How to Stop Cyber Extortion with Datto Ransomware Protection
All it took was one click. During an otherwise normal afternoon in 2016, an employee at a New Jersey beverage distributor opened an email, and the company’s recently installed Datto ransomware protection solution got its first major test.
The email was a phishing scam. Cleverly disguised as a legitimate message, the email contained links to a website embedded with malicious code. When the employee clicked on it, he inadvertently exposed the company’s computer systems to a nasty strain of ransomware.
The impact was felt immediately. The ransomware encrypted all of the company’s shared resources, including important financial files. It also locked them out of the back-office application that runs their operation. The business was dead in the water.
As the exclusive U.S. bottler for a popular soda sold in 32 states, the distributor faced a huge problem. They couldn’t access their inventory, accounts payable information or order records. Their entire operation, from the back office to the warehouse, was at a standstill.
Thankfully, the company was already using a Datto SIRIS to back up its data. And since SIRIS takes snapshots of the distributor’s data every 15 minutes, all they had to do was choose a recovery point from before the infection occurred. The distributor worked with its IT provider to identify the exact time of the attack, then rolled back to the clean data.
The recovery took only a matter of minutes. Within an hour, the distributor was back up and running again, like nothing had happened.
This is just one example of how Datto ransomware protection—built right into its data backup devices—is literally saving companies from one of the worst forms of malware today.
Why is Ransomware So Awful?
Ransomware is a form of malware that holds your data hostage.
After infecting your machine, ransomware works quickly to encrypt files and spread across your network. A message typically alerts users that the data has been locked, and it provides instructions for how to get it back—for a price (usually a Bitcoin transfer).
Cybercriminals use ransomware as a means to extort money from their victims, which include both everyday consumers and commercial businesses. Sometimes the attacks are random, sometimes they are targeted. Hackers are increasingly going after businesses—hospitals, schools, government agencies, and small to large companies—with the hope of extorting larger payouts.
And unfortunately it works. Today, data is the lifeblood of many businesses. Vulnerable companies are often willing to pay the ransom, believing it’s the only way to get their valuable data back.
But paying the ransom doesn’t guarantee you’ll receive the decryption keys that were promised. Some hackers are perfectly content with locking up your data, taking your money and throwing away the key.
How Your Systems Can Get Infected
Chances are you’ve already seen signs of ransomware right under your nose.
A recent IBM study found that 40 percent of all spam email now contains malicious links or attachments containing ransomware. These are the questionable “invoices,” “payslips,” “receipts,” unknown PDFs and Word docs that you’ve probably seen in your inbox or spam folder.
Many are phishing emails that look like real emails. But increasingly, ransomware is infecting systems by other means. The recent WannaCry and NotPetya ransomware attacks exploited Windows vulnerabilities to take control of computers, quietly spread the malware, and attack companies on a global scale—without a user ever touching a phishing email.
A Multi-Layered Approach to Preventing Ransomware
Once your data is encrypted, you don’t have many options. You can pay the ransom and cross your fingers. Or, if you’ve been backing up your data like you should be, you can roll back to a recovery point before the attack happened. Poof! Data restored, ransomware gone, back in business.
But combating ransomware should actually begin long before you’ve been infected. Three crucial measures for preventing an attack from disrupting your operations are education, anti-malware software and network access controls.
Here’s what each should look like at your organization:
- Education
Since most ransomware attacks still arise out of malicious emails, it’s important to train employees on safe Internet usage. First, they should understand the seriousness of the risks as well as you do: one seemingly harmless click could actually cripple the entire business. But also, they should be taught what to look for: how to spot a phishing email, when to trust an unknown sender, which websites and links to avoid. By educating your workforce on the dangers of malware, you can significantly reduce the chances of a successful attack.
- Anti-Malware Software
Anti-malware and anti-virus software remain a crucial line of defense against ransomware. Many ransomware variants use known forms of malware to infect computer systems. As long as you’re using a good anti-malware solution that is being updated regularly, you’ll be able to fend off a lot of potential attacks. Keep in mind, however, that not all forms of ransomware are detected by anti-malware.
- Network Access Controls
The spread of a ransomware infection is often limited by the user’s folder access. In other words, if a user only has access to a few essential folders, rather than entire directories, then the ransomware can only go so far. This is why it’s a good idea to use access controls and network share permissions to limit each user to only the folders they absolutely need. By doing this across the organization, you can greatly reduce the scale of an attack when a machine has been infected.
Even the most aggressive preventative measures won’t guarantee you’ll be able to avoid an attack. This is why it’s critical to have a dependable system for business continuity and disaster recovery (BCDR).
Get Your Data Back with Datto Ransomware Protection
According to Datto, 96% of ransomware victims lose access to their data for more than a day. That’s simply not acceptable. For companies whose data is essential to their operations, this level of downtime can devastate the business.
Datto’s suite of data-protection technologies ensures that you can always get your files back after a ransomware attack. With the ability to restore all your data from almost any point in time—minutes ago or years ago—and even virtualize your entire infrastructure locally or in the Datto Cloud in as little as 6 seconds, you can forget about the risk of downtime.
Datto’s backup appliances have been helping businesses recover from ransomware attacks and other disasters for years. But in 2016, the company introduced a new layer to its Datto ransomware protection that goes even further to stop an attack in its tracks.
Automatic Ransomware Detection
Datto BCDR solutions now feature built-in ransomware detection, so that infections are identified and resolved at the earliest signs of an attack.
Here’s how it works:
- Datto’s devices detect and identify a ransomware attack automatically, even if users haven’t yet received the attacker’s ominous “YOUR FILES ARE ENCRYPTED” message on their screens.
- The administrators are notified immediately, enabling them to see exactly when and where the attack has been detected, and are directed to roll back to healthy data ASAP.
Remember, restoring a backup has always been an effective solution for resolving a ransomware attack. So, how much of a difference does it make if the backup system can also detect the infection? A lot.
By identifying an attack at the onset, Datto curbs the attack, shortens downtime and reduces the business impact. This ultimately saves money and allows the company to continue operating without flinching.
How Does the Detection Work?
Datto has programmed its systems to look for irregular patterns that wouldn’t ordinarily be caused by a user or application. It does this by keeping an eye out for changes in specific file types.
Here are some example actions that, if performed rapidly and simultaneously, would raise a red flag to the Datto device:
- File content is being rapidly overwritten by random data
- Only the file types commonly targeted by ransomware are being overwritten
- The original “modified” time stamps are being preserved, even though the file content is being overwritten
Upon detecting this behavior, the Datto device would alert the administrator of a likely ransomware infection.
Is it possible that these actions could be caused by a benign user or application? Sure, false positives can happen, though they’re pretty rare. Datto says it’s fine-tuning its algorithm to further reduce the chances of a false alarm.
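The three signals above, and the rollback to the last clean 15-minute snapshot described in the opening story, can be modelled in a few dozen lines. The following is an added example and not Datto’s code or a description of its actual algorithm: it walks a constructed series of backup snapshots, flags files whose change matches all three signals (random-looking content, a commonly targeted file type, and a preserved “modified” time stamp), alerts once enough files match at once, and names the preceding snapshot as the recovery point. The entropy threshold, the minimum file count, the extension list, the paths and all sample content are assumptions made for the example.

```python
"""Ransomware-behaviour check over backup snapshot diffs (added example).

Not Datto's code: it models the three signals the article lists (rapid
overwrite with random-looking data, only commonly targeted file types hit,
"modified" timestamps preserved despite new content) on a constructed
snapshot series, then names the last clean snapshot as the recovery point.
Thresholds, the extension list and all sample data are assumptions.
"""
import hashlib
import math
import os
from collections import Counter
from dataclasses import dataclass

TARGETED_EXTS = {".docx", ".xlsx", ".pdf", ".qbw"}  # assumed list for the example
ENTROPY_THRESHOLD = 7.5   # bits/byte; encrypted or random data sits near 8.0
MIN_SUSPICIOUS_FILES = 3  # files that must match together before alerting


@dataclass(frozen=True)
class FileState:
    content: bytes
    mtime: int  # "modified" time (seconds since epoch) as stored in the snapshot


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; office documents sit well below 7.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_changes(prev: dict, curr: dict) -> list:
    """Paths whose change between two snapshots matches all three signals."""
    flagged = []
    for path, new in curr.items():
        old = prev.get(path)
        if old is None or old.content == new.content:
            continue  # new or unchanged file: not an overwrite
        if os.path.splitext(path.lower())[1] not in TARGETED_EXTS:
            continue  # signal 2: only commonly targeted types count
        if shannon_entropy(new.content) < ENTROPY_THRESHOLD:
            continue  # signal 1: content must look random/encrypted
        if new.mtime != old.mtime:
            continue  # signal 3: a real edit updates mtime; here it was preserved
        flagged.append(path)
    return sorted(flagged)


def detect(snapshots: list) -> dict:
    """Walk consecutive snapshots; on the first alert, report the infected
    snapshot and the last clean one to roll back to."""
    for i in range(1, len(snapshots)):
        hits = suspicious_changes(snapshots[i - 1], snapshots[i])
        if len(hits) >= MIN_SUSPICIOUS_FILES:
            return {"alert": True, "infected_snapshot": i,
                    "recovery_point": i - 1, "files": hits}
    return {"alert": False}


def random_looking(seed: str, n: int = 2048) -> bytes:
    """Deterministic stand-in for encrypted content (SHA-256 chain)."""
    out, block = bytearray(), seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


T0 = 1_469_000_000  # constructed baseline timestamp
PLAINTEXT = b"Invoice 2016-07: 40 cases cola, net 30 days.\n" * 40


def make_snapshots() -> list:
    """Constructed 15-minute series: clean, a normal workday, then infected."""
    base = {
        "finance/ap_2016.xlsx": FileState(PLAINTEXT, T0),
        "finance/orders.docx": FileState(PLAINTEXT, T0),
        "finance/books.qbw": FileState(PLAINTEXT, T0),
        "warehouse/inventory.pdf": FileState(PLAINTEXT, T0),
        "app/cache.bin": FileState(random_looking("cache-v1"), T0),
    }
    # Snapshot 1: a user edits one spreadsheet and an app rewrites its binary
    # cache. Both update mtime; the cache is high-entropy but not a targeted type.
    edited = dict(base)
    edited["finance/ap_2016.xlsx"] = FileState(PLAINTEXT + b"Paid 2016-07-14\n", T0 + 600)
    edited["app/cache.bin"] = FileState(random_looking("cache-v2"), T0 + 700)
    # Snapshot 2: every targeted document is now random-looking, mtime untouched.
    infected = dict(edited)
    for path, state in edited.items():
        if os.path.splitext(path)[1] in TARGETED_EXTS:
            infected[path] = FileState(random_looking(path), state.mtime)
    return [base, edited, infected]


if __name__ == "__main__":
    print(detect(make_snapshots()))
```

The benign changes in the second snapshot (a spreadsheet edit with an updated time stamp, an application cache that is high-entropy but not a document type) are what keep the false-positive rate down: a file has to fail all three checks at once, and several have to do so in the same snapshot interval, before an alert fires. Requiring all signals together is what the article’s “performed rapidly and simultaneously” amounts to in code.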
Sorry, Ransomware isn’t Going Away
Back in June, pharmaceutical giant Merck was one of the many companies hit by the NotPetya ransomware attack. The impact was bigger than many knew at the time. Just last week, the company revealed that, a month later, it still hasn’t fully recovered. The attack disrupted its manufacturing operations worldwide, as well as its research and sales operations.
Cybersecurity company Malwarebytes also just announced new findings that ransomware hit nearly a third of all small-to-medium businesses in the last year. And among those, one in five had to stop operations completely.
Don’t expect these numbers to improve anytime soon. Ransomware is only getting worse, and attacks like NotPetya show that the malware is getting more sophisticated and more destructive. Businesses of all sizes need to be more proactive about implementing sound business continuity strategies and technologies that will protect them from an attack.
For more information on how your company can stay protected from ransomware and other disasters, contact our business continuity experts at Invenio IT. Call us at (646) 395-1170, email [email protected] or request a free Datto demo today.