By Deb Radcliff, Creative Director, SANS Analyst Program
A small company with around 50 users was put out of business for a week last year because of ransomware that encrypted files on a local drive that then replicated back to other endpoints through the cloud.
The ransomware never touched the cloud directly. It encrypted a local folder on the user's drive, and that folder was synced to the cloud when the user next accessed applications, according to Elisha Riedlinger, COO of NeuShield, who was called in after the infection occurred. At that point all of the data in the cloud was encrypted, and the encrypted copies were pushed back down to every other system that requested the data.
It was a harsh reality for the company, which before the incident was not running NeuShield products or other malware protection.
"The company lost about one week of worker productivity across the organization," said Riedlinger. "Many small companies keep most or all of their critical data in a shared location. If this data is not recoverable, then the company could go out of business."
Endpoints are particularly attractive targets for ransomware to take root on and spread from to other critical systems. In the SANS 2018 survey on endpoint security, respondents selected ransomware as one of the top three most impactful attacks on endpoints.
According to an article in CSO magazine, most ransomware programs are now able to encrypt not only local and remote files, but also full drives, including those in the cloud. For example, attackers can program the Jigsaw ransomware program to encrypt the entire drive and specifically go after the cloud-based storage and backup drives, so that the victim can't recover.
Because most antivirus isn't catching ransomware until it's too late, security teams should take a second look at what makes their organization vulnerable to ransomware. In the case of cloud-spread ransomware, applications and files with shared access make it hard to protect against this type of spread.
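The spread described above starts with one local sync folder whose contents suddenly turn into high-entropy files with new extensions. The following added example (not from the article or from NeuShield) shows one way a defender can detect that condition in a shared folder before the sync client carries it to the cloud: it snapshots each file's extension and byte entropy, then flags the folder when a large share of known files jump to ciphertext-like entropy or sprout a ransomware-style suffix. The suffix list, thresholds, sample documents and the simulated "encryption" (random bytes standing in for ciphertext) are all constructed for the demo.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed list of suffixes the demo treats as ransomware-style renames.
SUSPICIOUS_SUFFIXES = {".locked", ".encrypted", ".crypt"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or random data, far lower for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def canonical_name(rel: Path) -> str:
    """Strip a suspicious trailing suffix so 'report.docx.locked' maps back to 'report.docx'."""
    if rel.suffix.lower() in SUSPICIOUS_SUFFIXES:
        rel = rel.with_suffix("")
    return str(rel)


def snapshot(root: Path) -> dict:
    """Record, per logical file, whether it carries a suspicious suffix and the entropy of its first 4 KiB."""
    snap = {}
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root)
            with p.open("rb") as fh:
                head = fh.read(4096)
            snap[canonical_name(rel)] = {
                "renamed": rel.suffix.lower() in SUSPICIOUS_SUFFIXES,
                "entropy": shannon_entropy(head),
            }
    return snap


def assess(before: dict, after: dict, entropy_jump: float = 2.0, ratio: float = 0.5) -> dict:
    """Flag the folder when at least `ratio` of previously known files were renamed with a
    suspicious suffix or became high-entropy (a jump of `entropy_jump` bits and above 7.0)."""
    flagged = []
    for name, old in before.items():
        new = after.get(name)
        if new is None:
            continue  # deleted outright; a real monitor would track deletions separately
        high_entropy = new["entropy"] - old["entropy"] >= entropy_jump and new["entropy"] > 7.0
        if new["renamed"] or high_entropy:
            flagged.append(name)
    share = len(flagged) / len(before) if before else 0.0
    return {"flagged": sorted(flagged), "share": share, "suspicious": share >= ratio}


def demo() -> dict:
    """Build a constructed shared folder, simulate a local encrypting process, and assess the change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Five ordinary, low-entropy documents (constructed sample data).
        for i in range(5):
            (root / f"report{i}.docx").write_bytes(b"Quarterly figures, lorem ipsum dolor sit amet. " * 80)
        before = snapshot(root)
        # Simulated outcome: four of five files overwritten with random bytes and renamed.
        # os.urandom stands in for ciphertext; nothing is actually encrypted here.
        for i in range(4):
            (root / f"report{i}.docx.locked").write_bytes(os.urandom(4096))
            (root / f"report{i}.docx").unlink()
        after = snapshot(root)
        return assess(before, after)


if __name__ == "__main__":
    print(demo())
```

In production this check would run on each change batch the sync client is about to upload, so that a positive result can pause the client and alert before the encrypted copies reach the cloud and the other endpoints; a single renamed or rewritten file stays below the ratio, so routine edits do not trip it.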
So vendors like NeuShield (founded by some of the early team from Sygate, which Symantec later acquired) are taking a different approach. NeuShield uses agent-based endpoint technology to protect files and drives with a "mirror" shield. Instead of working with the data directly, users make file modifications in an "overlay," and NeuShield keeps the original file intact. If ransomware is introduced into the file overlay, that overlay can be deleted and users can revert to the original file.
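To make the overlay idea concrete, here is an added example of a minimal copy-on-write store in Python. It is a conceptual model written for this page, not NeuShield's implementation: originals live in a base directory that the user-facing API never writes to, every modification lands in an overlay directory, reads prefer the overlay, and `revert()` simply discards the overlay copy. The class name, directory layout and sample files are all assumptions of the demo.

```python
import tempfile
from pathlib import Path


def is_safe_name(name: str) -> bool:
    """Reject absolute paths and '..' so a caller cannot escape the store."""
    p = Path(name)
    return not p.is_absolute() and ".." not in p.parts and str(p) not in ("", ".")


class OverlayStore:
    """Conceptual 'mirror shield': base/ holds untouched originals, overlay/ holds every
    modification, and reverting a file means deleting its overlay copy."""

    def __init__(self, base: Path, overlay: Path):
        self.base = base
        self.overlay = overlay
        self.base.mkdir(parents=True, exist_ok=True)
        self.overlay.mkdir(parents=True, exist_ok=True)

    def _rel(self, name: str) -> Path:
        if not is_safe_name(name):
            raise ValueError(f"unsafe name: {name!r}")
        return Path(name)

    def read(self, name: str) -> bytes:
        """Overlay copy wins when present; otherwise the pristine original is returned."""
        rel = self._rel(name)
        for root in (self.overlay, self.base):
            p = root / rel
            if p.is_file():
                return p.read_bytes()
        raise FileNotFoundError(name)

    def write(self, name: str, data: bytes) -> None:
        """All writes, legitimate or malicious, go to the overlay; base/ is never touched."""
        p = self.overlay / self._rel(name)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)

    def modified(self) -> list:
        """Names of files that currently differ from their originals (i.e. have an overlay copy)."""
        return sorted(str(p.relative_to(self.overlay)) for p in self.overlay.rglob("*") if p.is_file())

    def revert(self, name: str) -> bool:
        """Drop the overlay copy so the next read sees the original. Returns True if anything was dropped."""
        p = self.overlay / self._rel(name)
        if p.is_file():
            p.unlink()
            return True
        return False

    def revert_all(self) -> int:
        """Discard every modification; returns how many files were reverted."""
        names = self.modified()
        for name in names:
            self.revert(name)
        return len(names)


def demo() -> dict:
    """Constructed scenario: one legitimate edit, one simulated malicious overwrite, then a targeted revert."""
    with tempfile.TemporaryDirectory() as tmp:
        store = OverlayStore(Path(tmp) / "base", Path(tmp) / "overlay")
        (store.base / "budget.xlsx").write_bytes(b"original budget")  # seeded originals
        (store.base / "notes.txt").write_bytes(b"original notes")
        store.write("notes.txt", b"edited notes")               # a user's legitimate change
        store.write("budget.xlsx", b"\x8f\x12\x7a garbled bytes")  # simulated malicious overwrite
        seen_during = store.read("budget.xlsx")
        original_on_disk = (store.base / "budget.xlsx").read_bytes()
        modified_before_revert = store.modified()
        store.revert("budget.xlsx")
        return {
            "seen_during": seen_during,
            "original_on_disk": original_on_disk,
            "after_revert": store.read("budget.xlsx"),
            "notes": store.read("notes.txt"),
            "modified_before_revert": modified_before_revert,
            "modified_after_revert": store.modified(),
        }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would want: this model only separates writes, so a real product also has to handle deletions (overlay filesystems record them as whiteout markers rather than removing the original) and has to keep base/ out of reach of ordinary processes, otherwise an attacker simply writes there instead. Revert is per file, so a legitimate edit made in the same window (the notes file above) survives a targeted revert.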
"Even with layered defenses, companies get infected. Usually they just pay the ransom," Riedlinger added. "The key is being able to recover without losing business."