Understanding Ransomware

SNIAOnStorage

Feb 9, 2022


Ransomware is malware that prevents or limits an organization or individual from accessing their IT systems and data, either by locking the system's screen or, far more commonly today, by encrypting files, until a ransom is paid, usually in cryptocurrency for reasons of anonymity.

By encrypting these files and demanding a ransom payment for the decryption key, the malware places organizations in a position where paying the ransom appears to be the easiest and most cost-effective way to regain access to their files. It should be noted, however, that paying the ransom does not guarantee that users will get the decryption key required to regain access to the infected system or files, and the decryptors that criminals do supply are frequently slow or unreliable.

In some instances, the perpetrators also steal an organization's information before encrypting it and demand an additional payment in return for not disclosing it to authorities, competitors or the public, which would inflict reputational (and often regulatory) damage on the organization. This is commonly called double extortion.

Ransomware operators are now highly professionalized. They spend time inside the victim's environment mapping systems, credentials and backups, increasingly with automated tooling, so that recovering files without paying is extremely difficult if not impossible. They also offer RaaS (ransomware-as-a-service): the developers lease the malware and payment infrastructure to affiliates, including organized crime groups, who carry out the intrusions and share the proceeds. This lowers the skill needed to launch an attack and helps explain why large organizations, which theoretically have large sums of money to pay ransoms, are currently more likely to be targeted than individuals.

However, the landscape is changing: ransomware is no longer only about a financial ransom, with attacks being aimed at public services, utilities and infrastructure to undermine public confidence.

Is ransomware different from malware?

Ransomware is one category of malware, distinguished by its purpose: financial gain. The cybercriminals keep a path to a decryption key available that they can sell to victims. In many cases, however, the decryption tool they supply helps only partially or not at all, depending on the damage already incurred while the organization tried to recover on its own before giving up and agreeing to pay the ransom. The contrast the question usually has in mind is with purely destructive malware, often called a wiper: there the purpose is to damage the victim organization, no decryption key exists, the malware simply encrypts or deletes the victim's systems beyond recovery, and there is no demand for a ransom. Some wipers masquerade as ransomware, which is one more reason that paying offers no guarantee.

How does ransomware work?

Ransomware can be unwittingly downloaded by visiting malicious or compromised websites or by downloading from malicious pages or advertisements. It can also be delivered as an attachment or a link in an email, which is known as a phishing attack. In attacks against organizations it is also commonly introduced by intruders who first gain remote access through exposed services such as RDP or VPN gateways, using stolen or guessed credentials or unpatched vulnerabilities, and who then deploy the ransomware by hand once they have spread through the network.

Once in the system, ransomware can either lock the computer screen or encrypt predetermined files. The user will see a full-screen image or notification displayed on an infected system's screen, which states the method used to prevent the victim from using their system and will indicate how the user can pay the ransom. Alternatively, the ransomware will prevent access to potentially critical or valuable files like documents and spreadsheets.

  1. Ransomware is downloaded from malicious/compromised site or via an email link or attachment.
  2. Computer screen is locked or files are encrypted.
  3. Notification displayed with information on how to pay the ransom to unlock the computer or files.

Implications for data protection methods and/or disaster recovery

Ransomware attacks often involve a time lag between the first system being infected and detonation (activation of the malicious code). This period is sometimes loosely described as a "Trojan" phase, but the accurate term is dwell time: a Trojan is malware disguised as legitimate software, whereas the delay here is deliberate. During that time the attackers, or the malicious code itself, spread to as many connected systems as possible to ensure maximum damage to the victim's environment. Storage replication does not distinguish malicious writes from legitimate ones, so depending on the frequency of replication between the production and disaster recovery environments, the staged malicious code and, after detonation, the encrypted data will be replicated to the Disaster Recovery (DR) environment. For example, if the victim's disaster recovery uses synchronous replication, the changes propagate immediately to the DR site, and once the malicious code is activated both the production and DR environments will be locked.

Moreover, if there is a time lag between infection and activation, the staged malicious code will likely be included in the backups taken during that period. Additionally, the cybercriminal will often study the victim's environment to understand the backup retention policy and extend the time lag between infection and activation so that every retained backup generation contains the implant. More commonly still, they locate backup servers, backup catalogs and volume shadow copies and delete or encrypt them immediately before detonation. Once no clean backup generation remains, the cybercriminal has full leverage over the victim's environment.

So rather than acting as a data protection procedure, replication-based disaster recovery can help spread the malicious code, and any recovery/backup data written within the attacker's dwell time will be affected along with production data. Only copies that are offline, immutable or otherwise unreachable from the production environment, and that predate the compromise, remain trustworthy.

How to mitigate and recover from a ransomware attack

Businesses are now beginning to realize that it is no longer a question of if they will be attacked, but when. Given the scope and sophistication of current threats, what can businesses realistically do to prevent such attacks, or recover from them?

Payment of the ransom - As previously stated, depending on the motive for the attack, paying the ransom does not guarantee that the organization will get the decryption key required to regain access to the infected system or files. However, it is understandable that many organizations are placed in the unenviable position where paying the ransom appears to be the easiest and most cost-effective path. To dissuade businesses from taking this path, the US Treasury's Office of Foreign Assets Control (OFAC) has issued an advisory that strongly discourages the payment of ransoms or extortion demands and warns that payments to sanctioned persons or entities can expose the payer to sanctions liability. The Treasury instead encourages businesses to adopt the CISA (Cybersecurity and Infrastructure Security Agency) recommendations and to report incidents to CISA and the Federal Bureau of Investigation.

Cyber insurance - Some businesses have taken the approach of accepting that they will be attacked and lose data, and that cyber insurance will cover any loss. There is increasing evidence that insurers are unwilling to meet such claims, especially where the insured had no risk management strategy or had not taken at least minimum steps towards preventing the threat.

Best practices - As an example of how to deal with a ransomware threat, CISA has issued a series of recommendations to protect networks from a ransomware attack:

  1. Educate your personnel. Improve workforce awareness through training and testing so that staff understand they are a target and know the nature of the threat and how it is delivered.
  2. Take preventative measures:
    • Risk analysis: Conduct a cybersecurity risk analysis of the organization.
    • Incident response: Develop an incident response plan and exercise it.
    • Vulnerability patching: Implement appropriate and timely patching of operating systems, software and firmware.
    • Email: Enable strong spam filters to prevent phishing emails from reaching end users, and authenticate inbound email (SPF, DKIM and DMARC) to prevent email spoofing. Scan all incoming and outgoing email to detect threats, and filter executable attachments before they reach end users.
    • Firewalls: Configure firewalls to block access to known malicious IP addresses.
    • Anti-virus: Set anti-virus and anti-malware programs to conduct regular scans automatically.
    • Access controls: Manage the use of privileged accounts on the principle of least privilege, so that one compromised user account cannot reach backups, domain controllers or storage management interfaces.
    • Disable macros: Disable all macro scripts in office files transmitted via email.
    • Implement software restriction policies: SRP or other controls can prevent programs from executing from common ransomware staging locations, such as the temporary and download folders used by web browsers and email clients.
    • Application allow-listing (safe-listing): Only allow systems to execute programs known to and permitted by a security policy.
    • Operating systems: Execute operating system environments or specific programs in a virtualized (sandboxed) environment.
    • Logical and physical separation: Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units.
    • Consider implementing a Zero Trust Architecture (ZTA) in the corporate network to limit and authenticate lateral network traffic, and consequently hinder the spread of malware across systems.
    • Penetration testing: Test the security of systems and the ability to defend against attacks.
  3. What to do if you discover ransomware

The next steps are to mitigate the threat through the processes of containment, eradication, and recovery. Containment means isolating infected systems so that the malware cannot spread further or cause additional damage. Eradication means eliminating every instance of the malware, together with the access the attackers used to deploy it. Recovery usually means restoring from uncontaminated offline backups to regain integrity and confidence in the environment.

The final step is to articulate the lessons learned and feed them back into the incident planning process in a cyclical manner.
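Containment starts with knowing which hosts are already running the encryptor. The Python below is an added example, not code from the original post or from CISA: it triages process-creation events for commands that ransomware families routinely run immediately before detonation to destroy local recovery options (shadow copy deletion via vssadmin or wmic, bcdedit disabling Windows recovery, wbadmin deleting the backup catalog), and for programs launched from the temporary and download folders that the software restriction policy bullet above refers to. The event field names (host, image, cmdline) and the sample events are constructed for the example and do not follow any particular product's log schema.

```python
import re
from dataclasses import dataclass

# Added example: triage constructed process-creation events for ransomware
# precursors. Field names (host, image, cmdline) are an assumption, not a
# specific vendor's event schema.


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    evidence: str


# Command lines ransomware commonly runs just before encrypting, to remove
# the victim's local recovery options. Matching is case-insensitive.
PRECURSOR_RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+(delete\s+shadows|resize\s+shadowstorage)"
                r"|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("backup_catalog_deleted",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]

# Program locations a software restriction policy would block: user-writable
# temp and download folders used by browsers and mail clients.
UNTRUSTED_EXEC_DIR = re.compile(
    r'\\(AppData\\Local\\Temp|Downloads|INetCache)\\[^\\\s"]+\.(exe|dll|scr|js|vbs|ps1)\b',
    re.I)


def classify(event: dict) -> list[Finding]:
    """Return every rule the event trips (one event can trip several)."""
    hits = []
    cmdline = event.get("cmdline", "")
    for rule, pattern in PRECURSOR_RULES:
        if pattern.search(cmdline):
            hits.append(Finding(event["host"], rule, cmdline))
    image = event.get("image", "")
    if UNTRUSTED_EXEC_DIR.search(image):
        hits.append(Finding(event["host"], "untrusted_exec_location", image))
    return hits


def triage(events) -> dict[str, list[Finding]]:
    """Group findings by host so responders know which machines to pull first."""
    by_host: dict[str, list[Finding]] = {}
    for event in events:
        for finding in classify(event):
            by_host.setdefault(finding.host, []).append(finding)
    return by_host


def hosts_to_isolate(by_host: dict[str, list[Finding]]) -> list[str]:
    """Any host with a precursor finding is a candidate for immediate isolation."""
    return sorted(by_host)


# Constructed sample events: one workstation staging an attack, one server
# losing its backup catalog, and one benign administrative command.
SAMPLE_EVENTS = [
    {"host": "ws-042", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws-042", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": r"bcdedit.exe /set {default} recoveryenabled No"},
    {"host": "ws-042", "image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Temp\invoice.exe"'},
    {"host": "srv-db1", "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": r"wbadmin delete catalog -quiet"},
    {"host": "ws-017", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin list shadows"},   # benign: listing, not deleting
]

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    print("isolate first:", hosts_to_isolate(results))
    for host, findings in results.items():
        for f in findings:
            print(f"{host}: {f.rule}: {f.evidence}")
```

In a real deployment these rules would run on an EDR or SIEM feed rather than on a list of dictionaries, and a single hit on a server should page someone: by the time encrypted files appear, the shadow copies are usually already gone.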

  • Isolate the infected computer immediately. Infected systems should be removed from the network as soon as possible to prevent the ransomware from attacking network or shared drives.
  • Isolate or power off affected devices that have not yet been completely corrupted. This may afford more time to clean and recover data, contain damage, and prevent worsening conditions. Where forensic capture is planned, disconnecting from the network is preferable to powering off, since memory contents are lost on shutdown.
  • Immediately secure backup data and systems by taking them offline. Verify that backups are intact and free of malware before relying on them.
  • Contact law enforcement immediately.
  • If available, collect and secure any portions of the ransomed data that still exist in unencrypted form.
  • If possible, change all online account passwords and network passwords after removing the system from the network. Furthermore, change all system passwords again once the malware has been removed, since the attackers may have harvested credentials during their dwell time.
  • Remove the persistence mechanisms the malware uses to load at startup (for example registry run keys, scheduled tasks or services), preserving forensic copies of the affected systems first.
  • Implement your security incident response and business continuity plan. Ideally, organizations will have appropriate backups, so their response to an attack will simply be to restore the data from a known clean backup. Having an immutable data backup can eliminate the need to pay a ransom to recover data.
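The disaster recovery section above explains why backups taken during the attacker's dwell time cannot be trusted, and the last two steps here depend on finding a backup generation that is actually clean. As an added example that is not part of the original post, the Python below audits a backup set before restore: it compares every file against a SHA-256 manifest recorded at backup time (which must itself be kept somewhere the attacker cannot rewrite), and flags files whose content has the near-maximum byte entropy typical of ciphertext, files that have vanished or appeared, and ransom-note file names. The directory layout, file names, ransom-note names and the simulated encryptor in run_demo are all constructed for the example; an anti-malware scan of the restore set is still required, since this check looks for encryption damage rather than for the implant.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Added example: verify a backup set before restoring from it. Everything in
# run_demo (paths, file contents, the simulated encryptor) is constructed.

# Illustrative ransom-note names; real families use many variants.
RANSOM_NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt", "restore_files.txt"}
# Shannon entropy in bits per byte: plain text sits around 4-5, ciphertext
# approaches 8. Legitimately compressed files (zip, jpg) also score high, so
# treat this as a triage signal rather than proof on its own.
HIGH_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Digest every file at backup time. Store the manifest off-host, on a
    write-once medium or a separately authenticated system, so an intruder
    cannot rewrite it along with the data."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit_backup(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    findings = {k: [] for k in ("missing", "modified", "unexpected",
                                "high_entropy", "ransom_notes")}
    present: dict[str, Path] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        present[rel] = path
        if path.name.lower() in RANSOM_NOTE_NAMES:
            findings["ransom_notes"].append(rel)
        # Whole-file read keeps the example short; sample large files in practice.
        if shannon_entropy(path.read_bytes()) > HIGH_ENTROPY:
            findings["high_entropy"].append(rel)
    for rel, digest in manifest.items():
        if rel not in present:
            findings["missing"].append(rel)
        elif sha256_file(present[rel]) != digest:
            findings["modified"].append(rel)
    findings["unexpected"] = [rel for rel in present if rel not in manifest]
    return findings


def is_clean(findings: dict[str, list[str]]) -> bool:
    return not any(findings.values())


def run_demo() -> tuple[dict, dict]:
    """Constructed scenario: manifest a clean backup, then let a simulated
    encryptor touch the set and audit it again."""
    root = Path(tempfile.mkdtemp(prefix="backup_audit_"))
    (root / "finance").mkdir()
    (root / "finance" / "report.txt").write_text("Quarterly revenue report\n" * 200)
    (root / "notes.txt").write_text("rotate the backup service account credentials\n" * 50)
    manifest = build_manifest(root)
    clean = audit_backup(root, manifest)
    victim = root / "finance" / "report.txt"
    victim.write_bytes(os.urandom(8192))                    # stand-in for ciphertext
    victim.rename(victim.with_name(victim.name + ".locked"))
    (root / "finance" / "HOW_TO_DECRYPT.txt").write_text("your files are encrypted\n")
    infected = audit_backup(root, manifest)
    return clean, infected


if __name__ == "__main__":
    before, after = run_demo()
    print("clean backup passes:", is_clean(before))
    for category, paths in after.items():
        if paths:
            print(f"{category}: {paths}")
```

Walk backup generations from newest to oldest and restore from the first one that passes; a generation that fails any check was written inside the attacker's dwell time and should be treated as evidence, not as a recovery source.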

Reference Material

Definitions

Malware, short for malicious software, is a blanket term for viruses, worms, Trojans, and other harmful software that attackers use to gain unauthorized access to systems and sensitive information, or to damage them. Software is classified as malware based on its intended malicious use (such as identity theft or total data destruction), rather than on any particular technique or technology used to build it.

SNIA Dictionary Definitions

malware [Computer System] [Data Security]

Malicious software designed specifically to damage or disrupt a system, attacking confidentiality, integrity and/or availability. [ISO/IEC 27033-1]

Examples are a computer virus, computer worm, Trojan horse, spyware, adware, ransomware, or scareware.

ransomware [Data Security]

A type of malicious software designed to block access to data until funds are paid.

Olivia Rhye

Product Manager, SNIA


Take the 2017 Archive Requirements Survey!

khauser

Sep 19, 2017

by Samuel A. Fineberg, Co-chair, SNIA LTR TWG

Ten years ago, a SNIA Task Force undertook a 100 Year Archive Requirements Survey with a goal to determine requirements for long-term digital retention in the data center. The Task Force hypothesized that the practitioner survey respondents would have experiences with terabyte archive systems that would be adequate to define business and operating system requirements for petabyte-sized information repositories in the data center.

Time flies while you're having fun. Now it's 2017, and the SNIA Long-Term Retention Technical Working Group (LTR TWG) and the SNIA Data Protection & Capacity Optimization Committee have teamed up to launch the 2017 SNIA Archive Survey.

Back in the "first" decade of the 21st century, practitioners struggled with logical and physical retention, but for the most part generally understood their problems. Eighty percent of organizations participating in the 2007 survey had a need to retain information over 50 years, while 68% reported a need of over 100 years. However, "long term" realistically extended to only about 2017-2022 to migrate and retain readability. After that, survey responders felt that processes would fail and/or become too costly under an expected avalanche of information.

Fast forward to 2017 and new standards, storage formats, and software are in play, and markets like cloud services offer choices which did not exist 10 years ago. Migration and retention solutions are becoming available, but these solutions are not widely used except in government agencies, libraries, and highly regulated industries. Understanding what is needed and why is a focus of SNIA's new survey.

The 2017 survey seeks to assess who needs to retain long term information and what information needs to be retained, with appropriate policies. The focus will now be on IT best practices, not just business requirements. How is long term information stored, secured, and preserved? Does the cloud impact long term retention requirements?

SNIA's 2017 Archive Survey launched at the September 2017 Storage Developer Conference. We're sending out the call. Are you a member of an IT staff associated with archives? In Records and Information Management (RIM)? An academic? In Legal or Finance? If long term data preservation is near and dear to your heart, you'll want to take the survey, which covers business drivers, policies, storage, practices, preservation, security, and more. Help SNIA understand how archive practices have evolved in the last 10 years, what changes have taken place in corporate practices, and what technology changes have impacted daily operations.

Take the survey and join us at Storage Visions in Milpitas CA on October 16, 2017, where we'll be discussing SNIA's work in long term retention and data protection. Finally, stay tuned: we'll be publishing our results in early 2018!


Does Your World Include Storage? Don't Miss SDC!

khauser

Aug 18, 2017

Whether storage is already a main focus of your career or may be advancing toward you, you'll definitely want to attend the flagship event for storage developers, and for those involved in storage operations, decision making, and usage: SNIA's 19th annual Storage Developer Conference (SDC), September 11-14, 2017 at the Hyatt Regency Santa Clara, California.

The SNIA Technical Council has again put together a wide-ranging technical agenda featuring more than 125 industry experts from 60 companies and industry organizations, including Dell/EMC, Docker, FCIA, Google, Hitachi, HPE, IBM, Intel, Microsoft, NetApp, Oracle, Samsung, SAP, STA, and Toshiba. Over four days, network with fellow architects, developers, integrators, and users, and choose from 100+ sessions, three plugfests, and six Birds-of-a-Feather deep dives on a wide range of cutting edge technologies.

Current General Session speakers are Sage Weil from Red Hat on Building a New Storage Backend for Ceph and Martin Petersen from Oracle on Recent Developments in the Linux I/O Stack.

Among the 15+ topic areas featured at the conference are sessions on:

  • Flash and Persistent Memory
  • Big Data, Analytics, and the Internet-of-Things
  • Storage Resource Management
  • Storage Performance and Workloads
  • Containers
  • Object and Object Drive Storage
  • Cloud Storage
  • Storage Security and Identity Management
  • Data Performance and Capacity Optimization

Network with our sponsors Intel, Cisco, IBM, Kalray, Radian, OpenSDS, Celestica, Chelsio, MemoScale, Newisys, SerNet, and Xilinx. Check out special demonstrations in our "Flash Community" area.

If you're a vendor wanting to test product interoperability, grab this chance to participate in one or more of the SDC plugfests underwritten by Microsoft, NetApp, SNIA Cloud Storage Initiative, and SNIA Storage Management Initiative (SMI): Cloud Interoperability, SMB3, and the SMI Lab focused on SNIA Swordfish™, open to all with SNIA Swordfish™ implementations. Find all the details here.

Plan to attend our Plugfest open house on Monday evening, welcome reception on Tuesday evening, and a special SNIA 20th anniversary celebration open to SDC attendees and invited guests on Wednesday, September 13. Registration is now open at storagedeveloper.org, where the agenda and speaker list are live. Don't know much about SDC? Watch a conference overview here and listen to SDC podcasts here. See you in Santa Clara!


Podcasts Bring the Sounds of SNIA's Storage Developer Conference to Your Car, Boat, Train, or Plane!

khauser

May 26, 2016

SNIA's Storage Developer Conference (SDC) offers exactly what a developer of cloud, solid state, security, analytics, or big data applications is looking for: rich technical content delivered in a no-vendor-bias manner by today's leading technologists. The 2016 SDC agenda is being compiled, but now you can get a "sound bite" of what to expect by downloading SDC podcasts via iTunes, or by visiting the SDC Podcast site at http://www.snia.org/podcasts to download the accompanying slides and/or listen to the MP3 version. Each podcast has been selected by the SNIA Technical Council from the 2015 SDC event, and they include topics like:
  • Preparing Applications for Persistent Memory from Hewlett Packard Enterprise
  • Managing the Next Generation Memory Subsystem from Intel Corporation
  • NVDIMM Cookbook - a Soup to Nuts Primer on Using NVDIMMs to Improve Your Storage Performance from AgigA Tech and Smart Modular Systems
  • Standardizing Storage Intelligence and the Performance and Endurance Enhancements It Provides from Samsung Corporation
  • Object Drives, a New Architectural Partitioning from Toshiba Corporation
  • Shingled Magnetic Recording- the Next Generation of Storage Technology from HGST, a Western Digital Company
  • SMB 3.1.1 Update from Microsoft
Eight podcasts are now available, with new ones added each week all the way up to SDC 2016 which begins September 19 at the Hyatt Regency Santa Clara.  Keep checking the SDC Podcast website, and remember that registration is now open for the 2016 event at http://www.snia.org/events/storage-developer/registration.  The SDC conference agenda will be up soon at the home page of http://www.storagedeveloper.org. Enjoy these great technical sessions, no matter where you may be!


Security is Strategic to Storage Developers - and a Prime Focus at SDC and SNIA Data Storage Security Summit

khauser

Sep 16, 2015

Posted by Marty Foltyn

Security is critical in the storage development process, and a prime focus of sessions at the SNIA Storage Developer Conference AND the co-located SNIA Data Storage Security Summit on Thursday September 24. Admission to the Summit is complimentary; register here at http://www.snia.org/dss-summit.

The Summit agenda is packed with luminaries in the field of storage security, including keynotes from Eric Hibbard (SNIA Security Technical Work Group and Hitachi), Robert Thibadeau (Bright Plaza), Tony Cox (SNIA Storage Security Industry Forum and OASIS KMIP Technical Committee), Suzanne Widup (Verizon), Justin Corlett (Cryptsoft), and Steven Teppler (TimeCertain); and afternoon breakouts from Radia Perlman (EMC), Liz Townsend (Townsend Security), Bob Guimarin (Fornetix), and David Siles (Data Gravity). Roundtables will discuss current issues and future trends in storage security. Don't miss this exciting event!

SDC's "Security" sessions highlight security issues and strategies for mobile, cloud, user identity, attack prevention, key management, and encryption. Preview sessions here, and click on the title to find more details.

Geoff Gentry, Regional Director, Independent Security Evaluators, will present Attack Anatomy and Security Trends.

David Slik, Technical Director, Object Storage, NetApp will discuss Mobile and Secure: Cloud Encrypted Objects Using CDMI, introducing the Cloud Encrypted Object Extension to the CDMI standard, which permits encrypted objects to be stored, retrieved, and transferred between clouds.

Dean Hildebrand, IBM Master Inventor and Manager, Cloud Storage Software, and Sasikanth Eda, Software Engineer, IBM will present OpenStack Swift On File: User Identity For Cross Protocol Access Demystified. This session will detail the various issues and nuances associated with having common ID management across Swift object access and file access, and present an approach to solve them without changes in core Swift code by leveraging the powerful Swift middleware framework.

Tim Hudson, CTO and Technical Director, Cryptsoft will discuss Multi-Vendor Key Management with KMIP, offering practical experience from implementing the OASIS Key Management Interoperability Protocol (KMIP) and from deploying and interoperability testing multiple vendor implementations of KMIP.

Nathaniel McCallum, Senior Software Engineer, Red Hat will present Network Bound Encryption for Data-at-Rest Protection, describing Petera, an open source project which implements a new technique for binding encryption keys to a network.

Finally, check out SNIA on Storage previous blog entries on File Systems, Cloud, Management, New Thinking, and Disruptive Technologies. See the agenda and register now for SDC at http://www.storagedeveloper.org.


Data Recovery and Selective Erasure of Solid State Storage a New Focus at SNIA

Marty Foltyn

Jul 15, 2015


The rise of solid state storage has been incredibly beneficial to users in a variety of industries. Solid state technology presents a more reliable and efficient alternative to traditional storage devices. However, these benefits have not come without unforeseen drawbacks in other areas. For those in the data recovery and data erase industries, for example, solid state storage has presented challenges. The obstacles to data recovery and selective erasure capabilities are not only a problem for those in these industries, but they can also make end users more hesitant to adopt solid state storage technology.

Recently a new Data Recovery and Erase Special Interest Group (SIG) has been formed within the Solid State Storage Initiative (SSSI) within the Storage Networking Industry Association (SNIA). SNIA’s mission is to “lead the storage industry worldwide in developing and promoting standards, technologies and educational services to empower organizations in the management of information.” This fantastic organization has given the Data Recovery and Erase SIG a solid platform on which to build the initiative.

The new group has held a number of introductory open meetings for SNIA members and non-members to promote the group and develop the group’s charter. For its initial meetings, the group sought to recruit both SNIA members and non-members that were key stakeholders in fields related to the SIG. This includes data recovery providers, erase solution providers and solid state storage device manufacturers. Aside from these groups, members of leading standards bodies and major solid state storage device consumers were also included in the group’s initial formation.

The group’s main purpose is to be an open forum of discussion among all key stakeholders. In the past, there have been few opportunities for representatives from different industries to work together, and collaboration had often been on an individual basis rather than as a group. With the formation of this group, members intend to cooperate between industries on a collective basis in order to foster a more constructive dialogue incorporating the opinions and feedback of multiple parties.

During the initial meetings of the Data Recovery and Erase SIG, members agreed on a charter to outline the group's purpose and goals. The main objective is to foster collaboration among all parties to ensure consumer demands for data recovery and erase services on solid state storage technology can be met in a cost-effective, timely and fully successful manner.

In order to achieve this goal, the group has laid out six steps needed, involving all relevant stakeholders:

  1. Build the business case to support the need for effective data recovery and erase capabilities on solid state technology by using use cases and real examples from end users with these needs.
  2. Create a feedback loop allowing data recovery providers to provide failure information to manufacturers in order to improve product design.
  3. Foster cooperation between solid state manufacturers and data recovery and erase providers to determine what information is necessary to improve capabilities.
  4. Protect sensitive intellectual property shared between data recovery and erase providers and solid state storage manufacturers.
  5. Work with standards bodies to ensure future revisions of their specifications account for capabilities necessary to enable data recovery and erase functionality on solid state storage.
  6. Collaborate with solid state storage manufacturers to incorporate capabilities needed to perform data recovery and erase in product design for future device models.

The success of this special interest group depends not only on the hard work of the current members, but also in a diverse membership base of representatives from different industries. We will be at Flash Memory Summit in booth 820 to meet you in person! Or you can visit our website at www.snia.org/forums/sssi for more information on this new initiative and all solid state storage happenings at SNIA.   If you’re a SNIA member and you’d like to learn more about the Data Recovery/Erase SIG or you think you’d be a good fit for membership, we’d love to speak with you.  Not a SNIA member yet? Email marty.foltyn@snia.org for details on joining.


New SIG for SSD Data Recovery/Erase Formed – Calls Open to All Interested Participants

Marty Foltyn

Apr 26, 2015


SSDs present particular challenges when trying to erase all data or attempting to recover data from a broken drive. To address these issues, a new Data Recovery/Erase Special Interest Group has been formed within the SNIA Solid State Storage Initiative.

The goal of the SIG is to provide a forum in which solution providers and solid state storage manufacturers can collaborate to enable data recovery and erase capabilities in solid state storage in such a way as to ensure that customer demands for these services can be met in a cost-effective and timely manner, with a high likelihood of success. A key to the success of the SIG is obtaining input and participation from all of the key stakeholders: solid state storage manufacturers, data recovery and erase solution providers, and solid state storage customers.

The SIG will be having a limited number of conference calls that will be open to non-members. Go to http://www.snia.org/forums/sssi/dresig for more details and to register for the first open meeting.

