Tag Archives: BusinessBackup

Guide to How to Recover and Prevent a Ransomware Attack

Post Syndicated from original https://www.backblaze.com/blog/complete-guide-ransomware/

A decorative image with the title "The Complete Guide to Ransomware."

This post was originally published during April of 2019 and updated in July of 2022 and July of 2023. Unfortunately, ransomware continues to proliferate. We’ve updated the post to reflect the current state of ransomware and to help individuals and businesses protect their data.

In today’s interconnected world, where our professional lives revolve around technology, the threat of ransomware looms large. It is a profitable business for cybercriminals, causing billions of dollars in damages. You might not have been subject to a ransomware attack yet, but that may not always be the case—unfortunately, the odds are against you.

This comprehensive guide aims to empower you with the knowledge and strategies needed to prevent and recover from ransomware attacks. With preparation and the latest cybersecurity insights, you can safeguard your digital world.

This post is a part of our ongoing coverage of ransomware. Take a look at our other posts for more information on how businesses can defend themselves against a ransomware attack, and more.

In their 2023 Ransomware Trends Report, Veeam found that only 16% of organizations attacked by ransomware were able to recover without paying a ransom. That means, despite almost every business having backups of some kind, only one in six of them were able to use their backups to resume business operations after an attack. As a cloud storage company where many customers store backups, we think that number should be closer to 100%. That’s why we created this guide—getting that number closer to 100% starts with knowing what you’re up against and putting strategies in place to protect your business. 

The Ransomware Threat

In 2022, the FBI’s Internet Crime Complaint Center received 2,385 ransomware complaints with adjusted losses of more than $34.3 million, and those are just the ones that got reported. Cybersecurity Ventures expects that, by 2031, businesses will fall victim to a ransomware attack every other second, up from every 11 seconds in 2021, every 14 seconds in 2019, and every 40 seconds in 2016. This exponential rise in victims translates to nearly $265 billion in ransomware damages by 2031 according to Cybersecurity Ventures.

Individual and average ransom amounts are also reaching new heights. In Q1 2023, the average ransom payment was $327,883, up 55% from Q1 of 2022 ($211,529) according to Coveware, a cyber extortion incident response firm. And, 45% of attacks had an initial demand over $1 million. 

A graph showing ransomware payments by quarter through Q1 2023.

Ransomware affects all industries, from the public sector (state and local government and educational institutions) to healthcare and technology. No group is immune, as seen in the chart below.

A pie chart showing which industries are affected by ransomware as of Q1 2023.

Ransomware continues to be a major threat to businesses in all sectors, but the greatest impact continues to be leveled at small and medium businesses (SMBs). As the table below notes, a vast majority (66.9%) of all the companies impacted by ransomware attacks are SMBs with between 11 and 1,000 employees.  

A pie chart showing ransomware impact by company size.

Regardless of your firm’s size, you’ll want to understand how ransomware works, including ransomware as a service (RaaS), as well as how recent developments in generative artificial intelligence (AI) tools are changing the ransomware landscape.

Ransomware as a Service

Ransomware as a Service has emerged as a game changer in the world of cybercrime, revolutionizing the ransomware landscape and amplifying the scale and reach of malicious attacks. The RaaS business model allows even novice cybercriminals to access and deploy ransomware with relative ease, leading to a surge in the frequency and sophistication of ransomware attacks worldwide. 

Traditionally, ransomware attacks required a high level of technical expertise and resources, limiting their prevalence to skilled cybercriminals or organized cybercrime groups. However, the advent of RaaS platforms has lowered the barrier to entry, making ransomware accessible to a broader range of individuals with nefarious intent. These platforms provide aspiring cybercriminals with ready-made ransomware toolkits, complete with user-friendly interfaces, step-by-step instructions, and even customer support. In essence, RaaS operates on a subscription or profit-sharing model, allowing criminals to distribute ransomware and share the ransom payments with the RaaS operators.

The rise of RaaS has led to a proliferation of ransomware attacks, with cybercriminals exploiting the anonymity of the dark web to collaborate, share resources, and launch large-scale campaigns. The RaaS model not only facilitates the distribution of ransomware but it also provides criminals with analytics dashboards to track the performance of their campaigns, enabling them to optimize their strategies for maximum profit.

One of the most significant impacts of RaaS is the exponential growth in the number and variety of ransomware strains. RaaS platforms continuously evolve and introduce new ransomware variants, making it increasingly challenging for cybersecurity experts to develop effective countermeasures. The availability of these diverse strains allows cybercriminals to target different industries, geographical regions, and vulnerabilities, maximizing their chances of success. 

The profitability of RaaS has attracted a new breed of cybercriminals, leading to an underground economy where specialized roles have emerged. Ransomware developers create and sell their malicious code on RaaS platforms, while affiliates or “distributors” spread the ransomware through various means, such as phishing emails, exploit kits, or compromised websites. This division of labor allows criminals to focus on their specific expertise, while RaaS operators facilitate the monetization process and collect a share of the ransoms.

The impact of RaaS extends beyond the immediate financial and operational consequences for targeted entities. The widespread availability of ransomware toolkits has also resulted in a phenomenon known as “ransomware commoditization,” where cybercriminals compete to offer their services at lower costs or even engage in price wars. This competition drives innovation and the continuous evolution of ransomware, making it a persistent and ever-evolving threat.

To combat the growing influence of RaaS, organizations and individuals require a multilayered approach to cybersecurity. Furthermore, organizations should prioritize data backups and develop comprehensive incident response plans to ensure quick recovery in the event of a ransomware attack. Regularly testing backup restoration processes is essential to maintain business continuity and minimize the impact of potential ransomware incidents.

