IT Briefcase Exclusive Interview: The Growing and Continuous Threat of Ransomware
September 18, 2017
A 2016 Osterman Research report entitled, “Best Practices for Dealing with Phishing and Ransomware” offered rather sobering statistics, including the fact that 51% of those surveyed had been successfully infiltrated by ransomware, malware, or a hacker one-to-five times.
Many businesses that are hit by ransomware have to pay ludicrous fees to restore operations; some are even forced to shut down. But ransomware has one big weakness: if you have clean backups, you can simply wipe the infected system and restore your data without paying a cent in ransom. Ransomware has gotten smarter, though. It knows this, and now looks for ways to encrypt your backups too.
In today’s exclusive IT Briefcase interview, BackupAssist’s CEO, Linus Chang, shares his thoughts on the growing and continuous threat of ransomware, not only across enterprise environments but in the small-to-medium business (SMB) space as well, and on what organizations can do to protect against infection and ensure they never need to pay ransom again.
- Q. It seems that when you hear about ransomware attacks, they are either targeting the single user or the larger enterprise environment. Is this an issue that is extending to the SMB and SME space as well?
A. Absolutely, this is a huge issue for SMB and SME. It’s appealing for attackers because there is a much larger number of SMBs and SMEs than large enterprises, and they are generally more vulnerable. SMBs and SMEs tend to have a wide variety of computer types (operating system versions, software installed, legacy and older systems, BYOD), when compared to large enterprises, which tend to use SOEs. This means that SMBs and SMEs tend to have a larger attack surface.
We also find that SMBs/SMEs are not as well prepared, either. They don’t have the budgets for a full-time I.T. security department. Policies and procedures, if they exist, tend to be poorly documented.
- Q. Many users feel they are covered with anti-virus and anti-malware products — not so?
A. We definitely recommend our customers use anti-virus and anti-malware products – they can protect against some types of ransomware. But unfortunately no single solution can guarantee protection. When we discussed the situation with a major anti-malware vendor, they informed us that many strains of ransomware have managed to pass through their competitors’ detection methods.
More disturbingly, recently the types of infections have multiplied beyond the scope of anti-virus and anti-malware. It used to be that ransomware was social engineering – for example, a user would receive a Word or Excel document that looks like a legitimate “invoice”, with a message saying they needed to click “Enable Macros” to see the invoice contents. Then a macro would run, downloading malware and installing it, bypassing ransomware detection and running and corrupting files.
However, nowadays the methods are more sophisticated. Malvertising (malware in the form of advertising on legitimate websites) and cross-site scripting attacks mean infections can occur by simple web browsing. We’ve seen strains like WannaCry exploit vulnerabilities in the Windows Operating System, infecting and spreading automatically without human intervention. And recently, one of my acquaintances actually got hacked into – they broke into her server, disabled the anti-malware system, destroyed the backups and then installed ransomware and started encrypting. In that case, she was forced to pay 2 bitcoin – around $7,000.
- Q. What about backups – can’t you just restore data and operations from there?
A. In theory, yes. Backups are absolutely designed to be the last line of defense. But there are two separate failure points that many people overlook… until it’s too late.
Firstly, a normal backup program is designed to back up whatever the user selects for backup – like an entire hard drive, or specific folders. So if your files have been encrypted by ransomware, your backup program will back them up. Even though many backup programs keep version history using small incremental backups, when ransomware strikes it usually corrupts so much data that the incremental backup will be huge, deleting and displacing old restore points. We call that corruption on the “inside” of the backup, because while the backup is still readable, it contains corrupted data.
The second problem is as I described – ransomware can attack the backup files directly, or hackers can destroy the backups. We call this corruption from the “outside”, because your backup can no longer be read. On-premise backups are particularly vulnerable to these attacks, because the backups are connected to the server via USB/eSATA or via the network.
Corruptions from both “inside” and “outside” are bad news, as your last line of defense just got compromised.
- Q. You recently launched a solution to address exactly this situation, CryptoSafeGuard. Can you tell us about it?
A. Absolutely! We saw these crippling problems in the marketplace and created a two-pronged solution to fix them. We call this solution “CryptoSafeGuard” – and it’s a new feature we introduced into BackupAssist version 10.1.
The first part of the solution is to shield on-premise backups from attack from the “outside”. On-premise backups provide a fast restore point, but are vulnerable to attack by ransomware as I explained earlier. Our shield blocks ransomware and hackers from corrupting or deleting the backups from the “outside” by intercepting operating system calls and only allowing legitimate requests through.
The second part of the solution protects backups from corruption on the “inside”. Every time a backup runs, we scan the file system to look for evidence of ransomware attack – everything from changes to the file and directory structure, renamed files, corrupted files, down to deep file inspection of the file format and contents. If we find evidence of attack, we immediately alert the administrator via email and SMS, and go into “lock down” mode, preserving existing clean backups and not backing up the corrupted files. Over time, BackupAssist learns what is typical behaviour and can detect anomalies, so our detection can improve over time.
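The “inside” checks described in this answer, and the retention problem raised earlier (a corrupted incremental displacing clean restore points), as an added Python example that is not BackupAssist’s code: a pre-backup scan compares the tree with the manifest of the last clean run and refuses to snapshot when files have lost their expected format headers or too much has changed. The magic-number table, the 25% change threshold and the sample tree are constructed assumptions.

```python
"""Pre-backup ransomware check: refuse to snapshot a tree that looks corrupted."""
import hashlib
import tempfile
from pathlib import Path

# Header bytes expected for a few document types (constructed table; extend as needed).
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pdf": b"%PDF", ".png": b"\x89PNG"}

def build_manifest(root):
    """Map relative path -> sha256 of content, as recorded at the last clean backup run."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def header_mismatch(path):
    """True when a file's extension promises a format its first bytes do not show."""
    expected = MAGIC.get(path.suffix.lower())
    if expected is None:
        return False
    with open(path, "rb") as fh:
        return not fh.read(len(expected)).startswith(expected)

def inspect_tree(root, baseline, change_ratio=0.25):
    """Compare the tree with the baseline manifest and decide 'backup' or 'lockdown'."""
    root = Path(root)
    current = build_manifest(root)
    missing = sorted(set(baseline) - set(current))   # deleted or renamed (e.g. a '.locked' suffix)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    corrupted = sorted(p for p in current if header_mismatch(root / p))
    ratio = (len(missing) + len(modified)) / max(len(baseline), 1)
    decision = "lockdown" if corrupted or ratio >= change_ratio else "backup"
    return {"decision": decision, "missing": missing, "modified": modified,
            "corrupted": corrupted, "change_ratio": round(ratio, 2)}

def demo():
    """Constructed sample: a clean tree, then the same tree after a simulated incident."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "q3.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 32)
        (root / "finance" / "report.pdf").write_bytes(b"%PDF-1.4 sample")
        (root / "notes.txt").write_text("meeting notes")
        (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        baseline = build_manifest(root)          # manifest from the last clean run
        clean = inspect_tree(root, baseline)     # nothing changed -> 'backup'
        # After-state fixture: two files overwritten with junk, one renamed with a ransom suffix.
        (root / "finance" / "q3.xlsx").write_bytes(b"\x00" * 36)
        (root / "finance" / "report.pdf").write_bytes(b"\xff" * 15)
        (root / "notes.txt").rename(root / "notes.txt.locked")
        hit = inspect_tree(root, baseline)       # header mismatches + 75% churn -> 'lockdown'
        return clean["decision"], hit["decision"], hit
```

In lockdown the job would skip the snapshot and alert, leaving the last clean restore points untouched rather than letting a huge incremental push them out.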
Independent tests, run by a specialist independent malware research and testing firm, have shown our CryptoSafeGuard features successfully shielded the backups against all 15 of the most virulent ransomware strains tested. We also successfully detected and alerted the administrator, and most importantly, a full restore and server recovery was successfully done from the last clean backup.
Best of all, CryptoSafeGuard is available to everyone who already has a BackupAssist subscription – just upgrade to v10.1, with nothing more to pay. For businesses that want to try BackupAssist and CryptoSafeGuard, we have a 30-day fully featured trial available on our website, and a reseller and MSP program.
Linus Chang, Founder and CEO, BackupAssist (Cortex I.T. Labs Pty Ltd.), is the creator and original programmer of BackupAssist, the leading backup software product for Windows Servers. Since its inception in 2002, BackupAssist has provided a simple and cost-effective way of backing up Windows Servers, famous for its value pricing, “it just works” user experience and outstanding customer support. BackupAssist has been sold in 165 countries to small and medium businesses, schools, universities and government departments. Notable customers include NASA, NATO, US Department of Homeland Security, US Navy, US Department of State, GE, Pfizer, MIT, Stanford, UCSD, and Monash University. Prior to BackupAssist, Chang served as EO Accelerator Chair, EO APAC Regional Director, Consultant, and at Oakton Computing. Chang attended the Macquarie Graduate School of Management; Monash University, earning a B.Sc. in Computer Science and Electrical Engineering; and Haileybury College.