The battle cry after WannaCry: How to get past ransomware attacks
The WannaCry ransomware that just hit more than 150 nations serves as a
sobering reminder of the damage cybercriminals can inflict. Apparently
stolen from the National Security Agency, the malicious software shut
down government computers from Brazil to Russia, along with hospitals
and financial institutions worldwide. It took a 22-year-old British
security researcher, puttering around on vacation, no less, to stop
WannaCry by tripping a kill switch in its code.
The biggest attack of 2017 follows a year in which ransomware, which
encrypts an entire company database until a ransom is paid, became a
billion-dollar business. Lest anyone think this is a big-bank problem,
cybercriminals have increasingly put smaller banks and financial
institutions in their crosshairs.
While the FBI recommends against paying ransom, banks have reportedly
become so concerned about the threat that many now buy cryptocurrency
specifically to pay off criminals in case of attack. The most likely
reason is to avoid the potentially large costs and risks of not paying.
These include not just the temporary or permanent loss of data but also
disruption of operations, the cost of restoring systems and files, and
harm to the institution's reputation should word of the attack
Large institutions have implemented technical controls to deal with
ransomware and keep an attack from escalating to crisis level. While
smaller institutions might not be able to afford as much technology,
people and processes, many can probably afford cloud-based Disaster
Recovery as a Service (DRaaS) to back up data as part of a complete
business continuity/disaster recovery (BC/DR) solution.
Getting back up: In case of attack, you only have your backup
Banks, of course, should take every preventive measure to secure systems
and data against viruses and malware. Today's best practices include
• Employee education
• Anti-virus technology
• Content scanning and filtering on email servers
• Limiting access to mapped drives
• Implementing endpoint security
Working together, these efforts can reduce, though not eliminate, the likelihood of a successful ransomware attack.
Still, as Gartner reported in 2016, "the primary defense for ransomware
infections (and potentially future coordinated attacks) is backup. In
these types of attacks, the hacker may have compromised or encrypted
your production data; therefore, you only have your backups to revert
That is: In case of a ransomware attack, you can take infected systems
offline, go back to your last known clean copy, restore from that, and
be back in business without paying ransom. The FBI, Gartner and pretty
much everyone involved in cybersecurity recommend backing up important
data "at least once" a day.
From disaster to DRaaS: Fighting ransomware
If your bank finds it unacceptable to lose up to a day's worth of
constantly changing transaction data, you will want to contract for a
shorter recovery point objective (RPO) with your DRaaS provider. RPO is
the amount of time in the past, in hours or minutes, that you want to go
back following a disaster. You would notify the provider of the attack,
declare a disaster to put your BC/DR plan into action, and count on
using a sufficiently recent, uninfected backup to restore and resume
operations. Your bank could even run the backup as production in the
cloud until the primary data center is known to be clean.
Frequent testing, which every good DRaaS provider should allow, can give
you confidence in your ability to load the backup into a safe "sandbox" for verifying its integrity and confirming the ability to recover
successfully in case of a ransomware attack.
Assuring the integrity of backups requires its own best practices. Organizations should follow the 3-2-1 backup rule:
Three copies of data on two different media, with one copy offsite, preferably stored in systems disconnected from the production environment.
For additional safety, the DR provider should, in turn, store multiple copies of the data.
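To make the RPO reasoning above and the 3-2-1 rule concrete, here is an added Python example; it is not code from the article or from any DRaaS product it names. It models a backup inventory, picks the newest verified copy that predates the compromise by a safety margin (ransomware is usually active for a while before anyone notices), reports the data loss against the contracted RPO, and audits the copies of one backup set against 3-2-1. The inventory schema, field names, timestamps, margin and RPO values are all constructed assumptions.

```python
"""Choosing a clean restore point and auditing the 3-2-1 rule.

Added example, not code from the article or from any DRaaS product. The
inventory schema, field names and all sample snapshots are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Snapshot:
    set_id: str          # which backup generation this copy belongs to
    taken_at: datetime   # when this copy was completed
    medium: str          # "disk", "tape", "object-storage", ...
    location: str        # "onsite" or "offsite"
    air_gapped: bool     # True if not reachable from the production network
    verified: bool       # True if a sandbox restore/integrity check passed


def _t(hour: int, minute: int = 0) -> datetime:
    # Constructed timestamps, all on one day, for the sample inventory.
    return datetime(2017, 5, 12, hour, minute)


# Constructed inventory: one nightly set copied to three places, plus
# hourly replicas to a DRaaS repository. The 11:00 replica has not yet
# been verified in the sandbox, so it must not be chosen.
SAMPLE_INVENTORY: List[Snapshot] = [
    Snapshot("nightly-0512", _t(2), "disk", "onsite", False, True),
    Snapshot("nightly-0512", _t(2, 30), "object-storage", "offsite", True, True),
    Snapshot("nightly-0512", _t(3), "tape", "offsite", True, True),
    Snapshot("hourly-0512-09", _t(9), "object-storage", "offsite", True, True),
    Snapshot("hourly-0512-10", _t(10), "object-storage", "offsite", True, True),
    Snapshot("hourly-0512-11", _t(11), "object-storage", "offsite", True, False),
]
COMPROMISE = _t(11, 20)        # constructed: when encryption was first noticed
SAFETY_MARGIN_MINUTES = 30     # assumed dwell time before the attack was noticed
CONTRACT_RPO_MINUTES = 60      # assumed RPO written into the DRaaS contract


def choose_restore_point(inventory: List[Snapshot], compromise_time: datetime,
                         margin_minutes: int) -> Optional[Snapshot]:
    """Newest verified copy completed before the compromise minus a margin
    for the time the ransomware may have been active before detection.
    Returns None when no verified copy predates the cutoff."""
    cutoff = compromise_time - timedelta(minutes=margin_minutes)
    clean = [s for s in inventory if s.verified and s.taken_at <= cutoff]
    return max(clean, key=lambda s: s.taken_at, default=None)


def minutes_lost(snapshot: Snapshot, compromise_time: datetime) -> int:
    """Transaction data at risk: the gap between the copy and the compromise."""
    return int((compromise_time - snapshot.taken_at).total_seconds() // 60)


def meets_rpo(snapshot: Snapshot, compromise_time: datetime, rpo_minutes: int) -> bool:
    return minutes_lost(snapshot, compromise_time) <= rpo_minutes


def copies_of(inventory: List[Snapshot], set_id: str) -> List[Snapshot]:
    return [s for s in inventory if s.set_id == set_id]


def audit_3_2_1(copies: List[Snapshot]) -> List[str]:
    """Return the 3-2-1 violations for the copies of one backup set. An empty
    list means three copies, two media, one offsite and disconnected from
    production."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    media = {s.medium for s in copies}
    if len(media) < 2:
        problems.append(f"only {len(media)} medium type, need 2")
    offsite = [s for s in copies if s.location == "offsite"]
    if not offsite:
        problems.append("no offsite copy")
    elif not any(s.air_gapped for s in offsite):
        problems.append("offsite copy is reachable from production")
    return problems


if __name__ == "__main__":
    rp = choose_restore_point(SAMPLE_INVENTORY, COMPROMISE, SAFETY_MARGIN_MINUTES)
    print("restore from", rp.set_id, "completed", rp.taken_at.time())
    print("minutes of data lost:", minutes_lost(rp, COMPROMISE),
          "RPO met:", meets_rpo(rp, COMPROMISE, CONTRACT_RPO_MINUTES))
    for sid in ("nightly-0512", rp.set_id):
        print(sid, "3-2-1 violations:",
              audit_3_2_1(copies_of(SAMPLE_INVENTORY, sid)) or "none")
```

With the constructed values the 10:00 replica is chosen (the 11:00 one is unverified and too close to the compromise), 80 minutes of data are at risk, so a 60-minute contractual RPO is missed, and the hourly replica fails 3-2-1 because it exists as a single copy on a single medium, while the nightly set passes.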
Ransomware fighter: The right provider
While protection of a bank's own systems, networks, devices,
applications and data against infection is the bank's responsibility, DR
providers can help increase customers' security by using backup
technologies that incorporate anti-malware and anti-ransomware
safeguards, or that are structured to reduce the risk of infection.
Veeam Cloud Connect is one technology DRaaS providers use that
incorporates such a safe design. Its "out-of-band" protection
establishes a secure channel to automatically transfer data to and from
the cloud repository and offers data encryption to protect data at rest.
In evaluating a DRaaS provider's ability to help protect you against
ransomware, look for use of this backup technology, or solutions with
More than that, ask what precautions the provider has in place to
prevent its own systems, or your backed-up data, from becoming infected
with ransomware. A provider should use the most up-to-date
versions of leading anti-virus, vulnerability scanning, intrusion
detection and prevention, log management, and security information and
event management tools from vendors such as McAfee, Alert Logic,
Symantec and CommVault, among others.
Do not merely trust a provider's claims and assertions. Rather, ask to
see third-party certifications that the provider in fact has in
operation technological and procedural safeguards that meet stringent
industry and government information security standards, such as SSAE 16
SOC2; Payment Card Industry Council Data Security Standard (PCI DSS)
Version 2.0; FISMA; and FedRAMP. Ask for certification that the
provider's facility meets Uptime Institute Tier III standards for
concurrent maintainability, as well. This means that there's sufficient
redundancy in systems so that any element of the physical plant can go
offline for maintenance without impact to your contracted backup and
A word of precaution…
Banks need to do all they can to implement the physical, technical and
administrative precautions to safeguard their data against the
ransomware threat and comply with all relevant security requirements. A
qualified DRaaS provider can help banks defend against and respond to
ransomware attacks by offering the services, systems and technologies to
keep their backups secure and provide the space and support for
In the meantime, there is no turning back to a less volatile time.
Analysts, media, and cybersecurity experts called 2016 the year of
ransomware. In 2017, in the wake of WannaCry, attacks could well
increase to record levels. For many financial institutions under siege,
the only way back and the best way forward comes from smart backup
Marc Langer is the founder and president of Recovery Point Systems, a
company that helps customers resume operations following any
interruption in their IT environment. He developed the concept of the
Integrated Disaster Recovery Supplier, which enables clients to engage a
single vendor to provide an all-inclusive, economical suite of recovery