Ransomware as a Service has profoundly transformed the ransomware landscape, democratizing access to malicious tools and fueling the rise of cybercrime. The ease of use, scalability, and profitability of RaaS platforms have contributed to a surge in ransomware attacks across industries and geographic locations.

Generative AI and Ransomware

The rise of generative AI has been a boon for cybercriminals in helping them automate attacks. If you’ve ever been through any kind of cybersecurity training, you’ll know that spelling mistakes, bad grammar, and awkward writing are some of the most obvious signs of a phishing email. With generative AI, the cybercriminals’ job just got that much easier, and their phishing emails that more convincing.

Now, a cybercriminal just needs to punch a prompt into ChatGPT, and it spits out an error-free, well-written, convincing email that the cybercriminal can use to target victims. It has also been a force multiplier for helping cybercriminals translate that email into different languages or target it to specific industries or even companies. Text generated by models like ChatGPT help cybercriminals create very personalized messages that are more likely to have the desired effect of getting a target to click a malicious link or download a malicious payload.

How Does Ransomware Work?

A ransomware attack starts when a machine on your network becomes infected with malware. Cybercriminals have a variety of methods for infecting your machine, whether it’s an attachment in an email, a link sent via spam, or even through sophisticated social engineering campaigns. As users become more savvy to these attack vectors, cybercriminals’ strategies evolve. Once that malicious file has been loaded onto an endpoint, it spreads to the network, locking every file it can access behind strong encryption controlled by cybercriminals. If you want that encryption key, you’ll have to pay the price.

When we say ‘hacker,’ it’s not some kid in his basement. They’re stealthy, professional crime organizations. They attack slowly and methodically. They can monitor your network for months, until they have the keys to the kingdom—including backups—then they pull the trigger.

—Gregory Tellone, CEO, Continuity Centers

Encrypting ransomware or cryptoware is by far the most common variety of ransomware. Other types that might be encountered are:

  • Non-encrypting ransomware or lock screens, which restrict access to files and data, but do not encrypt them.
  • Ransomware that encrypts a drive’s master boot record (MBR) or Microsoft’s NTFS, which prevents victims’ computers from being booted up in a live operating system (OS) environment.
  • Leakware or extortionware, which steals compromising or damaging data that the attackers then threaten to release if ransom is not paid.
  • Mobile device ransomware which infects cell phones through drive-by downloads or fake apps.

What Happens During a Typical Attack?

The typical steps in a ransomware attack are:

  1. Infection: Ransomware gains entry through various means such as phishing emails, physical media like thumb drives, or alternative methods. It then installs itself on a single endpoint or network device, granting the attacker access.
  2. Secure Key Exchange: Once installed, the ransomware communicates with the perpetrator’s central command and control server, triggering the generation of cryptographic keys required to lock the system securely.
  3. Encryption: With the cryptographic lock established, the ransomware initiates the encryption process, targeting files both locally and across the network, rendering them inaccessible without the decryption keys.
  4. Extortion: Having gained secure and impenetrable access to your files, the ransomware displays an explanation of the next steps, including the ransom amount, instructions for payment, and the consequences of noncompliance.
  5. Recovery Options: At this stage, the victim can attempt to remove infected files and systems while restoring from a clean backup, or they may consider paying the ransom. 

It’s never advised to pay the ransom. According to Veeam’s 2023 Ransomware Trends Report, 21% of those who paid the ransom still were not able to recover their data. There’s no guarantee the decryption keys will work, and paying the ransom only further incentivizes cybercriminals to continue their attacks. 

Who Gets Attacked?

Data has shown that ransomware attacks target firms of all sizes, and no business—from small and medium-sized business to large coprorations—is immune. According to the Veeam 2023 Data Protection Trends Report, 85% of organizations suffered at least one cyberattack in the preceding twelve months. Attacks are on the rise in every sector and in every size of business. This leaves small to medium-sized businesses particularly vulnerable, as they may not have the resources needed to shore up their defenses. 

Recent attacks where cybercriminals leaked sensitive photos of patients in a medical facility prove that no organization is out of bounds and no victim is off limits. These attempts indicate that organizations which often have weaker controls and out-of-date or unsophisticated IT systems should take extra precautions to protect themselves and their data.

The U.S. consistently ranks highest in ransomware attacks, followed by the U.K. and Germany. Windows computers are the main targets, but ransomware strains exist for Macintosh and Linux, as well.

The unfortunate truth is that ransomware has become so widespread that most companies will certainly experience some degree of a ransomware or malware attack. The best they can do is be prepared and understand the best ways to minimize the impact of ransomware.

Ransomware is more about manipulating vulnerabilities in human psychology than the adversary’s technological sophistication.”

—James Scott, Institute for Critical Infrastructure Technology

How to Combat Ransomware

So, you’ve been attacked by ransomware. Depending on your industry and legal requirements (which, as we have seen, are ever-changing), you may be obligated to report the attack first. Otherwise, your immediate footing should be one of damage control. So what should you do next?

  1. Isolate the Infection. Swiftly isolate the infected endpoint from the rest of your network and any shared storage to halt the spread of the ransomware.
  2. Identify the Infection. With numerous ransomware strains in existence, it’s crucial to accurately identify the specific type you’re dealing with. Conduct scans of messages, files, and utilize identification tools to gain a clearer understanding of the infection.
  3. Report the Incident. While legal obligations may vary, it is advisable to report the attack to the relevant authorities. Their involvement can provide invaluable support and coordination for countermeasures.
  4. Evaluate Your Options. Assess the available courses of action to address the infection. Consider the most suitable approach based on your specific circumstances.
  5. Restore and Rebuild. Utilize secure backups, trusted program sources, and reliable software to restore the infected computer or set up a new system from scratch.

