How ransomware is creating a data backup explosion

While the WannaCry ransomware and Petya – a wiper disguised as ransomware – are two of the most recent headline-grabbers in the security world,  the truth is that we’ve been seeing this type of attack become more common over the past few years. Because data is the new oil in the digital economy, ransomware attacks that restrict access to important data until the attacker is paid are becoming increasingly common and creating a series of after-effects that will ripple out for some time. As these attacks become more common, everyone will need to better understand the types of ransomware, how they work, and what their broader effects will be on the IT and IT security industries. 

Lockers and encryptors: how they work

There are two types of ransomware currently in circulation; lockers and encryptors. Lockers do not actually encrypt the victim’s files, but rather lock them out of their operating system, making it impossible to access their desktop, apps or files. In this case, the ransom unlocks the infected computer. Some locker versions infect the Master Boot Record (MBR). The MBR is the section of a PC’s hard drive that enables the operating system to boot up. When MBR ransomware strikes, the boot process can’t complete as usual and prompts a ransom note to be displayed on the screen. Recent locker examples included the “police-themed” ransomware and Winlocker.

The other type, Encryptors, are based on advanced encryption algorithms and are designed to block a user’s files and demand payment to provide the victim with the needed decryption key. Encryptors focus on .doc .excl. .ppt. files and can also encrypt pictures and music. It can scramble your file names, so you can’t know which data was affected. This is one of the social engineering tricks used to confuse and coerce victims into paying the ransom. It will add a different extension to the files, sometimes signaling the specific ransomware strain;

Some recent examples of this include Cryptolocker, Locky and CrtyptoWall.

Back it up

The most obvious solution is to make multiple backup copies of data in many locations that are delay synced, and the simplest way to do this is in the cloud. Because of these attacks, there is going to be a significant increase in the need for delayed-sync backup solutions. The result will be more data, stored in more locations, unfortunately creating an even larger attack surface that enterprises to need to protect.

One way they’ll tackle this is through…encryption. If data is already encrypted, a ransomware encryptor is unable to locate, identify and encrypt the target file types. This provides an element of protection towards some ransomware vectors but is not a blanket solution. It does not, for instance, protect against lockers, since they do their work at the OS-layer.

The rush to back up will place pressure on administrators to ensure clear ownership and control of the backup data. Access to all of this data will need to be tightly regulated, creating a new challenge involving the authentication of user identities.

Ultimately, in locking so many people out of their data, the ransomware scourge just gave us a lot more data to protect. More of our focus now needs to be placed on on understanding what constitutes sensitive data and setting parameters for defining it. After that, we can discuss the questions around who has access to it, where is it and how do you protect it.