According to the 2024 Data Protection Trends Report, only one in four organizations (25%) believe they have not been hit by ransomware. Believe is the key word here, because history shows that many bad actors are often in their victim’s environment for up to 200 days before an attack, gathering information, moving laterally across the environment, and elevating themselves to get to the highest of privileges. Then they just wait. The 2024 Ransomware Trends Report revealed that bad actors are targeting backup repositories in 96% of attacks. These attackers are waiting in your environment for the perfect time to strike, encrypt your data (especially your backups, so you can’t save yourself), and demand their ransom.
This blog will address prevalent methods used during ransomware attacks, the timeline of these disasters, and finally, the trends, tools, and challenges that organizations of all sizes should be aware of as they seek to protect their data from ransomware encryption.
Prevalent Encryption Methods Used by Ransomware
To encrypt your data, threat actors must first access your systems. Cybercriminals use a variety of tactics to infect victims’ computers via malware. The most common ways to gain access to an organization’s systems include:
- Phishing: Scam emails and text messages that trick users into supplying passwords and login credentials.
- Malicious email attachments: Emails with attachments that contain malware.
- Drive-by attacks: Malware downloaded from infected websites.
- Software vulnerabilities: Using unpatched vulnerabilities on servers to gain access to computer systems.
All these techniques and more give cybercriminals the opportunity to infiltrate your environment, perform reconnaissance, laterally move through your environment, and elevate their access into higher privileged roles to gain access to more data and secure a large ransom. To learn more about the different types of ransomware, check out this blog.
As mentioned earlier, bad actors often target your backup repositories. Simply put, if you can restore your own systems without issue, you won’t have to pay a ransom. The only logical solution for bad actors then is to go after your backups before you know your environment has been compromised.
From Breach to Encryption: The Ransomware Timeline
The ransomware journey from breach to encryption is as follows:
- Initial breach, often done through the methods mentioned above
- Gathering information
- Reconnaissance
- Initial compromise
- Privilege escalation
- Encryption
Steps one and two can be swapped depending on the sophistication of the attack. Generally, threat actors will first gather information on their target and then deploy methods like phishing and social engineering to access their environment. Then, they will create a base of operations and attempt to gain elevated access to higher stakes targets. They have also been known to run their own tests to gauge how quickly the target responds and how well its security controls hold up. Then they encrypt data, wipe backups, and demand ransom.
Currently, the established timeline for a cyber disaster on this scale can be several months. However, it’s important to call out that not all threat actors behave the same way. The timeline also depends on the type of attack, type of criminal, and the type of ransomware they use. Some will initiate a payload within hours/days of infiltrating an environment and others have been lurking in environments for over a year!
For more sophisticated attacks, bad actors gain access to your environment and then learn it. They make a lot of observations because they want to know all the logistics and ins and outs of what’s happening within your company before they make themselves known. This helps criminals get the biggest payout possible.
Once the breach has occurred, they lurk. (This kind of breach, by the way, is most commonly caused by someone clicking the wrong link in a phishing email). The longer they lurk, the longer they can explore and test your environment. Bad actors will test your systems to gather all sorts of information: Did you patch this? Did you use a default password? Is your password secure? Essentially, they’re looking around to figure out what they can hit. By doing this recon work beforehand, they are essentially putting a round in every chamber, so on the day they ask for your Bitcoin, they can pull all their triggers and the breach hits with devastating totality.
The worst part is, even paying the ransom won’t guarantee you get your data back. The 2024 Ransomware Trends Report noted that one in three organizations who paid the ransom could not recover their data even after paying. This means your organization’s ability to restore data safely from your own clean databases is one of the few options that ensure full data recovery. Even if you do get your data back after paying a ransom, that doesn’t guarantee that you won’t be hit again either.
While bad actors lurk in your systems, they are also setting themselves up for future success. Cybercriminals explore, test, and in some cases create backend passwords or vulnerabilities that will come back later so they can demand a ransom again. All these nefarious things are done in the shadows to ensure a payout once the payload is released.
Decryption Tools and Challenges
It is not a question of if but when an organization will be targeted by ransomware nowadays. In fact, surveys show that ransomware is an “equal opportunity attacker” that targets everyone from enterprises to small businesses with relative consistency. Since this is ultimately inevitable, the key question to ask is whether your data protection solution allows you to recover quickly, meet recovery time objectives and recovery point objectives (RTOs and RPOs), and keep your business running effectively. There are several tools currently available to organizations to aid in the fight against ransomware, including:
- Data encryption: Employ robust encryption mechanisms to render sensitive data indecipherable to unauthorized users, ensuring your data remains secure both at rest and in transit.
- Ransomware identification: By identifying and blocking suspicious file activities or unauthorized encryption attempts, data loss prevention (DLP) tooling helps mitigate the risk of ransomware attacks that can encrypt valuable data and extort organizations for financial gain.
- The 3-2-1 rule: This is an industry-standard data protection strategy that recommends having three copies of your data, stored on two different types of media, with one copy kept offsite. This rule is a robust guideline for data protection that ensures redundancy, resilience, and the ability to recover data even in the face of unexpected events or disasters.
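The 3-2-1 rule above is easy to state but easy to drift away from as repositories are added and retired. The following is an added example (not code from the original post or from Veeam) that evaluates an inventory of data copies against the rule; the inventory format, the `BackupCopy` fields and the sample copies are all assumptions constructed for the example. The primary production copy counts as one of the three copies, as in the classic formulation of the rule. It also reports whether at least one copy is immutable, which the post discusses later as a separate property.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:
    """One copy of a dataset in the inventory (hypothetical schema for this example)."""
    name: str
    media: str        # e.g. "disk", "tape", "object-storage"
    offsite: bool     # physically or logically separate from the primary site
    immutable: bool = False

def evaluate_321(copies):
    """Check an inventory of copies against the 3-2-1 rule.

    Returns a dict of individual findings plus an overall verdict and a list
    of the gaps, so the result can be fed to a ticketing or reporting tool.
    """
    media_types = {c.media for c in copies}
    offsite_copies = [c for c in copies if c.offsite]
    immutable_copies = [c for c in copies if c.immutable]

    findings = {
        "three_copies": len(copies) >= 3,
        "two_media": len(media_types) >= 2,
        "one_offsite": len(offsite_copies) >= 1,
        # Not part of 3-2-1 proper, but reported because an immutable copy is
        # what survives an attacker who has gained write access to the repository.
        "immutable_copy": len(immutable_copies) >= 1,
    }
    core = ("three_copies", "two_media", "one_offsite")
    findings["compliant_321"] = all(findings[k] for k in core)
    findings["gaps"] = [k for k in core if not findings[k]]
    return findings

# Constructed sample inventories (not real environments).
COMPLIANT = [
    BackupCopy("production-vm", media="disk", offsite=False),
    BackupCopy("local-backup", media="disk", offsite=False),
    BackupCopy("cloud-backup", media="object-storage", offsite=True, immutable=True),
]

NON_COMPLIANT = [
    BackupCopy("production-vm", media="disk", offsite=False),
    BackupCopy("local-backup", media="disk", offsite=False),
]

if __name__ == "__main__":
    for label, inventory in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        result = evaluate_321(inventory)
        print(label, "->", "OK" if result["compliant_321"] else "gaps: " + ", ".join(result["gaps"]))
```

The second inventory shows the common failure mode: two copies on the same media type in the same site, so a single event (or a single attacker with repository access) takes out everything at once.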
While these tools are all effective in their own ways and should absolutely be considered best practice cornerstones for data protection, IT and cybersecurity professionals can still face a wide range of challenges despite having these tools in place.
One of the largest of these challenges comes in the form of cross-team collaboration. Implementing the required security measures and processes demands collaboration and buy-in from all levels of your organization. IT, security, and operations teams must also work together to implement security, backup, and encryption measures effectively. Said another way, cyber resiliency is a team sport. However, it turns out that for most organizations, IT, security, and leadership teams — as well as teams like legal, compliance, and procurement — aren’t as aligned as they should be.
For the third year in a row, the Ransomware Trends Report noted that more than half of organizations (63%) believe that there is either a “significant improvement” or “complete overhaul” needed for their organizations to be aligned between their backup and cybersecurity teams. It is worth noting that, of the three roles surveyed, backup administrators were the least satisfied with the alignment of these teams. This suggests that backup, while important, may not be as involved in the preparedness strategy as it should be. Looking deeper, the survey then asked why teams were not better aligned, to which the most common response was a lack of integration between backup tools and cybersecurity tools.
The Role of Encryption in Ransomware Operations
Veeam is purpose-built to mitigate encryption before, during, and after an attack.
- Before: We’ve included inline detection mechanisms as part of the backup stream to help identify possible malicious activity in production.
- During: In the event of the attack, we provide myriad options for providing a hardened or immutable repository that’s immune to cyberattacks.
- After: We embed detection technologies during our staged or quarantine restore to ensure that encryption and malware is not reintroduced into the environment.
- Bonus: Veeam partners with security vendors in a multitude of areas including SIEM, XDR, EDR, SOAR, KMS, etc. to identify indicators of compromise during an attack.
Coveware by Veeam can be your partner in incident response by specializing in expertise and patented tools that are designed to drive decisions that minimize damage and can determine the right recovery path forward.
As of this year’s Ransomware Trends Report, 85% of folks utilize a cloud that is capable of immutability, and 75% of folks have an on-premises disk that offers immutability. This shows that many organizations are indeed laying the necessary groundwork for a more resilient modern data protection and recovery plan. Unfortunately, not all of them have turned on their immutability option yet — which in Veeam’s case is quite literally a checkbox in the UI. That said, it is heartening to see organizations embrace the industry-standard 3-2-1 Rule of having multiple media types, regardless of whether those media types are immutable or not.
Conclusion
Understanding the reality of threats like ransomware encryption is a powerful first step in the fight against data loss. Understanding the prevalent methods used during ransomware attacks and the timeline of such disasters — as well as the trends, tools, and challenges that all organizations should be aware of — plays a key role in how your organization’s comprehensive cyber security strategy should be built.
The final piece of the puzzle is how you plan to implement this understanding when it comes to retrieving your data. There are several ways to get your data back:
- You can pay in Bitcoin to get the magic wand from the bad guys and hope it works. But, as mentioned earlier, 75% of those who followed that plan still could not recover their data.
- You can use Coveware, which is a company made up of people with expertise in forensic analysis, negotiation, and settlements that’s now under Veeam.
- Or, you could recover without paying, which — according to the Ransomware Trends Report — is the least common answer reported by cyber victims. Last year, only 15% recovered without paying, and candidly, that should be everybody’s goal.
Bottom line, you’re going to have to pay somebody. Wouldn’t you rather pay nickels up front as opposed to Bitcoin later? Or, put another way — wouldn’t you rather pay the good guys a little versus paying the bad guys a lot?