CIO

Cybercriminals are actively trying to break ransomware-busting backup solutions

Continuous backup can counteract the effects of ransomware – until attackers work around it

Malware authors have been caught designing ransomware code to disable enterprise backup systems that might otherwise help victims recover their files, according to one security-industry research and development head.

Backup solutions from Acronis and other vendors have been explicitly targeted in code analysed during security development efforts, with some code trying to sneak under the radar by splitting itself into innocuous pieces that are assembled after they have passed security scanning engines.

“We have already seen ransomware that is trying to avoid our engine,” Acronis head of R&D Eugene Aseev told CSO Australia. “Criminals are always trying to invent new methods of escaping these protections, but we are also always working on improving our algorithms too.”

Those algorithms have become key defences in the fight against ransomware, which, new figures suggest, continues to catch many businesses flat-footed. Only 53 percent of enterprises have a formal process to deal with ransomware attacks, according to the ISACA State of Cyber Security 2017 survey, and a similar proportion reported experiencing more attacks in 2016 than in 2015.

Just 46 percent of respondents, however, were confident that their organisation could handle anything beyond simple cyber incidents. This bodes poorly for defence against ransomware, which continues to extract money from organisations that lack appropriate protections against it – or backups robust enough to restore files to the point before the infection encrypted them.

Such protective technologies work smoothly on desktop computers, but scaling them to a business environment is more complicated. Acronis, for its part, this month added its Active Protection to its business products, giving enterprises a higher degree of backup-based ransomware protection designed to allow instant rollback of files encrypted by ransomware.

Tools may be able to help avoid data and productivity losses, but Aseev warns that businesses expecting a ransomware silver bullet still need to remember the importance of the basics – a lesson that, the ISACA figures suggest, is still being lost on far too many businesses.

“It’s amazing to see how simple rules of cyber hygiene are not followed by so many organisations worldwide even in 2017,” he said, noting that the recent WannaCry outbreak was avoided by organisations that had patched their old Windows systems. “If affected companies had applied patches in time, they wouldn’t have been affected at all.”

Despite ransomware’s high profile in the news, security leaders must remember that it is only one of numerous threats targeting businesses: credential compromise, for example, is responsible for 4 out of 5 breaches, according to Verizon’s Data Breach Investigations Report 2017.

Acronis, for its part, is working to build a data protection ecosystem that builds on its backup capabilities. Within the next year or so, the company will introduce data restore verification features that use blockchain technology – already pioneered within the company’s data notarisation offerings – to confirm that the files restored after a malware attack are identical to the way they were before it.

“You really need multiple layers of data protection,” Aseev said. “It’s generally about the integrity and authenticity of the data.”
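As an added illustration of the restore-verification idea described above (not Acronis’s own code, which the article does not show), the following Python records an authenticated hash manifest of a backup and, after a restore, reports which files differ from the pre-attack state; it substitutes an HMAC whose key is held apart from the backup for the blockchain notarisation the article mentions. The file names, key and simulated ransomware behaviour are constructed for the demo.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    # Relative POSIX path -> SHA-256 of content, for every regular file under root.
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def build_manifest(root: Path, key: bytes) -> dict:
    # The HMAC key is held apart from the backup, so an intruder who can rewrite
    # backed-up files cannot silently rewrite the record of them as well.
    files = snapshot(root)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, "sha256").hexdigest()}

def verify_restore(root: Path, manifest: dict, key: bytes) -> dict:
    # authentic=False means the manifest itself was altered; the file lists are then untrustworthy.
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    authentic = hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), manifest["mac"])
    recorded, current = manifest["files"], snapshot(root)
    return {"authentic": authentic,
            "modified": sorted(n for n in recorded if n in current and current[n] != recorded[n]),
            "missing": sorted(n for n in recorded if n not in current),
            "extra": sorted(n for n in current if n not in recorded)}

def demo() -> tuple:
    # Constructed scenario: clean snapshot, then simulated ransomware overwrites one document
    # and drops a note; finally an attacker forges the manifest to match the damaged file.
    key = b"constructed-demo-key"  # assumption: a real key would live outside the backup store
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "docs").mkdir()
        (root / "docs" / "q1.txt").write_text("quarterly figures")
        manifest = build_manifest(root, key)
        (root / "docs" / "q1.txt").write_bytes(bytes(range(64)))  # stands in for ciphertext
        (root / "README_DECRYPT.txt").write_text("pay up")
        honest = verify_restore(root, manifest, key)
        forged = {"files": {**manifest["files"], "docs/q1.txt": sha256_file(root / "docs" / "q1.txt")},
                  "mac": manifest["mac"]}
        return honest, verify_restore(root, forged, key)
```

The first report names the overwritten document and the dropped note; the second shows that a manifest edited to hide the damage fails authentication because the attacker lacks the key.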

Even as new protections are rolled out, developers continue to explore new ways to fight malware as the industry’s game of cat-and-mouse with malware authors drags on.

As cybercriminals iteratively work out ways to deceive and circumvent the backup technologies in one version of a backup tool, Aseev’s R&D team is continually refining those technologies for the next version.

“The cycle comes for months, until you have broken detection and have to implement new technology,” he said. “During these several months we’re not just waiting until the detection breaks; we are building new algorithms, heuristics, and new engines that will tackle these and similar threats.”

“We are in a very good position: if you are always on time and always thinking about new methods to integrate into your software, you can have much more success than just pushing out new versions of signature database updates.”