Ransomware attacks are on the rise, especially for targets in the Healthcare and Public Sector. The CISA, FBI and HHS are tracking a dramatic increase in Ransomware attacks targeting organizations responding to the COVID-19 Pandemic. Read the full report here. CISA has also published a Ransomware Guide with useful high-level information.
The renewed Ransomware attacks are targeting large organizations and the Public Sector using ‘TrickBot’ and ‘BazarLoader’ malware, often resulting in the encryption of large amounts of data and disruption of business continuity.
These malicious cyber campaigns are largely propagated through phishing (email) containing links to websites that host the malware.
Malicious actors are using DNS Tunneling (“anchor_dns”) as a means of enabling unfiltered communications between victim devices such as point-of-sale systems and the malicious actors where the malware originated.
What you can do to mitigate the threat
Store at least one backup state of your critical systems using a means where those files are not directly accessible or alterable by users on your network.
Ideally, keep at least one Air Gapped or WORM backup of critical systems.
Comply with the 3-2-1 Rule and keep at least one backup on a system which is NOT part of your organizational AD.
Keep Replica Virtual Machines for a period of time long enough to roll back to an unaffected replica.
Do not use systems past the vendor ‘End of Life’ and ‘End of Support’ for those systems.
Patch operating systems, software, and firmware as soon as manufacturers release updates.
Limit Internet port exposure
Run network penetration tests to monitor open ports
Implement network segmentation. Sensitive data, email and backups should all reside on different network segments, separated by a stateful firewall.
Update malware definitions regularly
‘Air Gapped’ backups
Air Gapped backups refer to a specific type of backup which cannot be changed once written. At one time, this meant writing a backup to tape, ejecting the tape, and storing it in a safe location. Now there are logical solutions available which provide virtual Air Gapped backups via Write Once Read Many (WORM) technologies.
The problem with Air Gapped Backups and Ransomware
Air Gapped Backups are inherently slow to create and slow to restore. In the event of a major Ransomware event, where many systems are affected and terabytes of data must be restored, it will take at least many hours and may take many days before normal functionality is restored!
While Air Gapped backups serve a critical function, organizations requiring rapid recovery should consider Replication, with an RPO and Retention Policy configured to provide protection from Ransomware.
Replication stores your critical systems as immediately powerable Virtual Machines, in a separate location, and using a dedicated filesystem. Ransomware is not able to encrypt Replicas because Ransomware acts within the Operating System and not on the disk sub-systems or hypervisors where those systems run. While hypervisor-level Ransomware is theoretically possible, it is extremely unlikely due to separation of management networks, and default air gapping of storage networks.
While Ransomware is not able to affect the Replica VM directly, if replication continues after a Ransomware event, eventually all of the Replica restore points will be overwritten, rendering the Replicas useless!
For example: If you are keeping 7 Replica Restore Points and have a 1-hour RPO, then once seven hours have passed, each new hourly replication overwrites the oldest Replica Restore Point, so you only ever hold seven hours of history! If Ransomware occurs overnight and is not detected until morning, there may be no unaffected Replica Restore Points to fail over to!
What VMsources Recommends
At VMsources, we’ve been in the Continuity Business for over a decade. We are here to help our clients overcome and sustain events like Ransomware. Here’s our best recommendation:
Use a Veeam Server on a dedicated and isolated Active Directory domain.
Keep one copy of backups on-premises using a Veeam Repository which is NOT part of your organizational Active Directory Domain. Use either local system accounts with strong passwords or a dedicated AD domain. The on-premises backups will serve to provide rapid restores of files or even full systems and it will likely be protected from Ransomware by strong and separate authentication.
Keep one copy of backups offsite, segmented both from your organizational network and Active Directory. The offsite backups can serve both as a long-term archive and full-system recovery in the event on-premises backups are lost.
Keep at least one Replica of all critical systems with an RPO and Retention policy designed specifically to sustain Ransomware events, bearing in mind the technical limit of 28 Replica Restore Points. Policy suggestions include:
28 Restore Points with an hourly RPO, providing effective protection for a period of 28 hours
28 Restore Points with an RPO of 2 hours, providing effective protection for 56 hours
Both of these Policy suggestions depend upon the frequency with which the environment is monitored, and how long a Ransomware event could go on before being detected. As a worst-case scenario, your offsite backup MSP should be able to restore your offsite backups directly to functional VMs, albeit at a much slower pace than failing over to Replicas.
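The overnight scenario above (7 restore points, 1-hour RPO) and the 28-point policy suggestions describe the same mechanism: replica retention is a ring buffer, and once replication has run N more times after encryption began, the last clean restore point is gone. The following Python is an added example, not code from the original post or from VMsources or Veeam; it models that ring buffer so you can check a candidate policy against how long an incident might go undetected. The policy figures (28-point limit, hourly and 2-hour RPOs) come from the post; the dates, the infection and detection times, and the `halt_at` option (pausing the replication job once an incident is suspected) are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ReplicaPolicy:
    """Retention expressed the way the post does: a count of restore points
    (the post notes a technical limit of 28 per replica) and an RPO in hours."""
    restore_points: int
    rpo_hours: float


def protection_window_hours(policy: ReplicaPolicy) -> float:
    """The post's rule of thumb: restore points x RPO (28 x 2h = 56h)."""
    return policy.restore_points * policy.rpo_hours


def guaranteed_detection_budget_hours(policy: ReplicaPolicy) -> float:
    """Conservative floor. The last clean point may have been taken up to one
    RPO before encryption began, and it is discarded once N newer points exist,
    so it is only guaranteed to survive (N - 1) x RPO after infection."""
    return (policy.restore_points - 1) * policy.rpo_hours


def retained_restore_points(
    policy: ReplicaPolicy,
    first_cycle: datetime,
    infection: datetime,
    detection: datetime,
    halt_at: Optional[datetime] = None,
) -> List[Tuple[datetime, bool]]:
    """Simulate replication as a ring buffer of N restore points and return the
    (timestamp, is_clean) pairs still retained at `detection`.

    A point is clean if it was taken before encryption began. `halt_at` models
    pausing the replication job: no cycles run at or after that time."""
    ring = deque(maxlen=policy.restore_points)  # oldest point drops off automatically
    step = timedelta(hours=policy.rpo_hours)
    cycle = first_cycle
    while cycle <= detection:
        if halt_at is not None and cycle >= halt_at:
            break
        ring.append((cycle, cycle < infection))
        cycle += step
    return list(ring)


def latest_clean_restore_point(
    policy: ReplicaPolicy,
    first_cycle: datetime,
    infection: datetime,
    detection: datetime,
    halt_at: Optional[datetime] = None,
) -> Optional[datetime]:
    """Newest unaffected restore point available to fail over to, or None if
    continued replication has overwritten every clean point."""
    clean = [
        ts for ts, is_clean in retained_restore_points(
            policy, first_cycle, infection, detection, halt_at
        )
        if is_clean
    ]
    return max(clean) if clean else None


if __name__ == "__main__":
    # Constructed scenario: replication has been running since midnight,
    # encryption starts at 22:30, nobody notices until 08:00 the next morning.
    first_cycle = datetime(2020, 10, 27, 0, 0)
    infection = datetime(2020, 10, 27, 22, 30)
    detection = datetime(2020, 10, 28, 8, 0)

    for policy in (ReplicaPolicy(7, 1), ReplicaPolicy(28, 1), ReplicaPolicy(28, 2)):
        newest_clean = latest_clean_restore_point(policy, first_cycle, infection, detection)
        print(
            f"{policy.restore_points} points @ {policy.rpo_hours}h RPO: "
            f"window {protection_window_hours(policy)}h, "
            f"guaranteed budget {guaranteed_detection_budget_hours(policy)}h, "
            f"newest clean point at detection: {newest_clean}"
        )

    # Same 7-point policy, but the replication job is paused at 23:00.
    paused = latest_clean_restore_point(
        ReplicaPolicy(7, 1), first_cycle, infection, detection,
        halt_at=datetime(2020, 10, 27, 23, 0),
    )
    print(f"7 points @ 1h RPO with replication paused at 23:00: {paused}")
```

Run as a script to see the three policies side by side. With 7 hourly points the 09.5-hour detection delay leaves nothing clean, while both 28-point policies still hold the 22:00 point. Note that the post's "28 hours" is the best case; because encryption can begin just before the next cycle, `guaranteed_detection_budget_hours` reports the floor of 27 hours (or 54 hours for the 2-hour RPO), which is the number to compare against your realistic detection time. The `halt_at` case shows why pausing replication the moment an incident is suspected is worth doing: it freezes the ring buffer and keeps the clean points that continued replication would otherwise overwrite.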
Configure WORM backups for essential systems.
Call VMsources today to schedule a review of your protections against Ransomware, as well as a free 33-point health check of your VMware or Hyper-V environments. I will personally see to it that you get the best advice and service!