Ransomware, a form of malware that encrypts a user's or organization's most important files or data, rendering them unreadable, isn't a novel threat in the world of computer security. These destructive, financially motivated attacks, in which cybercriminals demand payment to decrypt data and restore access, have been studied and documented for many years. Today's reality shows us that these attacks have become more pervasive, impacting essential services like healthcare or pumping gasoline. Yet despite attempts to stop this threat, ransomware continues to impact organizations across all industries, significantly disrupting business processes and critical national infrastructure services and leaving many organizations looking to better protect themselves. Organizations that continue to rely on legacy systems are especially vulnerable to ransomware threats, as these systems may not be regularly patched and maintained.
For more than 20 years Google has been operating securely in the cloud, using its modern technology stack to provide a more defensible environment that can protect at scale. Google Cloud strives to make security innovations available in its platforms and products for customers to use as well. This underpins the work to be the industry's most trusted cloud, and while the threat of ransomware isn't new, Google's responsibility to help protect you from existing or emerging threats never changes. In this post, we share guidance on how your organization(s) can increase their resilience to ransomware and how some of Google Cloud's products and services can help.
Robust protection against ransomware (and many other threats) requires multiple layers of defense. The National Institute of Standards and Technology (NIST) outlines five main functions in the Cybersecurity Framework that serve as the primary pillars for a successful and comprehensive cybersecurity program in any public or private sector organization. Below are the recommendations from NIST and examples of how our Cloud technologies can help address ransomware threats:
Pillar #1 – Identify: Develop an understanding of what cybersecurity risks you need to manage for the scope of your assets, systems, data, people, and capabilities. In the case of ransomware, this covers which systems or processes are most likely to be targeted in a ransomware attack, and what the business impact would be if specific systems were rendered inoperable. This will help prioritize and focus efforts to manage risks.
The CISO Guide to Security Transformation whitepaper outlines steps for a risk-informed, rather than risk-avoidance, approach to security with the cloud. A risk-informed approach can help you address the most important security risks, instead of only addressing the risks that you already know how to mitigate. Cloud service providers make this risk-informed approach easier and more efficient for you by developing and maintaining many of the controls and tools that you need to mitigate modern security threats. Services like Cloud Asset Inventory provide a mechanism to discover, monitor, and analyze all your assets in one place for tasks like IT ops, security analytics, auditing, and governance.
Pillar #2 – Protect: Create safeguards to ensure delivery of critical services and business processes to limit or contain the impact of a potential cybersecurity incident or attack. In the case of ransomware, these safeguards may include frameworks like zero trust that protect and strongly authenticate user access and device integrity, segment environments, authenticate executables, reduce phishing risk, filter spam and malware, integrate endpoint protection, patch consistently and provide continuous controls assurance. Some examples of products and strategies to involve in this step include:
Pillar #3 – Detect: Define continuous ways to monitor your organization and identify potential cybersecurity events or incidents. In the case of ransomware, this may include watching for intrusion attempts, deploying Data Loss Prevention (DLP) solutions to detect exfiltration of sensitive data from your organization, and scanning for early signs of ransomware execution and propagation.
The ability to spot and stop malicious activity associated with ransomware as early as possible is key to preventing business disruptions. Chronicle is a threat detection solution that identifies threats, including ransomware, at unparalleled speed and scale. Google Cloud Threat Intelligence for Chronicle surfaces highly actionable threats based on Google’s collective insight and research into Internet-based threats. Threat Intel for Chronicle allows you to focus on real threats in the environment and accelerate your response time.
Data Loss Prevention (DLP) technologies are also useful in helping detect data that could be appealing to ransomware operators. With data discovery capabilities like Cloud DLP, you can detect sensitive data that is accessible to the public when it should not be, and detect access credentials in exposed code.
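Spotting ransomware execution early, as Pillar #3 describes, usually comes down to a few behavioural signals in file-activity telemetry: one process renaming many files to a new extension within a short window, and a ransom-note-like file being written alongside them. The Python below is an added example and is not Chronicle, Cloud DLP, or any other Google Cloud code; the key=value event format, the host and process names, and the thresholds are all constructed for the illustration. It generalizes the page's "early signs of ransomware execution" into a per-process sliding-window rule that can be run over any log source mapped to the same fields.

```python
"""Added example (not Chronicle or Cloud DLP code): heuristic detection of early
ransomware execution over constructed file-activity events."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed event format (constructed for this example):
#   <iso-timestamp> host=<h> proc=<p> action=<write|rename> path=<p> [newpath=<p>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) action=(?P<action>\w+)"
    r" path=(?P<path>\S+)(?: newpath=(?P<newpath>\S+))?$"
)

WINDOW = timedelta(seconds=60)      # sliding window per (host, process)
RENAME_THRESHOLD = 20               # extension-adding renames inside WINDOW that raise an alert
NOTE_MARKERS = ("decrypt", "recover", "restore")  # words typical of ransom-note file names


def build_sample_lines():
    """Constructed telemetry: two benign actors and one suspicious process."""
    t0 = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # A user editing a few documents over ten minutes.
    for i in range(5):
        ts = (t0 + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{ts} host=ws-01 proc=winword.exe action=write path=C:/docs/report{i}.docx")
    # A backup agent renaming archives slowly, one every ten minutes.
    for i in range(30):
        ts = (t0 + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts} host=fs-01 proc=backup-agent action=rename "
                     f"path=/srv/backup/set{i}.tar newpath=/srv/backup/set{i}.tar.old")
    # An unknown process renaming 25 spreadsheets to a new extension in 25 seconds ...
    for i in range(25):
        ts = (t0 + timedelta(minutes=5, seconds=i)).isoformat()
        lines.append(f"{ts} host=ws-01 proc=unknown.exe action=rename "
                     f"path=C:/docs/file{i}.xlsx newpath=C:/docs/file{i}.xlsx.locked")
    # ... and then writing a ransom-note-like file.
    ts = (t0 + timedelta(minutes=5, seconds=26)).isoformat()
    lines.append(f"{ts} host=ws-01 proc=unknown.exe action=write path=C:/docs/HOW_TO_DECRYPT.txt")
    return lines


SAMPLE_LINES = build_sample_lines()


def parse_line(line):
    """Return the event as a dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def adds_extension(old, new):
    """True when the rename only appended a suffix, e.g. file.xlsx -> file.xlsx.locked."""
    return new.startswith(old + ".")


def detect(lines):
    """Return one alert per (host, process, reason), in the order they were raised."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # (host, proc) -> timestamps of extension-adding renames in WINDOW
    alerted = set()
    alerts = []
    for e in events:
        key = (e["host"], e["proc"])
        if e["action"] == "rename" and e["newpath"] and adds_extension(e["path"], e["newpath"]):
            q = recent[key]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > WINDOW:   # drop renames older than the window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and (key, "mass-rename") not in alerted:
                alerted.add((key, "mass-rename"))
                alerts.append({"host": e["host"], "proc": e["proc"], "reason": "mass-rename",
                               "count": len(q), "first_seen": q[0]})
        elif e["action"] == "write":
            name = e["path"].rsplit("/", 1)[-1].lower()
            if any(marker in name for marker in NOTE_MARKERS) and (key, "ransom-note") not in alerted:
                alerted.add((key, "ransom-note"))
                alerts.append({"host": e["host"], "proc": e["proc"], "reason": "ransom-note",
                               "path": e["path"], "first_seen": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

The point of the sliding window keyed on (host, process) is to separate rate from volume: the backup agent renames thirty archives but never more than one per minute, so it stays quiet, while the unknown process crosses the threshold on its twentieth rename and the `first_seen` timestamp it records is the value a recovery team later needs to pick a clean restore point. The thresholds and marker words are starting points to tune against your own telemetry, not fixed rules.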
Pillar #4 – Respond: Activate an incident response program within your organization that can help contain the impact of a security (in this case, ransomware) event.
During a ransomware attack or security incident, it’s critical to secure your communications both internally to your teams and externally to your partners and customers. Many organizations with legacy Office deployments have shifted to Google Workspace because it offers a more standardized and secure online collaboration suite, and in the event of a security incident, a new instance can quickly be stood up to provide a separate, secure environment for response actions.
Pillar #5 – Recover: Build a cyber resilience program and back-up strategy to prepare for how you can restore core systems or assets affected by a security (in this case, ransomware) incident. This is a critical function for supporting recovery timelines and lessening the impact of a cyber event so you can get back to operating your business.
Immediately after a ransomware attack, a safe point-in-time backup image that is known not to be infected must be identified. Actifio GO provides scalable and efficient incremental data protection and a unique near-instant recovery capability for data. This near-instant recovery facilitates identifying a clean restore point quickly, enabling resumption of business functions rapidly. Actifio GO is infrastructure-agnostic and can protect applications on-premises and in the cloud.
In Google Workspace, if files on your computer were infected with malware but you sync them to Google Drive, you may be able to recover those files. Additionally, ensuring that you have a strong risk transfer program in place, like Risk Protection Program, is a critical element of a comprehensive approach to managing cyber risk.
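Pillar #5's requirement, a point-in-time backup image "known not to be infected", can be made concrete as a selection rule: take the latest snapshot that predates the first observed malicious activity by more than an assumed dwell-time margin, that is stored under a retention lock, and whose stored image still matches the digest recorded when the backup was taken. The Python below is an added example with a constructed backup catalogue; it is not Actifio GO or Google Drive code, and the Snapshot fields, the 24-hour margin, the image ids and the timestamp of the first malicious activity are all assumptions made for the illustration.

```python
"""Added example (not Actifio GO code): choosing a known-clean point-in-time
backup to restore after a ransomware incident, over a constructed catalogue."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Snapshot:
    image_id: str
    taken_at: datetime
    sha256: str        # digest recorded in the catalogue when the backup was taken
    immutable: bool    # stored under a retention lock that a compromised account cannot alter


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_catalogue():
    """Constructed nightly snapshots for 26 April to 1 May 2024, plus their stored images."""
    catalogue, images = [], {}
    first_night = datetime(2024, 4, 26, 2, 0, tzinfo=timezone.utc)
    for offset in range(6):                      # 26 April .. 1 May
        taken = first_night + timedelta(days=offset)
        image_id = f"img-{taken:%m%d}"
        content = f"app-data as of {taken:%Y-%m-%d}".encode()
        images[image_id] = content
        catalogue.append(Snapshot(image_id, taken, sha256_hex(content),
                                  immutable=(image_id != "img-0429")))   # one copy left mutable
    # Simulate a backup copy that was altered after its digest was recorded.
    images["img-0430"] = b"tampered"
    return catalogue, images


def choose_restore_point(catalogue, images, first_malicious_seen,
                         safety_margin=timedelta(hours=24)):
    """Latest snapshot older than (first_malicious_seen - safety_margin) that is
    retention-locked and whose stored image still matches its recorded digest.
    Returns (snapshot or None, list of (image_id, rejection reason))."""
    cutoff = first_malicious_seen - safety_margin
    rejected = []
    for snap in sorted(catalogue, key=lambda s: s.taken_at, reverse=True):
        if snap.taken_at >= cutoff:
            rejected.append((snap.image_id, "inside dwell-time window"))
        elif not snap.immutable:
            rejected.append((snap.image_id, "not retention-locked"))
        elif sha256_hex(images[snap.image_id]) != snap.sha256:
            rejected.append((snap.image_id, "digest mismatch"))
        else:
            return snap, rejected
    return None, rejected


# Assumed time of the first observed malicious activity (e.g. the first detection alert).
FIRST_MALICIOUS_SEEN = datetime(2024, 5, 1, 10, 5, tzinfo=timezone.utc)


def run_example():
    catalogue, images = build_catalogue()
    return choose_restore_point(catalogue, images, FIRST_MALICIOUS_SEEN)


if __name__ == "__main__":
    chosen, rejected = run_example()
    for image_id, reason in rejected:
        print(f"skip {image_id}: {reason}")
    print("restore from:", chosen.image_id if chosen else "no clean snapshot found")
```

The order of the three checks matters: the dwell-time cutoff is applied first because the most recent image is the most attractive but also the most likely to already contain the encryptor or the attacker's tooling, and the digest check is applied last because it is the only one that costs a read of the stored image. Returning the rejection reasons alongside the choice gives the incident record the evidence for why older data was restored.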
As you plan for a comprehensive defense posture against ransomware threats, here are some key questions to consider:
Recently, ransomware groups have evolved their tactics to include stealing data prior to encrypting it, with the threat of extorting the victim by leaking this data. Additionally, some ransomware operators have used the threat of distributed denial-of-service (DDoS) attacks against victim organizations as an attempt to further compel them to pay ransoms. DDoS attacks can also serve as a distraction, occupying security teams while attackers seek to accomplish other objectives such as data exfiltration or encryption of business-critical data. By deploying Google Cloud Armor, which can scale to absorb massive DDoS attacks, you can help protect services deployed in Google Cloud, other clouds, or on-premises against DDoS attacks.
Protecting against ransomware is a critical issue for all organizations, and these questions and best practices are only the start of building a mature and resilient cybersecurity posture. It's important to remember that you can't focus on a single piece of defense; you need a comprehensive cybersecurity program that enables you to identify, prevent, detect, respond, and recover from threats. Above all, you need a range of solutions from a battle-tested and highly resilient cloud platform that works across these elements in an integrated way with your business. To learn more about how Google Cloud can help you implement a comprehensive cybersecurity program to protect against threats like ransomware, visit our PawaIT Solutions Ltd support center.