1. Isolate the Infection

Depending on the strain of ransomware you’ve been hit with, you may have little time to react. Fast-moving strains can spread from a single endpoint across networks, locking up your data as it goes, before you even have a chance to contain it.

The first step, even if you just suspect that one computer may be infected, is to isolate it from other endpoints and storage devices on your network. Disable Wi-Fi, disable Bluetooth, and unplug the machine from both any local area network (LAN) or storage device it might be connected to. This not only contains the spread but also keeps the ransomware from communicating with the attackers. 

Know that you may be dealing with more than just one “patient zero.” The ransomware could have entered your system through multiple vectors, particularly if someone has observed your patterns before they attacked your company. It may already be laying dormant on another system. Until you can confirm, treat every connected and networked machine as a potential host to ransomware.

2. Identify the Infection

Just as there are bad guys spreading ransomware, there are good guys helping you fight it. Sites like ID Ransomware and the No More Ransom! Project help identify which strain you’re dealing with. And knowing what type of ransomware you’ve been infected with will help you understand how it propagates, what types of files it typically targets, and what options, if any, you have for removal and disinfection. You’ll also get more information if you report the attack to the authorities (which you really should).

3. Report to the Authorities

It’s understood that sometimes it may not be in your business’s best interest to report the incident. Maybe you don’t want the attack to be public knowledge. Maybe the potential downside of involving the authorities (lost productivity during investigation, etc.) outweighs the amount of the ransom. But reporting the attack is how you help everyone avoid becoming victimized and help combat the spread and efficacy of ransomware attacks in the future. With every attack reported, the authorities get a clearer picture of who is behind attacks, how they gain access to your system, and what can be done to stop them. 

You can file a report with the FBI at the Internet Crime Complaint Center.

There are other ways to report ransomware, as well.

4. Evaluate Your Options

The good news is, you have options. The bad news is that the most obvious option, paying up, is a terrible idea.

Simply giving into cybercriminals’ demands may seem attractive to some, especially in those previously mentioned situations where paying the ransom is less expensive than the potential loss of productivity. Cybercriminals are counting on this.

However, paying the ransom only encourages attackers to strike other businesses or individuals like you. Paying the ransom not only fosters a criminal environment but also leads to civil penalties—and you might not even get your data back.

The other option is to try and remove it.

5. Restore and Rebuild—or Start Fresh

There are several sites and software packages that can potentially remove the ransomware from your system, including the No More Ransom! Project. Other options can be found, as well.

Whether you can successfully and completely remove an infection is up for debate. A working decryptor doesn’t exist for every known ransomware. The nature of the beast is that every time a good guy comes up with a decryptor, a bad guy writes new ransomware. To be safe, you’ll want to follow up by either restoring your system or starting over entirely.

Why Starting Over Using Your Backups Is the Better Idea

The surest way to confirm ransomware has been removed from a system is by doing a complete wipe of all storage devices and reinstalling everything from scratch. Formatting the hard disks in your system will ensure that no remnants of the ransomware remain.

To effectively combat the ransomware that has infiltrated your systems, it is crucial to determine the precise date of infection by examining file dates, messages, and any other pertinent information. Keep in mind that the ransomware may have been dormant within your system before becoming active and initiating significant alterations. By identifying and studying the specific characteristics of the ransomware that targeted your systems, you can gain valuable insights into its functionality, enabling you to devise the most effective strategy for restoring your systems to their optimal state.

Select a backup or backups that were made prior to the date of the initial ransomware infection. If you’ve been following a sound backup strategy, you should have copies of all your documents, media, and important files right up to the time of the infection. With both local and off-site backups, you should be able to use backup copies that you know weren’t connected to your network after the time of attack, and hence, protected from infection. Backup drives that were completely disconnected should be safe, as are files stored in the cloud, especially if you use Object Lock to make them immutable.

How Object Lock Protects Your Data

Object Lock functionality for backups allows you to store objects using a write once, read many (WORM) model, meaning that after it’s written, data cannot be modified. Using Object Lock, no one can encrypt, tamper with, or delete your protected data for a specified period of time, creating a solid line of defense against ransomware attacks.

Object Lock creates a virtual air gap for your data. The term air gap comes from the world of LTO tape. When backups are written to tape, the tapes are then physically removed from the network, creating a literal gap of air between backups and production systems. In the event of a ransomware attack, you can just pull the tapes from the previous day to restore systems. Object Lock does the same thing, but it all happens in the cloud. Instead of physically isolating data, Object Lock virtually isolates the data.

Object Lock is valuable in a few different use cases:

  1. To replace an LTO tape system: Most folks looking to migrate from tape are concerned about maintaining the security of the air gap that tape provides. With Object Lock, you can create a backup that’s just as secure as air-gapped tape without the need for expensive physical infrastructure.
  2. To protect and retain sensitive data: If you work in an industry that has strong compliance requirements—for instance, if you’re subject to HIPAA regulations or if you need to retain and protect data for legal reasons—Object Lock allows you to easily set appropriate retention periods to support regulatory compliance.
  3. As part of a disaster recovery (DR) and business continuity plan: The last thing you want to worry about in the event you are attacked by ransomware is whether your backups are safe. Being able to restore systems from backups stored with Object Lock can help you minimize downtime and interruptions, comply with cyber insurance requirements, and achieve recovery time objectives (RTO) easier. By making critical data immutable, you can quickly and confidently restore uninfected data from your backups, deploy them, and return to business without interruption.

