Few organizations are able to continue operating after being hit by ransomware, let alone be able to quickly get services back online. Those few who can are likely assisted by cloud-based services as those systems tend to remain unaffected.
By Jeff Chan, Technical Advisor, MOXFIVE
Recent data shows that nearly 70% of organizations now host more than half of their workloads in the cloud, with overall cloud adoption growing 25% in the past year. With this increase in the adoption of cloud-based services, organizations are well on their way to moving existing services from on-premises to the cloud. One of the biggest and most notable benefits for organizations making this shift is that the security risk and IT management gets transferred to the vendor. Organizations can significantly reduce the amount of time they spend managing infrastructure, updating software, and upgrading hardware by transferring these tasks to their vendor, who is then responsible for ensuring that services are up, systems are updated, and Service License agreements (SLAs) are met. What’s more, cloud-based services can provide a significant benefit when dealing with a ransomware incident.
In the event of a ransomware incident, cloud-based systems tend to be unaffected, since these services and the servers hosting them are not running on the organization’s domain/network. In my experience, only a few organizations have been able to continue operating even after being hit by ransomware or have been able to quickly get services back online within a matter of a couple of hours/days. Those few were likely assisted by the number of cloud-based services they were using.
Lessons from a Law Firm
In 2020, a law firm was tasked with restoring its impacted environment, which contained a couple of on-premises Exchange servers (email) and a document management system. Unfortunately, their backups were targeted by the threat actor and these backups were impacted in such a way that trying to recover data from them required an extensive amount of time. For this law firm, their email servers and document management system were critical as their core business relies on email communications and contracts stored on those systems. Restoring their email servers to a functioning level took approximately 7-10 days, increasing the firm’s stress as they were unable to operate for those days and had to resort to other methods to connect with their clients.
A year later, another law firm of relatively the same size was impacted by ransomware. Fortunately for them, they recently migrated their email services from on-premises to Microsoft 365 and were therefore able to continue operating as usual. Roughly 80% of their business was up and running immediately after the incident happened, and only a handful of non-critical systems were impacted by the ransomware. Having these cloud-based solutions minimized their business impact, which allowed the law firm to keep calm throughout the response efforts knowing that they would still be able to operate and run their business.
Building Off a Solid Foundation
It’s clear that cloud-based services have their benefits, but it is also important to secure the data in those services. These services are still vulnerable to attacks and threat actors can log into these services and get creative with the information and services to which they are exposed. So, when you’re considering going to a cloud-based service, make sure to implement a few cybersecurity basics, such as:
- Enforcing a strong password policy.
- Setting up Multi-Factor Authentication (MFA) using a software or hardware token.
- Enhancing logging capabilities and regularly monitoring logs.
- Limiting the number of users with administrative roles.
- Implementing IP whitelisting and geo-blocking, if possible.
When you consider making a move to a cloud-based service, it’s important to understand why you are doing it and if it makes sense for your organization. In most cases, it’s simple: You let someone else manage your services so that you don’t have to, it makes it easier to scale as needed, and allows your organization to focus on what matters. And if you ever get impacted by ransomware, you can more confidently trust that these applications will keep functioning, minimizing the stress of recovery.
About the Author
Jeff Chan is a technical advisor at MOXFIVE who is a technical cyber security leader that has helped build incident response teams and has led a large number of digital forensics and incident response investigations. As a technical advisor, Jeff has assisted clients in managing incidents and recovering their networks from cyber security attacks. Jeff can be reached online at his LinkedIn profile at https://www.linkedin.com/in/jeffrey-chan-h/ and at MOXFIVE’s website https://www.moxfive.com.