When I ask people what they believe the primary goal cybercriminals have when preparing a targeted ransomware attack, the response I continually hear is, “For the organization to pay the ransom.” After all, the recent and extremely high-profile ransomware attack at Colonial Pipeline resulted in nearly $5 million USD being paid to European hackers in the hopes of getting them to release Colonial Pipeline’s encrypted data, allowing computer systems to come back online so the pipeline could resume normal operations. The impact of this attack was felt throughout North America and even globally.
The result of organizations paying ransoms is painstakingly clear: Many more high-profile attacks will follow with even more devastating impacts. Despite this, for many organizations, there is a strong temptation to pay the ransom. Once they do, their data is again available and operations can resume. Keep calm and carry on. Case closed, right?
Unfortunately, no. What so many people from some of the smartest and largest organizations incorrectly assume is cybercriminals are only interested in receiving a hefty ransomware payment, then they are off to their next unsuspecting target. This is simply not the case. While organizations are relieved once they have rid themselves of ransomware, the true reason for the attack and its long-term impact are usually not known.
All about the data
In many cases, the core objective and fundamental motive when planning a ransomware attack is to obtain something vastly more valuable and impactful than the payment itself: the data. For cybercriminals, headlines on front page news and the resulting socio-economic impact of digital extortion are mere secondary benefits to the real crime; stealing the data and its associated intellectual property.
In today’s data-driven world, where organizations are aggressively investing in supposedly comprehensive IT security solutions to protect themselves from criminals attempting to access to their data, how is it that so many organizations continue paying ransoms and, worse yet, in some cases, still lose their data permanently? Imagine the overwhelming impact of attacks when high-value sectors are targeted; such as banking, airlines, electricity distribution, government and healthcare.
Here’s a thought to contemplate: rather than organizations investing heavily in trying to prevent criminals from gaining access to their data, perhaps they should invest more significantly on solutions that keep legitimate copies of their data protected in a safe place. Similar to a vault, a place where it cannot be accessed or altered by anyone or anything, including ransomware. If that were the case, when a ransomware attack occurs, the organization can avoid having to pay the ransom – sometimes hundreds of thousands, or even millions of dollars worth.
You should still have security solutions in place, including application hardening, firewalls and monitoring. However, you also need to recognize that it will always be possible for a ransomware attack to bypass your security controls and access your data. That’s why you should have a detailed backup strategy in place that maintains a persistent copy of your data, ideally in multiple locations. This can be in the cloud, on-premises, or a combination of both, depending on your application priorities. An increasing amount of data is created outside the data centre. In 2019, Gartner estimated less than 10 per cent of enterprise data was created or processed outside a traditional data centre or cloud. But by 2025, the firm expects that figure to reach 75 per cent, so cloud-based backup will play an increasingly important role.
True detection and protection
You’re probably now scratching your head and rightly thinking, “Didn’t you just say the attackers have access to my data and intellectual property? How does having a copy of data readily available solve that problem?” You’re right, this usually is the case. However, if you collaborate with an organization that specializes in data management and protection, having an unaltered copy of your data means there is no need to pay a ransom. Instead, you can reestablish operations from a non-infected, immutable copy of their data.
Imagine for a moment if ransoms were never paid to cyber criminals, data was easily restored, and operations were brought back online in minutes or hours rather than weeks, months or worse yet, never. Where’s the incentive for cybercriminals, other than accessing and stealing information itself (which has been occurring well before the age of computers)?
Perhaps in the future ransoms will rarely, or better yet, never be paid. For this to occur, organizations will need to become more confident their data is truly protected. They will also need to develop a detailed plan to address how to bring their operations back online when a ransomware event occurs. Only then will we see a decrease in data extortion events and more importantly, a reduction in data theft.
There are organizations that exist to help companies develop a plan to proactively detect, act and quickly respond to these expensive and disastrous events. Solutions are available today that address how to reach that utopian self-assuredness so you can — yes— really keep calm and carry on.