Ransomware continues to dominate the IT landscape, and it is getting smarter. This two-part series explains what vendors will have to do to improve their recovery products, and what customers will need to do to keep up with protection against ransomware. Part one discussed the benefits of offline backup.
Endpoint backup software is the answer to protection against ransomware, data loss and employee downtime. It brings a mobile device or server back to the last backup state, overwriting the encrypted files and removing the ransomware in the process.
Characteristics of a top-notch endpoint backup product include:
- Data encryption for the backup images: malware sometimes wants to read that data!
- Compression of data before moving it to the cloud or backup storage; this speeds up recovery, which is I/O-limited in performance.
- Centrally controlled restoration of data, with the ability to select recovery targets if the attack has been contained to just part of IT.
- The ability to drive the backup frequently, even using any dead time on a device to keep the backup current. This limits the user's pain and protects data almost in real time.
Even with good endpoint backup, we are still shutting the stable door after the horse has bolted when it comes to protection against ransomware. We need ways to detect the attacks as early as possible.
These ransomware detection tools need to be very generic, given the nature of the attack code. In fact, the best detection method is to spot the early results of the attack and respond by shutting down network access for the attacked device, and limiting internal operations on the affected nodes.
Unfortunately, we are mostly talking about future capabilities here. An app running in the background on a mobile device or server can detect if its own data files are corrupted, so the idea of a canary program that triggers a protective response makes sense. Done correctly, this can save most of the attacked data on the spot, since typical ransomware tends to follow a sequence of folder attacks in its initial steps, based mainly on the operating system's file structure.
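The canary idea above, as an added example that is not from the article: a small Python monitor that plants decoy files (names and contents constructed here), records a hash baseline, and flags any canary that disappears, changes, or suddenly looks encrypted. The protective response (cutting the device's network access) is left to the caller.

```python
import hashlib
import math
from pathlib import Path

# Hypothetical canary/honeyfile monitor. Decoy file names are constructed to look
# like ordinary user documents; nothing legitimate should ever write to them.
CANARY_NAMES = ["~$budget_2019.xlsx", "passwords_old.txt", "invoice_draft.docx"]


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the data; encrypted or compressed output sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def plant_canaries(root: Path) -> dict:
    """Create the decoy files under root and return {path: sha256} as the baseline."""
    root.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in CANARY_NAMES:
        path = root / name
        # Low-entropy, plausible-looking text; a constructed sample, not real data.
        path.write_bytes(f"Internal draft {name}\n".encode() * 64)
        baseline[str(path)] = _sha256(path)
    return baseline


def check_canaries(baseline: dict) -> list:
    """Return (path, reason) for each canary that is gone, changed or looks encrypted."""
    findings = []
    for p, digest in baseline.items():
        path = Path(p)
        if not path.exists():
            findings.append((p, "missing"))  # deleted, or renamed (e.g. new extension added)
        elif _sha256(path) != digest:
            reason = "modified"
            if shannon_entropy(path.read_bytes()) > 7.0:
                reason = "modified, high entropy (encrypted?)"
            findings.append((p, reason))
    return findings


def run_demo() -> list:
    """Plant canaries in a temp dir, tamper with two of them, return what was caught."""
    import tempfile
    root = Path(tempfile.mkdtemp())
    baseline = plant_canaries(root)
    (root / CANARY_NAMES[0]).write_bytes(bytes(range(256)) * 8)  # constructed random-looking overwrite
    (root / CANARY_NAMES[1]).unlink()  # constructed delete/rename
    return check_canaries(baseline)
```

In a real deployment the check would run on a timer or a filesystem-change notification, and a non-empty result would trigger the network isolation the text describes.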
Curb your users' storage access
Another method of protection against ransomware is to tighten up access to network storage as much as possible. Firewalls and antivirus code may protect against the attack code moving from server to server, while limiting storage access on a need-to-know basis is a good way to limit damage. Moreover, restricting access to apps only to the time they need for processing, rather than leaving shares open persistently, reduces the attack surface of the storage pool dramatically.
Administrators and users are, at best, lax in the area of file access control. Generally, the tendency is to leave access on all the time. Here again, for better protection against ransomware, we could use tools that identify the vulnerability points and either recommend action to add controls or provide automated access constraints. This is a question that could reach into an operating system's design, compilers and apps.
The impact of ransomware can be contained. With attacks becoming bolder and more sophisticated, it is crucial for good governance that we pay attention to the issue with a sense of real urgency and develop an organization-wide response to the risk.