Interview: Asigra’s Eran Farajun on Ransomware Defense

Eran Farajun is Executive Vice President of Asigra. Asigra is a company that offers backup and recovery, as well as data protection solutions. The nature of ransomware attacks is changing, and to stay afloat, organizations must cultivate the skills to properly defend themselves. With more than 20 years of experience in cloud-based data protection, Farajun provided insight on ransomware defense.

In regards to the incident in Atlanta, Daphne Rackley, the Deputy Chief Information Officer stated that the city had a “cloud strategy” in place, but this clearly wasn’t enough. What could the city of Atlanta have done differently to defend themselves from this attack?

The best and most often-used defense is to ensure there is a reliable and timely backup available to recover from. This, however, is becoming increasingly difficult as many new ransomware strains target backup data. Because this is a relatively new and significant threat, organizations must take extra steps to ensure backup data is clean before conducting a recovery.

Regardless of the backup platform used, there are a number of backup strategies that can be employed to ensure a clean restore. One approach requires that at least three current copies of the company’s mission-critical data are created. These backup sets are typically stored on multiple media formats, such as secondary disk storage or the cloud with at least one of the backup data set stored in an offsite location. Once in place, data policies should be enhanced to include more regular test recoveries to determine the effectiveness, quality, and speed of the recovery.

The cost of implementing a disaster recovery plan seems to deter some organizations from putting a plan in place. What advice would you give to someone with this mindset?

Having a disaster recovery plan in place is critical to ensuring a clean recovery of backup data, regardless of the cause – including malware. Many modern data protection solutions include test recovery capabilities that allow for very cost-effective recovery testing so that organizations can ensure their data will be available should ransomware like SamSam (which was the variant behind the recent Atlanta attack) impact your business.

Preparing for a ransomware attack is daunting; the stakes are high and an attack can occur at any time. Are there any simple or basic recovery strategies that organizations can use as preventative measures?

To avoid Ransomware or other malware variants entering your network(s) in the first place, [Beazley’s 2018 Breach Briefing] revealed a number of actions that organizations should take immediately to protect their IT systems against attacks, including:

• Training employees on the indicators of ransomware and malware, how to identify phishing emails, and how to report suspected incidents;
• Keeping systems up to date, patching as soon as possible, and enabling automated patching for operating systems and browsers;
• Segregating networks based on functionality and the need to access resources, including physical or virtual separation of sensitive information;
• Limiting unnecessary lateral communications within the network;
• Managing the use of privileged accounts [by] implementing the principle of “least privilege;”
• Configuring access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access;
• Hardening network devices with secure configurations, including disabling unnecessary services and remote administration protocols. Always change default passwords, and
• Requiring two-factor authentication for external access to all applications.

How are businesses, (or the market in general), responding to this increase cyber attacks?

With the rise in ransomware, businesses are improving both their preventative strategies as well as their approaches to recovering data quickly in the event of a ransomware attack. As a result, the entities behind such attacks have made headway in seeking out and infecting backup data. This has resulted in a recovery attack-loop that re-introduces time-delayed, undetected ransomware onto the network from the backup data. This has negatively impacted recovery for many organizations as it renders the recovery of encrypted files useless, allowing the malware to re-constitute and re-encrypt the primary data again. Therefore, organizations are now implementing or strengthening the redundancy of their backup strategies as this allows for the proper preventative measure against infected primary and secondary data.

Are businesses gravitating towards a specific type of recovery plan? If so, why?

Yes, the recovery plan typically being employed is one of redundancy and backup data isolation, where select backup sets are provided with air gaps to keep this information from direct attack and successful infiltration by malware.

In the event of a ransomware attack, what are the first steps that organizations typically take to recover? Is there any way to improve upon those steps?

Step number one is to remove impacted computing systems from the network. Next, it is recommended that a copy of the infected disk be copied/mirrored to another hard drive. After this, determine if a healthy system restore point is available and see if you can go back to an unaffected state. If not, access recent backups of your data, re-format your drive(s) and institute a clean reinstall of your OS so that data can be recovered to a clean environment. Should the malware block access to your computer use a Windows unblocker tool, as it can clean up a ransomware infected registry. Finally, there are free ransomware search tools which can remove any existing instances of ransomware as well as ransomware-encrypted files in order to migrate them to another hard drive for safe keeping and monitoring.

As cyber attacks evolve and change, how do you think organizations will adapt in terms of recovery strategies?

Organizations are rapidly evolving their preventative data protection and recovery strategies in response to ransomware. For one, IT security solution vendors are becoming much more proactive in their defense using some of the approaches mentioned in this article. They are also evolving their data recovery infrastructure to better equip themselves for threats in this area. As we progress, backup and recovery software will also evolve with new anti-malware technologies to ensure clean, viable recoveries are available. These new solutions will gain rapid adoption to finally silence ransomware with more resilient solutions for business continuity.