Protecting yourself against ransomware with Box

Let’s talk about ransomware

The more things change, the more they stay the same. Even with new and terrifying attack vectors, the advent of AI and all the security implications it brings, and bad actors multiplying their methods at an incredible pace, ransomware remains one of the most prevalent threats. We have seen major file transfer service providers breached, leading to an enormous amount of compromised content; extremely visible attacks on major casinos, which resulted in MGM being temporarily shut down; and a massive breach in the healthcare industry exposing the private information of millions of people.

That’s right, ransomware played a role in all of these security incidents. That’s not surprising: ransomware is present in 70% of malware breaches, so if the bad actor breaching your system is leaving something behind, odds are it’s ransomware. That ransomware will corrupt, encrypt, or otherwise keep you from accessing your most critical content, with the intention of holding it ransom (it’s in the name) until you pay whatever the attackers demand. Even paying might not help, though, as many bad actors never had any intention of unlocking your content whether you paid or not. These are the bad guys, remember; we can’t just take them at their word.

So, all bad options, right?

That’s why it is so important that organizations have solutions in place to detect malicious content that might be delivering ransomware to your network, and tools in place to effectively recover from an attack by restoring corrupted or lost content quickly enough to avoid major disruption. Let’s explore some effective strategies to keep you from being the next news story.

Seeing is defending

Arguably, the single most important factor in effectively securing your content is visibility. Remember, ransomware is the payload, not necessarily the breach. But that creates a tricky situation, because odds are the bad actors aren’t dropping “RansomwareYesTheBadKind.exe” on your network. These payloads are disguised and often difficult to detect, especially if you have the misfortune of being an early target of a strain before word gets out. It’s important to have malware detection that is intelligent and able to identify sophisticated malware using pattern recognition and file characteristics. If even one piece of malicious content makes it through, it can propagate and grow into a major disaster.

Seeing the threats early, seeing user behavior and sharing patterns, even just seeing your content being modified at large scale can all enable your admins to take remediating actions quickly enough to actually make the difference. Ransomware has some distinctive activity patterns (for instance, mass encryption of content) that, if identified quickly enough, can be mitigated or blocked. Bad actors are counting on your organization to miss these signs until it’s too late, so potent visibility tools can give you a chance to foil their attack.
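To make the "content being modified at large scale" signal concrete, here is an added example (not Box's detection logic or any Box API) that flags accounts changing many distinct files within a short sliding window and returns the affected files as a starting scope for recovery. The event tuple layout, action names, window, and threshold are assumptions, and the log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WRITE_ACTIONS = {"modify", "rename", "delete"}  # assumed action names

def find_mass_modification(events, window=timedelta(seconds=60), threshold=20):
    """Flag users who change >= threshold distinct files inside one sliding
    window. Returns {user: {"start": datetime, "files": [paths]}}."""
    recent = defaultdict(deque)  # user -> (time, path) pairs still in window
    flagged = {}
    for ts, user, action, path in sorted(events):
        if action not in WRITE_ACTIONS:
            continue  # reads and previews are not damage
        when = datetime.fromisoformat(ts)
        if user in flagged:
            # Already alerting: keep extending the damage scope for recovery.
            if path not in flagged[user]["files"]:
                flagged[user]["files"].append(path)
            continue
        q = recent[user]
        q.append((when, path))
        while when - q[0][0] > window:
            q.popleft()  # drop events older than the window
        distinct = list(dict.fromkeys(p for _, p in q))
        if len(distinct) >= threshold:
            flagged[user] = {"start": q[0][0], "files": distinct}
    return flagged

def sample_events():
    """Constructed log: alice edits normally, bob's account rewrites 30 files in 30 s."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    events = []
    for i in range(5):
        t = base + timedelta(minutes=12 * i)
        events.append((t.isoformat(), "alice", "modify", f"/reports/q{i}.docx"))
    for i in range(30):
        t = base + timedelta(minutes=30, seconds=i)
        events.append((t.isoformat(), "bob", "modify", f"/finance/doc{i}.xlsx"))
    events.append(((base + timedelta(minutes=31)).isoformat(), "bob", "read", "/finance/doc0.xlsx"))
    return events

if __name__ == "__main__":
    for user, hit in find_mass_modification(sample_events()).items():
        print(user, hit["start"].isoformat(), len(hit["files"]), "files in scope")
```

The threshold and window need tuning against normal bulk operations such as sync clients and migrations, which can otherwise look like the same burst.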

Be prepared to bounce back

We live in a world where there are (at least) several bad actors for every diligent cybersecurity professional, and they have the initiative. Eventually, the wrong person will click on the wrong email attachment and you’ll be facing a malware incident. The main difference between well-prepared organizations and those that are vulnerable is not just their layers of protection, but how ready they are to bounce back from a successful attack.

Effective recovery from a ransomware attack is composed of two main elements: containing the spread and recovering lost data. For containing the spread, it’s critical to have tools to cut off the ransomware’s access to content, so that you can begin recovering without worrying about further damage. Once you’ve contained the incident, you need to get insight into the content impacted before you can recover it. Any recovery process has to begin with an understanding of the business impact of your content and, if necessary, a prioritization strategy to ensure the most important content is recovered immediately.

Fighting ransomware with Box

Since Box is a non-executable environment, malicious files don’t pose a direct risk to the Content Cloud. However, our customers still don’t want malicious files being passed around their network. To catch these files before they can reach vulnerable endpoints, we have built an intelligent malware scanning solution, Malware Deep Scan, that examines files for malicious traits. By inspecting the contents of the file to identify malicious elements, we are able to automatically identify and stop malware from being shared from Box.

But what about when an employee brings their favorite virus-infected thumb drive to work? For these scenarios, Box is developing a set of tools to fight ransomware, with the first step being our new Content Recovery tool. Content Recovery was designed to help rapidly recover ransomware-encrypted content, enabling admins to review file activity over the past 30 days for compromised user accounts, identify the scope of damage, and recover the files with precision. Whether simply recovering all damaged files or prioritizing particularly important content, this tool accelerates the recovery of content from what could take days to minutes and hours.

We aren’t stopping with recovery, either. Later this year, Box will be adding a new advanced detection rule to catch ransomware activity early, before it has a chance to spread, and new protection tools to help admins rapidly terminate compromised user sessions, mitigating the potential damage.

At Box, we are committed to providing our customers with frictionless security against any threats aimed at their critical content. Whether it’s a ransomware attack, or a bad actor with stolen credentials, or just an employee oversharing sensitive content, we are focused on providing the tools to keep your content in the right hands.