Ransomware attacks can be incredibly disruptive. By adopting the practice of creating immutable, air-gapped backups using Object Lock functionality, you can significantly increase your chances of achieving a successful recovery. This approach brings you one step closer to regaining control over your data and mitigating the impact of ransomware attacks.

So, Why Not Just Run a System Restore?

While it might be tempting to rely solely on a system restore point to restore your system’s functionality, it is not the best solution for eliminating the underlying virus or ransomware responsible for the initial problem. Malicious software tends to hide within various components of a system, making it impossible for system restore to eradicate all instances. 

Another critical concern is that ransomware has the capability to encrypt local backups. If your computer is infected with ransomware, there is a high likelihood that your local backup solution will also suffer from data encryption, just like everything else on the system.

With a good backup solution that is isolated from your local computers, you can easily obtain the files you need to get your system working again. This will also give you the flexibility to determine which files to restore from a particular date and how to obtain the files you need to restore your system.

Human Attack Vectors

Often, the weak link in your security protocol is the ever-elusive X factor of human error. Cybercriminals know this and exploit it through social engineering. In the context of information security, social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. In other words, the weakest point in your system is usually somewhere between the keyboard and the chair.

Common human attack vectors include:

1. Phishing

Phishing uses seemingly legitimate emails to trick people into clicking on a link or opening an attachment, unwittingly delivering the malicious payload. The email might be sent to one person or many within an organization, but sometimes the emails are targeted to help them seem more credible. This targeting takes a little more time on the attackers’ part, but the research into individual targets can make their email seem even more legitimate, not to mention the advent of generative AI models like ChatGPT. They might disguise their email address to look like the message is coming from someone the sender knows, or they might tailor the subject line to look relevant to the victim’s job. This highly personalized method is called “spear phishing.” 

2. SMSishing

As the name implies, SMSishing uses text messages to get recipients to navigate to a site or enter personal information on their device. Common approaches use authentication messages or messages that appear to be from a financial or other service provider. Even more insidiously, some SMSishing ransomware variants attempt to propagate themselves by sending themselves to all contacts in the device’s contact list.

3. Vishing

In a similar manner to email and SMS, vishing uses voicemail to deceive the victim, leaving a message with instructions to call a seemingly legitimate number which is actually spoofed. Upon calling the number, the victim is coerced into following a set of instructions which are ostensibly to fix some kind of problem. In reality, they are being tricked into installing ransomware on their own computer. Like so many other methods of phishing, vishing has become increasingly sophisticated with sound effects and professional diction that make the initial message and follow-up call seem more legitimate. And like spear phishing, it has become highly targeted.

4. Social Media

Social media can be a powerful vehicle to convince a victim to open a downloaded image from a social media site or take some other compromising action. The carrier might be music, video, or other active content that, once opened, infects the user’s system.

5. Instant Messaging

Between them, IM services like WhatsApp, Facebook Messenger, Telegram, and Snapchat have more than four billion users, making them an attractive channel for ransomware attacks. These messages can seem to come from trusted contacts and contain links or attachments that infect your machine and sometimes propagate across your contact list, furthering the spread.

Machine Attack Vectors

The other type of attack vector is machine to machine. Humans are involved to some extent, as they might facilitate the attack by visiting a website or using a computer, but the attack process is automated and doesn’t require any explicit human cooperation to invade your computer or network.

1. Drive-By

The drive-by vector is particularly malicious, since all a victim needs to do is visit a website carrying malware within the code of an image or active content. As the name implies, all you need to do is cruise by and you’re a victim.

2. System Vulnerabilities

Cybercriminals learn the vulnerabilities of specific systems and exploit those vulnerabilities to break in and install ransomware on the machine. This happens most often to systems that are not patched with the latest security releases.

3. Malvertising

Malvertising is like drive-by, but uses ads to deliver malware. These ads might be placed on search engines or popular social media sites in order to reach a large audience. A common host for malvertising is adults-only sites.

4. Network Propagation

Once a piece of ransomware is on your system, it can scan for file shares and accessible computers and spread itself across the network or shared system. Companies without adequate security might have their company file server and other network shares infected as well. From there, the malware will propagate as far as it can until it runs out of accessible systems or meets security barriers.

5. Propagation Through Shared Services

Online services such as file sharing or syncing services can be used to propagate ransomware. If the ransomware ends up in a shared folder on a home machine, the infection can be transferred to an office or to other connected machines. If the service is set to automatically sync when files are added or changed, as many file sharing services are, then a malicious virus can be widely propagated in just milliseconds.

It’s important to be careful and consider the settings you use for systems that automatically sync, and to be cautious about sharing files with others unless you know exactly where they came from.

Security experts suggest several precautionary measures for preventing a ransomware attack.

  1. Use antivirus and antimalware software or other security policies to block known payloads from launching.
  2. Make frequent, comprehensive backups of all important files and isolate them from local and open networks.
  3. Immutable backup options such as Object Lock offer users a way to maintain truly air-gapped backups. The data is fixed, unchangeable, and cannot be deleted within the time frame set by the end-user. 
  4. Keep offline data backups stored in locations that are air-gapped or inaccessible from any potentially infected computer, such as disconnected external storage drives or the cloud, which prevents the ransomware from accessing them.
  5. Keep your security up-to-date through trusted vendors of your OS and applications. Remember to patch early and patch often to close known vulnerabilities in operating systems, browsers, and web plugins.
  6. Consider deploying security software to protect endpoints, email servers, and network systems from infection.
  7. Exercise good cyber hygiene, exercising caution when opening email attachments and links.
  8. Segment your networks to keep critical computers isolated and to prevent the spread of ransomware in case of an attack. Turn off unneeded network shares.
  9. Operate on the principle of least privilege. Turn off admin rights for users who don’t require them. Give users the lowest system permissions they need to do their work.
  10. Restrict write permissions on file servers as much as possible.
  11. Educate yourself and your employees in best practices to keep ransomware out of your systems. Update everyone on the latest email phishing scams and human engineering aimed at turning victims into abettors.

