Locks and Security News: your weekly locks and security industry newsletter
23rd November 2022 Issue no. 632
The rise of ransomware decryptors: it's still not game over for ransomware, says Databarracks
Another major step in the fightback against ransomware, but decryptors will slow the growth rather than stop it altogether.
In recent weeks, cybersecurity firms have released a host of new ransomware decryptors, offering victims the chance to recover their compromised data at no cost.
While a significant development in the growing ransomware arms race, decryptors won't end the threat completely.
Peter Groucutt, Managing Director at Databarracks, said: "Ransomware has been growing rapidly because there was nothing to stop it: governments weren't doing much to counteract the threat, and insurance firms were often covering the costs of ransoms.
"Since governments started taking a more active role in combating threat actors and insurers set more stringent requirements for cover, growth in ransomware has slowed. Cybercriminals recognise the risk is higher than before and the chance of a pay-out is decreasing.
"The rise of readily available decryption software adds another string to the anti-ransomware bow, but it's not the end of the road by any means. The war on ransomware will continue as more of a chess-like battle, where both sides show cunning either to carry out new attacks or mitigate their impact."
As this arms race evolves, Groucutt believes there are other steps organisations should take to protect themselves, particularly when it comes to guarding backups of their data.
He added: "Cybercriminals know they need to compromise a company's backups to force a ransom payment. One way to prevent this is to use immutable storage, where data is stored in a Write Once Read Many (WORM) state and cannot be deleted for a pre-specified period. This means policies can be set in backup software or at the storage level, and backups can't be changed or encrypted.
"Another way is to add an 'air gap', which means separating backups from your production data so there is no way for an attack to spread from one to the other. This could mean physically separating your backups by storing them elsewhere (such as on tapes) or doing it logically by keeping data storage accounts separate from one another.
"A third option is to restrict access to your backup software. In a successful ransomware attack, your production environment has been compromised, so it's possible that key-loggers may have been used to access backup accounts. Using strong passwords and multi-factor authentication for backup administrator accounts helps keep them ringfenced.
"Finally, backup vendors are now adding innovative features to detect and prevent attacks. These include monitoring both backups and production storage for sudden changes in data, which can indicate a ransomware attack."
Groucutt concluded: "The growth of decryptors is welcome, but no-one should assume you can rely on one to recover from an attack. Organisations should focus on what they can control to defend themselves, to identify, protect, detect, respond and recover."
17th November 2021