June 19, 2017
In the wake of the WannaCry ransomware attack that hit 150 countries around the globe, Mindsight sat down with Matt Seeley, senior solutions architect for Carbonite, to discuss ransomware attacks and how backup solutions can protect your environment. When your critical data is either encrypted or deleted entirely, backups can be your only lifeline to restoring your data. As Seeley points out, however, not every backup solution will do.
Interview with Matt Seeley of EVault
Mindsight Blogging Team (MBT): Please introduce yourself and your role at Evault?
Matt Seeley (MS): Sure, so my name is Matt Seeley. I’ve been with Evault for six years, and I’m now here as a senior solutions architect covering the entire U.S. and reporting directly to the senior director of sales engineering and professional services.
My role here is designing, architecting, and vetting out different solutions as well as developing different answers to how we solve certain problems, such as the one we’re going to be talking about here today. Then I determine how those solutions can fit into different organization’s IT infrastructure and how they can manage the solution in their environment.
MBT: Well the topic of the day is ransomware. To begin, what makes ransomware such a persistent threat to modern business?
MS: First and foremost, ransomware does two things mainly. It can delete files, and it can encrypt files. The impact on businesses can vary depending on network connectivity, how the different file systems and servers are set up, and how those resources are connected to users.
Ultimately the ransomware attack starts as a maybe a malicious link or a file that’s emailed to someone. It then exploits things like SMB v1 if enabled as well as NetBIOS and Server Service. Then once inside, it proliferates across the environment, as it leverages different vulnerabilities within a system as previously discussed. A ransomware attack scans and looks for different types of files, and at that point, it starts encrypting the files to bring the company to its knees unless it pays the ransom.
Going back to something a little bit earlier in the year, you may have seen or heard that when the Presidential Inauguration was happening, a malware attack or ransomware attack hit the CCTV systems within the District of Colombia. It brought down the entire CCTV system for about 48 hours. They had to pretty much delete everything and recreate it from scratch. Just imagine that kind of impact on a business scale where it can attack things like your Quickbooks, your Excel spreadsheets, or your documents. True to its name, it can hold your business for ransom.
MBT: Is there a type or size of business that is more vulnerable or more often targeted than any other.
MS: Organizations are often targeted based on the nature of the business and the importance of their data. So, healthcare or financial institutions, I think, is the sweet spot for hackers. Capturing and holding for ransom patient data or stealing patient data not only can put a healthcare or financial organization at risk, but it can put the patients at risk especially if they are in for a treatment and there’s no history and no data.
Organizations that generally have very sensitive and or highly valued data within their infrastructure are targets for these kinds of attacks. The idea is that the data is so important that they would consider paying the ransom to get that data back.
MBT: On that point, what would you say are some of the best strategies or solutions to try and defend against the source of attacks?
MS: Well, backups are critical. You can employ the best anti-virus software in the world, but if you are the first company hit by the attack and that anti-virus software didn’t detect it, you could still be affected. The real question is, “when I am affected, how do I reverse that? How do I get back to the point before the ransomware has corrupted my data?”
The way that is easiest to approach is backup. When looking at backup, you need to ask yourself a few questions. How can I restore my data quickly? In the event that my data has been compromised, how do I know that I can get that data back to a point that doesn’t have the virus in it? The other thing you have to think about when employing some of these types of protection methods is what happens when it affects the backup server. How can I protect against that backup server becoming corrupted or encrypted as well? Your backup data has to be moved off site in a secure method and kept in a secondary location be it a private facility, another DR recovery center, or the cloud.
From a Carbonite perspective, one of the things that we have seen be extremely helpful in the event of an attack like this is being able to call whoever provides your backup and say “Hey, I’ve been attacked. I need to get my data back.” Without a real sound solution where I can ship that data back to you, you’re either left with one of two options. One, I would need to trickle all that data back down through your WAN or two, I have to try and recover from all the data that is lost. I’d say having a recovery option that is flexible is your best bet.
The only way to recover from that data loss is to go in and undelete certain information. There are forensic applications out there that will allow you to pull deleted data back. Now that doesn’t protect you from encrypted data, so I would say backup is the most important strategy but not just backup alone. You need backup with offsite capabilities where you can send that data back to your core datacenter for LAN speed recoveries.
