The rise and rise of Ryuk
I am finding lately that my articles are turning into posts because there are a lot of things to say about the topics that catch my eye. Today, I was struck by an article in Toolbox which describes Ryuk as more dangerous than ever - possibly the most feared cybersecurity threat currently causing headaches for IT organisations!
The reason is that Ryuk has evolved new capabilities that allow it to spread across connected networks and systems, including those that are inactive or powered off.
French cybersecurity agency ANSSI has issued an alert about evolving capabilities in Ryuk ransomware that are making it difficult for enterprise security defenses to kill it or block its spread. The ransomware is now displaying worm-like capabilities that allow it to spread from an infected network to other networks or devices on its own.
What this article seems to confirm is the paramount importance of taking a layered or ‘circular fort’ approach to building secure defences against ransomware. Against an ingenious cybersecurity threat, which has the ability to self-propagate and spread laterally, there has to be an impregnable barrier that the intruder cannot breach or cross.
Once the host is infected, usually via a phishing email, access credentials can be stolen, and even powered off or shut down systems can be resurrected by a malicious Wake-on-LAN packet. And even if you are doing all the right things, you can never eliminate the possibility that your cloud provider might not be. Increasingly, cloud providers are being targeted as a means to hold their client organisations to ransom, as in this recent example.
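The Wake-on-LAN technique mentioned above is worth watching for on the wire: a magic packet is a UDP payload of six 0xFF bytes followed by the target MAC repeated sixteen times (optionally with a 4- or 6-byte SecureOn password), which makes it easy to recognise. The following is an added example, not code from the post, ANSSI or Toolbox, showing how a defender might parse magic packets from captured datagrams and alert when the sender or the target machine falls outside an expected allow-list. The sender allow-list, target MACs and sample datagrams are constructed for illustration.

```python
"""Detect Wake-on-LAN magic packets and flag those outside a local policy.

Added example: not the post's or any vendor's code. The magic-packet layout
(6 x 0xFF, then the target MAC 16 times, optional 4/6-byte SecureOn password)
is the standard WoL format; everything else here is constructed.
"""
from __future__ import annotations
from typing import Optional

SYNC = b"\xff" * 6  # synchronisation stream that opens every magic packet


def parse_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload is a
    well-formed magic packet, otherwise None (truncated, wrong sync bytes,
    inconsistent repetitions or an odd-sized trailer are all rejected)."""
    if len(payload) < 102 or payload[:6] != SYNC:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:          # all 16 copies must match
        return None
    trailer = payload[102:]
    if trailer and len(trailer) not in (4, 6):  # SecureOn password sizes
        return None
    return ":".join(f"{b:02x}" for b in mac)


# Constructed policy (assumption): only the management server may send WoL,
# and only these two machines are ever expected to be woken remotely.
ALLOWED_SENDERS = {"10.0.0.5"}
EXPECTED_TARGETS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}


def evaluate(src_ip: str, dst_port: int, payload: bytes) -> Optional[str]:
    """Return an alert string for WoL traffic that violates policy.
    Returns None for compliant WoL packets and for non-WoL payloads."""
    mac = parse_magic_packet(payload)
    if mac is None:
        return None
    if src_ip not in ALLOWED_SENDERS:
        return f"WoL to {mac} from unexpected sender {src_ip} (udp/{dst_port})"
    if mac not in EXPECTED_TARGETS:
        return f"WoL to unexpected target {mac} from {src_ip} (udp/{dst_port})"
    return None


def scan(datagrams) -> list[str]:
    """Run the policy over (src_ip, dst_port, payload) tuples, e.g. from a
    packet capture, and collect the alerts."""
    return [a for a in (evaluate(s, p, d) for s, p, d in datagrams) if a]


# Constructed sample datagrams standing in for captured UDP traffic.
_MAC_OK = bytes.fromhex("001122334455")
_MAC_ODD = bytes.fromhex("deadbeef0001")
SAMPLE_DATAGRAMS = [
    ("10.0.0.5", 9, SYNC + _MAC_OK * 16),            # management server: fine
    ("10.0.0.77", 9, SYNC + _MAC_OK * 16),           # workstation sending WoL
    ("10.0.0.5", 7, SYNC + _MAC_ODD * 16 + b"\x00" * 6),  # unknown target
    ("10.0.0.5", 9, b"hello"),                       # ordinary UDP payload
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_DATAGRAMS):
        print("ALERT:", alert)
```

In practice the datagram tuples would come from a capture or a network sensor's UDP feed rather than the constructed list; the useful signal is not the packet format itself but WoL arriving from a host that has no business sending it, which is exactly the pattern the post describes.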
Worse, according to the article:
“This new variant of Ryuk can infect a system repeatedly as it lacks an exclusion mechanism like Mutual Exclusion Objects (MUTEX), thus making the disinfection process extremely difficult.”
Tape is not, per the old acronym, “The Answer to Practically Everything” but what it does do, indisputably well, is provide offline data protection that malware cannot penetrate. Ransomware cannot spread to a completely disconnected tape that is secured in a vault. So even if you have a hyperconverged system capable of restoring a server in minutes, or you replicate everything to the cloud, it’s worth considering deploying tape as part of your ransomware defences.
A midrange tape library with 100 TB of storage can be bought for less than $30k. Compare that to the average ransomware demand in Q4 2020 which, according to cybersecurity specialists Coveware, stood at $154k, a sum that doesn’t include the financial damage caused by lost business, damage to brand reputation and customer faith or legal penalties for the breach.
People sometimes ask me “Why should I sell tape? Wouldn’t it be better to sell a technology of the future, like HCI or cloud?”
Surely, the evidence is mounting that tape is a technology of the future! And moreover, a technology of the future with some essential and very necessary benefits here in the present!