Skip to main content

How to Navigate Ransomware Attacks

We know from the IBM Cost of a Data Breach Report that the average time to identify and contain a data breach is 277 days–207 days to identify the breach and 70 days to contain the breach. The report also found that the average cost of a data breach is $4.35 million. And we know from IBM’s X-Force Threat Intelligence Index 2022 that manufacturing outpaced finance and insurance in the number of cyberattacks levied against these industries. The report says that 47% of attacks were vulnerability exploitation, 40% were phishing, 7% were removable media and brute force and stolen credentials were both at 3%. It also reported that attackers are increasingly using cloud-based messaging and storage services to blend into legitimate traffic. And some groups are experimenting with new techniques in encryption and code obfuscation to go unnoticed.

Mainframes as a Target

Mainframes make an obvious target because they are full of useful information that the bad actors can make money from by selling on or using themselves. In addition, mainframe sites are usually in companies that can afford to pay the ransom, while at the same time needing to keep news about the hack to themselves to prevent loss of confidence in them by their suppliers and customers. Those companies also need to prevent the consequential loss of revenue that would occur.

Gaps in Security

In the continuing arms race between the bad actors–who may well be members of criminal gangs or nation-state hacking teams–and the IT team at any company, newer software that can help the ‘good guys’ has got to be welcome.

Too many sites, when they are rehearsing their business continuity plan (BCP), are very much focused on restoring their data–which is clearly important but is only a part of the recovery process. Pencil and paper exercises for business continuity usually simply tick the box showing that backups have been taken and can be used to restore the data. People using immutable backups–either with IBM’s safeguarded copies or Dell’s snapsets–feel even happier as they tick the box. With hourly backups into an air-gapped box, they will have no problems restoring their system, they think.

Examining Cyberattack Techniques

Let’s look at what hackers typically do once they have penetrated your network and gained access to your mainframe. As any hacker who has ever been caught in the early stages of a hack knows, it’s important to create some backdoors into the system. That way, if they are pushed out, they have a different route to get straight back in.

In addition to creating backdoors, they may leave a few time bombs. These are malware that expect to receive a certain key from the hacker at fixed intervals (maybe every 24 hours). If the malware doesn’t receive the key, then something has happened to the hacker (they’ve been pushed off the mainframe) and the malware runs, usually causing serious damage to data.

Hackers will also be trying to raise their security status on the mainframe so that their programs have a higher authority to cause damage. The authorized program facility (APF) identifies system or user programs that can use sensitive system functions. The problem for the defensive IT team is that there are already typically 200 to 300 APF datasets and thousands of programs authorized on modern z/OS systems.

All three of these activities can involve changes to, or even the creation of, system software, changes to parameters and possibly changes to application software. And these all occur in the early stages of a ransomware attack. So, if you don’t have any software that could identify that these changes have been made, when you come to restore your data probably days or weeks later, you will still have (or be restoring from your snapset/safeguarded copy backup) those same changes to your infrastructure. As a result, the hackers will be able to get back into your system using the backdoors and carry on with their nefarious work.

Integrity Monitoring Software

Luckily, there is software available that can identify when these kinds of actions are taking place. This is Integrity Monitoring (IM) software, which can identify unauthorized infrastructure changes as they happen. And that means any hacking attempt can be nipped in the bud. The other clever thing about IM software is that it can maintain a whitelist of programs that are allowed to run on a mainframe. The National Institute of Standards and Technology (NIST), Payment Card Industry’s Data Security Standard (PCI/DSS), the 2014 The Federal Information Security Modernization Act (FISMA) and others recommend the use of a whitelist. If any applications run on your mainframe that aren’t on the whitelist, the IM software will identify them. It will also identify who started the job and any files that the malware has affected. The programs can be quarantined, and the user can be suspended. This can happen automatically (policy driven), again stopping the action of the hackers in the very early stages.

But suppose the warning messages are missed for some reason; the hacker’s next target is to exfiltrate the data from the database to sell elsewhere, and then corrupt or encrypt the data. Most BCP tests will assume that the data can be restored from backups. The bad actors learned a few years ago, that to succeed with their ransomware attack, they needed to corrupt the backups first to stop organizations from using them to restore their data. The good news is that modern mainframe-based integrity monitoring software can check backups to see whether they have been changed. If they have, then this is another warning sign that a hack is taking place. The IM software will send alerts and the ransomware attack could be stopped at this stage.

Because the IM software already knows which backups have been corrupted, which ones are OK and which ones have corrupt files on them, it can use that information to create the restore job needed to restore everything back to how it should be. The IT team, when they’ve checked the job, can run it. In addition, the IM software can next be used to verify that the restored files are in the correct state. No backdoors and no time bombs are left.

A Sample Scenario

But let’s suppose that all the earlier alerts sent by the IM software have been ignored. The recent backups have been corrupted, the data has been encrypted and you’ve just found that your safeguarded copy data is corrupt–what do you do? One way is to re-IPL from recent safeguarded copy files until you find one that isn’t corrupted. You then replace everything on your mainframe with that. However, that will take time and still leave the infrastructure corruptions in place (backdoors, etc.). And, while your phone is ringing off the hook and senior managers are standing behind your chair demanding action, there isn’t always a lot of time available. The question to ask before this happens is, “How long can my company stay in business without a working mainframe?”

IM Software Solutions

Again, IM software has the solution. As mentioned earlier, it knows which backups are good and which are corrupt. It can create the restore job that’s needed to get everything back to an uncorrupted state. It can also integrate restores from immutable backups and Data Facility Data Set Services (DFDSS) or FDR backups, thereby removing the infrastructure corruptions too. And, as mentioned above, it can verify the restored files.

In order to stay one step ahead of the bad actors and their ransomware attacks, it’s important to use the latest software designed to do just that. That’s where products like FIM+ from MainTegrity come in. Alternatively, start working out how to get your hands on some Bitcoin to pay the ransom!