Jul 29 2022
Security

Protecting Your Data Before a Ransomware Attack

Cybercriminals continue to target colleges and universities, making resilient backups and robust prevention and detection must-haves.

A new survey by the cybersecurity firm Sophos shows that ransomware attacks on higher education institutions are once again on the rise, and that victims of cybercrime were less likely to fully recover their data after an attack in 2021 than the year before.

The information, detailed in a report titled “The State of Ransomware in Education in 2022,” bears out a recent trend showing the education sector — both higher ed and K–12 — is among the fastest-growing segments targeted by cyberthieves. A total of 730 institutions (410 in higher ed) responded to the survey, and 60 percent (64 percent in higher ed) reported they were hit with ransomware in 2021, a significant bump from the year prior (44 percent).

And while nearly every college and university surveyed was able to restore some of the data that was stolen, just 61 percent of the total data stolen was recovered even after paying ransom, something the FBI recommends against.


Ensure Data Recovery with Resilient, Monitored Backups

Restoring all encrypted data in a ransomware attack is unlikely for a number of reasons, says John Shier, senior security adviser at Sophos, and the simplest reason is likely the most accurate.

“They’re criminals,” he says. “They don’t have to give data back if they don’t want to. And the problem is that, in some cases, they’re unable to decrypt all the files even if they intend to.”

Brian Kelly, director of the cybersecurity program at EDUCAUSE, agrees.

“The short answer is that you’re dealing with cybercriminals, and they either don’t have the best intent or they don’t have the right infrastructure to actually get that data back.”

The best way to ensure that as much data as possible can be recovered in the likely event of a cyberattack is to back up regularly, and monitor and test those backups to ensure they’re working as intended.

“All too often, we see institutions have a backup program in place, and they blindly trust that the backups are happening. And sometimes, they find out that they weren’t happening on the schedule they thought they were,” says Shier.


Common mistakes can include failure to monitor whether files are being corrupted during the backup process, along with backing up files to the same network where cybercriminals launched their initial attack. The reasons these mistakes are made run the gamut, Shier says, but the only way to ensure data is being backed up correctly is to check.

“Having all the telemetry at your fingertips to know when something is wrong is supremely important,” he says. “You need to be able to put some reliable and sensible alerting into your process so that you’re not being alerted at every single little failure. Still, there are certain failures that you want to know about every time they happen, one of those things that you want to raise a red flag in the SOC to say, ‘We need somebody to look at this.’”

Dedicating a single person or a team of people on staff to review backups is a smart idea, Shier says, but part of the solution can and perhaps should also be found through automation.

“A lot of these tasks could possibly be automated, and the only one that requires a human is the one where you actually go for a proactive restore and just double-check that everything is good,” he says. “You can intelligently devote your human resources to the places where machines might be more prone to failure.”
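The checks Shier describes above (re-hashing what actually landed on the backup target, confirming the job ran on schedule, confirming the target does not sit on the network being protected, and paging the SOC only for the failure classes that always matter) can be automated. The script below is an added example, not code from the article, Sophos or any backup product; every job name, network range, file path and file content in it is constructed, and the alert-routing policy is an assumption to be tuned to the institution.

```python
"""Backup verification: trust nothing the job reports, re-check it.

Added example (not from the article or any vendor product). It models the
failure classes the article names: silently corrupted backup files, a job
that did not run on schedule, and a backup target on the same network as
the systems being protected. Every name and value below is constructed.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Finding:
    severity: str  # "critical" always pages the SOC; "warning" goes to a daily digest
    check: str
    detail: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(job, source_files, schedule_hours, source_network,
                   destination_host, completed_at):
    """What the backup job records at completion: one hash per source file."""
    return {
        "job": job,
        "schedule_hours": schedule_hours,
        "source_network": source_network,
        "destination_host": destination_host,
        "completed_at": completed_at,
        "files": {path: sha256_hex(data) for path, data in source_files.items()},
    }


def check_integrity(manifest, backup_copies):
    """Re-hash every copy on the target; missing or altered copies are critical."""
    findings = []
    for path, expected in manifest["files"].items():
        data = backup_copies.get(path)
        if data is None:
            findings.append(Finding("critical", "integrity", f"{path}: missing from backup target"))
        elif sha256_hex(data) != expected:
            findings.append(Finding("critical", "integrity", f"{path}: hash mismatch (corrupted or tampered)"))
    for path in backup_copies:
        if path not in manifest["files"]:
            # Not a recovery risk, so it does not page anyone; it still gets recorded.
            findings.append(Finding("warning", "integrity", f"{path}: present on target but not in manifest"))
    return findings


def check_freshness(manifest, now):
    """A backup older than its schedule means a run was silently skipped."""
    age = now - datetime.fromisoformat(manifest["completed_at"])
    allowed = timedelta(hours=manifest["schedule_hours"])
    if age > allowed:
        return [Finding("critical", "freshness", f"last run {age} ago exceeds {allowed} schedule")]
    return []


def check_isolation(manifest):
    """A target inside the protected network is reachable by the same intruder."""
    host = ipaddress.ip_address(manifest["destination_host"])
    if host in ipaddress.ip_network(manifest["source_network"]):
        return [Finding("critical", "isolation", f"{host} is inside {manifest['source_network']}")]
    return []


def route_alerts(findings):
    """Sensible alerting: page only on the classes that must always be seen."""
    return {
        "page_soc": [f for f in findings if f.severity == "critical"],
        "digest": [f for f in findings if f.severity != "critical"],
    }


def run_demo():
    """Constructed scenario: three source files, one of each failure class."""
    source_files = {
        "shares/registrar/grades.csv": b"student_id,course,grade\n1001,CS101,A\n",
        "shares/hr/payroll.xlsx": b"constructed placeholder payload " * 4,
        "shares/it/runbook.md": b"# Incident runbook\n1. Isolate host\n",
    }
    manifest = build_manifest(
        job="nightly-fileshare", source_files=source_files, schedule_hours=24,
        source_network="10.20.0.0/16", destination_host="10.20.5.9",  # same /16: a finding
        completed_at="2022-07-26T02:10:00+00:00",
    )
    backup_copies = dict(source_files)
    backup_copies["shares/hr/payroll.xlsx"] = b"\x00" * 20  # silently corrupted copy
    del backup_copies["shares/it/runbook.md"]               # never landed on the target
    backup_copies["shares/tmp/~lock.tmp"] = b""             # stray file, digest only
    now = datetime(2022, 7, 28, 9, 0, tzinfo=timezone.utc)   # about 55 hours later
    findings = (check_integrity(manifest, backup_copies)
                + check_freshness(manifest, now)
                + check_isolation(manifest))
    return route_alerts(findings)


if __name__ == "__main__":
    for bucket, items in run_demo().items():
        for f in items:
            print(f"[{bucket}] {f.severity.upper()} {f.check}: {f.detail}")
```

Run this nightly against the real manifest and target, keep the critical list short and stable so the SOC learns to act on every page, and leave the one step that still needs a person, a proactive test restore, as a scheduled human task.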


Prevention and Detection Can Ward Off Attackers Before Data Theft

While having strong backups is essential for recovering stolen data, it’s only part of what experts like Kelly recommend as part of good cyber hygiene. Ransomware attacks are common and can be difficult to spot or prevent, but that does not mean institutions should stop trying to fend attackers off before they can pull off their heists.

“We want to be resilient, we want to be able to recover and bounce back, but that shouldn’t be the primary focus,” says Kelly. “We try to pivot back to raising awareness with our end users. The vector for most of this ransomware is still an email sent to an institution and someone clicking on that email.”

Shier says a good ransomware defense should be three-pronged, including prevention, detection and recovery. While the backups provide data recovery and good cyber hygiene among users promotes prevention, detection can stop a cyberattack before it penetrates too deeply.

“You’re going to want to fully investigate some suspicious signals to make sure that it isn’t an attacker in your network, so that you’re able to stop them,” he says. “It’s that middle group of people that are being attacked, being breached, but not ending up as a full ransomware victim, if you will.”

Endpoint detection and response — including solutions from Bitdefender, Trellix, Palo Alto Networks, Trend Micro and others — is one area Kelly recommends institutions look to alert them as quickly as possible to network intruders.

“It’s anti-virus 2.0,” he says. “The endpoint detection and response solutions will actually detect and respond, so it gives you the opportunity to block those attacks as they’re happening, as they’re being detected on the systems. We’re seeing a move toward more of that adoption in higher ed.”


At the end of the day, a comprehensive solution focused on prevention, detection and recovery is the recommended course for colleges and universities. Both Shier and Kelly say that the pendulum of attention can swing from one area, like prevention, to another, like recovery, but that being able to focus on all three areas simultaneously provides the best protection.

“Let’s just focus on our core competencies in each domain and let’s make sure we do those really well, and then let’s have a plan for when things go wrong,” says Shier. “You’re going to exercise that plan, you’re going to test it, you’re going to make sure that it works as intended. And if it doesn’t, you’re going to tweak and repeat. Knowing who to call, what to do and in what order is paramount because speed is of the essence when it comes to restoring your environment.”
