Organizations today bear tremendous responsibility to integrate solutions that
enable coping with failures and malware by protecting data. The aim, on the one hand,
is to prevent the ability to change the data from the moment it is written into the system,
while on the other hand guaranteeing that recuperation time will be as brief as possible.
By Michael Levit, March 27, 2018
This is no longer only a trend, but reality:
Corporations are constantly harmed by viruses and malware.
In an industry where companies rely on information to be available 24/7,
every moment in which data is unavailable can lead to acute damage to
the organization and significant monetary loss.
The good news is that through a smart data managing system it is possible
to recuperate from such attacks without causing crucial damage to the organization.
Before we dive in, let’s try to understand this attack cycle and the problems it
creates for the organization.
As you can see, a typical attack consists of several stages:
the organization is hit by a virus, the systems are under attack and
information in the organization is no longer available.
At that moment the organization understands
it is under attack and the IT team begins implementing the policy prepared ahead
of time for just such a contingency, to prevent the virus from spreading
further throughout the organization and corrupting other systems. At this stage it is possible
that some of the organization’s systems, and with them – some of the data, is no longer available.
Once the company has halted the attack, it will have to update its defense system to prevent a recurrence of the attack. It’s likely that even when the systems are updated against the
loophole that enabled the attack to take place and after the organization recovers its systems,
the virus that infected the system is still ‘inside’ the organization – even if it has the most
sophisticated anti-virus systems.
An example of this is the infamous Stuxnet virus discovered in 2010,
which possibly began infecting computers around the world as early as 2007.
For this reason, many organizations focus on the need to prevent the virus in the first place
more than on the attempt to recover from it.
Unfortunately, quite a few companies find it difficult to cope with such attacks.
In January, the Hancock hospital in Indianapolis, USA, was attacked.
Hackers managed to infiltrate the hospital’s system, probably through a third
party’s user details. They infected the hospital with a malware by the name of SamSam.
The malware encrypted 1,400 files, some of which contained patients’ medical information.
The attackers did show a certain degree of sympathy in that the file names were changed to ‘I’m sorry’.
Initially the hospital tried to go back to working with paper and to patient care as had been done
up to a decade ago. Very quickly the hospital realized it had no choice.
“Reconstructing the data from discs would have taken us days, if not weeks”,
said Steve Long, hospital CEO and president. Having no other choice, the hospital paid some 4 Bitcoins,
which amounted to about $55,000 (at the time) in order to release the encrypted data.
It has now been discovered that the SamSam malware also managed to hit the Transport Department in Colorado, USA, infecting some 2,000 computers throughout the organization.
Having said that, at this stage the Transport Department claims that critical data was not harmed and they will not pay the ransom.
However, what would happen if organizations could change the cycle of attack?
Hancock implemented a widespread backup system that included
creating additional copies of backed up information in distant sites.
When the hospital understood that the data in the organization had been encrypted,
it had to decide whether to try and reconstruct the information or pay the ransom.
The hospital’s deliberation was not at all easy.
As the hospital’s CEO and president said, reconstructing the data would probably have taken too much time. At this stage the hospital decided to pay the ransom in the hope that it would get back the encrypted information.
After a comprehensive examination, it turned out
that the hospital’s backed up data was also encrypted by the malware so that even reconstructing the data would not have helped the organization recover.
Yet what would have happened if Hancock hospital could have restored the organization’s information systems to full use through its backup system within a short time, and be fully confident that the data was usable?
What is disturbing about the hospital’s story was that the data was backed up, yet the hospital deliberately decided not to carry out reconstruction steps due to the length of time it would take. It’s important to understand that organizations invest very significant sums in backup solutions for just such cases. If the organization ends up deciding not to use the system then why invest in it in the first place?
Today’s technology market includes advanced solutions that remove the painful parts from the equation. The kind that can guarantee:
Backing up data to magnetic media and locking it as read-only, professionally known as WORM (Write Once, Read Many)
Speedy reconstruction times and processes. The kind that can bring the systems back to full usability within a relatively brief time range.
In this situation the organization need not fear losing information, having it encrypted, or paying ransom.
The idea that the backup system can return the company to usability from a ransomware attack within a short time, while being fully confident that the reconstructed data was not corrupted in any way, is realistic. There are solutions nowadays that provide these abilities. The above solutions provide almost immediate access to information so there is no need to carry out a traditional reconstruction process. These solutions can mean the difference between paying the ransom and safeguarding the organization’s assets.
The greatest threat during an attack on an organization is the complete shutdown of the entire company. However it is important to remember that the information in the organization is divided into various levels of importance. When the organization is under attack we have no control over which systems within the organization will be damaged.
Also, as can be seen in the Hancock case, even if data backup exists, there is no guarantee that the organization would be able to reconstruct it. Taking into account that reconstruction processes take a long time – the organization may be forced to pay the ransom.
If organizations could significantly reduce the range of damage, based on reconstruction in a relatively short time and on the reconstructed data actually being reliable and uncorrupted, organizations would never consider paying ransom.
Reconstruction processes can take a long time especially when dealing with large volumes of data. However, the solutions currently on the market implement a wide range of options to overcome this limitation and try to make the data accessible instead of attempting to reconstruct it. It is important to understand the limitations of these solutions and guarantee that this ability is not limited and enables efficient and easy access to a number of systems simultaneously.
To conclude, organizations today bear tremendous responsibility to integrate solutions that enable coping with failures and malware by protecting data. The aim, on the one hand, is to prevent the ability to change data from the moment it is written into the system, while on the other hand guaranteeing that recuperation time will be as brief as possible.
The author is the Product Manager of Rubrik by Innocom, at Aman Group