Will Ransomware Start Targeting Enterprise Backups?
Let’s start with the facts. On May 12th, 2017, a new ransomware variant known as WannaCry spread throughout the internet. It notably infected 60 organizations that were part of the UK’s National Health Service, shut down operations at FedEx, and brought Spain’s Telefonica to a halt.
Despite all of this damage, however—which may include up to $100 million in the UK alone—WannaCry itself was almost pathetically unsuccessful. At the time of writing, it has garnered only $120,000 in about three weeks.
By comparison, other forms of ransomware have been observed collecting as much as $30,000 per day for weeks at a time.
There are a number of theories as to why the WannaCry virus has become a failure, but there’s no real consensus. What’s notable, however, is the speed with which most affected parties restored their infected endpoints from backups. Does this mean that enterprises are adapting to ransomware? In turn will ransomware authors design their malware to target more advanced backup strategies?
How does ransomware target system backups?
When you’re attempting to hold a target’s data for ransom, it can be inconvenient for the target to restore that encrypted data from backup. Although home users and municipal organizations aren’t normally well-known for their investment in sophisticated data backup and recovery systems, many of them are protected by built-in, basic protection on their PCs, laptops, and servers.
This built-in system is known as the Windows Volume Shadow copy. Included in Windows editions since XP and Server 2003, this process takes unobtrusive snapshots of files on an endpoint. It’s an effective tool for home users and small businesses, which is why most types of ransomware, including WannaCry, have tools to delete it.
WannaCry, Locky, Cryptolocker, and CryptXXX all contain mechanisms that delete volume shadow copies using strings in command line (CrytpXXX, funnily enough, will attempt to delete shadow copies, but isn’t programmed well enough to pull it off). In theory, this could be one of the reasons why WannaCry didn’t make much in the way of profit—because most enterprises are going to be using more robust protections than shadow copies alone.
WannaCry biting off more than it could chew?
WannaCry did something that most ransomware variants haven’t yet managed to do. Instead of attacking low-hanging fruit such as home users, small businesses, and municipal organizations, it hit enterprises. Companies with thousands of employees and hundreds of global locations fell victim to WannaCry. These companies, however, also seem to be the ones with the best potential to shrug off a ransomware attack by restoring from backup.
Backup adoption is at high levels within the enterprise. Cloud backup and recovery services represent the second-highest percentage of cloud-based investments within companies, as well as the second-highest percentage of managed services investment. Meanwhile, the Uptime Institute reports that 68% of companies have implemented an IT resiliency plan that can instantly restore functionality to a compromised or underperforming application.
Therefore, the companies such as the ones that WannaCry affected, like FedEx and Telefonica, are among the ones most likely to be able to automatically bounce back from an attack that affects their data. Even the NHS, which is in the more traditional spectrum of targets affected by ransomware, was able to restore from backups with zero data loss after just one day.
Will ransomware evolve to strike the enterprise more consistently?
Here’s where we stand now: With malware like WannaCry, ransomware authors have proved that they can attack the enterprise. What they don’t have, however, is a persistence mechanism. Enterprise backups are generally too robust. Any encrypted data will be restored from backup within at most a day. There’s no way for ransomware to cause enough damage that enterprises would rather pay a ransom than restore their data.
Will this state of affairs continue? On the one hand, attacker have already enjoyed great success going after less tech-savvy companies and individuals. On the other hand, enterprises have deep coffers, and hackers have a great track record of innovating around technical obstacles. In other words, companies should anticipate the possibility that ransomware attacks might target their backups for deletion or encryption.
Find out more about how our appliance adds convenience and ransomware protection to your enterprise backups.