I’ve heard about the “Ransomware as a Service” concept before, and it was a big eye-opener to me with regard to the real level of threat we could be facing soon. And last week, I found this blog post that went into detail about RaaS and new threats. Take some time to read it, because I think Ransomware as a Service will change IT as we know it.
With ransomware now so easy to create, there’s no doubt we will see an escalation of insider threats. Previously, malware was something only skilled hackers could create — but now anyone’s babushka can create a custom ransomware dropper because all it takes is a few clicks on a website! “Effortless” is a good word here. After that, everything that hypothetical, evil babushka needs to do is run the dropper on any computer and wait for the ransom payout! Are you seeing the issue?
Some of you may say this is not a new threat, and talk about how the principle of least privilege and physical server access restrictions are becoming more important than ever. But you would be wrong. This IS, in fact, a dramatically new threat, because there is now money involved. Potentially, a lot of money.
To some extent, the Ransomware as a Service concept is no different from deploying the letter bomb virus (thumbs up if you are as old as me) onto a computer class in your university. It was a common prank when I was a student. Then we all grew up, got a job in the exploding IT market, and some got upset with their employer, and that’s when businesses started to realize a potential threat coming from the inside. So many people did bad things just because they were upset with their bosses. This alone was enough for them to justify all the hassle and risk; money wasn’t even in the picture. In fact, this happened to my previous employer, resulting in major irreversible loss of customers’ data. The company lost millions and the person went to jail, all because he was upset he got fired.
But now, having money in the picture will change everything. Thanks to the potential ransom, all of a sudden there is a real reason to take that risk. And what’s worse, using their intimate knowledge of a company’s business processes, insiders can purposely target systems containing the data that is most precious to the business, to ensure the company has no choice but to pay out some 7-figure ransom. Because in the end, it is still going to be the cheapest way out.
So, what does Ransomware as a Service threat mean? For one, CIOs can no longer trust anyone. We all know the saying “Everything has its price,” which is unfortunately true. Even people with the highest moral standards sometimes cannot resist committing a crime when the reward is potentially so high, or so badly needed (because their child is dying and needs that expensive treatment). So, no business can now risk having “trust” as a part of their IT strategy, and they must always be prepared for the worst things potentially carried out by their own employees for a very simple reason.
Just ask yourself, what is your plan if a colleague who has just left for a vacation logs on remotely into your network from some country in the Middle East, deletes all online backups (both primary and their copies), and sticks the dropper on the production servers? This is certainly a thousand times easier to pull off in YOUR environment than robbing a bank, wouldn’t you agree? Think about it. And sadly enough, you can’t really prevent this without making it impossible for your IT staff to perform their job duties.
So, how can businesses protect themselves against insider threats? Three words: Air gapped backups, that is, “offline” backups that cannot be manipulated or deleted remotely. No, tight permissions won’t help, since the right credentials can be obtained with a keylogger or through social engineering. Yet, something as simple as external hard drives or tapes in the executive’s safe solves the issue completely! What if you have a lot of data and hate tape? There are storage systems with “read-only-ness” implemented in firmware, but you do need to ensure their physical security too. Or, you could simply go with a service provider who will keep a copy of your backups in a way that makes them not manageable remotely (for example, on a private network with no Internet connection, or on tapes), and this will ensure no one from your company can possibly delete those!
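The scenario above (an insider deletes every online backup copy, then drops the ransomware) is one a backup inventory can be audited against. The following added example, which is not from the original post and not tied to any backup product, checks a constructed inventory for exactly the property the paragraph asks for: every protected system must have at least one copy that is not remotely manageable, that copy must be fresh enough, and the check flags systems whose online copies have all been deleted. The inventory format, the `remotely_manageable` flag and the 7-day freshness threshold are assumptions made for the example.

```python
"""Audit a backup inventory for an air-gapped (not remotely manageable) copy.

Added example, not code from the original post. The inventory schema below is
a constructed assumption, not any backup product's real catalogue format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupCopy:
    system: str                  # protected system this copy belongs to
    media: str                   # informational: "disk", "cloud", "tape", "external-disk"
    remotely_manageable: bool    # True if the copy can be deleted/altered over the network
    created: datetime            # when this copy was written
    deleted: bool = False        # True if the copy no longer exists in the catalogue


def is_air_gapped(c: BackupCopy) -> bool:
    """A copy counts as air-gapped only if it still exists and cannot be touched remotely."""
    return not c.deleted and not c.remotely_manageable


def check_policy(copies, now: datetime, max_offline_age_days: int = 7) -> dict:
    """Return {system: [findings]}. An empty list means the system satisfies the policy."""
    by_system: dict = {}
    for c in copies:
        by_system.setdefault(c.system, []).append(c)

    findings = {}
    for system, cs in by_system.items():
        issues = []
        offline = [c for c in cs if is_air_gapped(c)]
        online_live = [c for c in cs if not c.deleted and c.remotely_manageable]
        online_deleted = [c for c in cs if c.deleted and c.remotely_manageable]

        # Rule 1: at least one offline copy must exist and be recent enough to be useful.
        if not offline:
            issues.append("no air-gapped copy")
        else:
            newest = max(c.created for c in offline)
            age_days = (now - newest).days
            if now - newest > timedelta(days=max_offline_age_days):
                issues.append(f"air-gapped copy is {age_days} days old")

        # Rule 2: every online copy vanishing at once is the insider scenario from the post.
        if online_deleted and not online_live:
            issues.append("all online copies deleted")

        findings[system] = issues
    return findings


# Constructed sample inventory (assumption): three systems with different postures.
NOW = datetime(2017, 5, 1, 8, 0, 0)
SAMPLE_COPIES = [
    # erp-db: online copies plus a two-day-old tape in the safe -> compliant
    BackupCopy("erp-db", "disk", True, NOW - timedelta(days=1)),
    BackupCopy("erp-db", "cloud", True, NOW - timedelta(days=1)),
    BackupCopy("erp-db", "tape", False, NOW - timedelta(days=2)),
    # file-server: only online copies, and both were deleted -> the worst case
    BackupCopy("file-server", "disk", True, NOW - timedelta(days=1), deleted=True),
    BackupCopy("file-server", "cloud", True, NOW - timedelta(days=1), deleted=True),
    # crm: has an offline copy, but it is a month old -> stale
    BackupCopy("crm", "disk", True, NOW - timedelta(days=1)),
    BackupCopy("crm", "external-disk", False, NOW - timedelta(days=30)),
]


def run_check() -> dict:
    """Evaluate the constructed inventory against the air-gap policy."""
    return check_policy(SAMPLE_COPIES, NOW)


if __name__ == "__main__":
    for system, issues in run_check().items():
        status = "OK" if not issues else "; ".join(issues)
        print(f"{system}: {status}")
```

The deciding attribute is `remotely_manageable`, not the media type: a firmware-enforced read-only array that is still administrable over the network would be recorded as manageable and would not satisfy the policy on its own, which matches the post's point that such systems also need physical protection.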
I will talk more about the importance of air gapped backups in my breakout sessions at VeeamON 2017. But you really should act now and implement them today, because tomorrow, it might be too late!