EXPERT GUIDE: ENDING THE VICIOUS RANSOMWARE CYCLE REQUIRES A CHANGE IN BEHAVIOR
Proactive Steps to Escape the Ransomware Predicament

CONTENTS
Executive Summary
How Criminals and Ransomware Gain Access
Current Criminal Practices and Behaviors
Why Organizations Pay
Why Organizations Shouldn't Pay
Formulating a Strategy to Combat Ransomware
Choosing Secure Data Platforms and Implementing a Backup Strategy
Coming Together to Take Back What Has Been Stolen
Taking Proactive Next Steps


EXECUTIVE SUMMARY
Many organizations have dug themselves into a cybersecurity hole and cannot find a way out. Ransomware is the cause. Organizations inadvertently dig the hole deeper by trying to manage their way out of an attack after the fact instead of preparing for it. Ransomware is an adversary that is always looming and threatening, like a lion waiting patiently in the tall grass for its prey. Alongside other malware and phishing, it has unequivocally become the biggest threat to enterprises: a bigger threat than a natural disaster, hardware failure, or even a zero-day attack.

The highest ransomware payments reported in 2019 surpassed $10 million. Attacks using Ryuk, REvil, DoppelPaymer, and Maze malware demanded a combined $75 million in ransom.

In 2020, ransomware payments increased 311% over 2019.[1]

Some attacks have targeted managed service providers (MSPs) with Ryuk, BitPaymer, or REvil malware. In these cases, criminals use the provider's access as a single point of entry and infect numerous customer companies by spreading ransomware or other malware through it. This approach has already destroyed businesses small and large as well as municipal departments, higher-education institutions, school districts, and healthcare organizations. One healthcare organization reported a death associated with medical equipment made inoperative by a ransomware attack.

Criminals, like predators, choose the weakest prey. They target understaffed and overburdened organizations, many of which know they will be targeted repeatedly because they simply do not have the means to protect themselves proactively. While some criminals are "big game hunters" that ultimately target large enterprises, even these groups sometimes operate in the SMB space.

Table 1 – Largest Ransom Demands Reported in 2019. In 2019, ransom demands reached $12.5 million. Source: CrowdStrike, “2020 Global Threat Report,” March 2020, https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

[1] Chainalysis, "2021 Crypto Crime Report."


In nature, even the smallest, most defenseless animal acts when it is preyed upon: it runs and hides. It does not give up and resign itself to its fate. Similarly, organizations should not bow down to ransomware. They must learn to protect their most valued possession: data.

Ransomware attacks are becoming more insidious, making the situation worse for targeted organizations. Unfortunately, this criminal activity is very lucrative and very well funded.

It is time organizations turned this trend around. In this guide, we examine current criminal practices and the behaviors organizations can adopt to minimize exposure and address this predicament.

HOW CRIMINALS AND RANSOMWARE GAIN ACCESS
Which enterprise access points are the most vulnerable? Cyber criminals have many entry vectors, and the ransomware strain they unleash often determines the vector used. Phishing email has long been the primary means of gaining access: it is easier to bypass a human than a machine or a network, and it requires little to no expertise.

Since the emergence of COVID-19, however, cyber criminals have increasingly gained access through remote desktop protocol (RDP) and server message block (SMB) services exposed to the internet. This shift follows the sudden influx of employees working remotely during the pandemic. Once inside, an adversary can also masquerade as the Windows service host process (svchost.exe) to evade detection.

Whichever method criminals use, they are patient and persistent. They are laser focused on their primary objective, whether financial or political. They use encryption tools and masquerade throughout the entire process to avoid detection, and they might also steal data for further extortion.
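As an added example (not code from the guide or from Quantum), here are two detections for the access paths just described, written in Python over constructed sample data: a burst of failed RDP logons from one source address (Windows Security event 4625 with LogonType 10) followed by a success (4624), and a process named svchost.exe that does not run from the real service host's image path or under its normal parent, services.exe. The thresholds, field names and allow-lists are assumptions to be tuned per environment.

```python
"""Added example, not from the original guide: detect internet-facing RDP
brute force and svchost.exe masquerading over constructed sample records."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample of the fields a SIEM extracts from Windows Security events.
# 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    {"time": "2021-02-01T03:00:00", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"time": "2021-02-01T03:00:30", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"time": "2021-02-01T03:01:00", "id": 4625, "logon_type": 10, "user": "backup", "src": "203.0.113.7"},
    {"time": "2021-02-01T03:01:30", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"time": "2021-02-01T03:02:00", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"time": "2021-02-01T03:02:30", "id": 4625, "logon_type": 10, "user": "backup", "src": "203.0.113.7"},
    {"time": "2021-02-01T03:03:00", "id": 4624, "logon_type": 10, "user": "backup", "src": "203.0.113.7"},
    {"time": "2021-02-01T09:00:00", "id": 4625, "logon_type": 10, "user": "jsmith", "src": "10.0.0.5"},
    {"time": "2021-02-01T09:05:00", "id": 4624, "logon_type": 10, "user": "jsmith", "src": "10.0.0.5"},
    {"time": "2021-02-01T09:10:00", "id": 4624, "logon_type": 2, "user": "jsmith", "src": "127.0.0.1"},
]

# Internal ranges for this sample; the documentation range 203.0.113.0/24 is treated as internet.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internet_source(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> finding for sources with >= threshold failed RDP logons
    inside any `window`, noting whether a successful RDP logon followed."""
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] != 10:          # only RemoteInteractive (RDP) logons
            continue
        by_src[e["src"]].append((datetime.fromisoformat(e["time"]), e["id"], e["user"]))
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [t for t, eid, _ in evs if eid == 4625]
        peak, j = 0, 0
        for i, t in enumerate(fails):     # sliding window over sorted failure times
            while fails[j] < t - window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            findings[src] = {
                "failures_in_window": peak,
                "success_after": any(eid == 4624 and t > fails[0] for t, eid, _ in evs),
                "internet_source": is_internet_source(src),
                "users_tried": sorted({u for _, _, u in evs}),
            }
    return findings

# Constructed process inventory, e.g. from Sysmon event 1 or an EDR export.
SAMPLE_PROCS = [
    {"pid": 900,  "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
    {"pid": 4100, "name": "svchost.exe", "path": r"C:\Users\Public\svchost.exe",     "parent": "explorer.exe"},
    {"pid": 4200, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe", "parent": "WINWORD.EXE"},
    {"pid": 4300, "name": "notepad.exe", "path": r"C:\Windows\System32\notepad.exe", "parent": "explorer.exe"},
]
LEGIT_SVCHOST_PATHS = {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"}
LEGIT_SVCHOST_PARENTS = {"services.exe"}   # extend after baselining your own hosts

def suspicious_svchost(procs):
    """Return [(pid, [reasons])] for svchost.exe instances whose image path
    or parent process is not what the genuine service host uses."""
    out = []
    for p in procs:
        if p["name"].lower() != "svchost.exe":
            continue
        reasons = []
        if p["path"].lower() not in LEGIT_SVCHOST_PATHS:
            reasons.append("unexpected image path: " + p["path"])
        if p["parent"].lower() not in LEGIT_SVCHOST_PARENTS:
            reasons.append("unexpected parent: " + p["parent"])
        if reasons:
            out.append((p["pid"], reasons))
    return out

if __name__ == "__main__":
    print(rdp_bruteforce(SAMPLE_EVENTS))
    print(suspicious_svchost(SAMPLE_PROCS))
```

On the sample data the internet source 203.0.113.7 is flagged with six failures and a following success (a password-guessing run that worked), the internal user with one failure is not, and the two svchost.exe instances running from a user directory or under an Office parent are reported.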

Figure 1 – TTPs Used by Attackers in 2019. Cyber criminals use a variety of tactics. Source: CrowdStrike, “2020 Global Threat Report,” March 2020, https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf.


CURRENT CRIMINAL PRACTICES AND BEHAVIORS
Criminals can spend several months spying on a network completely undetected. Sometimes they spy for more than a year, as was the case in 2016 with a Hollywood studio. Once the initial intrusion succeeds, they find ways to move laterally within the network, remaining masked and undetected while disabling, encrypting, extracting, or destroying data and systems.

There are several particularly concerning ransomware strains and strategies in use today. For example, REvil is file-encrypting ransomware first spotted in April 2019 by security researchers from the Cisco Talos Intelligence Group. Also known as Sodinokibi or Sodin, REvil started off by exploiting zero-day vulnerabilities: attackers would remotely connect to an unpatched Oracle WebLogic server over HTTP and deploy the malware by hand.[2] At the time of writing, no decryption tool is available for this threat, so you must have an independent way to recover your data.

There are also malware developers offering ransomware as a service (RaaS), which enables smaller criminals to adopt big game hunting tactics. In this type of operation, the developer receives a cut of the collected spoils. Cyber criminals mostly use RDP to install RaaS malware families such as REvil. Targets range from SMBs to Fortune 500 companies in every sector. REvil ransom demands have reached the tens of millions of dollars, and demands were significantly larger in 2020 than in 2019.

Ransomware schemes are smooth operations, though criminal ones. They are well funded and well organized. Criminal operations hire skilled individuals with experience in corporate networking. They might even run a help desk somewhere on the dark web to increase the success rate of attacks. These individuals are highly motivated, and when they bypass your security software, your backup becomes your last line of defense.

Cybersecurity providers emphasize the importance of understanding how cyber criminals operate. Armed with behavioral insights, a network operator or security officer can implement the controls needed to prevent bad actors from executing malicious scripts and from elevating their privileges to tamper with security software or OS features.

Once your data is held or encrypted, the criminal might demand a ransom ranging from hundreds of thousands of dollars to tens of millions. If your company has good cybersecurity software, you can thwart most attacks; in fact, most malware is detected. But as seen with REvil, it is getting harder to detect ransomware and to recover from it, especially when the breach involves edge data. This is usually because there is a human operator behind the attack rather than automated malware alone. That is what makes ransomware such a reliable way for criminals to make money, and why many organizations are using cyber insurance to pay.

WHY ORGANIZATIONS PAY
For every ransomware attack we see in the news, there are hundreds of others that are never reported. Unfortunately, there is a stigma attached to being breached by ransomware, because in many cases the breached company is put on display, exposing its known vulnerabilities to the world. Few organizations want to talk about it, so many attacks go unreported. We hear about only a handful of incidents in a normal week, but many organizations quietly pay up. An increasing number of organizations are paying ransoms to regain access to their data: some 58% of ransomware victims paid a ransom in 2020, up from 45% in 2019 and 39% in 2018.[3]

[2] 2-Spyware, "Remove REvil ransomware (Removal Instructions) - Recovery Instructions Included," https://www.2-spyware.com/remove-revil-ransomware.html.

[3] CyberEdge Group, "2020 Cyberthreat Defense Report," March 2020, https://media.bitpipe.com/io_15x/io_152789/item_2193329/ar-cyberedge-2020-cdr-report.pdf.

A reputable cybersecurity software solution will help block criminals, but that is only one half of the equation. The other half is your backup environment.


As organizations have continued to pay, ransomware threats have intensified. Cyber criminals have created several ransomware-as-a-service strains and demanded more money.

Did corporations turn their backs on a rapidly growing threat? Probably not, but it certainly feels as if corporations have become passive in the ransomware battle. Lacking knowledge of how cyber criminals operate, they have focused on the decision to pay or not to pay. Meanwhile, over the last five years, many organizations reduced their IT spending on data protection.

Thieves successfully extract ransoms for data because many organizations are not maintaining their security policies and backup strategies, leaving them no choice but to pay. These companies, seeking only to recover their data and return to business as usual, often rely on cyber insurance to negotiate the ransom and then rebuild.

A successful attack results in downtime, millions of dollars in lost revenue, and a damaged reputation. We need to remove the stigma surrounding ransomware breaches. IT professionals must be proactive in how they approach cybersecurity and evaluate their defense mechanisms layer by layer.

Figure 2 – Growing numbers of organizations are affected by ransomware and are paying the ransom. Source: CyberEdge Group, “2020 Cyberthreat Defense Report,” March 2020, https://media.bitpipe.com/io_15x/io_152789/item_2193329/ar-cyberedge-2020-cdr-report.pdf.


WHY ORGANIZATIONS SHOULDN'T PAY
Consider this scenario. With tight budgets and IT priorities shifting (since COVID-19) to business continuity, IT professionals and their security teams are working hard to maintain your organization's network integrity. There is a resolute dedication to protecting your data center from all kinds of attacks, even during an IT security skills shortfall.

You have incorporated cybersecurity software (including software that supports zero-trust architectures) and cyber insurance into your data protection strategy, along with solid data backup policies and practices. You are making your best effort to close every vector across server and network connections. But loss and theft still loom like dark clouds over the network.

Despite your best efforts to mitigate risk, data is still vulnerable because it can be reached through your network. Unknown to you, a command is executed and a stealth operation begins to extract files and purge or encrypt your backups. The ransomware then locks you out of your data and leaves you paralyzed.

What do you do? The answer differs for each organization, but the moment you pay a ransom is the moment you tell criminals "game on." The likelihood of being attacked again increases substantially.

Organizations must unlearn the habit of dealing with ransomware through cyber insurance. Paying the ransom rewards attackers, and in many cases it does not even lead to the desired outcome. Of the companies that paid a ransom in 2020, 66.9% recovered their data; of those that did not pay, 84.5% recovered their data.[4] The odds favor not paying.

The U.S. government is trying to discourage companies from paying ransoms. The U.S. Department of the Treasury has issued an advisory alerting insurers and other companies that make ransom payments on behalf of victims to the sanctions risk of those payments.[5] In other words, if a ransom payment ends up funding a sanctioned person or organization, the payer can face penalties. Some are even calling for ransom payments to be made illegal. This is not all bad news: the advisory and the calls to outlaw payments might help steer companies in the right direction, out of the cycle in which paying ransoms funds further criminal activity.

FORMULATING A STRATEGY TO COMBAT RANSOMWARE
What are companies doing to combat ransomware trends? IT security is having some success, but there is still room for improvement. A cybersecurity report that gauges peer internal practices and security investments across multiple industries finds that "the greatest barriers to establishing effective defenses are: (a) lack of skilled IT security personnel and (b) low security awareness among employees."[6] It is no surprise that people are the biggest problem, but we need to understand what is required to turn the tide. How can organizations minimize their exposure not only to sanctions risk but also to the behavior that leads to successful cyber attacks?

To combat the onslaught of these attacks, organizations need to be proactive and create a solid data protection plan. Continuing to rely on an existing backup infrastructure is no longer enough. A backup and recovery plan evolves over time; it is a living document that must be updated as your technology and storage platforms change.

[4] Security, "End the vicious ransomware cycle," December 4, 2020, https://www.securitymagazine.com/blogs/14-security-blog/post/94085-end-the-vicious-ransomware-cycle.

[5] U.S. Department of the Treasury, "Ransomware Advisory," October 1, 2020, https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001.

[6] Security, "The Top Five Cybersecurity Defense Insights for 2020," June 12, 2020, https://www.securitymagazine.com/articles/92582-the-top-five-cybersecurity-defense-insights-for-2020.

Organizations must unlearn the approach of dealing with ransomware through cyber insurance. Paying the ransom rewards criminals for stealing data.


10 Guidelines to Securing All Possible Entrances
Here are 10 guidelines for getting started with better ways to protect your organization and its data. Remember, the mentality is to secure every possible entrance to the network and to the backup environment:

1. Develop a well-conceived data protection strategy and plan.

2. Present the plan to management to get buy-in and gain their support.

3. Implement anti-virus (endpoint protection) software to close the front door to the network.

4. Leverage encryption at every stage of the data lifecycle: at rest, in transit, and in use.

5. Provide security training and raise awareness among employees.

6. Implement local disk backup with object lock (immutability) for fast onsite recoverability, to meet your RPO/RTO objectives.

7. Deploy cost-effective solutions that can truly air-gap data indefinitely for long-term protection.

8. Replicate data offsite using a cloud or object storage solution for disaster recovery.

9. Implement ransomware protection via air-gapped tape onsite for your backups or archive.

10. Employ cyber insurance only as a last resort.

CHOOSING SECURE DATA PLATFORMS AND IMPLEMENTING A BACKUP STRATEGY
Security must be a key consideration when selecting data storage platforms. If you are using the public cloud, or your workloads are spread across multiple clouds and compute environments, you will need additional privacy and security controls beyond those in your own network. You need a comprehensive approach involving multiple departments, including security professionals, network administrators, and their leaders. Take reasonable steps to educate yourself and your users, especially when you have a remote workforce.

1. Identify where vulnerabilities might exist.

2. Implement reputable anti-virus software; this should be non-negotiable.

3. Conduct backups, and test that you can restore from them.

4. Keep offline copies (as recommended by the FBI, CISA, and the UK NCSC).

5. Determine whether disk, tape (onsite or cold storage in the cloud), or cloud/object storage will be the best recovery method for your organization.

Securing the Front Entrance to Your Network
To secure your data against cyber attacks, start by understanding what is critical. Secure the front door to the network: your main entry points. Make sure your backup software and backup targets have the features necessary to achieve your RPO and RTO while safeguarding your data. If your backup software cannot protect its own backups against ransomware, it may not be the right backup application for you.


Selecting a Data Storage Solution
Which data storage platform is the right one for you?

• NAS should be employed for fast recovery, depending on your SLAs. However, the data always remains online, and with the profits criminals are earning, it is only a matter of time before they focus on breaching an operational "air gap," meaning the separation between production storage and "air-gapped" storage that is nonetheless still network-attached. Vendors lock objects or files in their systems in different ways, but because the data is always online, risk remains. This method nevertheless provides the fastest recovery after an attack.

• Tape has a physical air gap: a cartridge that has been ejected and sits on a shelf or in a vault cannot be reached from the network, so ransomware cannot encrypt or delete it (a cartridge still mounted in a drive attached to a compromised backup server does not have that protection). Tape is especially important for keeping costs down on long-term archives that need ransomware protection.

• Object storage spreads data across nodes and can lock it so that no changes are allowed. Depending on the solution and the policies set, object storage can also recover data if one or more nodes go down.

Budget Considerations
Each solution has its pros and cons, but what does the budget allow? Build a scenario and plan. Remember, your network is only as strong as its weakest link. So, let's start with the lowest-cost option that provides an air gap.

• Tape: Tape requires the smallest investment, and it provides a solid air gap because removed media is inherently separated from the network.

• Disk: Disk solutions that claim to provide an air gap do not truly provide one. Some do have lock mechanisms that prevent changes once data is written (write once, read many), but these capabilities increase costs substantially.

Solution providers can help you identify the best way to protect your network. But you must decide what is best and most cost-effective for your organization, taking into consideration the skill set you have available.

Backing Up Your Backup: Use the 3-2-1-1 Rule
To stop paying ransoms, you should also consider a backup for your backup. Criminal enterprises are fully funded, and it is only a matter of time before they attempt to breach another network near you. They have the money to invest in circumventing the latest patches, and they will craft malware to brute-force their way into current online solutions.

For a solid data protection strategy, strive to meet the 3-2-1-1 backup rule: keep 3 copies of your data, on 2 different media, with 1 copy offsite and 1 copy offline. This approach is in the same spirit as the 1-10-60 rule recommended for security teams: detect a threat within 1 minute, understand it within 10 minutes, and respond within 60 minutes. In both cases, proactively implementing a strategy is key to staying ahead of threats.
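As an added example (not code from the guide or from Quantum), the following Python evaluates a backup inventory against the 3-2-1-1 rule and, for the copies that remain online, models whether an attacker who has obtained administrative credentials could still delete them. It assumes S3-style Object Lock semantics (a COMPLIANCE retention period cannot be shortened by anyone, while a GOVERNANCE period can be bypassed by a principal holding s3:BypassGovernanceRetention); the inventories and field names are constructed for illustration. It also serves the point made under Budget Considerations above: a lock on an online disk target is not the same thing as an air gap, and which lock mode you chose decides whether it holds against a compromised administrator.

```python
"""Added example, not from the original guide: check the 3-2-1-1 rule and
model whether each copy survives an attacker with admin credentials."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class BackupCopy:
    name: str
    media: str                          # "disk", "tape" or "object"
    offsite: bool
    online: bool                        # reachable from the production network
    lock_mode: Optional[str] = None     # "COMPLIANCE", "GOVERNANCE" or None (assumed field names)
    retain_until: Optional[datetime] = None

def deletable_over_network(copy: BackupCopy, now: datetime, can_bypass_governance: bool) -> bool:
    """Could an attacker with these rights delete or overwrite this copy?
    Models S3-style Object Lock retention; a truly offline copy (ejected tape,
    cold vault) has no network path to it at all."""
    if not copy.online:
        return False
    if copy.lock_mode is None or copy.retain_until is None or now >= copy.retain_until:
        return True                     # no active retention: a plain delete succeeds
    if copy.lock_mode == "COMPLIANCE":
        return False                    # cannot be shortened by any principal, even root
    if copy.lock_mode == "GOVERNANCE":
        return can_bypass_governance    # undone by s3:BypassGovernanceRetention
    raise ValueError(f"unknown lock mode {copy.lock_mode!r}")

def evaluate(copies: List[BackupCopy], now: datetime) -> dict:
    """Report each 3-2-1-1 component and the copies that would survive an
    attacker who has gained administrative rights (so governance bypass is
    assumed to be available to them)."""
    media = {c.media for c in copies}
    return {
        "3_copies": len(copies) >= 3,
        "2_media": len(media) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        "1_offline": any(not c.online for c in copies),
        "survives_admin_compromise": [
            c.name for c in copies
            if not deletable_over_network(c, now, can_bypass_governance=True)
        ],
    }

NOW = datetime(2021, 2, 1)              # fixed clock so the example is deterministic

# Constructed inventory A: three copies, all reachable over the network.
ALL_ONLINE = [
    BackupCopy("production NAS", "disk", offsite=False, online=True),
    BackupCopy("local disk backup", "disk", offsite=False, online=True,
               lock_mode="GOVERNANCE", retain_until=NOW + timedelta(days=30)),
    BackupCopy("cloud replica", "object", offsite=True, online=True),
]

# Constructed inventory B: compliance-mode locks plus an ejected tape in a vault.
WITH_AIR_GAP = [
    BackupCopy("production NAS", "disk", offsite=False, online=True),
    BackupCopy("local disk backup", "disk", offsite=False, online=True,
               lock_mode="COMPLIANCE", retain_until=NOW + timedelta(days=30)),
    BackupCopy("cloud replica", "object", offsite=True, online=True,
               lock_mode="COMPLIANCE", retain_until=NOW + timedelta(days=90)),
    BackupCopy("tape export in vault", "tape", offsite=True, online=False),
]

if __name__ == "__main__":
    for label, inventory in (("all online", ALL_ONLINE), ("with air gap", WITH_AIR_GAP)):
        print(label, evaluate(inventory, NOW))
```

Inventory A passes the 3, 2 and offsite checks yet fails the offline one, and nothing in it survives an administrator-level compromise: the governance lock is bypassed and the cloud replica has no lock. Inventory B passes every check, and the compliance-locked copies survive alongside the tape for as long as their retention runs, which is why the retention period has to be longer than the time an intruder may sit undetected in the network.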

Figure 3 – Recovery should be a key consideration in choosing data storage platforms.


Planning Ahead for Remote Work
Understanding that some targeted attacks use backdoor methods is key. These attacks rely on remote access or other entry points to get into the network. Before allowing more users to work remotely, organizations should implement processes and policies to address potential security vulnerabilities. Trying to create those processes and policies on the fly (in crisis mode) leads to increased risk and exposure. Here are a few best practices:

• Encrypt data: When remote workers access data over your WAN, the data should always be encrypted; that includes data in use, data at rest, and especially data in transit.

• Ensure there is sufficient security for cloud access: Accessing data in the public cloud has its own set of security issues that must be addressed, and the additional layer of protection needed to secure compute workflows in the public cloud is still in its infancy.

• Establish the right attitude: Defending your network or data center requires the correct mentality: do not negotiate or pay a ransom.

Of course, you are only empowered to stand firm and refuse to pay if your data is protected outside your network, whether offline or on a segmented network. If data is adequately backed up, your organization can begin to restore servers and data from backed-up OS images. Still, be prepared for retaliation. In one recent case where a software company refused to pay a hefty ransom, the criminals published its private information on the dark web.

If you rely only on your anti-virus software and a cyber insurance policy to pay the ransom, a big gap is left in your ransomware protection strategy, one that could be exploited at a cost of millions of dollars. Cyber insurance should be used only as an absolute last resort.

COMING TOGETHER TO TAKE BACK WHAT HAS BEEN STOLEN
Just like efforts to protect the Earth's climate, combating ransomware requires everyone's cooperation. We all need to work together to protect the cyber climate for the next five to ten years. We need to empower enterprises and SMBs to implement solid, cost-effective, proactive strategies and guidelines.

We now have a great deal of information from cybersecurity companies to help us navigate the murky waters of our cyber climate. We know how bad actors work, and we have pinpointed their methods. As those methods evolve, we need to employ technologies such as machine learning (ML) and artificial intelligence (AI) to provide the advanced security analytics needed to stay ahead of the criminals.

But of course, mitigating risk takes multiple technologies. No single solution can achieve the protection you will need against the assault organizations are experiencing. Ransomware protection must come in layers.

Bringing this dark market to a halt also requires changes in our processes and attitudes. Many IT professionals need to change how they perceive certain technologies and backup methodologies. Investing in training will also be key. And because these attacks are no longer isolated incidents, we can no longer work in isolation. We must document and share knowledge about our unfortunate ransomware experiences so we can begin the work of recovering from this cyber crisis.


And again, IT professionals should refuse to negotiate with criminals. Criminal schemes will keep growing into a multi-billion-dollar industry if we keep the status quo. There is a better way than paying a thief for what is rightfully yours.

Meanwhile, don't be fooled by reports that certain ransomware families are closing operations. These operations are very likely merging with other families and will re-emerge stronger than ever under a different name. If there is one thing we have learned in the last few years, it is that criminals are persistent. Unless behavior changes inside organizations, the volume of ransom payments will continue to increase rapidly. All reports point to more aggressive cyber spying and targeted attacks using insidious methods that bypass the behavioral detection used by security software vendors.

Together we can protect our corporate communities. Though attacks may be more prevalent this year than last, small steps can take us a long way. The first step is always the hardest. But in the long run, together we can bring this criminal activity to its knees and end the vicious cycle of ransom payments that provides cyber criminals' revenue stream.

For more information about ransomware and how to mitigate the threat, see the ransomware guide from the U.S. Cybersecurity and Infrastructure Security Agency (CISA): https://www.cisa.gov/publication/ransomware-guide

TAKING PROACTIVE NEXT STEPS
Learn more about Quantum ransomware solutions to implement reliable, secure methods for storing data offline and with air-gap security: www.quantum.com/ransomware-protection


©2021 Quantum Corporation. All rights reserved. Quantum, the Quantum logo, and StorNext are registered trademarks, and ActiveScale is a trademark, of Quantum Corporation and its affiliates in the United States and/or other countries. All other trademarks are the property of their respective owners. WP00263A-v01 Feb 2021

www.quantum.com • 800-677-6268

ABOUT QUANTUM
Quantum technology and services help customers capture, create and share digital content, and preserve and protect it for decades at the lowest cost. Quantum's platforms provide the fastest performance for high-resolution video, images, and industrial IoT, with solutions built for every stage of the data lifecycle, from high-performance ingest to real-time collaboration and analysis and low-cost archiving. Every day the world's leading entertainment companies, sports franchises, research scientists, government agencies, enterprises, and cloud providers are making the world happier, safer, and smarter on Quantum. See how at www.quantum.com.