Ransomware Defense Overview

Introduction

This document provides an overview of the key steps involved in defending against a ransomware attack.  This is not intended to be an exhaustive guide on ransomware defense; please also refer to other more general references:

Please also read Ransomware Defense in UBSi-Commvault for more detail about the specific features available in UBSi-Commvault.

Prevention

The first step in ransomware defense is prevention.

Users should implement appropriate security controls, training, and policies to combat ransomware.  The goal is to reduce the risk of a ransomware infection occurring in the first place, and to limit the scope of a ransomware attack if one does occur.  Investing resources in prevention can help avoid or significantly reduce the cost of responding to a ransomware attack.

Prevention typically involves configuring security features in operating systems, firewalls, antivirus products, and other infrastructure components.  The UBSi-Commvault service does not play a significant role in preventing ransomware infection of our users’ devices.  However, the UBSi-Commvault Administrators would like to stress the importance of prevention in the fight against ransomware.

Preparation

The second step in ransomware defense is preparation.

In order to recover from a ransomware event, it is critical to have good, tested backups of your data.  You should configure all Penn State computers under your purview to back up any relevant data to a suitable backup service.  UBSi-Commvault is intended to be suitable for Level 1, Level 2, or Level 3 data on servers, NAS devices, and other similar IT components.  For laptops and desktops, CrashPlan may be a better choice.

For the strongest protection against ransomware, consider performing backups to immutable or offline storage.  See the section about Immutability lower on this page for more information.

It’s also important to perform risk assessments to identify critical data and services, and to develop response plans based on the business needs for each service.


Please note that other data protection methods, such as snapshots or replication, are not a substitute for an independent backup of your data.  These methods can be valuable tools when preparing for other types of issues, but they offer weak protection against ransomware attacks.

Snapshots track recent changes to your data, allowing you to recover from small, recent problems such as the deletion or corruption of a few files.  But snapshot space is limited: a ransomware attack that rewrites most of a volume can generate more changed data than the snapshot reserve can hold, causing the storage system to delete the older snapshots automatically, including the ones that predate the attack.  Sophisticated ransomware may also attempt to delete snapshots directly (for example, deleting Volume Shadow Copies on Windows) before it begins encrypting data.

Replication copies your data from one site or device to another, redundant location, protecting against physical damage to or disruption of the primary copy.  But replication, especially when performed by the storage device, is not aware of the quality of the data being replicated.  In a ransomware attack, the replication process will most likely copy the encrypted data faithfully to the redundant location, overwriting good data with bad.

Detection

The third step in ransomware defense is detection.

Antivirus products and other security software typically play the major role in early detection of ransomware.  Users should also be trained to report suspicious files, programs, and activity to their IT staff.
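As an added example (not part of the original page, and not a UBSi-Commvault or Penn State tool), the following script shows the kind of detection logic security software or a log-monitoring pipeline can apply to process-creation events to catch the snapshot and recovery-inhibition commands mentioned in the Preparation section.  The log format (timestamp, host, user, command line) and the sample events are constructed for this example; the command patterns themselves (vssadmin, wmic shadowcopy, bcdedit, wbadmin, Win32_Shadowcopy) are the well-documented commands ransomware uses to destroy local recovery points.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events: "timestamp host user command-line".
# Made up for this example; these are not Penn State or Commvault logs.
SAMPLE_LOGS = r"""
2024-03-01T10:02:11Z fileserver01 svc_backup C:\Program Files\Backup\agent.exe --schedule nightly
2024-03-01T10:05:47Z fileserver01 jdoe vssadmin.exe delete shadows /all /quiet
2024-03-01T10:05:49Z fileserver01 jdoe wmic shadowcopy delete
2024-03-01T10:05:52Z fileserver01 jdoe bcdedit /set {default} recoveryenabled No
2024-03-01T10:05:55Z fileserver01 jdoe wbadmin delete catalog -quiet
2024-03-01T10:06:01Z fileserver01 jdoe powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
2024-03-01T10:07:00Z fileserver01 admin vssadmin list shadows
"""

# Commands that remove snapshots / disable recovery (MITRE ATT&CK T1490, Inhibit System Recovery).
RECOVERY_INHIBITION_RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "wbadmin_delete_backups": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I),
    "wmi_shadowcopy_delete": re.compile(r"win32_shadowcopy.*\.delete\(", re.I),
}


def parse_line(line):
    """Split one constructed event into (time, host, user, command)."""
    ts, host, user, command = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, command


def scan(log_text):
    """Return one finding per event whose command line matches a rule (first rule wins)."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        time, host, user, command = parse_line(raw)
        for rule, pattern in RECOVERY_INHIBITION_RULES.items():
            if pattern.search(command):
                findings.append({"time": time, "host": host, "user": user,
                                 "rule": rule, "command": command})
                break
    return findings


def correlate(findings, window=timedelta(minutes=5), min_distinct=2):
    """Raise one alert per host where at least min_distinct different rules fire inside the window.

    A single 'vssadmin delete shadows' can be routine maintenance; several different
    recovery-inhibition commands within a few minutes is the ransomware pattern.
    """
    alerts = []
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    for host, items in by_host.items():
        items.sort(key=lambda f: f["time"])
        for i, first in enumerate(items):
            rules = {f["rule"] for f in items[i:] if f["time"] - first["time"] <= window}
            if len(rules) >= min_distinct:
                alerts.append({"host": host, "start": first["time"], "rules": sorted(rules)})
                break
    return alerts


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for f in found:
        print(f"{f['time']:%H:%M:%S} {f['host']} {f['user']:<10} {f['rule']:<26} {f['command']}")
    for a in correlate(found):
        print(f"ALERT: {a['host']} ran {len(a['rules'])} recovery-inhibition commands starting {a['start']:%H:%M:%S}")
```

Run against the sample events, the script flags five of the seven lines (the backup agent and the harmless `vssadmin list shadows` do not match) and raises one alert for fileserver01.  The correlation threshold is the practical caveat: administrators do occasionally delete shadow copies or a backup catalog on purpose, so a single match should be a low-priority finding, while a burst of distinct matches is the point at which to invoke the incident reporting process described above.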

Regardless of the detection method, security incidents must be promptly reported to Information Security: https://security.psu.edu/education-training/what-to-do-security-incident/.  Reporting an incident promptly can significantly reduce the scope of the incident and thus the effort required to recover.

Response

When ransomware is detected, begin by reporting the security incident to Information Security: https://security.psu.edu/education-training/what-to-do-security-incident/

Following your response plan(s) and instructions from Information Security, you will work to contain the ransomware, secure the environment, and rebuild or restore the affected servers and services.

If you need further assistance in restoring data from UBSi-Commvault, please Contact Us with any relevant details.

Immutability

In some cases, a ransomware attack may involve sophisticated software or malicious human actors who will attempt to destroy not only the primary copy of your data (found on your server or other device), but will also attempt to delete or destroy any backup copies of the data (stored in UBSi-Commvault or another backup service or cloud product).

UBSi-Commvault offers several levels of backup immutability in order to help defend against attempts to delete your backup data.  For each server or service, you should evaluate the risks and select a backup type that is appropriate for the data.

For many users, the data being protected may be important but not irreplaceable.  It may therefore be appropriate to use a “weaker” tier of immutability, in exchange for lower cost or more day-to-day flexibility.

In cases where data is critical to Penn State operations and difficult or impossible to replace, then it may be necessary to use a higher tier of immutability in order to manage the risk of a severe ransomware attack.

Regardless of the type of backup selected, it’s important to periodically review backup settings and test the ability to restore the critical backups.  Your team knows best which data is important to Penn State and which backups are required to recover from an attack.  The UBSi Administrators will attempt to assist with restores wherever possible, but we rely on your knowledge and planning as we work together to protect Penn State.

Offline Backup Copies – Very Strong Protection

The strongest possible protection would be provided by a backup copy which is physically disconnected from the network.  UBSi-Commvault is not currently able to offer this level of protection, because it would require our Administrators to handle a large amount of backup media.

However, you may be able to create your own offline copy of some types of data.  For example, you may be able to create and store physical printed copies of certain records.  Or you may be able to back up critical files to a removable storage device (USB drive, CD, backup tape, etc.) each quarter, and then remove it from your computer and store it in a secure offline location.  These techniques may seem simple, but they can provide significant protection against ransomware.  For many servers or services it may not be feasible to perform this type of backup regularly.  But if this type of backup works well for your data, you should consider using it to supplement the protection provided by UBSi-Commvault.
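Both the advice above to periodically test the ability to restore critical backups and the quarterly removable-media copy just described need the same thing: a way to prove that what came back is what went in.  The following script is an added example (not part of the original page and not a UBSi-Commvault, CrashPlan, or Penn State tool) of doing that with a SHA-256 manifest.  You record the manifest when the data is known to be good and keep it with the offline copy (or anywhere the ransomware cannot reach); after a test restore, or after a real one, you compare the restored tree against it.  The `demo()` function builds a small constructed data set in a temporary directory and simulates a restore that is missing one file and has one file overwritten with encrypted content, so nothing on your real systems is touched.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream, so large files are fine
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def save_manifest(manifest, path):
    """Write the manifest as JSON; store this copy with the offline media, not on the protected host."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest recorded when the data was known good.

    'missing' files were not restored, 'changed' files restored with different content
    (e.g. encrypted by ransomware before the backup ran), 'extra' files were not in the
    original set (ransom notes, renamed *.locked files, or simply newer data).
    """
    current = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    changed = sorted(p for p in manifest.keys() & current.keys() if manifest[p] != current[p])
    return {"missing": missing, "changed": changed, "extra": extra, "ok": not (missing or changed)}


def demo():
    """Constructed scenario: a clean restore, then a damaged one. Returns (clean_result, damaged_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        (src / "notes").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,10\n2,25\n")
        (src / "notes" / "readme.txt").write_text("quarterly report\n")
        (src / "config.ini").write_text("[service]\nport=8443\n")

        # Record the manifest while the data is known to be good, then round-trip it through JSON.
        save_manifest(build_manifest(src), Path(tmp, "manifest.json"))
        manifest = load_manifest(Path(tmp, "manifest.json"))

        clean = verify_restore(manifest, src)

        # Simulate a bad restore: one file never came back, one came back encrypted, plus a stray file.
        restored = Path(tmp, "restored")
        shutil.copytree(src, restored)
        (restored / "config.ini").unlink()
        (restored / "ledger.csv").write_bytes(bytes(range(32)))      # stands in for ciphertext
        (restored / "ledger.csv.locked").write_bytes(b"pay us")       # stands in for a ransom artifact
        damaged = verify_restore(manifest, restored)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore:", clean)
    print("damaged restore:", damaged)
```

The important design point is where the manifest lives: if it is stored only on the server being backed up, an attacker who encrypts the server can encrypt or forge the manifest too, so keep the JSON with the offline copy or in a separate, write-protected location.  For a quarterly removable-media copy, run `build_manifest` on the source before copying, `save_manifest` onto the media, and `verify_restore` against the media immediately after the copy (and again when you test a restore from it), so that a silently failed or incomplete copy is noticed while the source is still intact.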