Is there a certain rule to follow for large-scale ransomware incidents? How does the ransomware usually disguise itself to make it hard to be defended?
There is incredible fragmentation in the types of threats in play today. The threats come in a number of different ways, behave a number of different ways and even provide threats differently. One example is some ransomware threats now will upload data instead of encrypting the data. This means the ransom is to prevent a public leak of potentially sensitive data. These disguises and behaviors make it very difficult to consistently defend against the landscape of threats. The certain rule to follow is to have increased awareness by monitoring and analytics of the IT environment to be aware of what is a normal behavior in the IT infrastructure.
Most ransomware software use data to blackmail. In this case, what are the best precautions for enterprises to take in data management?
I have realized this threat indeed. I have advised organisations to put in more encryption to help defend against this threat. Take for example backup data. Imagine the blackmail risk of using the whole backup of an organisation? I have been advising clients to implement more “nearline” encryption. Meaning, encrypt backups every step of the way, including the first disk resource on-premises. Encrypting backups historically is a great idea when tapes leave the IT facility or if data is transmitted over the Internet, but now with these threats, the need for encryption comes nearer.
After enterprises are infected with the blackmail virus, what measures should they take to recover the data?
Ideally resiliency implementation can prevent this situation; and this is beyond the previous recommendation around encryption. Consider the primitive fact that enabled that behavior: how did the threat get in? How did the data get out? Were there monitoring and analytics in place to identify that?
In the event that the blackmail threat is realized; it is usually too late to remediate. This is why I’m recommending more encryption in use throughout; as encrypted backups or other data are useless out of the management realm. 
Some enterprises would purchase decryption tools by contacting hackers through a third party to pay the ransom. If they are not willing to bow to evil forces, what should they do?
The IT security community generally is consistent in recommending that victims never pay the ransom.
One of the best courses of action is to engage with a breach task force. There are IT security firms that specialize in the analysis of what happened and can advise preventing this from happening again.
Above all, take this question and ask yourself as an IT decision-maker – do you want to be in this situation? No. Therefore your time to act is now. Implement ultra-resilient backup storage, implement stricter security measures all-around, secure the critical parts of your infrastructure and more.
From the cases in recent years, what are the main industries that blackmail virus attacks? What is the security awareness of the above industries?
The threat actors have no soul. So much so, there is no discrimination or preference either against one industry or another.
The iteration of ransomware is changing with the update of defense software. How can we improve the security level of the Internet?
This is the constant back and forth battle; we all need to improve our IT resiliency – continually. And constantly re-assess the risks and opportunities to be resilient with your technology deployments. In my professional practice here at Veeam, I am constantly working to improve my technical recommendations based on the threat landscape. I recommend IT organisations do the same.
Discussion about this post