Speed is an issue here. Say I have a 50mb or maybe a 100mb link, but I’ve got 3, 8, 10, 20 terabytes of data that needs to be recovered. At 100 mbs, how quickly am I going to get that back? The solution needs to also provide for the ability to take that data, pull it from the remote site or cloud and ship it back to the core datacenter. That way you can restore all of the data at LAN speeds and keep your downtime minimized.
A second approach to that same threat is having a cloud or Disaster Recovery as a Service offering that your organization can employ in the event of an attack like this. Whatever the malware or ransomware has done to your infrastructure, you can now recover in a cloud environment all of your servers, your platforms, you applications, bring them up online, connect that through an IPSEC tunnel or an SSL VPN back into that particular disaster recovery as a service infrastructure. Then you’re now back up and running in a matter of hours versus days.
When you have a good disaster recovery solution that allows you spin that up in the cloud, it’s also going to give you that really quick recovery to where you can start putting the pieces back together. Once everything is back up, you can just take all of the data that you have been running on in the cloud and move that back into the core datacenter and then come back up. You’ll have lost very little data and little time.
The other thing we don’t think about is the time aspect in this, right? One of the things I had mentioned earlier was the ransomware attack on D.C. CCTV system. It took them 48 hours to recover that. Imagine if that was a business where every hour costs you even $10,000. This can cripple small to medium sized businesses.
MBT: The most recent ransomware attack of note would be the WannaCry attack. Is WannaCry pretty typical of ransomware attacks or was there something unique about it that made it so successful?
MS: Well, it exploited the Microsoft security hole in their file sharing or SMB v1 and their discovery. If you’ve ever set up a computer or a server on a network, a notification pops up and says, “Would you like to discover nodes on your network?” With one click, they’ve opened the door to the possibility of infecting their network, and that’s problematic.
WannaCry was so successful, because all it took was one click of an email to open up that ransomware. The minute it hit that machine, it would then scan for all of the other machines on network that had the vulnerabilities, proliferate through the network, and lock down your files. Again, you only have two options: pay the ransomware and possibly don’t get your data back or have a good recovery process that allows you to completely wipe that out of your system and revert your data back to the last known safe point.
What’s even worse about it is that the folks that built this are working like a company. They’re actually going out and saying, “Hey they’ve thwarted us on this front. Let’s patch the malware virus.” They’re patching the virus, so it can cause further havoc. I think the first numbers I saw were somewhere around 200,000 systems in 150 countries affected but that could be higher than originally thought.
MBT: Do you have any final thoughts or last pieces of advice?
MS: It’s definitely scary, and I know that there’s really no true way to completely get rid of the threat of ransomware, because it’s ever evolving. You’ve got ransomware out there that deletes files. You’ve got ransomware out there that encrypts files. You’ve got ransomware that does both. You’ve got ransomware that looks for documents and Excel spreadsheets and ransomware that looks for different drive types. You’ve got ransomware that looks for network connections and secondary devices. They are even writing certain ransomware codes that attack specific backup files. That’s why the whole solution needs to protect information at the local source and take that same data off-site and out of region. It’s the only way to protect your environment across the board from anything that may happen and still allow you to recover that data very quickly.
A Persistent Threat
As Seeley describes, ransomware is an evolving threat, and this is true across the data security industry. There is a constant arms race between hackers and data security professionals, and it is unlikely to ever stop. As IT professionals, it is our responsibility to do whatever possible to protect the environment, knowing full well that 100% guaranteed security forever isn’t actually possible. In this case, to protect against a ransomware attack, the only real option on the table is a comprehensive data backup solution.
Like what you read?
Mindsight, a Chicago IT services provider, is an extension of your team. Our culture is built on transparency and trust, and our team is made up of extraordinary people – the kinds of people you would hire. We have one of the largest expert-level engineering teams delivering the full spectrum of IT services and solutions, from cloud to infrastructure, collaboration to contact center. Our highly-certified engineers and process-oriented excellence have certainly been key to our success. But what really sets us apart is our straightforward and honest approach to every conversation, whether it is for an emerging business or global enterprise. Our customers rely on our thought leadership, responsiveness, and dedication to solving their toughest technology challenges.
Contact us at GoMindsight.com.