Andrés Rodríguez is founder and CTO of Nasuni.
We live in the age of ransomware. This persistent threat remains a top priority for CEOs, their boards, CIOs, CISOs, and everyone on the front lines of IT. However, we still get a lot wrong about ransomware and why it is devastating to businesses.
Information security focuses its efforts around three pillars: prevention, detection and recovery. With ransomware, the first two get much more attention than the third. This flawed approach is the result of a lack of understanding of how ransomware actually works. This article will explain how ransomware works at the file system level, how this affects ransomware recovery, and why paying the ransom is not a viable option.
Prevention is not enough.
The common misconception about ransomware is that it compromises organizations at the software level, somehow bypassing file storage system security controls. The genius of ransomware is that it takes advantage of normal file storage and access operating procedures. The ransomware starts out as a social hack, bypassing normal safeguards through impersonation.
Typically, when an employee wants to access a file, they first gain authorization through systems like Active Directory (AD). With the proper permissions, AD allows access through the file server and the employee gets to work. Hacking AD is possible, but it’s much more difficult than tricking one of thousands of employees into clicking on a link or image. If AD is the impregnable fortress, the end users have the keys to the door.
So the ransomware targets people. An end user clicks the wrong link, and the malware compromises that person’s computer, posing as that person and potentially other employees with broader permissions.
File systems are designed to allow users with permissions and authority to make changes to files. So when the malware impersonates an end user with high-level permissions, the file server naturally assumes the malware is that user and allows changes, including encryption. Everything that is in place to protect against infiltrations, the prevention part of security, becomes useless or ineffective. The system thinks it is working normally. By assuming the identity of the user, the ransomware is AD authorized and can move through the file system, encrypting additional files and folders.
While it used to be easy to spot the anomalous rewrite pattern of a ransomware attack, hackers are getting more sophisticated. They are making the software behave more like regular users. Therefore, prevention, like any pure defensive strategy, can never be enough.
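The "anomalous rewrite pattern" mentioned above is still the most useful detection signal a file-server audit log offers: a person editing documents touches a few files a minute, while an encryption sweep rewrites or renames hundreds. The script below is an added example written for this article, not code from the author or from Nasuni; the audit-log format, user names, paths, the 60-second window and the five-file threshold are all constructed for illustration.

```python
"""Flag ransomware-like rewrite bursts in a file-server audit log.

Added example (not from the article). The log format, users, paths and
thresholds are constructed; tune WINDOW and MAX_FILES to your own baseline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # constructed: sliding look-back window
MAX_FILES = 5                    # constructed: distinct paths a normal user touches per window

# Constructed sample log: "<ISO timestamp> <user> <op> <path> [-> <newpath>]".
# alice and bob behave like people; carol's session is an encryption sweep.
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice WRITE  /share/finance/q1.xlsx
2024-03-01T09:04:12 alice WRITE  /share/finance/q1.xlsx
2024-03-01T09:10:40 bob   WRITE  /share/eng/design.docx
2024-03-01T09:12:00 bob   READ   /share/eng/spec.pdf
2024-03-01T09:15:00 carol WRITE  /share/hr/policy.docx
2024-03-01T09:15:00 carol RENAME /share/hr/policy.docx -> /share/hr/policy.docx.locked
2024-03-01T09:15:01 carol WRITE  /share/hr/handbook.pdf
2024-03-01T09:15:01 carol RENAME /share/hr/handbook.pdf -> /share/hr/handbook.pdf.locked
2024-03-01T09:15:02 carol WRITE  /share/hr/payroll.xlsx
2024-03-01T09:15:02 carol RENAME /share/hr/payroll.xlsx -> /share/hr/payroll.xlsx.locked
2024-03-01T09:15:03 carol WRITE  /share/hr/org-chart.pptx
"""


def parse_line(line):
    """Return (timestamp, user, op, path) for one constructed audit line.

    For RENAME events the destination path is used, because that is where the
    rewritten content now lives.
    """
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    user, op = parts[1], parts[2]
    path = parts[-1] if op == "RENAME" else parts[3]
    return ts, user, op, path


def find_rewrite_bursts(log_text, window=WINDOW, max_files=MAX_FILES):
    """Return a list of (user, timestamp, distinct_files) alerts.

    An alert fires the first time a user's WRITE/RENAME events touch more than
    `max_files` distinct paths inside the sliding `window`. Reads are ignored:
    ransomware has to write to do damage, so writes are the signal.
    """
    recent = defaultdict(deque)   # user -> deque of (ts, path), oldest first
    alerted = set()
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, op, path = parse_line(line)
        if op not in ("WRITE", "RENAME"):
            continue
        q = recent[user]
        q.append((ts, path))
        while q and ts - q[0][0] > window:      # drop events outside the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > max_files and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts, len(distinct)))
    return alerts


if __name__ == "__main__":
    for user, ts, n in find_rewrite_bursts(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} user={user} rewrote {n} distinct paths in {WINDOW}")
```

Because the impersonated account is fully authorized, the file server itself raises no error; the only thing that distinguishes carol's session from a legitimate one is its rate and shape, which is why this check runs on the audit trail rather than on permissions. Attackers who throttle their rewrites to look like a normal user will slip under a rate threshold, which is the article's point that detection alone cannot be the whole strategy.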
Ransomware does not destroy, extract, or leak data.
Hackers do not alter the file server’s code or trick it into deleting volumes or files. Ransomware keeps everything in its place. This is what makes it so efficient. No data leaves the organization; if it did, most companies have tools that would detect the leak early and stop the attack before much damage was done.
With ransomware, files are locked and made inaccessible within your security perimeter. The equivalent of the Hollywood heist would be a gang of thieves changing the code on a bank safe, rendering the valuables inside inaccessible, only offering to provide the combination for a fee. The money is still in the bank. The data is still on the file server. You just need a way to get it back that’s convenient and doesn’t take forever.
Trying to crack the ransomware encryption is foolish. However, if you can recover the versions of your files stored just before they were encrypted, and do so quickly (within minutes or hours, not days or weeks), then it should be possible to remove the effects of the attack from systems. Fast recovery is the most important offensive weapon against ransomware.
Paying the ransom is a risky option at best.
Most organizations understand that paying the ransom does not guarantee file recovery. Decryption keys provided by hackers may not work. However, there are additional issues to consider. Are you and your organization behaving legally by engaging with criminals? By paying hackers, you would be encouraging the behavior and effectively funding future attacks. Are you then complicit in these future schemes? Even setting aside the legal ramifications, the potential damage to your personal and company brand is just as powerful. No one wants “finance a global criminal organization” as part of their company values.
Quick recovery turns ransomware from a threat to a nuisance.
As explained above, ransomware does not destroy or steal data. It makes recovery so long and cumbersome that organizations see no alternative and cooperate with criminals. Companies can protect themselves by storing older versions of files in additional locations or in the cloud. IT can then restore the versions saved before encryption.
This works very well in theory, but in practice these restores can take days or weeks. Many solutions require massive rollbacks of the entire file system, which means that unaffected files or new changes are lost. Potential business interruption may be more damaging than paying the ransom. This is the chink in the armor that the ransomware is targeting.
The good news is that it is possible to quickly recover from an attack without paying a ransom. A more efficient approach is to focus protection at the file system level and store unlimited, immutable versions of each file in cloud object storage. This allows you to surgically restore only those files and folders that were encrypted. This significantly speeds up recoveries because there is no need to move files. The file system simply redirects and points to those “clean” unencrypted versions in the cloud.
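To make the surgical-restore idea concrete, the following added example models an append-only version history per file (standing in for immutable object storage), identifies the files whose newest version looks encrypted, and repoints only those files at their last clean version while leaving untouched files and legitimate post-attack edits alone. This is illustration code written for this article, not Nasuni's implementation; the in-memory store, the file names, the attack timestamp and the 7-bit entropy threshold are all constructed.

```python
"""Surgical restore from an immutable per-file version history.

Added example (not from the article or from Nasuni). The store, paths,
timestamps and entropy threshold are constructed for illustration.
"""
import math
from collections import Counter
from datetime import datetime


class VersionStore:
    """Append-only version history per path; nothing is ever overwritten."""

    def __init__(self):
        self._versions = {}   # path -> list of (timestamp, content), oldest first

    def put(self, path, ts, content):
        self._versions.setdefault(path, []).append((ts, bytes(content)))

    def latest(self, path):
        return self._versions[path][-1]

    def latest_before(self, path, cutoff):
        """Newest version written strictly before `cutoff`, or None."""
        older = [v for v in self._versions[path] if v[0] < cutoff]
        return older[-1] if older else None

    def paths(self):
        return list(self._versions)


def shannon_entropy(data):
    """Bits per byte; plain text sits well below 7, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_affected(store, attack_start, entropy_threshold=7.0):
    """Paths whose newest version was written after attack_start and looks encrypted."""
    return [p for p in store.paths()
            if store.latest(p)[0] >= attack_start
            and shannon_entropy(store.latest(p)[1]) >= entropy_threshold]


def surgical_restore(store, attack_start, now):
    """Repoint only the affected paths at their last clean version.

    Returns {path: timestamp_of_version_restored}. Files not affected, and
    clean edits made after the attack started, are left exactly as they are.
    """
    restored = {}
    for path in find_affected(store, attack_start):
        clean = store.latest_before(path, attack_start)
        if clean is None:          # file never existed before the attack
            continue
        store.put(path, now, clean[1])   # new head version = the clean content
        restored[path] = clean[0]
    return restored


# Constructed scenario: attack begins 10:00; two files are encrypted at 10:01,
# a third is edited legitimately at 10:05 and must survive the restore.
ATTACK_START = datetime(2024, 3, 1, 10, 0, 0)
NOW = datetime(2024, 3, 1, 10, 30, 0)
CIPHERTEXT = bytes(range(256))   # constructed stand-in for encrypted content (entropy 8.0)


def build_sample_store():
    store = VersionStore()
    store.put("/share/finance/q1.xlsx", datetime(2024, 3, 1, 9, 0), b"Q1 revenue: up 4% on plan")
    store.put("/share/hr/policy.docx", datetime(2024, 3, 1, 9, 30), b"Leave policy, revision 3")
    store.put("/share/eng/notes.txt", datetime(2024, 3, 1, 9, 45), b"sprint notes, draft")
    store.put("/share/finance/q1.xlsx", datetime(2024, 3, 1, 10, 1), CIPHERTEXT)
    store.put("/share/hr/policy.docx", datetime(2024, 3, 1, 10, 1), CIPHERTEXT)
    store.put("/share/eng/notes.txt", datetime(2024, 3, 1, 10, 5), b"sprint notes, final")
    return store


if __name__ == "__main__":
    s = build_sample_store()
    for path, version_ts in surgical_restore(s, ATTACK_START, NOW).items():
        print(f"restored {path} to version from {version_ts.isoformat()}")
```

Two design points matter here. First, the restore never deletes the encrypted versions; it adds a new head version, so the attack's artifacts remain available for forensics and the history stays immutable. Second, the entropy heuristic is only a triage aid: already-compressed formats (archives, images, media) have high entropy when perfectly healthy, so a production system would combine it with the rewrite-burst timeline and with the file's prior entropy rather than trusting a single threshold.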
If a modern solution like this exists, why are so many organizations still vulnerable? One word: inertia. The traditional way of protecting files relies on backups, which tend to be unreliable and slow to restore, especially if many files are affected or, worse yet, file servers in many locations. However, organizations stick to the traditional backup model because it’s what they’ve always done. It’s what they know.
In the age of ransomware, the old ways of protecting files no longer apply. A new threat demands a modern solution.