➔ Download The Complete Guide to Ransomware E-book

It’s clear that the best way to respond to a ransomware attack is to avoid having one in the first place. Other than that, making sure your valuable data is backed up and unreachable to a ransomware infection will ensure that your downtime and data loss will be minimal if you ever fall prey to an attack.

Have you endured a ransomware attack or have a strategy to keep you from becoming a victim? Please let us know in the comments.

The post Guide to How to Recover and Prevent a Ransomware Attack appeared first on Backblaze Blog | Cloud Storage & Cloud Backup.

The 3-2-1 Backup Strategy

Post Syndicated from original https://www.backblaze.com/blog/the-3-2-1-backup-strategy/

Backing up your computer files isn’t like buying comprehensive car insurance, e.g., something you hope you never have to use but are sure glad you have when you need it. Of course, you want to protect your personal information, photos, work files, and other important data from hard drive crashes, accidental deletions, drink spills, theft, or malware. While Backblaze can’t help with power outages, computer encryption, or anti-theft technologies (though we can locate a computer), we can help make backing up your files a no-brainer. And (at least to our most recent survey) with only 10% of respondents who own a computer backing up daily, folks need the help!

Warning

Some cloud service providers suggest that encouraging people to keep multiple copies of their data reflects a lack of faith in our product. Still, redundant failsafes should always be part of your plan. It’s like investing, diversification is key. The truth is that anything and everything can fail. Hard drives fail. Good employees make bad mistakes. Bad employees make worse mistakes. And whether it was the Amazon Web Services outage that took down a large swath of the internet or the Google Cloud Storage outage that affected platforms like Snapchat, Shopify, and Discord, even the biggest providers can let you down in your time of need. That’s why the 3-2-1 strategy exists.

What’s Changed About the 3-2-1 Backup Strategy?

You may have heard of the 3-2-1 backup strategy. It means having at least three copies of your data, two local (on-site) but on different media (read: devices), and at least one copy off-site.

We’ll use “socialsecurity.jpg” as an example for this scenario. Socialsecurity.jpg lives on your computer at home; let’s say you took a picture of it for your tax accountant years ago for some tax-related stuff (as tax accountants are wont to do). That’s one copy of the data.

You also have an external hard drive to back up your computer; if you’re on a Mac, you might use it as a Time Machine drive (and Backblaze loves Time Machine). That external hard drive will back up socialsecurity.jpg as part of its backup process. That’s a second copy on a different device or medium.

In addition to that external hard drive, you also have an online backup solution (we recommend Backblaze, go figure!). The online backup continuously scans your computer and uploads your data to an off-site data center. Socialsecurity.jpg is included in this upload, becoming the third copy of your data.

Oh! And, your paper social security card is hopefully stored in a fire-proof safe (not your wallet). Does that sound pretty air-tight to you? It is, or at least it used to be.

The rise in ransomware attacks calls for strengthening the basic principles of the 3-2-1 strategy—redundancy, geographic distance, and access—with added protections. Cybercrimes targeting networked machines and capturing all data, including backups, is a growing problem. Data geeks who know about backup and recovery are going “comprehensive” with their backup “insurance.” New versions of the tried-and-true backup strategy have emerged, such as the 3-2-1-1-0 or 4-3-2 backups. Sounds like overkill? It isn’t. The good news is that companies like Backblaze exist to make at least the off-site component less stressful, they do the work and keep up with security best practices for you.

Why Is It Important to Back Up On-site and Off-site?

Whether you are interested in backing up a Mac or a PC, an on-site backup is a simple way to access your data quickly should anything happen to your computer. If your laptop or desktop’s hard drive crashes, and you have an up-to-date external hard drive available, you can quickly get most of your data back or use the external drive on another computer while yours gets fixed or replaced. If you remember to keep that external hard drive fairly up to date, the exposure for data loss is negligible, as you might only lose the uncopied files on your laptop. Most external hard drives even come with software to ensure they’re readily updated.

Having an on-site backup is a great start, but having an off-site backup is a key component in having a complete backup strategy, including cloud storage. The newer backup strategies build on the cloud’s strengths:

  • Convenience: Backing up large volumes of data in the cloud is fast.
  • Durability and reliability: Cloud storage centers protect against fires, natural disasters, and more.
  • Collaboration: Sharing with permissions is intuitive and effortless in the cloud.

With millions working in the cloud, those three copies in the 3-2-1-1-0 backup are separated by media on-site, off-site, and offline. This backup strategy exceeds the original model in its zero error copy. This fidelity to your files’ durability and reliability is possible with the help of a backup protection tool like Object Lock, which makes it impossible to modify or delete data (for a certain amount of time) because of its Write Once, Read Many (WORM) model. If you’re using cloud storage, consider a backup strategy that uses the principles of redundancy, distance, access, and immutability like 3-2-1-1-0. And in the case of Backblaze, retention history (like our Extended Version History feature of Computer Backup) adds additional layers of protection in how long those copies are kept should anything happen to your physical devices.

Is 3-2-1 Perfect?

There is no such thing as a perfect backup system, but the 3-2-1 approach is a great start for most people and businesses. Even the United States government recommends this approach. In a 2012 paper for US-CERT (United States Computer Emergency Readiness Team), Carnegie Mellon recommended the 3-2-1 method in their publication: Data Backup Options.

