Responding to Ransomware with DataTrust Solutions
By: Jay Barrett – President and CEO of DataTrust
Responding to ransomware attacks requires advance planning and a methodology for recovering lost data. Ransomware is one of the most common ways cybercriminals make a profit. It is a type of malware in which a bad actor compromises a computer system, encrypts its data with strong encryption, and demands payment in exchange for the decryption key. Usually the malware does not prevent the computer from being used, but it effectively renders all the information on it inaccessible.
System Security Solutions are Crucial for Responding to Ransomware
A bad actor must penetrate the organization’s network and system security to be effective. Here we are speaking strictly about ransomware at the system level. We will assume that complex administrator passwords and Active Directory administration best practices have been implemented and that the system is up to date with patches. A bad actor can gain control of a system through phishing, social engineering, or exploiting vulnerabilities. Education and diligence are critical to avoid giving the “exploiter” free access to the network and systems.
Do You Have a Vulnerable System?
Testing for access vulnerabilities such as SQL injection, session hijacking, and cross-site scripting is the responsibility of the system provider and should be table stakes for being in the market. Security tools for static, dynamic, and penetration testing are readily available. Has the system or storage been tested against the Common Vulnerabilities and Exposures (CVE) entries published in the National Vulnerability Database? Historically, security requirements have taken a back seat to the usual speeds/feeds, IOPS, and scalability metrics. Unfortunately, when none of your data is available, those metrics do not matter.
How To Protect Data Beyond Backups
Many IT professionals have been led to believe that backing up your data is adequate protection against ransomware: simply find the last backup taken before your data was encrypted, restore it, and the problem is solved. Unfortunately, if the system has been zeroed out, the policy information is lost, or the attacker has destroyed too much of the configuration, all of that has to be recreated before the data can be restored and used.
Typically, this means the vendor’s support organization must provide a fresh software install. Then the system administrator must go through the operations documents to find the configuration, settings, ports in use, and firewall rules needed to recreate the system. Only then can the restore from backup begin, and the system is not usable until that restore is complete, which could take days or weeks for systems holding billions of files. The second challenge with relying on backups alone is that most systems are backed up only nightly, so up to 24 hours of data could be lost.
DataTrust Will Protect You from Ransomware
At DataTrust Solutions, we do not believe in silver bullets; rather, we believe that security is a layered process. Our data management application, Secure Archive Manager, was developed with a security strategy front and center. As a preventative measure, all external and internal communication is encrypted, and data in flight and at rest can be encrypted. Responding to ransomware is secondary to preparedness and planning. We conduct extensive cybersecurity tests and stay up to date with the National Vulnerability Database, and we have external third-party security experts test our system and provide recommendations.
Like other vendors, our system can be backed up and restored. We also back up everything required to automatically restore the system to its previous operating condition, including all configuration information, policy settings, and ACLs/permissions. If the system had to be zeroed out and restored from scratch, the process is very fast because Secure Archive Manager uses a virtual file system (a filter driver plus a database) rather than the host operating system’s file system. To restore our virtual file system, we import a backup of the database, which is very fast.
However, recovery from a backup may not be necessary. Secure Archive Manager provides file versioning. This means that when ransomware encrypts a file it does not encrypt the original; it instead creates a new, encrypted version of the file. With a support call to DTS, we can simply go into the database and remove all of the newly created encrypted versions.
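As an added illustration (not Secure Archive Manager’s code), here is a minimal Python model of the versioning behaviour described above: every write becomes a new immutable version, an encrypting rewrite shows up as an entropy jump between versions, and recovery discards the versions written after the last known-good point. The toy store, the sample files and the 7.0 bits/byte threshold are assumptions made for the example.

```python
import math
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class VersionedStore:
    """Illustrative versioned store: path -> [(seq, bytes)], never overwritten in place."""
    files: dict = field(default_factory=dict)
    seq: int = 0
    def write(self, path: str, data: bytes) -> int:
        """Append a new version; the previous version stays intact."""
        self.seq += 1
        self.files.setdefault(path, []).append((self.seq, data))
        return self.seq
    def read(self, path: str) -> bytes:
        return self.files[path][-1][1]
    def rollback_after(self, last_good_seq: int) -> int:
        """Drop every version written after last_good_seq; returns how many."""
        removed = 0
        for path, versions in self.files.items():
            kept = [v for v in versions if v[0] <= last_good_seq]
            removed += len(versions) - len(kept)
            self.files[path] = kept
        return removed

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext approaches 8.0."""
    probs = [c / len(data) for c in Counter(data).values()]
    return -sum(p * math.log2(p) for p in probs)

def suspect_versions(store: VersionedStore, threshold: float = 7.0) -> list:
    """(path, seq) of versions whose entropy jumped from below to above threshold.
    The 7.0 bits/byte threshold is an assumed heuristic, not a product setting."""
    hits = []
    for path, versions in store.files.items():
        for (_, prev), (seq, cur) in zip(versions, versions[1:]):
            if entropy(prev) < threshold <= entropy(cur):
                hits.append((path, seq))
    return hits

def demo() -> tuple:
    """Constructed scenario: two plaintext files, then an encrypting rewrite."""
    store = VersionedStore()
    store.write("report.txt", b"quarterly report " * 16)
    last_good = store.write("notes.txt", b"meeting notes " * 16)
    store.write("report.txt", bytes(range(256)))  # constructed stand-in for ciphertext
    hits = suspect_versions(store)
    removed = store.rollback_after(last_good)
    return hits, removed, store.read("report.txt")
```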