Ransomware Epidemic Hits Epic Proportions, And IBM i Shops Take Notice
May 17, 2021 Alex Woodie
The ransomware outbreak hit home for millions of Americans last week when attackers shut down a major East Coast pipeline as well as a hospital network on the West Coast. For IBM i shops, the events are a potent reminder to re-evaluate network security and data protection systems to ensure they are resilient to attack.
You could be forgiven for thinking you were watching an episode of Mr. Robot last week as news spread of the shutdown of the Colonial Pipeline network, which carries 45 percent of the gasoline for the entire East Coast of the United States through 5,500 miles of pipes. Thousands of gas stations in the Southeast ran out of fuel amid the supply interruption and the subsequent hoarding by panicked motorists.
The FBI attributed the attack to a criminal group called DarkSide, which locked up Colonial Pipeline's computer systems with ransomware. The group used a variant of the "REvil" ransomware-as-a-service to encrypt the pipeline operator's computers, according to a report from Flashpoint-Intel. According to Bloomberg, Colonial Pipeline paid a ransom of nearly $5 million to DarkSide, and as of late last week the company was still working to restore fuel deliveries.
Before it abruptly shut down operations last week, DarkSide cultivated an image somewhere between criminal and philanthropist. The group, which reportedly has ties to Russian-speaking countries, brought in at least $60 million in the first seven months of its existence by attacking corporate computer systems, according to the blockchain analysis firm Chainalysis. DarkSide also publicly claimed to donate a portion of its proceeds to charities, a sort of modern twist on the Robin Hood story. (Mr. Robot, of course, recruited hackers into his fsociety to delete the debt records held by the fictional Evil Corp.)
Meanwhile, in California, another ransomware attack took down the computer systems of Scripps Health, a $3.2 billion non-profit health network that operates five hospitals and employs 13,000 workers in San Diego County. The attack forced staff to fall back to manual, paper-based record keeping and delayed radiation treatments for cancer patients. As of this newsletter's deadline, Scripps was still offline, with no timetable for a return to normal operations.
Ransomware On The Rise
If it seems like there are more ransomware attacks occurring, that is because there are. According to a recent report from the Institute for Security + Technology's Ransomware Task Force, both the number of attacks and the size of the payouts rose sharply in the past year. The report found that victims paid an estimated $350 million in ransom in 2020, a 311 percent increase over the previous year. The average payment, typically made in Bitcoin, was over $312,000, an increase of 171 percent.
The impact of ransomware is being felt by organizations large and small, including at IBM i shops, says Jim Kandrac, president of UCG Technologies, which provides the VAULT400 data protection and disaster recovery services for IBM i and other servers.
“Generally we don’t hear a whole heck of a lot until there’s a problem,” Kandrac tells IT Jungle. “However, there are a certain number of customers that are proactive. It’s fewer that are proactive than reactive. Unfortunately, having said that, this recent cyberattack on the East Coast has caused, certainly, more of a concern with people.”
UCG Technologies sells data protection gear and services that can help companies recover quickly from a ransomware attack without paying the ransom. Paying is not only expensive but legally risky: in an October 2020 advisory, the U.S. Treasury Department's Office of Foreign Assets Control warned that a payment to a sanctioned individual or group can violate U.S. sanctions law, whether or not the payer knows who is on the other end. Having ready access to high-quality, recent backups of your data, whether they sit on tape, on a VTL device, or in the cloud, is the single most important factor in limiting how badly ransomware disrupts your operations.
In addition to backup and disaster recovery solutions, UCG Technologies offers cybersecurity training designed to stop ransomware attacks before they start. The Cleveland, Ohio, company has a partnership with KnowBe4, a Tampa, Florida, firm that conducts phishing tests and security awareness training. UCG has also teamed up with another Cleveland company, Briteskies, which provides IBM i security services that can reduce the chance of an IBM i server being affected by ransomware in the first place.
“I believe that training to educate people what not to click on is as important as the data protection,” Kandrac says. “As we say, we’re protecting the front door and the back door with the VAULT400 and the DR, but we’re also protecting the side doors and the windows with the KnowBe4 managed service, because guess what? That’s where people are getting in today. They’re getting in because Joe or Sally clicks on an email that says ‘help Pizza Hut celebrate our anniversary, click here for a free personal pan pizza,’ or whatever.”
IBM i Impact
Unfortunately, attackers have gotten very good at disguising phishing links, and it is increasingly difficult to tell legitimate correspondence from an email or text message that leads to a malicious website where ransomware is downloaded onto your PC.
Once ransomware is running on a PC, it encrypts whatever that PC can reach and write to over the network, including the corporate file shares that hold the company's most valuable data. And yes, that includes the IBM i's Integrated File System (IFS), the PC-style hierarchical file system that sits alongside the library file system. The malware does not run on IBM i itself, but it does not need to: any IFS directory exposed through an IBM i NetServer share that the infected user can write to will be encrypted just as readily as a Windows or Linux share, and with exactly the authority that user holds on the system.
As the ransomware epidemic has grown, it has gotten the attention of IBM i security experts. Back when ransomware was just starting to hit the mainstream in 2017, HelpSystems' PowerTech subsidiary shared the story of an IBM i shop that found nearly a quarter million infected files on its IFS. The company used its Bytware antivirus software, which scans the IFS natively, to detect them.
Another security vendor that’s working to fight the ransomware epidemic is Raz-Lee Security, which launched its Anti-Ransomware offering back in 2018. Last summer, Raz-Lee bolstered its offering with the capability to simulate a ransomware attack on an IBM i server.
While third-party software can help, there is plenty that IBM i shops can do on their own to lessen their exposure to ransomware and reduce the odds of it disrupting IBM i operations.
Last fall, Robert Andrews, the team lead for IBM i Security and Authentication Lab Services, wrote a comprehensive story about how ransomware can impact IBM i. Called “Ransomware and IBM i,” the five-page article is a must-read for IBM i administrators who want to protect their systems.
Andrews offers a lot of commonsense tips that should be obvious, such as "never share the root (/)" directory of the IFS, which would hand a single mapped drive on an infected PC the entire file system. But sometimes it is helpful to re-state things that appear to be obvious.
Andrews also offers some less-obvious advice, such as making sure share points for the IFS "are as far down the directory path as possible." The deeper the share point, the fewer files are reachable from the network, and the less a compromised PC can damage. "If only a certain sub-folder of an application needs to be accessible from the network, do not share the entire application folder. Share just the sub-folder containing the needed data," Andrews writes.
Andrews updated the article this month; it is available at ibm.ent.box.com/v/Ransomware-and-IBMi, and it is worth re-reading.
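As an added example that is not part of the original article or of Andrews's paper, here are two Db2 for i queries an administrator can run (from ACS Run SQL Scripts or STRSQL) to check a system against the share advice above. The first flags NetServer file shares that expose the root, the QSYS.LIB file system, a top-level directory, or any read/write path; the second lists the PCs currently connected over SMB, which is what you want to know first when a workstation is suspected of being infected. The queries assume the IBM-supplied QSYS2.SERVER_SHARE_INFO and QSYS2.NETSTAT_INFO services (IBM i 7.3 and later with current Db2 for i group PTFs); the severity labels and the PERMISSIONS values 'READ ONLY' and 'READ/WRITE' are as documented by IBM, but confirm them against your release before relying on them.

```sql
-- Added example, not from the article or from IBM's "Ransomware and IBM i".
-- Assumes the QSYS2.SERVER_SHARE_INFO service; severity labels are our own.

-- 1. Rate every NetServer file share by how much of the IFS it exposes.
--    Each row is a path that an infected PC with this share mapped can
--    encrypt, limited only by the authority of the user who mapped it.
SELECT server_share_name,
       path_name,
       permissions,
       current_connections,
       CASE
         WHEN path_name = '/'              THEN 'CRITICAL: root (/) is shared'
         WHEN path_name LIKE '/QSYS.LIB%'  THEN 'CRITICAL: library file system is shared'
         -- one slash only, e.g. '/home' or '/apps': a top-level directory
         WHEN LENGTH(path_name) - LENGTH(REPLACE(path_name, '/', '')) <= 1
                                           THEN 'HIGH: top-level directory is shared'
         WHEN permissions = 'READ/WRITE'   THEN 'MEDIUM: writable share'
         ELSE 'OK'
       END AS exposure
  FROM qsys2.server_share_info
 WHERE share_type = 'FILE'
 ORDER BY exposure, path_name;   -- CRITICAL sorts before HIGH, MEDIUM, OK

-- 2. Which remote addresses hold an SMB session right now. NetServer
--    listens on 445 (and 139 on older configurations). Assumes the
--    QSYS2.NETSTAT_INFO service. Run this during an incident to see which
--    workstations can currently write to the shares listed above.
SELECT remote_address,
       remote_port,
       local_port,
       tcp_connection_status
  FROM qsys2.netstat_info
 WHERE local_port IN (139, 445)
   AND tcp_connection_status = 'ESTABLISHED'
 ORDER BY remote_address;
```

Run the first query after every share change, and treat anything rated CRITICAL or HIGH as a share to remove or re-point at the deepest sub-directory that actually needs network access, with read-only permission wherever the PC only needs to consume the data.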
Air Gap Year
Even IBM i shops that have invested heavily in backup and disaster recovery processes can still make costly mistakes. The most common one is keeping the backups within reach of the production network: if the backup target is a share or a device that production credentials can write to, modern ransomware will find it. Many strains deliberately enumerate reachable shares and encrypt or delete backup data before they announce themselves, precisely so the victim has no choice but to pay. Backups need to live somewhere the malware cannot write, whether that means offline media, a separately authenticated repository, or storage that cannot be altered once written.
Air-gapping is an increasingly popular way to achieve that. Bob Hicks, the COO of Recovery Point, a full-service disaster recovery provider based in Germantown, Maryland, says he is seeing an uptick among businesses asking for air-gapped data protection, specifically to protect against ransomware.
“Some people want air gapping of their data. They want their data repository to not be online anywhere, to protect against malware or ransomware,” Hicks told IT Jungle for a company profile in October. “We’ll maybe pick a replication target and a backup target here in Germantown, and then we’ll take that data, spin it to tape, pull the tapes, and put it in a vault. And those tapes are impenetrable to any online malware or ransomware.”
It may seem quaint to be using tape in a world full of high-speed networks, sophisticated high availability software like MIMIX, and continuous availability offerings like IBM's Db2 Mirror. But those offerings provide no protection from ransomware. Replication does exactly what it is designed to do: it faithfully copies the newly encrypted files to the secondary system, potentially making the problem worse (especially if your backups are taken from that secondary copy).
“We don’t see it much in the IBM i world, but in the Intel world, some people confuse replication as backup, and it’s not,” Hicks says. “You need to have a backup strategy, and a retention and archive strategy, and then you need a replication strategy. Replication is for recovery. Backup is for data backup and protection.”
With ransomware on the rise, IBM i shops should take steps now to make sure their houses are in order and can withstand an attack. First and foremost, verify that you have good backups and that they cannot be reached from the production network. Then lock down system and network access, starting with the NetServer shares, to the greatest extent possible. Lastly, train users to recognize phishing attempts, since that is how most ransomware gets into the network in the first place.