting your organisational data from ransomware attacks not only requires adequate security, but also a plan for if and when a malicious attack breaches defences. There are three crucial elements to this: securing how backup data is stored, protecting it frequently, and having awareness and detection in place. It is essential for organisations to ensure their backup provider can deliver the very best levels of protection for data, so that they are able to recover in the event of a ransomware attack or other data loss event. Some elements to look out for include secure disk storage, effective encryption, intelligent replication, detection and risk mitigation. Ransomware is just one of many issues that can affect data, and organisations need to protect it, back it up and be able to recover it in order to minimise business impact and mitigate the risks involved.

