Sophisticated ransomware forces business to think beyond the perimeter
Unfortunately, with the ever-increasing sophistication of attacks, there is no silver bullet to ensure an organisation’s perimeter is 100 per cent ransomware-proof. While preventive controls can help stop basic attacks, the only way to guarantee your business is completely immune is to never use the internet – for anything.
Our reliance on digital and connected technologies across the entire economy – from POS terminals at small neighbourhood cafes to AI and robotics-driven manufacturing processes – means this simply isn’t feasible.
With this in mind, enterprises need to look beyond perimeter controls and consider how quickly they can remediate and get their business back up and running following an attack.
To do so, it is important to understand the two methods these attacks use to disrupt businesses and force them to the negotiation table – encryption and exfiltration.
Business paralysis with encryption
It is impossible today for a business to operate without data.
This simple truth has been the principle guiding ransomware attacks since their inception in 1989 with the first ever strain, PC Cyborg. While this rudimentary ransomware only demanded a payment of around $500 and was distributed by floppy disk, its authors understood more than 30 years ago that if you lock up someone’s critical data, they will pay to regain access.
Since then, an entire economy has sprung up, feeding off the desperation of businesses suddenly staring into the abyss of days, weeks, or even months without access to the data and systems they need to operate.
In fact, ransomware attacks are estimated to have cost Australian organisations up to $241 million in 2019. The true figure, however, is far greater as this does not include the cost of lost production – on average, an Australian business suffers 16 days of downtime in the wake of an attack.
Facing the possibility of more than two weeks offline, many Australian businesses decide to pay the ransom. According to research Rubrik and IDC recently released, 18 per cent of Australian organisations had experienced a ransomware attack in the past two years and 29 per cent of these paid the attackers to regain their data.
The key to rapidly recovering, without negotiating with criminals, is having comprehensive and up-to-date backups as they allow you to effectively turn back the clock and restart operations from a ‘save point’ prior to the infection. This is also endorsed as one of the Australian Signals Directorate’s Essential Eight strategies to mitigate cyber security incidents.
Ransomware attackers are savvy and understand that backups ruin their business model. The more sophisticated strains now actively seek out backup data in order to hamstring recovery efforts and increase the likelihood the victim will pay. Immutable backup data that is natively air-gapped provides organisations with a ‘ransomware insurance policy’ that helps business-as-usual resume as quickly as possible – massively reducing recovery times from an average of 16 days to just hours.
Exfiltration pincer movement
One of the biggest evolutions in ransomware was the introduction of exfiltration capabilities, first seen in the wild in late 2019 with the Maze variant. While the hackers behind this strain shut down operations in November last year, the pincer manoeuvre they introduced of both stealing and encrypting data is now the preferred tactic of ransomware groups around the globe.
By threatening to publish stolen data, attackers increase the urgency of the victim’s response while also raising the stakes of the attack’s consequences.
In the immediate fallout of such an attack, the first few days are traditionally spent in sheer panic as the organisation attempts to identify what data was taken. Having visibility into exactly what files were stolen is critical to response efforts as it allows the business to understand whether any personally identifiable information (PII), financial data, or intellectual property was taken and which additional authorities or regulatory bodies need to be notified.
Machine learning models applied against backup data can help significantly accelerate this discovery process and reduce the time it takes to understand the full scale of an attack from days to just minutes. This allows impacted customers to be rapidly notified so they can take appropriate measures to protect themselves from any fraud stemming from the stolen data.
In the past 12 months, ransomware attacks have taken some of Australia’s biggest names offline – Toll Group, Lion, and now Channel 9.
What is clear is that these attacks are not going to stop anytime soon. In fact, quite the opposite. They will continue to evolve, becoming more sophisticated, and more disruptive as attackers aim to make recovery as difficult and costly as possible.
Unfortunately, cyber-attacks are one of the risks of living and working online. While businesses can never be completely immune from the risks of ransomware, they can minimise disruption and ensure operations are back up and running as quickly as possible.
Dale Heath is solutions engineering manager at cloud data management company, Rubrik
As Nine Entertainment was taken off air by a reported ransomware attack, many organisations around Australia came to a sudden realisation – ransomware doesn’t just lock down data, it locks down entire businesses.