The Gately Report: VMware Zeroes In On Ransomware Recovery
Plus, two Danish hosting firms have been nearly shut down by ransomware attacks.
Channel Futures: When it comes to shortening ransomware response or recovery time, what difference can that make as far as the potential for damage or impact?
Mark Chuang: What is so challenging about these modern attacks is that it ultimately is an existential threat. Unfortunately, I’ve seen articles out there literally about hospitals that have gone out of operations because they could not recover their systems within some reasonable amount of time. So anything that we can do to help our customers to shorten that recovery time of course helps them get back up to operations, but even more importantly, it helps them to get back to the business of serving their own clients and customers.
And in the case where we see health care organizations, state and local governments and educational institutions being impacted, there is a very real human side of this when hospital patients or citizens, or students can’t go about getting access to very important services to them. So again, anything that we can do, even if we’re just shortening it by days, and in many cases weeks and even months, it helps them avert the impact of this existential crisis.
CF: What’s the optimum recovery time? How short can it be?
MC: I guess the short answer to that would be as soon as possible because we’re seeing dwell times that can be as long as weeks or months before you actually realize that the ransomware is in your environment. And then I’ve personally seen some of the efforts with customers with VMware, where before they adopted our solution, they’ve been hacked. And there are cases in which it’s taken them three, four or five months before they’re back up and running. And so, again, anything we can do to bring that time shorter is highly valuable.
CF: Are threat actors shifting their tactics and techniques when it comes to ransomware? And is it tough to keep up with what they’re doing?
MC: Absolutely. We point to a seminal point in time, roughly five or six years ago, in which we saw the uptick of these more sophisticated fileless, living-off-the-land type of attacks where in the traditional antivirus approaches of doing signature-based scans, we’re not going to find these because they don’t leave traces in the file system. They’re running in memory. They’re leveraging legitimate OS libraries, Java libraries, PowerShell, etc. They’re actively attacking the media servers where the backups are being stored. And so the sophistication definitely has gone up.
Not surprisingly, I think that correlates to the lucrative payouts that they can get. And so we’re constantly evolving as well. That’s where leveraging the next-generation antivirus from VMware’s portfolio that takes advantage of artificial intelligence (AI) and machine learning (ML) as it understands what the threat landscape looks like across all of our customer set, and using that insight to understand what’s the latest, what’s happening out there as opposed to a static approach.
CF: Is the evolving threat landscape shaping VMware’s solution strategy when it comes to cybersecurity?
MC: Obviously cybersecurity is a very broad area. So if I look across VMware’s entire portfolio and the areas in which we are most able to help customers, it can extend all the way from how we harden our hypervisor, ESXi, even better so that it protects against attacks, to our solutions that can help with network intrusions and detecting that as early as possible so that if an attack does penetrate the perimeter, to keep it from spreading and limiting the blast radius, to our solutions like Carbon Black, which can assist with the endpoint protection as well as protection of the data center.
And then finally you have to have both preventive measures as well as recovery measures. There are so many other facets of cybersecurity, but those would be some of the main ones, especially as it relates to this business scourge of ransomware that companies of all sizes have to face.
CF: Are there things that organizations still aren’t doing that are leaving them vulnerable?
MC: Part of it is just sometimes a perception of having sufficient protection, but not understanding the nature of the latest types of attacks. For instance, I will get questions like, “Well, I have immutable air-gap backups, I think that’s good enough.” And then my team and I will share that it’s super important that you have immutable air-gap backups, but actually you do need a lot more, right? That’s just table stakes. And then we walk them through how fileless attacks can’t be detected just by scanning backups, how you’ve actually got to power on those replication points and observe the behavior, looking for suspicious activity to help you determine if there is dormant ransomware or if it is clean. And so I think that’s one of the biggest challenges I’ve seen, which is organizations aren’t fully aware of these latest types of attack techniques and therefore what they actually need in order to confidently recover.
CF: Is partner feedback impacting VMware’s product strategy when it comes to cybersecurity and if so, how?
