What We Get Wrong About Ransomware

Information security focuses its efforts around three pillars: prevention, detection and recovery. With ransomware, the first two receive far more attention than the third. This misguided focus results from a lack of understanding about how ransomware really works. This article will explain how ransomware operates at the file system level, how this impacts ransomware recovery and why paying the ransom is not a viable option.

May 4, 2022

We live in the age of ransomware. This persistent threat remains top of mind for CEOs, their boards, CIOs, CISOs and everyone in the line of fire in IT. Yet we still get so much wrong about ransomware and why it’s devastating to businesses.

Prevention is not enough.

The common misconception about ransomware is that it compromises organizations at the software level, somehow defeating the security controls of the file storage systems. In practice ransomware rarely needs to defeat those controls at all. Its genius is that it takes advantage of the normal procedures for storing and accessing files. An attack typically begins with social engineering and proceeds by impersonation: the malware acts with a legitimate user's identity and session rather than bypassing the safeguards around them.

Typically, when an employee wants access to a file, they first authenticate to a directory service such as Active Directory (AD). The file server then checks the permissions granted to that identity and its group memberships and, if they allow it, serves the file, and the employee gets to work. Attacking AD directly is possible, but it is much harder than tricking one of thousands of employees into clicking a link or opening an attachment. If AD is the unassailable fortress, end users hold the keys to the gate.

So ransomware aims for people. An end user clicks the wrong link, the malware compromises that person's computer, and from then on it runs as that user. With credentials harvested from the machine it can go on to impersonate other employees with broader permissions.

File systems are designed to let users with the right permissions change files. When the malware runs as a user with high-level permissions, the file server sees an authenticated, authorized identity performing ordinary reads, writes and renames, and it allows them. Encrypting a file is nothing more than reading it, writing ciphertext back and perhaps renaming it, all operations that user is entitled to perform. Everything in place to keep intruders out, the prevention part of security, is rendered useless or ineffective; the system believes it is operating normally. Carrying the user's AD clearance, the ransomware moves through every share that identity can write to, encrypting additional files and folders.

It used to be easy to detect the anomalous rewrite pattern of a ransomware attack: thousands of files overwritten with high-entropy content within minutes. Attackers are becoming more sophisticated, throttling the malware so that its writes look more like those of a regular user. Hence prevention, like any purely defensive strategy, can never be enough.
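The detection problem described above, as an added example (not code from the original article): a toy detector fed with constructed file-server audit events. Every event it sees is an authorized write, because the malware is acting as a legitimate user, so the detector can only look at the shape of the writes. A rate rule catches the classic burst; a throttled run slips past it. The event schema, thresholds and marker extensions are assumptions for the example.

```python
"""Toy detector for the bulk-rewrite pattern of a ransomware run.

Added example (not code from the article). It consumes file-server audit
events with an assumed schema (timestamp, user, path, bytes written) and flags
a user whose writes look like encryption in progress. The sample events are
constructed for the example.
"""
import hashlib
import math
from collections import defaultdict, deque

WINDOW_SECONDS = 60       # burst window (assumed tuning value)
BURST_THRESHOLD = 5       # high-entropy overwrites per user per window
CUMULATIVE_THRESHOLD = 6  # distinct files rewritten to a suspect extension, at any pace
ENTROPY_THRESHOLD = 7.0   # bits/byte; documents sit around 4-5, ciphertext near 8
SUSPECT_EXTENSIONS = (".locked", ".encrypted", ".crypt")  # assumed marker extensions


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the written content; near 8.0 means ciphertext or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pseudo_ciphertext(seed: bytes, nbytes: int = 1024) -> bytes:
    """Deterministic stand-in for encrypted output (constructed; not a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


class RewriteDetector:
    def __init__(self):
        self.burst = defaultdict(deque)    # user -> recent high-entropy write times
        self.rewritten = defaultdict(set)  # user -> suspect paths rewritten so far
        self.alerts = set()                # (user, rule)

    def observe(self, ts: float, user: str, path: str, data: bytes) -> None:
        """Feed one authorized write event from the audit trail."""
        if shannon_entropy(data) < ENTROPY_THRESHOLD:
            return  # ordinary document content; nothing to track
        window = self.burst[user]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= BURST_THRESHOLD:
            self.alerts.add((user, "burst"))
        if path.endswith(SUSPECT_EXTENSIONS):
            self.rewritten[user].add(path)
            if len(self.rewritten[user]) >= CUMULATIVE_THRESHOLD:
                self.alerts.add((user, "cumulative"))


def run_sample() -> set:
    """Replay constructed events: a normal user, a fast encryptor, a throttled one."""
    det = RewriteDetector()
    doc = b"Q3 revenue up 4%; headcount flat; see appendix for regional detail.\n" * 16
    # alice edits documents at a human pace
    for i, ts in enumerate((0, 120, 240)):
        det.observe(ts, "alice", f"/finance/report{i}.docx", doc)
    # malware running as bob encrypts eight files in eight seconds
    for i in range(8):
        det.observe(300 + i, "bob", f"/finance/file{i}.xlsx.locked", pseudo_ciphertext(b"bob%d" % i))
    # malware running as carol does the same, but ten minutes apart per file
    for i in range(8):
        det.observe(1000 + 600 * i, "carol", f"/hr/file{i}.pdf.locked", pseudo_ciphertext(b"carol%d" % i))
    return det.alerts
```

Running `run_sample()` flags bob on the burst rule and carol only on the cumulative rule: the throttled run is invisible to any rate threshold, which is the point made above, and the cumulative rule works here only because the sample malware left marker extensions behind, something a careful crew need not do.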

Ransomware does not destroy, extract or leak data.

The attackers don't alter the file server's code or trick it into deleting volumes or files. The encryption step keeps everything in place, which is what makes it so efficient: no data has to leave the organization for the attack to work. One caveat belongs here. Many ransomware crews now copy files out before encrypting them (so-called double extortion); that is a data-breach problem that no recovery strategy can undo, and organizations should not assume their leak-detection tools will catch the transfer early. The rest of this article concerns the encryption itself.

With ransomware, files are locked and made inaccessible within your own security perimeter. The Hollywood heist equivalent would be a band of thieves who change the combination to a bank's safe, rendering the valuables inside inaccessible, and offer to provide the new combination only in exchange for a fee. The money is still in the bank. The data is still on the file server. You just need a way to recover it that is practical and doesn't take forever.

Trying to break ransomware's encryption is a fool's errand: current families use standard ciphers correctly, and the occasional public decryptor exists only because a particular family was implemented badly. However, if you can recover the versions of your files stored just before they were encrypted, and do so quickly, within minutes or hours rather than days or weeks, then it should be possible to clear the effects of the attack from your systems. Rapid recovery is the single most important weapon against ransomware.

Paying the ransom is a risky option at best.

Most organizations understand that paying the ransom doesn't guarantee file recovery: the decryption keys might not work, if the attackers provide them at all. Yet there are additional issues to consider. Are you and your organization behaving lawfully by engaging with the criminals? In the United States, for example, the Treasury's Office of Foreign Assets Control has warned that payments to sanctioned actors or their facilitators can expose the payer to sanctions liability, and you usually cannot tell which group you are dealing with. In paying the attackers you would also be encouraging the behavior and effectively funding future attacks. Are you then complicit in those future schemes? Beyond the legal ramifications, the potential damage to your personal and company brand is equally serious. No one wants "funding a global criminal organization" as part of their company values.

Rapid recovery turns ransomware from a threat into a nuisance.

As explained above, the encryption itself doesn't destroy or steal data. It makes recovery so long and cumbersome that organizations see no alternative and cooperate with the criminals. Enterprises can protect themselves by keeping previous versions of files in a separate location or in the cloud; IT can then restore the versions saved before the encryption. Those copies must live somewhere the compromised identity cannot reach. Ransomware routinely deletes local snapshots such as Windows Volume Shadow Copies before it starts encrypting, and it will do the same to any backup it has permission to write to.

This works beautifully in theory, but in practice these restores might take days or weeks. Many solutions demand wholesale rollbacks of the entire file system, so unaffected files and any changes made since the snapshot are lost as well. The resulting business disruption may be more damaging than paying the ransom. This is the crack in the armor that ransomware exploits.

The good news is that it is possible to recover quickly from an attack without paying a ransom. A more efficient approach focuses protection at the level of the file system and stores immutable, unlimited versions of each file in cloud object storage. Immutable has to mean enforced by the storage layer: the version store must refuse deletes and overwrites even from the credentials the file server itself uses, or the malware simply deletes the versions along with everything else. With that in place you can surgically restore only the files and folders that were encrypted, using the time the attack began (taken from the file server's audit trail or the detector that caught it) to pick the last version written before it. Recovery is fast because no data has to be moved: the file system is simply redirected to point at the clean, unencrypted versions in the cloud. Two checks still apply. The compromised identity must be disabled before restoring, or the restored files are encrypted again, and anything that identity wrote after the attack began should be treated as suspect even where it looks healthy.
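The recovery model described above, as an added example that is not the article's or any vendor's code: an append-only object store addressed by content hash, a file system that maps each path to the version it currently serves, and a restore that re-points affected paths at the newest version older than the attack's start time without copying anything. The store, the scenario's users, paths and timestamps are all constructed for the example.

```python
"""Per-file immutable versioning with pointer-only ("surgical") restore.

Added example, not the article's or any vendor's code. Assumes a content-
addressed, append-only object store and a file system that records every
version of every path. The scenario data is constructed for the example.
"""
import hashlib


class ImmutableObjectStore:
    """WORM semantics: objects can be added and read, never replaced or deleted."""

    def __init__(self):
        self._objects = {}

    def put(self, data: bytes) -> str:
        key = hashlib.sha256(data).hexdigest()
        self._objects.setdefault(key, data)  # same content -> same key; never overwritten
        return key

    def get(self, key: str) -> bytes:
        return self._objects[key]

    def delete(self, key: str) -> None:
        # Refused for every caller, including the identity the file server itself uses.
        raise PermissionError("version store is immutable: delete refused")

    def __len__(self) -> int:
        return len(self._objects)


class VersionedFileSystem:
    def __init__(self, store: ImmutableObjectStore):
        self.store = store
        self.history = {}  # path -> [(ts, user, key)], oldest first, never truncated
        self.current = {}  # path -> key the file server serves right now

    def write(self, ts: float, user: str, path: str, data: bytes) -> None:
        key = self.store.put(data)
        self.history.setdefault(path, []).append((ts, user, key))
        self.current[path] = key

    def read(self, path: str) -> bytes:
        return self.store.get(self.current[path])

    def restore_before(self, path: str, cutoff_ts: float, now: float) -> str:
        """Point `path` at its newest version written strictly before cutoff_ts."""
        clean = [v for v in self.history[path] if v[0] < cutoff_ts]
        if not clean:
            raise LookupError(f"no version of {path} predates {cutoff_ts}")
        key = clean[-1][2]
        self.history[path].append((now, "restore", key))  # the restore is itself a new version
        self.current[path] = key
        return key

    def surgical_restore(self, affected: list, cutoff_ts: float, now: float) -> dict:
        """Restore only the listed paths; every other path keeps its current version."""
        return {p: self.restore_before(p, cutoff_ts, now) for p in affected}


def run_scenario() -> dict:
    store = ImmutableObjectStore()
    fs = VersionedFileSystem(store)
    fs.write(100, "alice", "/finance/q3.xlsx", b"q3 numbers v1")
    fs.write(200, "alice", "/finance/q3.xlsx", b"q3 numbers v2")
    fs.write(300, "alice", "/finance/notes.txt", b"board notes")
    # t=1000: malware running as bob overwrites alice's files with ciphertext...
    attack_start = 1000
    fs.write(1000, "bob", "/finance/q3.xlsx", b"\x8f\x02\xa1 (ciphertext)")
    fs.write(1001, "bob", "/finance/notes.txt", b"\x13\xee\x40 (ciphertext)")
    # ...and tries to destroy a clean version, as it would with local shadow copies.
    try:
        store.delete(fs.history["/finance/q3.xlsx"][1][2])
        delete_refused = False
    except PermissionError:
        delete_refused = True
    # t=1005: carol, uninvolved, saves new work that a wholesale rollback would discard.
    fs.write(1005, "carol", "/hr/offer.docx", b"offer letter draft")
    objects_before = len(store)
    # Recovery: the cutoff comes from the audit trail or detector; bob is disabled first.
    fs.surgical_restore(["/finance/q3.xlsx", "/finance/notes.txt"], attack_start, now=2000)
    return {
        "delete_refused": delete_refused,
        "q3": fs.read("/finance/q3.xlsx"),
        "notes": fs.read("/finance/notes.txt"),
        "carol_intact": fs.read("/hr/offer.docx") == b"offer letter draft",
        "objects_moved": len(store) - objects_before,  # 0: a restore only re-points
        "attacker_versions_kept": sum(1 for v in fs.history["/finance/q3.xlsx"] if v[1] == "bob"),
    }
```

The attacker's versions stay in the store after the restore, which is what you want for forensics, and the object count does not change, which is why the restore takes seconds regardless of file size. The cutoff timestamp is the one input the model cannot supply on its own; it has to come from detection or from the audit trail, and choosing it too late leaves encrypted versions in place.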

If such a solution exists, why are so many organizations still vulnerable? One word: inertia. The traditional way of protecting files relies on periodic backups, which are often untested and slow to restore, especially when many files, or worse, file servers across many locations are affected. Yet organizations stick with the traditional backup model because it's what they have always done. It's what they know.

In the age of ransomware, the old ways of protecting files no longer apply. A new threat demands a modern solution.