[ NOTE: machine translation with the help of DeepL translator without additional proofreading and spell checking ]
Since the spread of "Locky", the use of extortion malware with an encryption function, so-called ransomware, in cybercrime cases has continued to increase dramatically. The IT systems of those affected are encrypted, which severely restricts their availability, and the owners are blackmailed with a demand to pay a ransom to decrypt the data. In doing so, the perpetrators exploit mistakes made by their "victims" such as operating errors, misconfigurations, outdated software versions or inadequate data backups.
The increasing use of ransomware in attacks goes hand in hand with improved attack methods and constantly adapted procedures on the part of the perpetrators, and the threat of an attack keeps intensifying. In Germany, not only corporations but also numerous small and medium-sized enterprises, hospitals, universities, municipal administrations and private users have been affected. To make matters worse, the coronavirus pandemic that began in early 2020 has put many organizations in a state of economic and financial emergency, which hinders, or even rules out, recovery after a cyber attack. Several new reports on cybercrime victims can be found every day via a web search.
Ransomware High Level
Ransomware is advanced malware that uses various paths and methods to take over the network of the affected party completely and in an automated manner, right down to the central components of user rights management (Active Directory). As a result, a corporate network is often completely compromised and ultimately no longer trustworthy. The attacker then has all the rights needed, for example, to create user accounts with administrator privileges, to view and exfiltrate data, or to set up backdoors. Ransomware often "nests" in the network for several weeks to analyze data streams and the core components of the company so that the attack is as effective as possible. In this way database, file and directory servers, backups and their storage systems are located, and their password stores are spied on.
If the perpetrators realize that they can paralyze large parts of the organization by encrypting data, and that it is a solvent company potentially willing to pay a high ransom for decryption, they roll out their ransomware on all (server) systems simultaneously. In the process, because of the rights available to the attacker or insufficiently well thought-out backup concepts, all data backups are often encrypted as well, unless they are kept offline. The ransom demands are often in the six-digit euro range, but can also reach multi-digit millions (source: BSI), with no upper limit.
If the entire production environment has been encrypted but "clean" data backups are available, these must be restored after the network has been cleaned up in order to be able to use the data again. If the current data backups have also been destroyed, often all that remains is the reconstruction from isolated old, incomplete individual backups and a lot of manual rework. Increasingly it becomes apparent that the backup systems in use, especially tape libraries, are no longer state of the art and do not meet the requirement of fast data recovery.
This method of cyber attack is used by many attackers and is continually refined by them. The number of different types of ransomware continues to grow. However, many companies are now adapting to this by securing their backups better and limiting the impact of a ransomware attack with a wide range of protection mechanisms.
However, over the last 1.5 years a significantly better ransomware awareness has already been created among IT managers and users; this is my personal impression.
If the essential principles, guidelines and recommendations for infrastructures are implemented, the risk of a successful attack is significantly reduced:
Establish and regularly review security policies and contingency plans.
Network segmentation and strict separation of rights in the Active Directory to prevent or contain the spread of malware and the compromise of the network
Well thought-out backup strategy with immutable backup storage or traditional offline backups (including recurring recovery tests)
Patch management - especially security updates for critical vulnerabilities need to be rolled out regularly
Implement logging mechanisms that can be used to track data leakage
Raise awareness/train employees and implement technical measures to harden clients/systems
Create management awareness to embed cyber risks as a component of risk and precautionary management
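The "recurring recovery tests" called for in the backup item above are the point where most backup concepts fail in practice: a backup that has never been restored is only assumed to work. The following POSIX shell script is an added example written for this edit, not code from the original post or from Pure Storage. It builds a small constructed dataset, backs it up to a tar archive together with a SHA-256 manifest, restores the archive into a scratch directory and verifies every restored file against the manifest; a second run deliberately alters one restored file to confirm that the check detects it. It assumes GNU tar and sha256sum on the host; all paths and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): a repeatable backup
# recovery test with integrity verification. Assumes GNU tar/sha256sum.
set -eu

# make_dataset DIR: write a few constructed sample files under DIR
make_dataset() {
    mkdir -p "$1/db" "$1/docs"
    printf 'id,name\n1,alpha\n2,beta\n' > "$1/db/customers.csv"
    printf 'Quarterly report draft\n' > "$1/docs/report.txt"
    head -c 4096 /dev/zero | tr '\0' 'A' > "$1/docs/blob.bin"
}

# write_manifest SRC MANIFEST: record the SHA-256 of every file under SRC,
# with paths relative to SRC so the manifest can be checked after a restore
write_manifest() {
    ( cd "$1" && find . -type f | sort | while read -r f; do
          sha256sum "$f"
      done ) > "$2"
}

# backup SRC ARCHIVE MANIFEST: manifest first, then the archive itself
backup() {
    write_manifest "$1" "$3"
    tar -C "$1" -cf "$2" .
}

# restore ARCHIVE DEST: unpack the archive into an empty DEST directory
restore() {
    mkdir -p "$2"
    tar -C "$2" -xf "$1"
}

# verify_restore DEST MANIFEST: exit 0 only if every file matches its hash
verify_restore() {
    ( cd "$1" && sha256sum -c "$2" ) >/dev/null 2>&1
}

# prepare_cycle WORK: dataset -> backup -> restore, all under WORK
prepare_cycle() {
    make_dataset "$1/source"
    backup "$1/source" "$1/backup.tar" "$1/backup.sha256"
    restore "$1/backup.tar" "$1/restore"
}

# recovery_test: the regular check; exit 0 when the restore is intact
recovery_test() {
    work=$(mktemp -d)
    prepare_cycle "$work"
    if verify_restore "$work/restore" "$work/backup.sha256"; then
        echo "PASS: restored data matches manifest"; rc=0
    else
        echo "FAIL: restored data differs from manifest"; rc=1
    fi
    rm -rf "$work"
    return $rc
}

# corruption_test: alter one restored file (stands in for a backup that was
# encrypted or tampered with) and require the check to report a mismatch;
# exit 0 means the alteration was detected
corruption_test() {
    work=$(mktemp -d)
    prepare_cycle "$work"
    printf 'X' >> "$work/restore/docs/report.txt"
    if verify_restore "$work/restore" "$work/backup.sha256"; then
        echo "FAIL: altered file was not detected"; rc=1
    else
        echo "PASS: altered file detected"; rc=0
    fi
    rm -rf "$work"
    return $rc
}

# Run both checks when executed directly
recovery_test && corruption_test
```

In a real environment the restore step would pull from the actual backup system rather than a local archive, and the manifest must itself be stored on immutable or offline media: if an attacker with the rights described earlier can rewrite both the backup and its manifest, the check proves nothing. Scheduling the script (for example weekly) and alerting on any FAIL turns the "recurring recovery test" from a policy statement into a measured control.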
In the next part (2), I will show how you can use features such as Pure Storage "SafeMode" to achieve immutability of backup data and, in the event of encryption, retain control over your company's data or restore it without incurring additional monetary expenses for the extortionists.
If there is no ransomware awareness in your company yet, you should deal with the topic intensively right away, make the appropriate preparations, take hardening measures and implement protective mechanisms! In the event of a ransomware attack you will then have done everything possible; there is no such thing as 100% protection that rules out an attack in principle, and anyone who claims otherwise is not being honest. BUT: the damage can definitely be minimized! Think of it like an insurance policy: take precautions with tamper-proof mechanisms to protect your company data.
More info - Links
All officially documented configuration options, for the GUI as well as the CLI, can be looked up in the built-in user guides of the Pure Storage systems.
Click on "Help" in the Purity main menu.
The User Guide is structured like the main menu and its sections can be expanded. A search function is also integrated, so you can search for keywords within it.
WEB: Pure Storage (Pure1) support portal - Ticket system and support *(requires registered FlashSystems)
PHONE: Pure Storage phone support: GER - (+49) (0)800 7239467; INTERNATIONAL - (+1) 650 7294088