Ransomware attacks are big news when they hit giant corporations, government services, and resources like gas pipelines. And when the focus is on apocalyptic attack scenarios, where sensitive data was ransomed or government services knocked offline, there’s a tendency to think that one’s own organization isn’t a likely target.
However, there’s plenty of evidence that no matter the size, profile, or market sector, ransomware attackers will eventually see any organization as being attack-worthy.
Libraries? Check. Art museums? Check. Orchestras? Check. Cultural institutions have recently become targets for ransomware, perhaps because of their hefty databases of patrons, which the bad guys see value in locking up. In October 2023, the British Library was hit by a ransomware attack that encrypted or deleted data and IT systems. The attackers also copied much of the library’s data, tried to auction it online, and eventually released it on the dark web.
Three months later, the library announced that it was restoring limited access to its online catalog, which provides access to the library’s treasured collection of books, maps, journals, musical scores, and more. It warned that it could take several months to make a full recovery from the attack.
Third-party Software: The Common Thread in a New Wave of Ransomware Attacks
While the British Library was targeted directly by ransomware, other cultural institutions have suffered the aftereffects of attacks because they deployed a software solution that was also the victim of ransomware. The Museum of Fine Arts Boston, the Rubin Museum of Art in New York, and the Crystal Bridges Museum of American Art in Arkansas all used software from Gallery Systems, creator of collection management solutions.
In late 2023, Gallery Systems suffered a ransomware attack, and these institutions lost the ability to display their collections. It was a supply chain attack in the sense that the 2020 SolarWinds compromise was: damage at one vendor spread to that vendor's customers. The mechanism differed, though. SolarWinds customers received a trojanized software update, whereas Gallery Systems' customers lost a service they depended on. The continuing threat of supply chain attacks (not to mention ransomware) makes it all the more important to build resilience strategies that protect your organization before, during, and after a ransomware attack.
5 Steps to Reduce Ransomware Risks
A June 2021 White House memo on ransomware outlined five steps for strengthening defenses against the threat.
- Back up your data. If you do nothing else, back up data, system images, and configurations. Today's ransomware operators deliberately target backups, deleting or encrypting them before they take over production environments, so that paying becomes the only route to recovery.
A multilayered defense with a modern approach to backup and restore is critical. Backup data and backup metadata must be kept immutable: frequent snapshots that cannot be modified or encrypted after they are taken. Immutability is only half of it. The protected copies must also be readily available when needed, which requires underlying infrastructure that delivers both accessibility and restore speed. With that level of protection and restore capability, businesses can avoid the major organizational, reputational, and financial impacts of a ransomware attack.
There are two critical components of backing up data:
- Proven recoverability: Organizations need proven recoverability, which goes beyond immutability. Immutability stops an attacker from modifying or encrypting a backup, but it does not by itself stop deletion: an attacker holding storage administrator credentials can often simply eradicate the snapshots. A solution like Pure Storage® SafeMode™ Snapshots removes that option by protecting eradication with an out-of-band step that administrator credentials alone cannot satisfy, which is essential for recoverability.
- Ability to recover quickly: Along with an immutable, undeletable recovery point, you also need to restore quickly. In several recent attacks, organizations paid the ransom to shorten recovery because their backup systems were too slow to restore at the required scale. Backups and recoverability alone are therefore not enough. Restore throughput, such as the petabytes per day achievable with solutions like Rapid Restore, is what gets key systems running again faster.
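To make "proven recoverability" concrete, here is an added example (not Pure Storage's code and not tied to any product) of a restore drill in Python. It backs up a directory together with a SHA-256 manifest, restores it to scratch space, re-hashes every file and measures the restore, then repeats the drill after simulating an attacker who altered the backup in place. The dataset, paths and file names are constructed for the example; a real drill would run against a snapshot on immutable storage and keep the manifest there as well.

```python
"""Restore drill: back up a directory into a tar archive with a SHA-256 manifest,
restore it to a scratch directory, and prove every file came back intact.
Added example, not Pure Storage code; the sample files and paths are constructed."""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src: Path, archive: Path) -> dict:
    """Archive src and return {relative_path: sha256}. The manifest is the reference
    point for every later drill, so keep it on a separate, immutable store."""
    manifest = {}
    with tarfile.open(archive, "w") as tar:  # uncompressed so tamper() below can hit file data
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = _sha256(p)
                tar.add(p, arcname=rel)
    return manifest


def restore_and_verify(archive: Path, manifest: dict, dest: Path) -> dict:
    """Restore, then re-hash every manifest entry. Missing or altered files are
    reported; restore time is measured because speed is part of recoverability."""
    t0 = time.perf_counter()
    with tarfile.open(archive, "r") as tar:
        try:
            tar.extractall(dest, filter="data")  # refuses path-traversal members (Python >= 3.11.4)
        except TypeError:                        # older Python: no extraction filters
            tar.extractall(dest)
    elapsed = time.perf_counter() - t0
    mismatched, restored_bytes = [], 0
    for rel, digest in manifest.items():
        p = dest / rel
        if p.is_file() and _sha256(p) == digest:
            restored_bytes += p.stat().st_size
        else:
            mismatched.append(rel)
    return {"ok": not mismatched, "files": len(manifest), "mismatched": mismatched,
            "bytes": restored_bytes, "seconds": elapsed}


def tamper(archive: Path, needle: bytes, replacement: bytes) -> None:
    """Simulate an attacker with write access altering backup data in place, which
    is exactly what an immutable snapshot forbids. A same-length overwrite keeps the
    tar structure valid, so only the content hash reveals the change."""
    data = archive.read_bytes()
    i = data.find(needle)
    if i < 0 or len(needle) != len(replacement):
        raise ValueError("needle not found or length mismatch")
    archive.write_bytes(data[:i] + replacement + data[i + len(needle):])


def run_drill() -> tuple:
    """Drill on a constructed dataset: once clean, once after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "src"
        (src / "db").mkdir(parents=True)
        (src / "db" / "patrons.csv").write_text("id,name\n1,Ada Lovelace\n2,Alan Turing\n")
        (src / "catalog.txt").write_text("maps, scores, journals\n")
        archive = root / "backup.tar"
        manifest = create_backup(src, archive)
        clean = restore_and_verify(archive, manifest, root / "restore_clean")
        tamper(archive, b"Ada Lovelace", b"Eve Attacker")
        tampered = restore_and_verify(archive, manifest, root / "restore_tampered")
        return clean["ok"], tampered["ok"], tampered["mismatched"]


if __name__ == "__main__":
    print(run_drill())  # (True, False, ['db/patrons.csv'])
```

The tampered run fails only because the manifest was taken at backup time and kept apart from the archive; if the attacker could rewrite the manifest too, the drill would pass. That separation is what an immutable, undeletable snapshot gives you for the backup itself, and once it is in place the drill's job shifts from catching tampering to proving that the restore path works and how long it takes at full scale.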
- Update and patch systems promptly. This means having an inventory of your IT estate and keeping operating systems, applications, and firmware current, applying critical patches as soon as they are available. A centralized logging platform that records details about every system, paired with a patch management system, makes this tractable. Back the patch program with a risk-based assessment, so that the exposures most likely to be exploited are fixed first, and with a security analytics program that can identify anomalies in your environment.
Pure1® can assist with patches, and a platform like FlashBlade® can serve as the storage tier for a log analytics platform such as Splunk or Elastic that ingests from all your systems. The high-speed analytics that storage supports is what lets you identify attackers already inside your environment, ideally before they launch the encryption phase.
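Here is what the "identify anomalies" part looks like as detection logic. It is an added example, not Pure Storage, Splunk or Elastic code. The key=value log format, the field names, the rename threshold and the sample lines are all assumptions; the commands it matches are the well-documented recovery-inhibition commands (vssadmin, wmic, wbadmin, bcdedit) that ransomware runs shortly before encrypting.

```python
"""Detection logic for ransomware precursors run over centralized endpoint logs:
recovery inhibition (shadow-copy deletion, boot recovery disabled) and a burst of
file renames to one new extension. Added example, not Pure Storage code; the log
format, thresholds and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) type=(?P<type>\S+)(?P<rest>.*)$')
KV = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')

# Commands that destroy local recovery options, typically run minutes before
# encryption starts (MITRE ATT&CK T1490, Inhibit System Recovery).
INHIBIT_RECOVERY = [
    re.compile(r'\bvssadmin(\.exe)?\s+delete\s+shadows', re.I),
    re.compile(r'\bvssadmin(\.exe)?\s+resize\s+shadowstorage', re.I),
    re.compile(r'\bwmic(\.exe)?\s+shadowcopy\s+delete', re.I),
    re.compile(r'\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)', re.I),
    re.compile(r'\bbcdedit(\.exe)?\b.*recoveryenabled\s+no', re.I),
]
RENAME_BURST = 50  # renames to one new extension per host per minute; assumed threshold


def parse(line: str):
    """Parse one key=value log line into a dict, or None if it is not in the format."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    for qk, qv, k, v in KV.findall(ev.pop("rest")):
        ev[qk or k] = qv if qk else v
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect(lines):
    """Return (rule, host, user, detail) alerts. The rename rule fires once per
    host/minute/extension, at the moment the count reaches RENAME_BURST."""
    alerts = []
    renames = defaultdict(int)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["type"] == "process":
            cmd = ev.get("cmd", "")
            if any(p.search(cmd) for p in INHIBIT_RECOVERY):
                alerts.append(("inhibit_recovery", ev["host"], ev["user"], cmd))
        elif ev["type"] == "file_rename":
            key = (ev["host"], ev["ts"].strftime("%Y-%m-%dT%H:%M"), ev.get("new_ext", ""))
            renames[key] += 1
            if renames[key] == RENAME_BURST:
                alerts.append(("rename_burst", ev["host"], ev["user"],
                               f"{RENAME_BURST} renames to {key[2]} within minute {key[1]}"))
    return alerts


# Constructed sample: one benign admin query, two destructive commands, one benign
# rename, one malformed line, then a burst of 60 renames to .locked on one host.
SAMPLE = [
    '2024-01-15T03:10:02Z host=ws-17 user=jsmith type=process cmd="vssadmin.exe list shadows"',
    '2024-01-15T03:11:40Z host=ws-17 user=jsmith type=process cmd="vssadmin.exe delete shadows /all /quiet"',
    '2024-01-15T03:11:41Z host=ws-17 user=jsmith type=process cmd="bcdedit.exe /set {default} recoveryenabled No"',
    '2024-01-15T03:11:50Z host=ws-03 user=alee type=file_rename path="C:\\Users\\alee\\draft.docx" new_ext=.docx',
    'not a log line at all',
] + [
    f'2024-01-15T03:12:{i % 60:02d}Z host=ws-17 user=jsmith type=file_rename '
    f'path="C:\\Users\\jsmith\\Documents\\file{i}.docx" new_ext=.locked'
    for i in range(60)
]


def run_sample():
    return detect(SAMPLE)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Whatever platform holds the logs, these two signals are worth alerting on first: the recovery-inhibition commands are rare in legitimate administration and near-universal in ransomware, and a rename burst to a single new extension means the encryption phase is already running. The first gives minutes of warning; the second only seconds.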
- Create and test your incident response plan. Testing is a critical part of reducing ransomware risk. Along with writing the plan, consider the infrastructure needed to carry it out. The best plans lean toward prevention, with controls in place to catch issues before they become incidents, but they also rehearse the restore. Testing the plan must include testing the supporting infrastructure as well as every step of the process. A tabletop exercise on its own is not enough, because it will not reveal the real gaps that likely exist in restoration capabilities; only an actual restore of real data at realistic scale does that.
- Check your security team's work. Double down on testing your internal security and your ability to ward off an attack. A third-party penetration test is well worth the investment; prioritize and fix what it finds. Bug bounties are also a valuable option, giving a more real-world view of how exposed you are through the eyes of external attackers. The two are complementary. A penetration test is scoped and time-boxed by design and usually follows a fixed methodology and toolset, which bounds what it can find. A bug bounty program has no such guardrails: it gives many attackers creative freedom, over a longer period, to find whatever path into your environment they can.
- Segment your networks. With cybercriminals now more focused on disrupting operations than on stealing data alone, it is vital to separate corporate business functions from manufacturing and production operations. Carefully filter and limit internet access to operational networks, identify every link between those networks and the corporate network, and develop workarounds or manual controls so that ICS networks can be isolated and keep operating if the corporate network is compromised.
Keep in mind what segmentation is for: it limits how far an attacker can move laterally and therefore how many systems they can destroy, which is what preserves your ability to recover. It is also expensive and time-consuming, and it requires continual care, feeding, and resources to manage.
SafeMode addresses the recoverability side of that goal without the overhead and complexity of virtual networking. It creates out-of-band, multifactor-authentication-protected snapshots that cannot be deleted even by an attacker who holds administrative credentials. It does not replace segmentation's role in containing lateral movement or keeping operational networks running; the two work together, one limiting what an attacker can reach and the other guaranteeing that whatever they reach can be restored.
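As an added example of checking segmentation rather than only designing it, the Python below validates observed flows against a zone policy of the kind described above: corporate IT reaches OT only through a jump host, nothing reaches the backup network except the backup servers, and OT has no internet egress or path back into corporate. This is not Pure Storage code; the zones, addresses, jump host, backup servers, ports and sample flow lines are all constructed.

```python
"""Check observed flows against a zone-based segmentation policy. Added example,
not Pure Storage code; zones, addresses, ports and sample flows are constructed."""
import ipaddress
from dataclasses import dataclass

ZONES = {  # checked in order; the catch-all must stay last
    "corp": ipaddress.ip_network("10.10.0.0/16"),
    "ot": ipaddress.ip_network("10.50.0.0/16"),
    "backup": ipaddress.ip_network("10.90.0.0/24"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}
JUMP_HOST = ipaddress.ip_address("10.50.0.10")          # assumed bastion inside the OT zone
BACKUP_SERVERS = {ipaddress.ip_address("10.10.5.20")}   # the only permitted clients of the backup network


def _corp_to_ot(src, dst, dport):
    return dst == JUMP_HOST and dport == 22            # SSH to the jump host only


def _to_backup(src, dst, dport):
    return src in BACKUP_SERVERS and dport == 443      # backup servers only, one port


# (src_zone, dst_zone) -> predicate; any pair missing here is denied, so OT has no
# internet egress and no path back into corporate.
POLICY = {
    ("corp", "corp"): lambda s, d, p: True,
    ("ot", "ot"): lambda s, d, p: True,
    ("backup", "backup"): lambda s, d, p: True,
    ("corp", "ot"): _corp_to_ot,
    ("corp", "backup"): _to_backup,
    ("corp", "internet"): lambda s, d, p: p in (80, 443),
}


def zone_of(ip) -> str:
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def allowed(flow: Flow) -> bool:
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    rule = POLICY.get((zone_of(s), zone_of(d)))
    return rule is not None and rule(s, d, flow.dport)


def parse_flow(line: str) -> Flow:
    """Constructed flow-log format: 'src=A dst=B dport=N'."""
    kv = dict(field.split("=", 1) for field in line.split())
    return Flow(kv["src"], kv["dst"], int(kv["dport"]))


def violations(lines):
    """Return (flow, src_zone, dst_zone) for every flow the policy does not permit."""
    out = []
    for line in lines:
        f = parse_flow(line)
        if not allowed(f):
            out.append((f, zone_of(ipaddress.ip_address(f.src)), zone_of(ipaddress.ip_address(f.dst))))
    return out


SAMPLE_FLOWS = [
    "src=10.10.4.7 dst=10.50.2.3 dport=502",      # workstation straight to a PLC over Modbus: violation
    "src=10.10.4.7 dst=10.50.0.10 dport=22",      # workstation to jump host: allowed
    "src=10.50.2.3 dst=203.0.113.9 dport=443",    # OT device egress to the internet: violation
    "src=10.10.4.7 dst=10.90.0.5 dport=443",      # workstation to backup target: violation
    "src=10.10.5.20 dst=10.90.0.5 dport=443",     # backup server to backup target: allowed
    "src=10.10.4.7 dst=10.10.8.1 dport=445",      # corp to corp file share: allowed
    "src=10.50.2.3 dst=10.10.8.1 dport=445",      # OT back into corporate: violation
]


def run_sample():
    return violations(SAMPLE_FLOWS)


if __name__ == "__main__":
    for flow, src_zone, dst_zone in run_sample():
        print(f"DENY {src_zone}->{dst_zone}: {flow}")
```

Run over real flow logs, the violations list is the gap between the segmentation you drew and the one you actually have. The entries touching the backup zone are the ones to clear first, since backups are what ransomware operators go after before encrypting production.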