Backing Up Is the Best Insurance

The 3-2-1-1-0 plan is great for getting your files backed up. If you view the strategy like an insurance policy, you want one that provides the coverage needed should the unthinkable happen. Service also matters; having a local, off-site, and offline backup gives you more options for backup recovery. And a zero error policy for recoverability is a “no questions asked” claims process. One can dream! We did.

That’s how, and why, Backblaze created the world’s easiest cloud backup.

The post The 3-2-1 Backup Strategy appeared first on Backblaze Blog | Cloud Storage & Cloud Backup.

How a National Nonprofit Protects Field Staff Workstations

Post Syndicated from Molly Clancy original https://www.backblaze.com/blog/how-a-national-nonprofit-protects-field-staff-workstations/

Image credits below: Mason Cummings, The Wilderness Society.

Saving the environment is one of the most noble tasks anyone can undertake, but the thing about the environment is that it’s notoriously rough on laptops.

For the staff of The Wilderness Society, saving wild places means trekking out into said wild with boots firmly on the ground. Whether that means shutting down copper mines that would have otherwise devastated nearby waterways or helping create public transportation routes out to public lands, The Wilderness Society is a group constantly on the move. That doesn’t leave a lot of time for dealing with backups, particularly in the geographically far-flung areas in which The Wilderness Society researchers find themselves.

Data saved on staff laptops was regularly at risk, and The Wilderness Society needed a way to protect that data from threats both natural and otherwise. Director of Information Technology, Kristin Iden, shared how she:

  • Protected essential workstation data with cloud backups.
  • Achieved a security stance that aligns with cyber insurance policies.
  • Eased the administrative burden on an IT team of two that serves more than 160 staff around the country.
Otero Mesa, New Mexico.
The Wilderness Society: A Force for Change

Since 1935, The Wilderness Society has led the effort to permanently protect 109 million acres of wilderness in 44 states. They have been at the forefront of nearly every major public lands victory. Initiatives include climate change solutions, land and water conservation, and community-led conservation.

How Workstation Backups Protect Data From Disasters

The urgency to put a solid workstation backup plan in place hit home for Kristin when her laptop was destroyed by a lightning strike. And yes, she’s aware of the irony. The IT director, one of the few who isn’t dragging their laptop across creation, is the one who lost data to natural disaster.

The Wilderness Society’s researchers find themselves all over the world as part of their mission to protect the environment. There are 14 offices from coast to coast, from Hallowell, Maine to Anchorage, Alaska. According to Kristin, “drop and destroy” events are not uncommon out in the field, whether it’s a laptop taking an accidental trip down a mountainside or into the waters of the Arctic Circle.

Add to that, as a nonprofit organization, The Wilderness Society always has to look at the bottom line. Their funding comes entirely from donors and sponsors, gifted with a purpose, and as much of it should go toward the mission as possible. In fact, Kristin had originally sought out a backup solution solely for executives as a way to save budget, but Backblaze’s affordability made it a no-brainer to extend backups out into the field.

“If somebody in the Arctic Circle drops and breaks their laptop, now I can get them back up and running within a couple of days. ”
—Kristin Iden, Director of Information Technology, The Wilderness Society

Arctic National Wildlife Refuge, Alaska.

How to Back Up Field Staff Workstations

Kristin started with a beta test group of around 10% of the users, making sure to include a mix of field researchers, administrative workers, and executives. One important group to include in this mix was the handful of workers in truly remote regions of the country that have metered bandwidth. This obviously made regular backups difficult, but Kristin found a workaround by having them run the backup during weekly office visits.

The two members of the IT department are the sole administrators on the roughly 160 machines throughout the organization, an 80/20 mix of PC and Mac users. As such, they were able to roll out installation of Backblaze through Microsoft Intune, a mass deployment tool. The initial beta test went off without a hitch, and they took a phased approach to the remaining rollout—Backblaze was installed across the entire organization in groups of 30.

Pisgah National Forest, North Carolina.

Lightweight Backup Client Provides Peace of Mind

Kristin knew there was simply no way to prevent the inevitable destruction of user laptops out in the field. By focusing her efforts on finding the right backup solution, she was able to easily roll out to the entire organization a solution that protected their data from the rigors of nature.

Of paramount importance was simplifying the entire process for the users. They are, after all, doing the truly critical work of protecting the environment. Whether that means surveying wildlife in their native environment or working with lawmakers to craft bills that preserve nature, Kristin wanted their focus on the mission and not on their machine. With a lightweight client that doesn’t bog down machines and reliable backups she can use to provision new machines and recover data, Backblaze gave her that turnkey solution, and the peace of mind that followed.

“Admin tasks like backups are a time suck when you’re a two-person team minding 160 people running around the country trying to make sure the forests stay up. I don’t have time to babysit something constantly. With Backblaze, it just does its thing, and it lets me know when something’s not working. That’s exactly what I want out of every tool I use—just work, tell me when it isn’t, and make it easy to fix it. Backblaze just works everywhere we need it to.”
—Kristin Iden, Director of Information Technology, The Wilderness Society

Looking for a backup solution for your nonprofit organization or dispersed field staff? Learn more about Backblaze Business Backup for workstations.

The post How a National Nonprofit Protects Field Staff Workstations appeared first on Backblaze Blog | Cloud Storage & Cloud Backup.

CrashPlan On-Premises Customers: Come On Over

Post Syndicated from Shveta Shahi original https://www.backblaze.com/blog/crashplan-on-premises-customers-come-on-over/

CrashPlan Deprecation Announcement

With CrashPlan sunsetting its On-Premises backup service as of February 28, 2022, customers have some choices to make about how to handle their backups moving forward. As you think about the options—all of which require IT managers to embrace a change—we’d be remiss if we didn’t say Backblaze is ready to help with our Business Backup service for workstations. It’s quick and easy to switch over to, easy to run automatically ongoing, and cost effective.

