The story of a ransomware attack often jumps from occurrence directly to restoring from backups or paying ransom. But it’s the work IT operations performs between those points that facilitates ransomware recovery.
The need for prevention and protection is integral to discussing ransomware. IT operations must know not only what ransomware does, but also how to prevent potential issues. Learn some of the steps IT teams can take to prepare for and recover from ransomware attacks on critical infrastructure.
Understanding infrastructure ransomware
Ransomware is a type of malware that targets anything it can get into — including backups — to steal or lock up as much data as quickly as possible. Data theft is common in a ransomware attack; in fact, it’s typically the intended result. And when ransomware targets critical infrastructure, the results can be catastrophic.
IT systems, while resilient to power issues and hardware failures, often have notable east-west vulnerabilities: weak separation between systems inside the data center that lets a compromise spread laterally from one host to the next. The single-pane-of-glass approach of today's GUI dashboards and management consoles has created unforeseen complexities in modern data centers.
Stopping data flow should be the first response after detecting suspicious activity that might indicate ransomware. With infrastructure ransomware, however, the usual steps might be impossible.
For example, during a ransomware attack, many IT admins’ first move is to log in to the switch management portal — only to find that the server hosting the application has become an encrypted brick. Likewise, to log in to switches directly, admins must know the exact IP addresses and logins. In most organizations, this information is stored on a shared drive, which the ransomware can also encrypt into an unreadable data brick.
Protect IT tools in times of crisis
In an infrastructure ransomware attack, the immediate urge is typically to rebuild critical admin tools or consoles before touching anything else. The surface-level process looks simple: Install the software, connect to the infrastructure and carry on.
But in many cases, the tools used to manage infrastructure aren't supported like traditional application servers. Most application servers have designated process flows and backout abilities. Infrastructure servers, in contrast, are generally upgraded as needed rather than on a regular cadence. As a result, out-of-sight, out-of-mind processes and backout steps are neglected.
The tools and software versions an organization uses to manage its data centers are more critical than its user-facing applications. Despite this, infrastructure tools often aren’t subject to the same policies and procedures that IT teams use for customer-facing applications. Instead, they’re usually upgraded repeatedly without attached documentation.
Most IT professionals don’t track the version numbers of their tools, even those they use daily — there often isn’t a reason to. But this vacuum of knowledge is where ransomware strikes hardest.
Because infrastructure ransomware can lock up everything it accesses in a rapid cascade, IT teams must separate essential tools from their organization’s IT ecosystem and devise methods to maintain control over critical tool sets. Backups are important, but any data or architecture hosted online can be at risk. Air gapping is ideal, but takes time and effort to accomplish.
Many IT systems use common login directory information, such as Active Directory (AD). If the infrastructure ransomware affects this data, the losses can be staggering — and create significant recovery roadblocks.
Safety in clones
Cloning data to external media every few months is a valuable starting point to prepare for ransomware attacks on critical infrastructure. Data that’s three to six months out of date is better than no data at all, and it can be a lifesaving resource for organizations that have lost everything, including desktop functionality due to critical system lockup.
Virtualized tools offer a significant advantage. Clone VM keys onto a standalone local storage host with no AD integration or connection to the external infrastructure to hold critical infrastructure server copies. Although these clones won’t restore the data center from a single host, they provide a vital backup of tools that can help IT admins start a recovery plan.
Even if an organization pays the ransom or has an unlock code, decryptors are generally not user-friendly; typically, they require some infrastructure and tooling to work. While it’s not feasible to clone large-scale tools, such as massive monitoring software, IT teams can clone switch management, storage area network, storage portals, DNS, wireless and network management servers.
Although the cloned versions of these tools could be months out of date, IT admins can make changes to switches or storage once the infrastructure is set up. Because the management server reads its current state from the physical device it manages, being out of date is unlikely to be a significant issue. Not starting at zero after a cyberattack is worth the hours it takes each quarter to make clones.
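The two habits this section and the earlier "Protect IT tools" section describe, recording which version of each management tool is in use and re-cloning those tools to standalone media on a quarterly cadence, are easy to let slip. The script below is an added example written for this page, not code from the original article: it builds a manifest for a set of clone files (tool name, version, management address, capture date and a SHA-256 digest), then verifies a clone set against that manifest, reporting clones that are missing, altered since capture, or older than the cadence. The tool names, versions, addresses and 90-day limit are constructed sample values, and the clone files are stand-ins for VM images or config exports.

```python
"""Offline clone manifest for critical infrastructure tools (added example).

Builds a manifest for clone files meant to live on standalone media, verifies
a clone set against it, and flags clones older than the chosen cadence.
"""
import hashlib
import json
import os
import tempfile
from dataclasses import asdict, dataclass
from datetime import date

# Quarterly cadence; an assumption for this example, set it from your own policy.
MAX_CLONE_AGE_DAYS = 90


@dataclass
class ToolClone:
    name: str           # tool being cloned, e.g. the switch management server
    version: str        # version the clone was taken from (record it here, not from memory)
    mgmt_address: str   # where the tool is reached once it is running again
    clone_path: str     # file holding the clone (VM image, config export, ...)
    captured: str       # ISO date the clone was taken


def sha256_file(path):
    """Digest a file in chunks so large VM images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(clones):
    """One manifest entry per clone, carrying a digest of the clone file."""
    entries = []
    for c in clones:
        entry = asdict(c)
        entry["sha256"] = sha256_file(c.clone_path)
        entries.append(entry)
    return {"entries": entries}


def verify_manifest(manifest, today=None):
    """Check every clone: present, digest unchanged, captured within the cadence.

    Returns a list of (tool name, status) pairs; status is 'ok', 'missing',
    'digest-mismatch' or 'stale:<age>d'.
    """
    today = today or date.today()
    results = []
    for e in manifest["entries"]:
        path = e["clone_path"]
        if not os.path.exists(path):
            results.append((e["name"], "missing"))
            continue
        if sha256_file(path) != e["sha256"]:
            results.append((e["name"], "digest-mismatch"))
            continue
        age = (today - date.fromisoformat(e["captured"])).days
        if age > MAX_CLONE_AGE_DAYS:
            results.append((e["name"], f"stale:{age}d"))
            continue
        results.append((e["name"], "ok"))
    return results


def demo():
    """Constructed sample: three stand-in clone files in a temp directory.

    The manifest is written to disk and read back, as it would be from the
    offline media. One clone is then altered and one is older than the cadence.
    """
    tmp = tempfile.mkdtemp()

    def fake(name, data):
        p = os.path.join(tmp, name)
        with open(p, "wb") as f:
            f.write(data)
        return p

    # Constructed sample tools; addresses and versions are placeholders.
    clones = [
        ToolClone("switch-mgmt", "7.2.1", "10.0.0.10",
                  fake("switch.img", b"switch image v7.2.1"), "2024-05-01"),
        ToolClone("san-portal", "4.9", "10.0.0.20",
                  fake("san.img", b"san portal 4.9"), "2024-01-15"),
        ToolClone("dns", "9.18", "10.0.0.53",
                  fake("dns.tar", b"zone exports"), "2024-05-01"),
    ]
    manifest_path = os.path.join(tmp, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump(build_manifest(clones), f, indent=2)

    # Simulate damage after capture: the DNS clone is modified on the media.
    with open(clones[2].clone_path, "ab") as f:
        f.write(b"!!!")

    with open(manifest_path) as f:
        manifest = json.load(f)
    return verify_manifest(manifest, today=date(2024, 6, 1))


if __name__ == "__main__":
    for name, status in demo():
        print(f"{name:12s} {status}")
```

Run the verification from the standalone host each quarter, before the old clones are replaced: a `digest-mismatch` means the media copy no longer matches what was captured, and a `stale` result is the reminder to re-clone. Keeping the manifest beside the clones, rather than on a shared drive, is the point of the exercise.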
Ransomware is a widespread and growing concern, and IT ops tools are becoming ever more critical for safe and successful data center operations. When planning for infrastructure ransomware attacks, IT teams must consider not only data loss, but also the loss of infrastructure management ability. If an organization assumes its management and operations tools are safe — or doesn’t consider them at all — bad actors have a huge advantage.