MC: Absolutely. Whether it be on the preventive side with NSX+ that was just announced, talking about how that’s going to increase the visibility that organizations will have about what’s happening with their network so that they can stop attacks earlier, whether it be the enhancements we announced on the ransomware recovery-as-a-service side, that’s all based on customer feedback where they said, “We love the solution; here are ways that you can make it even better for us.”
CF: AI and generative AI have been a massive topic at VMware Explore. How does cybersecurity fit into that?
MC: I’ll cite two examples. Within our ransomware recovery-as-a-service solution that leverages Carbon Black’s next-generation AV, they already leverage AI by understanding all the different threat attacks that they see and bringing that insight to help identify what may be happening today. So that’s already one application of AI that’s happening.
On the generative AI side, I would just point to the demo … in which they showed how generative AI that would be within VMware NSX can help customers to much more quickly gain insight from all the data that is being collected and generated about what’s happening within the customer’s networking environment. Generative AI is all about speed to insight, because the data is there, it’s a matter of helping to gain the insight out of that data.
CF: VMware Private AI Foundation with Nvidia was just announced. What if a partner or customer asks if it’s safe?
MC: Security, privacy and the prevention of IP leakage were key design tenets of the VMware Private AI Foundation strategy and offering. It’s really putting the ability in the hands of organizations to be able to leverage this solution from VMware and Nvidia to be able to run their own private large language models (LLMs) with their own proprietary data sets in order to gain those important business insights. That’s going to help differentiate their respective businesses. So I would say one of the primary objectives of us collaborating with Nvidia to roll out this solution is exactly the point that you brought up.
CF: What do you find most dangerous about the current threat landscape?
MC: Like in so many things, it’s a matter of organizations fully understanding the nature of the threat and having plans to be well-prepared for it. VMware has solutions to be able to help customers with it, but I still have a lot of conversations where I’m educating and raising the level of awareness of why modern ransomware is different than ransomware that may have been on the scene five, 10 years ago.
CF: Any sneak peek of what’s coming next in terms of cybersecurity?
MC: I would just say stay tuned. The strategic directions, that won’t change, so you’ll see continued innovations along the lines of helping customers to fully get the value from a multicloud environment, and then secondly generative AI. Not surprising, right? We do think that will be a seismic shift for the entire industry. And so strategically, those will remain perhaps the two most important investment areas for us.
In other cybersecurity news …
Danish hosting companies CloudNordic and Azero have been hit with ransomware attacks that have resulted in significant data loss and a complete shutdown of systems.
CloudNordic and Azero are owned by Denmark-registered Certiqa Holding. It also owns Netquest, a provider of threat intelligence for telcos and governments.
Both CloudNordic and Azero posted the same message on their websites of the attacks that took place on Aug. 18. Hackers shut down all systems, including websites, email systems, customer systems, their customers’ websites, etc.
The break-ins have completely paralyzed both CloudNordic and Azero, “which also hits our customers hard.”
As the companies “cannot and do not want to meet the financial demands of the criminal hackers for ransom,” their IT teams and external experts have been “working hard to get an overview of the damage and what was possible to recreate,” the messages said.
“Unfortunately, it has proved impossible to recreate more data, and the majority of our customers have thus lost all data with us,” it said. “This applies to everyone we have not contacted at this time. We are deeply affected by the situation, and are aware that the attack is also very critical for many of our customers. In addition to data, we also lost all our systems and servers, and have had difficulty communicating. We have now re-established blank systems, e.g. name servers (without data), web servers (without data) and mail servers (without data).”
Kevin Kirkwood, deputy CISO at LogRhythm, said the operational status of both companies remains up in the air, as only a portion of servers have been partially restored and lack data. The company emphasized its decision not to pay the ransom, instead collaborating with cybersecurity professionals and involving law enforcement.
“Unfortunately, ransomware attacks continue to target businesses with substantial IT data,” he said. “Effectively countering these cyber threats demands thorough readiness, and enterprises must adopt a proactive stance, investing in cybersecurity solutions capable of preemptively identifying malicious cyber activities and empowering network systems to repel further breach attempts. Additionally, firms should establish data backups, formulate response protocols, and prioritize staff training to manage attacks and sustain operations.”