If you’re a CrashPlan customer but you need a new backup solution, read on to understand your options. If you’re interested in working with us, you can transition from CrashPlan to Backblaze in six simple steps outlined below to protect all employee workstations from accidental data loss or ransomware, automatically and affordably.

What Options Do CrashPlan Customers Have?

CrashPlan customers have two options: transfer to CrashPlan’s Cloud Backup Service or transfer to another vendor. CrashPlan customers have until March 1, 2022 to make the decision and get started. After March 1, CrashPlan customers will lose support for their backup software. If any issues arise with backing up or restoring data, you won’t receive support to help fix the situation from CrashPlan.

CrashPlan’s Cloud Backup Service starts at $10 per endpoint per month for 0-100 endpoints, and is tiered after that. For customers looking for different pricing options or features, some CrashPlan alternatives include Carbonite and iDrive, both of which are offering promotions to attract CrashPlan customers. Keep in mind that once these promotions expire, you’re stuck paying the full price which may be higher than others. And, of course, Backblaze is an option as well.

Transferring from CrashPlan to Backblaze

So, what makes Backblaze a great fit for CrashPlan customers? We’ll share a few reasons. If you are already convinced, you can get started now by following the getting started guide in the next section of this post. If not, here are some of the benefits you’ll get with Backblaze:

  1. Unlimited and Automatic: Lightweight Mac and PC clients back up all user data by default and are Java-free for stability—no system slow-downs or crashes.
  2. Easy Admin and Restores: Transition in a few simple steps then easily manage and deploy at scale via a centralized admin console by choosing from a number of mass-deployment tools with multiple restore options.
  3. Affordable and Predictable: Protect all employee workstations for just $70/computer, with no surprise charges, plus monthly, yearly, or two-year billing flexibility to suit your needs.
  4. Safe and Secure: Defend your business data from ransomware and other threats with single sign-on, two-factor authentication, encryption at rest, encryption in transit, and ransomware protection.
  5. Live Support: Make your transition easy with support during your transition and deployment via our customer service team and solution engineers.

Backblaze has been in the backup business for 15 years, and businesses ranging from PagerDuty to Charity: Water to Roush Auto Group rely on us for their data protection. Former CrashPlan customers who recently transitioned to Backblaze are getting the value they expected. Recently, Richard Charbonneau of Clicpomme spoke of the ease and simplicity he gained from switching:

“All our clients are managed by MDM or Munki, so it was really easy for us just to push the uninstaller for CrashPlan and package the new installer for Backblaze for every client.”
– Richard Charbonneau, Founder, Clicpomme

We invite you to join them.

Ready to Get Started?

➔ Register Now

How to Transition to Backblaze: Getting Started

You can “version off” of CrashPlan and “version on” to Backblaze Business Backup, making for a seamless transition. Simply create and configure an account with Backblaze to start backing up all employee workstations, and let CrashPlan lapse when they sunset On-Premises support on February 28.

You can retain your CrashPlan backups on premises for however long your retention policies stipulate in case you need to restore (or just deprecate those altogether if you’d rather use your on-premises storage servers for something else—it’s up to you!). Then, with Backblaze set up in parallel, you can start relying on Backblaze moving forward.

Here’s how to get started with Backblaze Business Backup.

  1. Click here to get started on our sign-up page.
  2. Enter an email address and password. Then click Create Account with Groups Enabled.

    3. Business Sign Up

  3. You will receive a verification email. When you do, enter the code provided.

    4. Verify Email Address

  4. Now, create a Group for your users. There are a few reason to create a group or groups for your users, including:
    • To establish separate retention periods.
    • To use different billing methods for different groups.
    • To give different kinds of users customized access.
    • To keep your users organized according to your needs.

    Create group

  5. Choose how many licenses you would like to purchase in the Computers to Backup field, select your retention plan under Version History, then click Add a Billing Method and enter your information. When you are done, click Buy and Next (If you are not ready to proceed with adding a payment method, feel free to click “Skip Payment & Try for Free”, this will allow you to try out the product for 15 days with full functionality.)

    6. Add Payment

  6. Now that your Group is created, you have some options on how to invite users into the group. You can:

    7. Invite and Approve

Deployment Considerations

Backblaze offers a number of different deployment options to give you the most flexibility when deciding how to deploy the Backblaze client to your machines. It can be as simple as sending the invite link via Slack or in a personally crafted email to a handful of users. You can use our Invite Email option to just add email addresses to a canned invite. Or you can deploy via a silent install using RMM tools such as JAMF, SCCM, Munki and others to deploy the software to your end users. Assistance is always available from our solution engineers to help guide you through the deployment process.

Additional Configuration Considerations

With Backblaze Business Backup, you can customize your groups’ administrative access. Specify who has administrator privileges to a group simply by adding an email address to the group settings. As a group administrator, you have the ability to assist your users with restores and be aware of issues when they arise.

You can also integrate with your Single Sign-on provider—either Google or Microsoft—in the settings to improve security, reduce support calls, and free users from having to remember yet another password.

An Invitation to Try Backblaze

If you are a CrashPlan user looking to transition to a new cloud backup service for your workstations, Backblaze makes moving to the cloud easy. Reach out to us at any time for help transitioning and getting started.

➔ Register Now

The post CrashPlan On-Premises Customers: Come On Over appeared first on Backblaze Blog | Cloud Storage & Cloud Backup.

