CTO Fraction

Are You Protected from Both Sides of a Ransomware Attack?

According to Statista:
“In 2022, roughly 68 percent of the worldwide reported cyberattacks were ransomware. In the fourth quarter of 2022, nearly 155 million ransomware attacks were detected worldwide. As of 2023, the highest share of companies victimized by ransomware were in Singapore and Austria, while the United States ranked first by the number of such attacks.”

What Are the Two Sides of a Ransomware Attack?

The goal of this article is not to give you specific “how-tos” of implementing Ransomware protection, as those can vary based on your specific environment and cloud provider. Its primary purpose is to point out that there are two sides of protecting against a ransomware attack: prevention and recovery.

This is similar to what we do in everyday life to protect ourselves from an auto accident. We take action to protect ourselves in both the prevention and the recovery phase. Here is what it looks like.

PREVENTION – we do what we can to prevent an accident occurring in the first place:

  • Use tires with enough tread to prevent skidding.
  • Maintain good brakes to enable quick stopping.
  • Ensure all lights (head, rear, blinkers) are operational to increase awareness – ours and that of others.
  • Maintain good wiper blades to increase visibility in bad weather.
  • Pay attention when driving.

RECOVERY – what we do in order to be able to recover from an accident if one occurred despite our best prevention efforts:

  • Wear a seatbelt.
  • Drive a car whose airbags have never deployed before.
  • Drive a car with high safety ratings.
  • Buy both auto and health insurance.

Figure: The stages of a ransomware attack are ingress, compromise, burrowing, lateral movement, command and control, exfiltration, encryption, and payment demand.

Image Source: Gartner

Prevention of a Ransomware Attack

As with the example above, when we want to prevent a ransomware attack, there are certain measures we must take in order to minimize the chance of one occurring in the first place. This is where the effort for ransomware protection begins.

While this is not an exhaustive list, some of the common examples are:

  • Endpoint Protection: Solutions that include antivirus, antimalware, and behavioral analysis to detect and block ransomware at the endpoint.
  • Network Segmentation: Segmenting your network to isolate critical systems and limit lateral movement in case of a breach. Also, using virtual private clouds (VPCs) and network security groups to control traffic between different segments.
  • Email Security: Solutions to prevent phishing attacks, which are a common entry point for ransomware.
  • User Training: Providing regular training to employees on how to recognize and avoid ransomware attacks, such as phishing emails and malicious websites.
  • Continuous Monitoring: Implementing continuous monitoring of the cloud environment, for example with an Intrusion Detection System (IDS), to detect any unauthorized changes that could indicate a ransomware attack.
  • Principle of Least Privilege (PoLP): Restricting user and application access to only what is necessary for their roles.
  • Multi-Factor Authentication (MFA): Requiring MFA for all user accounts to add an extra layer of security against unauthorized access.
  • Encryption: Encrypting sensitive data both in transit and at rest to protect it from unauthorized access.

Recovery from a Ransomware Attack

Again, this is the phase where a ransomware attack has happened, even though we implemented prevention measures. If we find ourselves in this situation and then start asking the “What to do?” question, we are actually in trouble.

Therefore, it is important to take steps before an attack occurs in order to increase our likelihood of recovering after the unfortunate event of being attacked.

During a ransomware attack, files, data, or systems are encrypted. The attacker then demands money in order to provide a decryption key. It is as if the attacker locks our system and now wants money to provide the key that unlocks it.

Therefore, if this has happened, the goal is to be in a position where we don’t need the key at all. This can be achieved IF we have taken steps to be able to completely reproduce our environment, system, and data. If we have the ability to do so, and to do it fairly quickly, the attacker’s key would not be necessary for business continuity.

So what can be done in order to not need the attacker’s key? The following measures can be taken long before an attack occurs.

Environment

Automate your infrastructure provisioning. Create an automatic process that allows you to quickly and easily recreate your entire Production environment, along with all of its configuration. Using Infrastructure as Code (IaC) tools to automate the provisioning of cloud infrastructure will help ensure a known good state and enable fast recovery in the event of a ransomware attack.

If you have a solid automated infrastructure process, you should be able to recreate your Production environment in a different data center region, which your attacker will not have penetrated. This will give you the base of rebuilding your entire system in a new environment.

System

Automate the deployment of your entire Production system. Create a solid CI/CD pipeline which allows you to deploy your entire Production system to any environment that you point it to. This way, if you have created and configured a brand new environment (using the step above) in a new data center region, you can now deploy the latest code, files, and data on top of it.

Source Code

In order to be able to execute the above two steps you need to ensure that your latest source code is also backed up. This is important because if the attacker manages to encrypt your source code, you will not be able to stand up a new instance of your production system, even if you have automated processes for both infrastructure and deployment.

Therefore, you need to have regular source code backup processes, which make copies of all your source code at an offsite location.

Example: In a previous software company where I used to work, all of our systems, including the source code, were hosted in Azure Cloud. Therefore, we implemented a source code backup process, which created backup copies in AWS.

Data

Similarly to backing up your source code files you need to have backup processes for all of your data. This should include both databases and any data files.

Ensure regular and automated backups of critical data. Store backups in a separate, isolated environment to prevent ransomware from spreading to them. Also, regularly test the restoration process to ensure backups are functional.

Disaster Recovery Plan (DR Plan)

Create a step-by-step DR plan to ensure that your team is able to seamlessly execute the restoration steps in the event of an attack or disaster.

Ensure that all of the processes you have in place will actually work and that your team will have the ability to create a fully independent and complete instance of your production environment, system, and data.

Practice test runs of the DR plan twice a year, or once per quarter, to make sure that it is being updated as your environment changes.

Having a solid DR plan will be helpful not only in the aftermath of a ransomware attack but also in the recovery effort of a disaster.
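As an added example (not code from the original post), here is a minimal restore drill of the kind the Data and DR Plan sections call for: a backup is produced together with a SHA-256 manifest that is kept apart from the archive, and the drill restores the archive into a scratch directory and reports every file that is missing or whose content no longer matches. The file names and contents are constructed sample data.

```python
import hashlib, io, tarfile, tempfile
from pathlib import Path

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_backup(files: dict) -> tuple:
    """Pack files into an in-memory .tar.gz; return (archive, manifest).
    The manifest (path -> SHA-256) is the known-good state, kept with the
    DR plan in a separate location from the archive it describes."""
    manifest = {name: sha256_of(data) for name, data in files.items()}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue(), manifest

def restore_drill(archive: bytes, expected: dict, dest: Path) -> dict:
    """Restore into a scratch directory and check every manifest entry.
    Returns a report instead of raising, so a scheduled drill records all failures."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for m in tar.getmembers():
            rel = Path(m.name)
            if not m.isfile() or rel.is_absolute() or ".." in rel.parts:
                continue  # restore only plain files that stay inside dest
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(tar.extractfile(m).read())
    report = {"ok": [], "missing": [], "corrupt": []}
    for name, digest in expected.items():
        path = dest / name
        if not path.is_file():
            report["missing"].append(name)
        elif sha256_of(path.read_bytes()) != digest:
            report["corrupt"].append(name)
        else:
            report["ok"].append(name)
    report["passed"] = not report["missing"] and not report["corrupt"]
    return report

def sample_drills() -> tuple:
    """Constructed sample: a clean drill, then one against a stale manifest."""
    files = {"app/main.py": b"print('hi')\n", "db/dump.sql": b"CREATE TABLE t (id INT);\n"}
    archive, manifest = make_backup(files)
    # stale manifest: one file changed since backup, one file never backed up
    stale = {**manifest, "db/dump.sql": "0" * 64, "config/app.env": manifest["app/main.py"]}
    with tempfile.TemporaryDirectory() as scratch:
        clean = restore_drill(archive, manifest, Path(scratch) / "clean")
        drift = restore_drill(archive, stale, Path(scratch) / "drift")
    return clean, drift
```

A scheduled job would run the drill against the most recent archive from the isolated backup location and alert when the report does not pass.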

Example: Another real example from my work experience: our Azure data center was completely shut down by a lightning strike in the Midwest, which caused our system to be down for 2 full days.

Seeking guidance for your technology strategy?

If you are looking to boost your company’s technological capabilities and drive innovation, consider engaging a Fractional Chief Technology Officer (CTO). A Fractional CTO can provide strategic guidance, technical expertise, and leadership on a part-time basis, tailored to your specific needs and budget. By leveraging the experience and insights of a Fractional CTO, you can optimize your technology roadmap, enhance productivity, and stay ahead in today’s competitive landscape.

Want to know more? Explore my Fractional CTO services.

Conclusion

No one is guaranteed immunity from a ransomware attack. If you don’t want to suffer the consequences of a ransomware attack, take some steps ahead of time. Create measures to prevent an attack, but also do not neglect the steps which would allow you to recover from one. Don’t be the company that implements only preventative measures and hopes they will never be penetrated. Be the company that can recover even in the face of an actual attack. Be the type of company that would not need the attacker’s key in order to continue to function.