However, while backups help in recovery, they can’t prevent data leaks, Kirkwood said.
“Businesses should consistently prioritize prevention and detection tools, ensuring proper protective measures and comprehensive visibility across their network landscape,” he said. “Additionally, zero trust should be applied across all internal IT landscapes. Without it, organizations are only protected to the outside edge of their systems, and once attackers get in, they have free access across internal systems.”
Nuspire’s Second Quarter 2023 Threat Landscape Report highlights an “alarming” rise in ransomware attacks, with ransomware extortion publications increasing by almost 18% compared to the first quarter.
The report reveals a 65% increase in activity from the Clop ransomware gang, a newer entrant to the list of top ransomware groups. In addition, a deep dive into the financial industry showed a 43% increase in ransomware extortions.
Notable findings from Nuspire’s newly released cyber threat report include:
Apache vulnerabilities comprise 25% of exploits. Apache Software can be found in approximately 31% of all global websites, making this finding particularly concerning.
Botnets grew about 16% in the second quarter, with Torpig Mebroot, a trojan renowned for its data-theft capabilities, maintaining its position as the top botnet detected.
LockBit remains the dominant ransomware gang, but Clop (also known as TA505) is quickly approaching the leading position and may dethrone LockBit by the third quarter.
“Ransomware groups like LockBit and Clop have driven a significant rise in attacks over the last several months because of their relentless exploitation of zero-day and known vulnerabilities,” said J.R. Cunningham, Nuspire’s CSO. “MOVEit Transfer is a recent example of the scale and scope these attacks can take. However, our data shows that older vulnerabilities like Apache Software continue to be ripe for exploitation. This tells us that many organizations still lack sufficient patch and vulnerability management operations, greatly increasing their risk of exposure.”
Ransomware recovery as soon as possible is critical after an attack, and VMware is constantly focused on decreasing the time from attack to recovery.
That’s according to Mark Chuang, VMware’s head of product marketing for cloud storage and data. We spoke with him during last week’s VMware Explore conference.
“We’ve been on the journey for the last two years in terms of helping customers deal with modern ransomware attacks and specifically the type that are using fileless techniques,” Chuang said. “So here at Explore Vegas, we announced additional innovations on top of our existing ransomware-as-a-recovery service in order to continue to shorten the amount of downtime by accelerating the recovery rates.”
VMware Ransomware Recovery aims to recover from fileless attacks using behavioral analysis of powered-on virtual machines (VMs) in cloud-based isolated recovery environments (IREs). The solution has been shown to resolve unplanned downtime up to 75% faster, according to VMware.
Ransomware Recovery Enhancements
At VMware Explore, VMware announced that its Ransomware Recovery now includes concurrent multi-VM recovery operations to further reduce customer downtime. Also, VMware will allow customers to run production workloads in the cloud until forensics are completed and the on-premises data center is fortified. That will be available in the third quarter of fiscal 2024.
Additionally, VMware unveiled a technology preview of cybersecure storage that will integrate recovery workflows with native vSAN snapshots for data transfer optimizations. VMware Ransomware Recovery is also expanding VMware Cloud service support to include protection of workloads in Google Cloud VMware Engine.
Chuang details what should take place once an organization is hit with a ransomware attack.
“Within an organization, collaboration between the security and infrastructure team is paramount in any sort of response, although once data has been encrypted, the infrastructure team typically takes the lead on restoration of systems and applications, and services,” he said. “So I think step one is getting all the right teams together. Step two is you need to start figuring out when the organization believes is the window in which the attack actually came into the environment. It’s very different from natural disasters where you know exactly when that took place. You actually have to do a lot of forensics to figure out when did this ransomware actually get into our environment because if you restore a recovery point that still has that ransomware dormant but is already there, then you would just be back to square one again.
“So VMware is providing different tools to help the infrastructure team work with the security team to try to identify where that window is that they believe the attack first came in,” he added. “They need to identify that window because you need to find a more pristine state from before the attack actually came in. So that would be some of the very first steps.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.