In light of recent large-scale attacks on hundreds of companies by cybercriminal groups, the question is how to take precautions. Ransomware criminals encrypt the victim's data and promise to hand over the key in exchange for the ransom. The best way to make such attacks useless is to have an effective mitigation plan in place before the incident occurs.
Mitigation should include best practices for perimeter protection and secure password rules with two-factor authentication and fully authenticated communication channels.
Regular and frequent backups of all vital systems and a clear plan and tested exercise for how to bring a complex IT system with all its dependencies back online are an important part of such a risk mitigation strategy.
A clear challenge is to secure the backup in such a way that criminals are not able to render the backup unusable by encrypting not only the current day's data, but also the backup data, or by simply deleting the backup data. Therefore, the access control to the backup data and the allowed processing functions on the backup data must be well managed with very restrictive policies.
The recovery strategy must assume that all user data is gone and that ordinary administrative access is therefore no longer possible. Additional "offline" business continuity accounts are required to re-provision the infected servers. Having clean images of the server base OS infrastructure will greatly speed recovery.
In recent months, criminal attacks have evolved in both technological approach and business strategy. The criminals use double blackmail by threatening that regardless of the victim's ability to restore operations, the victim's data will be sold to third parties or published on the Internet to damage reputations. This is, of course, a threat even if the ransom has been paid and the systems are successfully restored.
Effective protection against this requires that the data on the storage medium be encrypted file by file from the beginning. Complete encryption of the storage medium does not help in this case, as the attack operates at the level above, where the running system already presents the data in plain text. Encrypting files renders the "stolen" data unusable and thus protects against the long-term threat, even if it does not protect against the initial attack.
In summary, data-at-rest encryption with secure storage of encryption keys based on a secure standard such as ECIES and AES-256, combined with a stringently executed backup strategy and a managed deployment process such as a fully automated CI/CD pipeline with integrity-protected Docker images, can significantly reduce the risk of falling victim to such an attack by removing the criminals' incentive even if the system perimeter and access protections have been breached.
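An added example (not code from the original article) of the per-file scheme described above: an ECIES-style construction in Go using only the standard library's crypto/ecdh and AES-256-GCM. It assumes a P-256 recipient key pair whose private half is kept off the file server, and a plain SHA-256 of the ECDH shared secret in place of a full KDF such as HKDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Encrypted file layout: ephemeral P-256 public key (65 bytes) || 12-byte nonce || AES-256-GCM output.
const ephPubLen, nonceLen = 65, 12

// aeadFor derives the AES-256 key from the ECDH shared secret; SHA-256 stands in for HKDF (assumption).
func aeadFor(shared []byte) cipher.AEAD {
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // cannot fail: key is 32 bytes
	aead, _ := cipher.NewGCM(block)   // cannot fail: AES block size
	return aead
}

// EncryptFile needs only the recipient's public key, so the file server holds nothing that lets
// an attacker who exfiltrates its files read them.
func EncryptFile(recipient *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	shared, err := eph.ECDH(recipient) // fails only if recipient is not a P-256 key
	if err != nil { return nil, err }
	ephPub := eph.PublicKey().Bytes()
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	header := append(append([]byte{}, ephPub...), nonce...)
	// The ephemeral key is bound as associated data, so a swapped header fails to open.
	return aeadFor(shared).Seal(header, nonce, plaintext, ephPub), nil
}

// DecryptFile needs the recipient's private key, which stays off the file server (offline or in an HSM).
func DecryptFile(recipient *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < ephPubLen+nonceLen {
		return nil, errors.New("ciphertext too short")
	}
	ephPub, err := ecdh.P256().NewPublicKey(blob[:ephPubLen])
	if err != nil { return nil, err }
	shared, err := recipient.ECDH(ephPub)
	if err != nil { return nil, err }
	nonce := blob[ephPubLen : ephPubLen+nonceLen]
	// Open returns an error on any tampering with ciphertext, nonce or ephemeral key.
	return aeadFor(shared).Open(nil, nonce, blob[ephPubLen+nonceLen:], blob[:ephPubLen])
}
```

A ransomware operator who copies the encrypted files obtains only ciphertext plus per-file ephemeral public keys; without the recipient's private key, which never resides on the compromised host, the leak threat in the double-blackmail scenario is neutralised.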
Ensuring the integrity of communications with encrypted and digitally signed messages further reduces the attack surface for penetration of the system.