When the aluminium giant Norsk Hydro was hit with ransomware in March 2019, it signalled a landmark event in the way organisations responded to cyber attacks.
All the pieces were in place for Norsk Hydro to simply admit defeat and pay the ransom. It was a huge organisation that could ill-afford any delays, it had the money to make the payment and – to top it off – the president and CEO confirmed just days before that he was stepping down.
If ever there was a time where it was acceptable to defy experts’ warnings never to pay a ransomware demand, this was it. Who would begrudge the organisation for wanting to get the ordeal over with and giving the incoming president as easy a transition as possible?
After all, delays create a highly stressful atmosphere in an already tumultuous period caused by the change in leadership, and things certainly wouldn’t be helped by requesting that employees work late to make up for the loss in productivity.
Meanwhile, the problems no doubt resulted in lost sales opportunities, disappointed customers and missed deadlines. But despite all that, Norsk Hydro stuck to its guns, buoyed by the fact that it had a plan for this exact scenario.
What followed was an “example for us all”, with Norsk Hydro rallying around its business continuity plan and ensuring that it persevered while the cyber criminals who attacked the organisation left empty-handed.
Backup solutions are the key to preventing ransomware attacks
Norsk Hydro only had the option of ignoring the cyber criminals because it was able to restore its systems from backups. Why did that make such a big difference?
A document is infinitely more valuable to you if only one copy of it exists. That’s why ransomware is so appealing to cyber criminals.
Sure, simply stealing a sensitive file will be useful; the crooks would certainly get a good price for it on the dark web. But they know that the breached organisation wants the file more than anyone else, and they’re willing to bet that it will pay accordingly.
However, if that stolen document isn’t the only copy the organisation has, the cyber criminals have much less leverage. Why would the organisation pay up, when it can simply isolate the infected machines, wipe the ransomware and rebuild its systems with backups?
It’s not an instant solution; the restore process takes time, so you’ll still need to endure makeshift solutions for a few days, but it’s a much better option than paying up.
For one, you retain control of the situation and can demonstrate leadership to your employees. You also avoid the risk of any tricks from the hijackers, who might take your money and run without giving you a decryption key.
Perhaps most importantly, though, you make yourself much less likely to be targeted again and you maintain your reputation among clients and in the media.
Norsk Hydro turned a potential PR disaster into a success thanks to its transparency with the media and investigators, its moral stance against ransomware and its swiftness in reporting the incident.
Protect your backups
As the threat of ransomware has grown, more organisations have come to understand the importance of backups.
Unfortunately, that hasn’t gone unnoticed by cyber criminals, who have responded by developing ransomware strains that seek out backups in addition to the original files. The way they do this depends on how the organisation backs up its files.
One of the most common ways organisations back up files is by simply creating copies, which might be saved in the same folder, another local folder or a network-connected file server.
This is fine if you’re worried about the file going missing or corrupting, but it won’t protect you from ransomware. The malware will soon spread through your organisation’s systems, encrypting everything.
Meanwhile, the Cloud has quickly become a popular solution for organisations that want to protect themselves from widespread problems in a server – such as in the above example – but it’s still not a foolproof option.
Many Cloud storage providers, such as Dropbox, OneDrive and Google Drive, automatically synchronise local files with those stored in the Cloud. If those local files are infected, the Cloud will apply those changes, encrypting your backups and rendering them unusable.
So what can you do to make sure this doesn’t happen? Here are our top tips for protecting your backups in the event of a ransomware infection.
1. Look out for suspicious backup activity
One of the biggest weaknesses when it comes to ransomware – your system’s willingness to replace clean backups with the infected originals – can be transformed into a strength.
When a malicious program encrypts your files, it is essentially updating them, which will trigger a warning that the new files need to be backed up. If these alerts start occurring at a much faster pace than usual, this is a sign that something suspicious is happening.
If you open one of the updated files and discover that it has been encrypted, you should pull the plug on automatic backups and take your systems offline to isolate the infection.
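The check described in this tip can be automated. The following is an added example, not part of the original article: it flags a burst of "file changed" backup events with a sliding window and uses byte entropy as a hint that an updated file has been encrypted. The event format, the thresholds and all sample data are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter, deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext approaches 8.0, plain text is usually below 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    # Caveat: compressed formats (zip, jpg, docx) also score high, so treat
    # this as a reason to inspect the file, not as proof of encryption.
    return shannon_entropy(data) > threshold

def find_bursts(events, window_s=60, baseline=5, factor=4):
    """events: (unix_ts, path) tuples in time order, one per file queued for backup.
    Returns (ts, count) each time the sliding-window count first exceeds
    baseline * factor (both values are assumed, tune them to your own history)."""
    window, alerts, alerting = deque(), [], False
    for ts, _path in events:
        window.append(ts)
        while window[0] <= ts - window_s:   # drop events older than the window
            window.popleft()
        over = len(window) > baseline * factor
        if over and not alerting:           # alert once per burst, not per file
            alerts.append((ts, len(window)))
        alerting = over
    return alerts

# Constructed sample data: one change every 30 s, then 50 changes in 50 s.
NORMAL = [(t, f"docs/report_{t}.docx") for t in range(0, 600, 30)]
BURST = [(600 + k, f"docs/file_{k}.docx") for k in range(50)]
PLAIN = b"Quarterly aluminium shipment report. " * 200
CIPHER_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))

if __name__ == "__main__":
    for ts, count in find_bursts(NORMAL + BURST):
        print(f"ALERT t={ts}s: {count} files changed in the last 60 s")
    print("plain sample looks encrypted:", looks_encrypted(PLAIN))
    print("cipher-like sample looks encrypted:", looks_encrypted(CIPHER_LIKE))
```

An alert from `find_bursts` is the cue to open a few of the changed files, or run `looks_encrypted` on them, before deciding to suspend automatic backups.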
2. Create multiple backups in different locations
Don’t just rely on one set of backups to protect your organisation. As we’ve seen, it’s possible for an infection to spread from the original files to backups even if they’re stored on the Cloud.
You should therefore have another set of backups that isn’t connected to your servers. This might be physical paperwork or an offline server.
It’s obviously harder to maintain these backups, so you’ll probably only do this for core information. However, the effort is certainly worth it when disaster strikes.
3. Establish a recovery time objective
An RTO (recovery time objective) is a key metric in business continuity planning, referring to how long it takes for a product, service or activity to get up and running again after a disruption.
In the case of ransomware infection, the RTO concerns the length of time it takes to wipe the infected machine and restore it in a safe environment.
Why does this matter? Depending on how much data was infected, it could take days to restore all your systems from backups – and that might ultimately cause more problems than it solves.
As such, it might be worth being selective with what information you back up. The less information you need to restore, the quicker the process will be and the sooner you can get back to work.
4. Regularly test your recovery process
Backups aren’t any help if they’re not reliable. The last thing you want to do is wipe your systems after an infection only to find that there’s a problem with the restore process.
Don’t leave backups as an automated task. The process should involve a manual test in which you make sure you can access backup files wherever they are being stored – whether that’s locally, in a separate server or physically.
What should you do next?
You can find out more about how to protect your organisation from infections by enrolling on our Phishing and Ransomware – Human patch e-learning course.
This online training course describes the link between phishing attacks and ransomware, giving your staff consistent, comprehensive training in just ten minutes.