Ransomware attacks are on the rise, according to recent reports. Cybercriminals often favour these attacks, because they find them to be effective and lucrative. They gain access to an organisation’s files, encrypt the files with a key that is unknown to the organisation, and then demand a ransom payment in exchange for the key and the decryption.
The ransom money is then paid into an anonymous credit card account or via an untraceable Internet currency. Even powerful agencies like the FBI have been stumped when trying to come up with ways to help victims.
Experts have been divided, some suggesting victims take a firm stance, others recommending that the ransom be paid. However, there is a better solution.
A hospital in Kentucky, US, was recently attacked in this way. However, instead of paying up, the hospital moved over to its backups of data. Within five days of the attack starting, the hospital was running again with uninfected, unencrypted data, and consequently refused to pay the ransom.
Another hospital in Ottawa, Canada, was able to avoid having to pay too, by deleting all data on the hard drives concerned and restoring earlier data. It seems that hospitals are attractive targets for hackers, whose other tactics include bringing down voice-over-IP (VoIP) communications and only moving on after being paid off.
Of course, a backup strategy must be properly thought out and executed if it is to successfully beat off ransomware attacks. The recovery time objective (RTO), recovery point objective (RPO) and, if appropriate, recovery consistency objective (RCO) must all be defined and planned for in advance.
Backups must be regularly tested in realistic restore exercises, to make sure that correctly working systems really can be recovered. There is no denying either that emergency procedures to restore backups take more time and effort than normal day-to-day running of systems.
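As an added example (not part of the original article), the following Python script shows two of the checks a realistic restore exercise should automate: whether the newest backup falls within the defined RPO, and whether each restored file still matches the SHA-256 digest recorded in a manifest at backup time, which catches backup copies that were themselves corrupted or encrypted. The file names, contents and timestamps are constructed sample data; the manifest format is an assumption, not a specific product's.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

def sha256_file(path):
    """SHA-256 of a file, hashed in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_rpo(backup_times, now, rpo):
    """Return (within_rpo, age): the newest backup must be no older than the RPO."""
    age = now - max(backup_times)
    return age <= rpo, age

def verify_restore(backup_dir, manifest, restore_dir):
    """Restore every manifest file and re-hash it; return names whose digest
    differs from the one recorded at backup time (corrupted or encrypted copies)."""
    mismatched = []
    for name, expected in manifest.items():
        dst = os.path.join(restore_dir, name)
        with open(os.path.join(backup_dir, name), "rb") as src, open(dst, "wb") as out:
            out.write(src.read())
        if sha256_file(dst) != expected:
            mismatched.append(name)
    return mismatched

def restore_exercise():
    """Constructed scenario: two backed-up files, one later overwritten in place."""
    files = {"patients.db": b"record-1\nrecord-2\n", "config.ini": b"[server]\nport=443\n"}
    with tempfile.TemporaryDirectory() as bdir, tempfile.TemporaryDirectory() as rdir:
        manifest = {}
        for name, data in files.items():
            with open(os.path.join(bdir, name), "wb") as f:
                f.write(data)
            manifest[name] = hashlib.sha256(data).hexdigest()  # recorded at backup time
        # Simulate the backup copy of patients.db being encrypted after the fact.
        with open(os.path.join(bdir, "patients.db"), "wb") as f:
            f.write(b"\x8a\x1f\xc3\x00 unreadable ciphertext")
        return verify_restore(bdir, manifest, rdir)

def rpo_exercise():
    """Constructed scenario: backups 26 h and 2 h old, checked against a 24 h RPO."""
    now = datetime(2015, 6, 1, 12, 0, tzinfo=timezone.utc)
    return check_rpo([now - timedelta(hours=26), now - timedelta(hours=2)], now, timedelta(hours=24))

if __name__ == "__main__":
    print("RPO met, newest backup age:", rpo_exercise())
    print("files failing restore verification:", restore_exercise())
```

A restore that copies every file back but leaves `patients.db` in the mismatch list has not met the RTO, however quickly it ran.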
On the other hand, with the use of ransomware by cybercriminals increasing by as much as 58% (Q2 2015 figures from Intel Security), extra work with backups still looks like the lesser of two evils, compared to being caught out by infected and encrypted files.