Ransomware Takeaways: Q2 2021

Post Syndicated from Jeremy Milk original https://www.backblaze.com/blog/ransomware-takeaways-q2-2021/

Backblaze Ransomware Takeaways: Q2 2021

A lot has happened since we published our last Ransomware Takeaways, and it’s only been three months. High-profile attacks dominated headlines last quarter, but the attacks few of us ever hear about made up the majority, often with more serious consequences than higher gas prices. In a recent survey of 130 hospitals and healthcare organizations, nearly half of them reported they had to disconnect their networks in the first half of 2021 due to ransomware.

You surely follow ransomware news if you have any responsibility for your organization’s IT infrastructure and/or data. Still, since the dynamics are ever changing, you might find it useful to see the bigger picture developments as we’re seeing them, to help inform your decision making. Here are five quick, timely, shareable takeaways from our monitoring over Q2 2021.

This post is a part of our ongoing series on ransomware. Take a look at our other posts for more information on how businesses can defend themselves against a ransomware attack, and more.

1. Ransom Demands Hit New Highs

The REvil ransomware syndicate started negotiations at $70 million in an attack on Kaseya that affected 1,500 businesses that use the company’s software products. The $70 million demand follows on the heels of two $50 million demands by REvil against computer manufacturer, Acer, in March and Apple supplier, Quanta, in April.

While the highest demands reach astronomical heights, average demands are also increasing according to cybersecurity and cyber insurance firm, Coalition. In their H1 2021 Cyber Insurance Claims Report, they noted the average ransom demand made against their policyholders increased to $1.2 million per claim in the first half of 2021, up from $450,000 in the first half of 2020.

2. Ransom Payments Appeared to Fluctuate

In their 2021 Ransomware Threat Report, Cybersecurity firm, Palo Alto Networks, noted an 82% increase in average ransom payments in the first half of 2021 to a record $570,000. While cybersecurity firm, Coveware, which tracks payments quarterly, reported a lower figure—in Q2 of 2021, they put average payments at $136,576 after hitting a high of $233,817 in Q4 of 2020. The different sources show different trends because tracking payments is a tricky science—companies are not required to report incidents, let alone ransoms demanded or payments made. As such, firms that track individual payments are limited by the constituencies they serve and the data they’re able to gather.

Taking a different approach, Chainalysis, a blockchain data platform that tracks payments to blockchain addresses linked to ransomware attacks, showed that the total amount paid by ransomware victims increased by 311% in 2020 to reach nearly $350 million worth of cryptocurrency. In May 2021, they published an update after identifying new addresses that put the number over $406 million. They expect the number will only continue to grow.

We’ll continue to track reporting from around the industry and account for variances in future reporting, but the data does tell us one thing—ransomware continues to proliferate because it continues to be profitable.

3. Double Extortion Tactics Are Increasing

In addition to encrypting files, cybercriminals are stealing data with threats to leak it if companies don’t pay the ransom. This trend is particularly concerning for public sector organizations and companies that maintain sensitive data like the Washington, D.C. Metropolitan Police Department—the victim of a May 2021 attack by the Babuk group that leaked sensitive documents including staff disciplinary records and security reports from the FBI and CIA.

Double extortion is not new—the Maze ransomware group carried out the first extortion attack in 2019, but the tactic is becoming more prevalent. In their Threat Report, Palo Alto Networks found that at least 16 ransomware variants currently employ this approach, and they expect more ransomware brands to adopt the tactic.

4. Ransomware Syndicates Are in Flux

The limelight is not a place most ransomware syndicates want to be. We’ve seen reports that the DarkSide group, responsible for the Colonial Pipeline attack, seems to have dissolved under the increased attention. But, the ransomware economy is porous, and different sources report that the muscle behind the gang may simply have changed horses to a new brand—BlackMatter—or a simply a different one—LockBit, the group allegedly responsible for the reported attack on Accenture. Like a high-stakes game of whack-a-mole, ransomware brands and groups are continuing to morph and change as authorities get wise to their tactics.

5. SMBs Continue to Be Main Targets, and Healthcare Suffered Doubly

Coalition reported that attacks on organizations with fewer than 250 employees increased 57% year over year. And, according to Coveware, over 75% of attacks in Q2 2021 targeted companies with less than 1,000 employees.

Ransomware Distribution by Company Size

Cybercriminals target organizations of this size because they know they’re vulnerable. Small and medium-sized businesses (SMBs) with strapped IT budgets are less likely to have the resources to protect themselves and more likely to pay the ransom rather than suffer extended downtime trying to recover from an attack.

While hospitals struggled to respond to the global COVID-19 pandemic, they also suffered cybersecurity breaches at an alarming rate. As noted above, almost half of 130 hospitals surveyed in a new study reported that they disconnected their networks in the first half of 2021 due to ransomware. Some did so as a precautionary measure while others were forced to do so by the severity of the ransomware infection. Medium-sized hospitals with less than 1,000 beds experienced longer downtime and higher losses than larger institutions, averaging almost 10 hours of downtime at a cost $45,700 per hour. As we reported in our last quarterly update, relying on the goodwill of cybercriminals to forgo attacks on organizations that serve the public good is a mistake.

The Good News

This quarter, the good news is that the increased attention means ransomware groups are under more scrutiny and more businesses are waking up to the reality that the threat is very, very real. Fortunately, the headlines and numbers make it even easier to justify the investment in ransomware protections, and there are plenty of ways to incorporate them into your cloud infrastructure. If your IT team does one thing in 2021, making ransomware resilience a priority should be it.

What You Can Do to Defend Against Ransomware

For more information on the threat SMBs are facing from ransomware and steps you can take to protect your business, read our Complete Guide to Ransomware.

The post Ransomware Takeaways: Q2 2021 appeared first on Backblaze Blog | Cloud Storage & Cloud Backup.