Know Your Ransomware Enemy: Getting Inside a Hacker’s Head


Cybersecurity threats are on the rise, with industry experts predicting that 2022 will see the dawn of a “golden era of ransomware”. Last year, 61% of businesses were affected by ransomware attacks. Yet with the rise of the ransomware-as-a-service (RaaS) model and politically motivated attacks, ransomware will only increase in volume and severity.

Faced with the reality that it is no longer a question of if, but when attackers strike, IT teams face a critical task. Since reliance on cyber defense capabilities alone will not be enough to protect the organization, cybersecurity protocols must now include recovery as a priority, so that when the inevitable happens, the business can resume operations with minimal downtime and data loss.

Knowledge is power

As threat actors continue to refine and evolve their practices, finding new and innovative ways to wreak havoc, understanding the mind of the hacker is crucial to combating this danger.

In The Art of War, Sun Tzu states that “knowing your enemy” is the key to being properly prepared and ready for the attacks to come. With ransomware being a worst-case scenario, IT teams need to ensure they can get data and operations back online as quickly as possible.

Understanding the main stages of a ransomware attack is key to ensuring the right recovery options are in place to quickly get systems back online and with the most up-to-date “clean” replica of data.

Step 1: The calm before the storm

The first stage of a ransomware attack is initiated in different ways. These include targeting users via phishing emails and malicious websites, exploiting weaknesses in Remote Desktop Protocol (RDP) connections, or attacking software vulnerabilities directly. The stealthy nature of these approaches means they fly under the radar – no one sees them coming.

After infiltrating a system, ransomware can remain dormant and undetected for weeks or months. Meanwhile, it can move laterally through other systems, accessing as much data as possible along the way. This has important implications for organizations that don’t know when their last “good” backup was made.

The moment an attacker activates or executes the ransomware attack remotely, it will become a race against time to ensure mitigation and recovery efforts kick in.

Step 2: The Storm

Once an attack is activated, corporate systems and data are at risk. Different ransomware variants use different encryption methods, ranging from encrypting the master boot record to encrypting individual files or entire virtual machines. This leaves the organization with hard choices: pay the ransom and put the organization at further risk, or refuse to pay and try to recover without prolonged downtime and staggering revenue loss.

Without an effective and fast data recovery method, the cost, time and effort required to bring systems back online can be prohibitive. Last year, the total cost of recovery from a ransomware attack reached $1.85 million, 10 times the average ransomware payout, with organizations typically experiencing an average of 21 days of downtime after an attack. Among the organizations that paid a ransom to their attackers, only 8% managed to recover all of their data.

Recovery is resilience

Ransomware attackers are counting on the fact that legacy security thinking, where the focus is solely on prevention, means the organizations they target won’t have modern backup and recovery solutions.

For data to be truly protected, it must be fully recoverable within minutes. Using continuous data protection (CDP) will give IT teams the always-on replication and logging technology that can restore entire sites and applications at scale and with the least amount of data loss.

To improve overall business resiliency, IT teams today must be able to effortlessly create multiple copies both locally and remotely. Testing data in an isolated environment is essential for a risk-free recovery. Organizations need a sandbox environment where they can test for malware before recovery. They also need to take advantage of options like immutable copies of data that can’t be encrypted or corrupted so they can confidently recover with just a few clicks, up to a point seconds before an attack.

The current threat landscape is such that a ransomware recovery plan is now a must for any organization looking to minimize the impact of an attack. Unfortunately, when cybercriminals are successful, many businesses have no choice but to pay the ransom. Yet, by ensuring that corporate data is protected and quickly recoverable with CDP, IT teams will be able to select a checkpoint of their choice and resume business as usual within minutes.
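The checkpoint selection described above, combined with the sandbox test before recovery, can be sketched in code. This is an added example, not from the original article or any CDP product: the journal, file contents, indicator names and entropy threshold are all constructed for illustration, and the point it demonstrates is the one made earlier about dormancy, that the last "good" checkpoint must predate the dormant-stage artifacts, not only the encryption.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

# Constructed thresholds and indicators for this example only (no real product or sample).
ENTROPY_THRESHOLD = 7.5                       # bits per byte; ciphertext approaches 8.0
RANSOM_EXTENSIONS = (".locked", ".enc")       # placeholder extensions
KNOWN_BAD_FILES = {"loader_stage.bin", "HOW_TO_DECRYPT.txt"}  # constructed IoCs


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ordinary documents score well below ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes) -> bool:
    return name.endswith(RANSOM_EXTENSIONS) or shannon_entropy(data) > ENTROPY_THRESHOLD


def checkpoint_is_clean(files: dict) -> bool:
    """Sandbox-style check run on a checkpoint before it is promoted to recovery.
    Fails on a dormant-stage indicator even when nothing is encrypted yet."""
    if KNOWN_BAD_FILES.intersection(files):
        return False
    return not any(looks_encrypted(name, data) for name, data in files.items())


def latest_clean_checkpoint(journal):
    """journal: [(timestamp, {filename: bytes}), ...] oldest first.
    Returns (newest clean checkpoint before the first tainted one, first tainted time)."""
    best, first_bad = None, None
    for ts, files in journal:
        if not checkpoint_is_clean(files):
            if first_bad is None:
                first_bad = ts
        elif first_bad is None:
            best = ts
    return best, first_bad


def build_sample_journal():
    """Constructed CDP journal: two clean points, a dormant dropper, then encryption."""
    t0 = datetime(2022, 3, 1, 9, 0)
    docs = {"report.docx": b"quarterly numbers", "notes.txt": b"meeting notes"}
    ciphertext = bytes(range(256))            # stand-in for encrypted content (entropy 8.0)
    return [
        (t0, dict(docs)),
        (t0 + timedelta(seconds=30), dict(docs)),
        (t0 + timedelta(seconds=60), {**docs, "loader_stage.bin": b"MZ"}),   # dormant stage
        (t0 + timedelta(seconds=90), {"report.docx.locked": ciphertext, "HOW_TO_DECRYPT.txt": b"pay"}),
    ]


if __name__ == "__main__":
    best, first_bad = latest_clean_checkpoint(build_sample_journal())
    print(f"recover from {best}; data loss window ends at {first_bad}")
```

The interval between the returned checkpoint and the first tainted one is the data-loss window the recovery plan has to accept; a real deployment would replace the constructed indicators with its scanner's verdicts.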

