
THE DEFINITIVE IT GUIDE TO RANSOMWARE

2018 © ioFABRIC Inc.


Contents
Ransomware: The Threat
How Bad Is It, Really?
Inability to Recover
Anatomy of a Ransomware Attack
Ransomware: The Solution
IT Checklist
End-User Checklist
Protect Your Data

Ransomware: The Threat
Everyone has heard of ransomware.

Six years ago, the term barely even registered on the map. But in May 2017, ransomware hit peak
heights with the WannaCry attack that targeted businesses worldwide. And the attacks are only
getting worse.

Barsky’s 2018 Cybersecurity Statistics

Every industry has been targeted and every size of business. While you have a lot of say over what
kind of devices, clouds, and systems you use, you have very little control over, for example, user
mistakes and human error, which leaves some pretty gaping holes in your systems.

What do these risks leave you open to?

How Bad Is It, Really?


The statistics are terrifying. And so are the predictions.

Juniper Research forecasts that criminal data breaches will cost businesses over $8 trillion within
the next 5 years. Small to medium enterprises are particularly at risk, spending less than $4000 on
cybersecurity and preventative measures.

ioFABRIC.com 3
Older infrastructures are even more at risk: “The attacks on hospital infrastructure show that inadequate cybersecurity can now cost lives as well as money,” remarked research author James Moar.

Another reason ransomware is so terrifying is that law enforcement has little recourse.

The vast majority of ransomware crimes are initiated overseas, which poses substantial challenges for law enforcement with regards to prosecution – complicated by the possibility of state-sponsored attacks. Cyber crimes originate in over 190 countries around the world. Russia, Nigeria, China, and North Korea are the most publicized.

But ransomware itself is not the whole problem. Businesses are not confident that they can recover, even in the event of restoring all the data after a successful ransom payment and unlocking of their data.

Inability to Recover

“The 2018 State of Resilience” report by Syncsort surveyed 5,632 global IT professionals in 2017 and determined that “[o]verall, IT departments exceeded their maximum tolerance for downtime during a failure, a weakness that must be addressed.”

• 50% met their recovery time objectives after a failure
• 85% had no recovery plan or were less than 100% confident in their plan
• 31% of those who experienced data loss said they lost a day or more of data
• 75% were not able to recover all their data
• 22% were not able to recover any data

The recovery process is broken.

The IT resiliency report found that many of the reasons for data loss involved lack of a quality backup.

Primary reasons for data loss:
• Old backup copy
• Human error
• No memory backup made
• Malfunction in data protection
• Backup not configured properly

A good recovery is hard to find

You work hard to ensure that these are the kinds of issues you will never have to deal with. But validating backups – multiple copies in different locations – is challenging at best, a failure at worst, and time consuming on all counts.

Even if you know the backup is bootable and functional, is it free of ransomware? What other malware may be hiding, lying in wait? In the next section, find out how one manufacturing company and their service provider dealt with the situation.

Anatomy of a Ransomware Attack

For one mid-size manufacturing business (that prefers to remain nameless), it was an email to an executive that set off a nightmare chain of events.

The email appeared to come from a customer – one the executive was familiar with – and it had an unsolicited attachment. The recipient was leery of opening it, and “confirmed” via email that the sender did indeed send the message. Fortunately, nothing out of the ordinary seemed to happen.

A short time later, however, the customer tells the executive he didn’t send either email. The exec asked the IT team to scan the system for viruses and malware, but nothing obvious was found.

Two weeks later, it hits. The company received notice that all its active data and offsite backups were encrypted by hackers who demanded payment to recover business-critical information.

The company decided to pay the ransom of 10 bitcoins, at the time the equivalent of around
$50,000. Cryptocurrency is preferred by ransomware perpetrators because it’s untraceable, and
once payment is made, payments can’t be revoked. It can be “spent” throughout international
marketplaces and can be quickly split apart and traded away, making it nearly impossible for
authorities to intervene.

What happens after you pay?


Because bitcoins are still a bit hard to come by, the company turned to Xenium, a premium IT
provider, to obtain the cryptocurrency, satisfy the ransom request, and recover the data. There
was a delay in acquiring the currency, so the pirates increased the ransom by 50%. It was now
$75,000 in bitcoins to recover their data!

“The pirates were very savvy,” said Frank Kuschmierz, CEO of Xenium. “The first step was to show
that they had the data. They said, ‘Here’s one server, here’s one password for it so you can
unencrypt it and read it again.’ After knowing that they had the information, 10 bitcoins were
paid and the pirates released five more servers.

“Because it took two days to get everything arranged, and to get the bitcoins, the pirates literally
said, ‘OK, we want 5 more bitcoins.’ Each time along the way, they released a little bit more
server information, but they knew exactly which information was valuable. They only released the
most valuable data when all the ransom was paid.”

Even after recovering all of the hijacked servers, the nightmare continued. The pirates inserted
some malicious code that caused the restored servers to crash, so recovery took three times longer
than expected. Kuschmierz said that it is common for pirates to come in and hit again if companies
are not quick enough to put in preventative measures.

“We’ve heard of cases where the pirates allow companies to recover and then hit them again and say, ‘Hey, we want more money,’” said Kuschmierz. “That’s very common. That’s a very big risk.”

The company estimates this week of downtime
resulted in a million dollars in lost revenues on top
of all the other costs.

Implement a data protection solution to avoid ransomware in the first place

This company was among the lucky ones. An estimated 20 percent of companies that pay
ransoms still fail to recover their data. Law enforcement is not able to help much with
ransomware attacks originating from outside their jurisdiction, oftentimes from international
locations. Normal business insurance also typically does not cover incidents such as ransomware
– that requires specialized, and expensive, cybercrime insurance.

Kuschmierz says that fortunately, effective cyberattack protection is much the same as everyday
data protection processes already in place at most organizations: protect data offsite, educate
users, use firewalls to secure points of entry.

“It’s a similar scenario to a house,” said Kuschmierz.

“To protect from thieves a homeowner will lock the doors, close all the windows, protect all the valuables on the inside, and put money in a safe. Similarly, this is what IT service providers do for your business—provide network and data protection.”

Ransomware: The Solution
While you know you have done everything to ensure your data and systems are safe and protected,
there are still very real risks.

We have put together a short list of do’s and don’ts. It’s a simple list that educates on the risks that
human error can pose in the context of data loss and ransomware. Check out the next page to see
and print that.

In the meantime, here are some basic questions for you to make sure you have thought of
everything.

Are your systems fully patched and up-to-date?


This may seem like an obvious question, but many people think backups will still save them in this
scenario. They won’t. Ransomware can infect your backups as well as your main systems, so spend
some time getting your systems up-to-date.

Are your backups in an immutable format that cannot be accessed or altered by ransomware?

One way to minimize damage from ransomware is with
immutable snapshots. If your data management or backup
system can’t create these, you may find yourself with a big price
tag to pay.

You might even have immutable files, but if the whole disk underneath them is
encrypted, that won’t help. What you need is immutability where the backups
are stored in a format accessible only by the recovery mechanism, not by the
normal disk techniques that ransomware can exploit.

Have you tested your disaster recovery plan recently?


Natural disasters are not the only threat that can wipe out an entire data center. When
ransomware hits, it’s pay big or lose big – and in some cases, even if you do pay and get access to
your backups, your recovery process won’t work. So what do you do?

Make sure your data is safe, replicated, immutable, and with regular backups stored offline, at
another site, or on another network.

Test your recovery process to make sure it works. Validate that your backups can boot and the data
on them is uncorrupted. Mishandling a recovery will lead to corrupted data, which may be just as
bad as the encryption from the ransomware.
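
One way to run the data-validation step above, as an added example that is not part of the original guide or of any ioFABRIC product: record a SHA-256 manifest when the backup is taken, then compare a test restore against it and flag changed files whose byte entropy suggests encryption (bootability is a separate test). The function names, the 7.5 bits-per-byte threshold and the sample files are assumptions made for illustration.

```python
import hashlib, math, os, tempfile
from collections import Counter
from pathlib import Path

ENTROPY_LIMIT = 7.5  # bits per byte; assumed threshold, tune it for your data

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def entropy(path, sample=1 << 20):
    """Shannon entropy in bits per byte of the first `sample` bytes."""
    with open(path, "rb") as f:
        data = f.read(sample)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def build_manifest(root):
    """Digest every file at backup time; keep the result off the backup volume."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(Path(root).rglob("*")) if p.is_file()}

def verify_restore(root, manifest):
    """Compare a test restore with the manifest and flag likely encryption."""
    report = {"missing": [], "changed": [], "high_entropy": []}
    for rel, digest in manifest.items():
        p = Path(root) / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != digest:
            report["changed"].append(rel)
            if entropy(p) > ENTROPY_LIMIT:  # compressed files also score high
                report["high_entropy"].append(rel)
    found = {p.relative_to(root).as_posix() for p in Path(root).rglob("*") if p.is_file()}
    report["unexpected"] = sorted(found - set(manifest))
    return report

def demo():
    """Constructed sample: a small restore with one file replaced by random bytes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name in ("ledger.csv", "notes.txt", "old.txt"):
            (root / name).write_text(name * 500)
        manifest = build_manifest(root)
        (root / "ledger.csv").write_bytes(os.urandom(65536))  # stands in for encryption
        (root / "notes.txt").write_text("edited\n" * 500)  # ordinary edit, low entropy
        (root / "old.txt").rename(root / "old.txt.locked")  # missing + unexpected
        return verify_restore(root, manifest)
```
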

Ransomware: A Checklist
You may not know it, but YOU are the first line of defense against viruses and ransomware at your
organization.
Be the hero who keeps your own safe! Use this checklist to stay ahead of the latest threats.

Learn to identify a suspicious email


So what exactly is a suspicious email? It is more than just spammy junk mail, or the obvious scams.
There are a few typical forms:
1. The email will pose as a site or app that you use – e.g. Dropbox, your HR department portal.
2. It might appear to come from a coworker. Or a vendor. Or a boss. But something seems off about it.
3. It might pose as the IT Help Desk, asking you to update your email password.

No matter how the email arrives, there are a few ways you can deal with it:
1. Contact the person or department who sent you the email – but don’t “reply to” their email
address. Instead, use a secondary form of communication to contact them. Text them, phone them,
send them a tweet – but verify that they actually sent the email.
2. If the boss asks for a big money transfer and you can’t (or don’t feel comfortable) getting in touch
with them, check with other VPs to be sure.
3. If there is a link to a website with an account portal for logging in, don’t just trust that it looks like a
portal you have used before. Check the URL address to see if there is https or http. If it is http, you are
in trouble. The biggest signifier of a “look-alike” site is that it won’t be secured (you won’t see the
“s”) – it is much harder to fake a website if you have to secure it.
4. See a Microsoft Word attachment? Don’t open it until you know where it’s from. Hackers can put
scripts into Word documents that will execute programs and open your computer to attacks.

Never fall for malvertising


Malvertising applies not just to banner ads or pop ups – it is appearing more and more in SEO
results, such as paid ads on Google, using your own search results against you.
Regardless of which way malvertising shows up, there are a number of steps you can take to
prevent it from tricking you:
1. Use an ad blocker.
2. Make sure you are using antivirus software – even if you are on a Mac!
3. Keep your plugins or extensions in your browser updated. They are easy, weak spots that hackers
will exploit, but if you have the latest version, you are likely to be protected against most of the
already known weaknesses.
4. The same goes for your browser – keep it up to date!
And the last – but most important – thing you can do to stay on top of ransomware
is listen to your IT team! They have your back, and they want to keep everyone safe.

Protect Your Data
Since ransomware even penetrates into backups, it can be hard to trust that your trusted and true
safety blanket is actually without malware.

How do you fight back against this? Some products let you scan for ransomware, but if the
encryption only kicks in later, you will likely still get hit. You can’t be there 24/7 to manually validate
that every single backup is bootable and without ransomware.

Enter: ICAS by ioFABRIC – The Intelligent Cloud Archive Solution

ICAS by ioFABRIC
ICAS serves as an on-premise backup, replication, and archival target for your existing backups and
file services. As either a virtual or physical appliance, the data-aware ICAS classifies, analyzes, and
indexes files. All files are scanned, indexed and replicated offsite.
ICAS is not a backup product. ICAS is an intelligent archive that delivers always on data for
companies who value their data.

3-2-1 Compliance
ICAS helps customers comply with backup best
practices by automating the creation and
placement of two additional copies, an additional
format, and a copy offsite.

Reduce Risk
By validating the backup is bootable and
ransomware scanning it for encryption activities,
ICAS gives you tested, secure, immutable, and
continuously available data, ready to recover.

All-in-One Pricing
Predictable monthly pricing includes cloud
subscription and hardware, making it an easy
decision.

Protection
• Offsite protection
• Snapshotting
• Write-once files
• Ransomware scan

Archive
• Compression
• Dedupe
• Encryption
• SAN/NAS sync

Search
• In documents
• In tar, zip images

1-833-IOFABRIC sales@ioFABRIC.com CloudArchiveSolution.com
