I’ve heard about the "ransomware as a service" concept before, and it was a big eye-opener for me regarding the real level of threat we could be facing soon. And, last week, I found this blog post that went into detail about RaaS and new threats. Take some time to read it, because I think RaaS will change IT as we know it.
With ransomware now so easy to create, there's no doubt we will see an escalation of insider threats. Previously, malware was something only skilled hackers could create — but now anyone's babushka can create a custom ransomware dropper because all it takes is a few clicks on a website! "Effortless" is a good word here. After that, everything that hypothetical, evil babushka needs to do is run the dropper on any computer and wait for the ransom payout! Are you seeing the issue?
Some of you may say this is not a new threat, and talk about how the principle of least privilege and physical server access restrictions are becoming more important than ever. But you would be wrong. This is in fact a dramatically new threat, because there is now money involved. Potentially, a lot of money.
To some extent, this concept is no different from deploying the letter bomb virus (thumbs up if you are as old as me) onto a computer class in your university. It was a common prank when I was a student. Then we all grew up and got a job in the exploding IT market. Some, however, got upset with their employers, and that's when businesses started to realize a potential threat coming from the inside. Many people did bad things just because they were upset with their bosses. This alone was enough for them to justify all the hassle and risk; money wasn’t even in the picture. In fact, this happened to my previous employer, resulting in major irreversible data loss of customer data. The company lost millions and the person went to jail, all because he was upset he got fired.
But now, having money in the picture will change everything. Thanks to the potential ransom, all of a sudden there is a real reason to take that risk. And, what's worse, using their intimate knowledge of a company's business processes, insiders can purposely target the systems containing the data that is most precious to the business, to ensure the company has no choice but to pay out some seven-figure ransom. Because, in the end, paying is still going to be the cheapest way out.
So, what does this mean? For one, CIOs can no longer trust anyone. We all know the saying "everything has its price," and it's unfortunately true. Even people with the highest moral standards sometimes cannot resist committing a crime when the reward is potentially high enough or badly needed enough (say, because a child needs expensive medical treatment). So, no business can afford to have "trust" as a part of its IT strategy; for that very simple reason, every business must always be prepared for the worst that could be carried out by its own employees.
Just ask yourself: What is your plan if a colleague who has just left for a vacation remotely logs on to your network from some country in the Middle East, deletes all online backups (both primary and their copies) and sticks the dropper on the production servers? This is certainly a thousand times easier to pull off in your environment than robbing a bank, wouldn’t you agree? Think about it. And, sadly enough, you can't really prevent this without making it impossible for your IT staff to perform their job duties.
So, how can businesses protect themselves against insider threats? Three words: air-gapped backups, meaning "offline" backups that cannot be manipulated or deleted remotely. No, tight permissions won't help, since the right credentials can be obtained with a keylogger or through social engineering. Yet something as simple as external hard drives or tapes in the executive's safe solves the issue completely!
What if you have a lot of data and hate tape? There are storage systems with "read-only-ness" implemented in firmware, but then you also need to ensure physical security. Or, you could simply go with a service provider that keeps a copy of your backups in a way that makes it impossible to manage them remotely (for example, on a private network with no Internet connection, or on tapes). This ensures that no one from your company can possibly delete the backups.
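An offline copy only protects you if you can tell, before you need it, that the online set it mirrors has not been quietly deleted or overwritten. The following is an added example, not code from this post or from Veeam: it records a manifest of file digests at backup time, stores that manifest with the offline media (the tape or drive in the safe), and later compares the online backup directory against it, so that the scenario above (an insider deleting or encrypting the online backups) shows up as "missing" and "modified" entries rather than being discovered on restore day. The directory layout, file names and the JSON manifest format are all constructed assumptions for the example.

```python
"""Check an online backup set against a manifest kept on offline media.

Added example (not Veeam's code). Assumptions, all constructed for the demo:
backups are plain files under one directory, and the manifest is a JSON map of
relative path -> SHA-256 written at backup time and stored with the offline
copy, where a remote actor who can delete online backups cannot reach it.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backup files never sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Record relative path -> digest for every file in the backup set."""
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, offline_path: Path) -> None:
    """Write the manifest next to the offline copy (hypothetical location)."""
    offline_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(offline_path: Path) -> dict:
    return json.loads(offline_path.read_text())


def verify_against_manifest(backup_dir: Path, manifest: dict) -> dict:
    """Compare the online set with the offline record.

    'missing'    -> files deleted since the manifest was written
    'modified'   -> files whose content changed (e.g. encrypted in place)
    'unexpected' -> files that appeared without being part of the backup job
    """
    current = build_manifest(backup_dir)
    shared = set(manifest) & set(current)
    report = {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in shared if manifest[p] != current[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }
    report["ok"] = not (report["missing"] or report["modified"] or report["unexpected"])
    return report


def demo() -> dict:
    """Constructed scenario: three backup files are catalogued, then the online
    copy is tampered with while the offline manifest stays untouched."""
    with tempfile.TemporaryDirectory() as tmp:
        online = Path(tmp) / "online_backups"   # repository reachable over the network
        offline = Path(tmp) / "offline_media"   # stands in for the tape/drive in the safe
        online.mkdir()
        offline.mkdir()
        for name in ("full-2017-01-01.bak", "inc-2017-01-02.bak", "inc-2017-01-03.bak"):
            (online / name).write_bytes(f"constructed backup data for {name}\n".encode())

        manifest = build_manifest(online)
        save_manifest(manifest, offline / "manifest.json")
        clean = verify_against_manifest(online, load_manifest(offline / "manifest.json"))

        # Simulated insider activity against the online copy only.
        (online / "inc-2017-01-02.bak").unlink()                       # deleted
        (online / "full-2017-01-01.bak").write_bytes(b"not the backup")  # overwritten
        (online / "README.txt").write_bytes(b"constructed stray file")  # planted
        tampered = verify_against_manifest(online, load_manifest(offline / "manifest.json"))

        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the check on a schedule from a host that can read the online repository and the offline manifest, and treat any non-empty "missing" or "modified" list as an incident, not a housekeeping item. The manifest is only trustworthy because it travels with the offline copy; if it lived on the same network share as the backups, the same person who deletes the backups could rewrite it.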
I will talk more about the importance of air gapped backups in my breakout sessions at VeeamON 2017. But you really should act now and implement them today because it might be too late tomorrow.
P.S. This post is a guest contribution from the Veeam Community Forums Digest. Just register on the Veeam Forums to get future weekly updates and technical insights from Gostev.
As Vice President, Product Management, at Veeam Software, Anton Gostev is responsible for strategic planning and technical direction for Veeam products. He is well known in the virtualization community for leading Veeam Community Forums with over 23,000 registered members. Anton’s IT background includes various positions in software development, software analysis and program management, and now product management.
Follow Gostev on Twitter: @gostev