Ransomware is currently the most widespread cybercrime business model. Basically, ransomware occurs when a criminal gains access to a company’s IT systems or servers and then encrypts the data to paralyze the company. The “data hijackers” then demand a ransom (hence the name ransomware) in exchange for removing the encryption and allowing the company to resume operations.  

The size of the ransom varies, and some companies simply choose to pay it. However, security experts do not recommend giving in to cybercriminals, because there is no guarantee that they will actually live up to their end of the agreement or that the data will be undamaged once the encryption is removed.  

How does ransomware work?

There are many types of ransomware, and new forms are appearing all the time. However, certain fundamental strategies have been observed time and again:  

• Ransomware that takes over writing permission and compromises data 

Most ransomware uses concrete/existing rights and credentials to install or activate itself. This is why writing permissions and access rights to folders and drives should generally be kept to a minimum for the individual users within the organization, including the admins. This is the best way to minimize the risk of spreading ransomware. 

• Ransomware as “Dormant intruder” 

A cybercriminal or ransomware breaks into the IT environment and hides in the operating system for weeks or months without detection. This approach can cause tremendous damage because it makes it possible to:  

• Harvest rights and access files, databases and user data based on the backup  
• Encrypt the backup without allowing mirroring or restore because an uninfected backup no longer exists  
• Perform functions to hamper the recovery of data by encrypting the shadow copies used for system restore points, or possibly even deleting them entirely. 

Strong IT safety, good processes and high vigilance are all crucial. However, it is in the backup that the most important protection against the high costs that result from a ransomware attack should be implemented: the separation of duties, especially at user/admin level. 

Read more about Separation of Duties and Backup-as-a-Service.

Get in Touch

Want to learn more? We’re always ready for an informal conversation, contact CCO Jesper Juul at jju@b4restore.com.