Data centers are an integral part of the digital infrastructure of the world. As such they are a prime target for hackers. Most often the reason is not the data center itself, but the clients using it and the data it is hosting. But sometimes a specific data center could become the main target in a cyberattack, and one of the most popular risks these days is ransomware.
Ransomware is a preferred attack for many hackers as it serves several tasks at once. A successful ransomware attack means a breach to the internal systems of the victim, access to the data, service disruption, and often a good source of money. According to an analysis by Check Point, 2023 was “the year of Mega Ransomware attacks with unprecedented impact on global organizations”. So, yes, it’s definitely a good idea for data center operators to increase their efforts in ransomware protection and prevention.
The state of the ransomware in 2023
According to Check Point, one of every ten organizations worldwide was hit by a ransomware attack in 2023. That’s a 33% increase. In 2023, there were on average 1,158 attacks per organization per week for a total of over 60,000 for the whole year.
The most attacked industry was education and research, followed by government and military. The third highest volume of attacks is for the healthcare industry, followed by communications, ISP, etc. There’s no industry that’s spared by ransomware hackers.
The ransomware attacks are spread relatively evenly over the globe. It means that hackers are looking everywhere for ransomware victims, and no one should have a false impression their business might remain unnoticed because it’s in a small market.
“In 2023, the landscape of ransomware underwent a significant upheaval, marked by a major surge in both conventional ransomware and the more formidable mega-ransomware. This unsettling trend was underscored by the alarming prevalence of zero-day exploits, amplifying the extent of damage inflicted and the number of victims impacted, with an increasing number of hacking groups boldly (though in some cases, falsely) claiming responsibility,” Check Point notes.
“Another notable shift was observed in the execution strategies of these ransomware attacks. Traditionally focused on encrypting victim data and demanding ransom for its release, an increasing number of cybercriminals in 2023 adopted a different approach. They concentrated more on data theft, followed by extortion campaigns that did not necessarily involve data encryption but rather threats of public disclosure of the stolen data. This evolution in ransomware tactics signifies a strategic pivot, where the emphasis shifted from disrupting operations through encryption to leveraging stolen data for monetary gains through extortion. This change underscores the adaptability of cyber threat actors and highlights the need for businesses, especially though not solely, smaller ones with limited cybersecurity resources, to enhance their defenses against such evolving ransomware threats,” the company adds.
Data centers on notice
According to another analysis by Cobalt, in 2022 (too early for 2023 results), there was one successful ransomware attack every 40 seconds somewhere in the world. And every 11 seconds there was a new attempt. That’s a quite high success rate. Cybersecurity Ventures estimates that overall cybercrime cost the world about $8 trillion in 2023. If it was a country, it would be third most prosperous in the world behind the US and China, Forbes reports.
The real figures could be even more staggering as most victims don’t report when they are hit by a ransomware attack. Regulators around the world changed this by introducing mandatory requirements for reporting, but despite that, companies try to avoid notifying anyone. And even if they do, they often minimize the actual impact. The main reason for that is they don’t want reputation or stock value damage. So, unless the ransomware attack results in a major service disruption, it will most likely remain a secret.
This lack of reporting is actually helping ransomware attacks. When companies report them, experts can then analyze the attacks, and this helps them develop protections and preventions. This makes data centers even more vulnerable as they normally host a wide range of data and clients within the same facility. This means a lot of possible vulnerabilities and bigger exposure to risks, and hackers would love to disrupt an entire data center or as much of it as they can and then force the operator to pay a bigger ransom to minimize the damage. Or just to take as much data as they can to resell it on the dark web. So, it’s best that data center operators implement a multi-layered strategy to protect their facilities.
The basics stage
Naturally, the first step would be to cover the basics. There’s no point in implementing complex solutions if the data center isn’t covering the basic necessities first.
The first one is the most obvious. Make sure there are regular backups of the data. For a data center, that might be a bit of an expensive task, but backups are always the most effective way to recover from a ransomware attack quickly and relatively hassle-free, and it’s for sure without the need to pay the ransom. A proper backup strategy would require having at least two copies of the data and one of them should be offsite.
Next, train the employees and even the users. It’s one of the most neglected areas because it’s expensive and often viewed as something with little to no return. Most often though, hackers rely on phishing and social engineering tactics to infiltrate the malware into the system. Data center employees should be trained to cover the latest threats, vectors and prevention measures that the company has implemented. Data center clients should also have access to at least basic FAQs and other information that gives them a good idea of the threats and ways to spot potential risks. For example, banks have started even calling their new online banking users and explaining to them the main features of the service within a minute or two, also emphasizing that they would never ask the user for their password or other data in any medium and to never enter said data or share it with anyone. Then they also inform the client of the official channels to ask for support or any further questions.
Data center operators could employ a similar and simpler approach for their new clients. Maybe set up an internal page which is regularly updated with the latest risks and basic data. Then link it to the client during the on-boarding process.
The next step would be to implement two-factor authentication (2FA) for all users. It’s not a fool proof guarantee, but it does help lower the risk of attacks and makes it more complicated for the hackers. Thus, it gives more time for the prevention systems, real-time security monitoring and other security measures to detect the potential attack and act. The same goes for adding role-based access controls (RBAC).
Also, develop an incident response plan. That is actually required under the law of more and more countries. It can also help save critical time when responding to the incident and helps foster a “when, not if” culture. Victory loves preparation.
The advanced stage
After covering the basics and creating a lasting habit of following them, it’s time to dive deeper. This means adding machine learning algorithms and automated security features. Another possibility is behavioral analytics which analyze user behavior and network activity and identify possible malicious patterns. They can flag potential risks and raise them for inspection by admins or simply activate the next layer of protection.
A more advanced approach is air-gapping. This means to fully disconnect resources from the internet and other systems. Of course, that’s not always possible, especially for data centers operating in the public cloud, but it can be done for critical data. For example, storing it on servers that are separate from the rest and can be quickly disconnected from the network if needed.
Digital twins are another approach which is gathering popularity. It’s not a new one, but recently it has become a popular choice for various industries and projects. Usually, it’s done for testing and analysis, but for data centers it can also be a great way to have everything in place in real time and switch as needed if there’s an issue.
Of course, the obvious drawback here is that it will basically double the needed resources. You could use the old hardware to keep the digital twin running, as its main goal is to simply be a copy, not to run the workload, DataCenterKnowledge notes.
There are also some new threat vectors. One of them is a ransomware attack from an insider. That’s a risk that can be mitigated with increased physical security. Especially for private data centers where you can install more protection and monitor user activities better.
There are some entirely new solutions, as well. The Open Compute Project (OCP), for example, proposed the Data Center Secure Control Module (DC-SCM). This is a card which contains the RoT and the SoC components needed for key authentication, trust services, etc. If the system is compromised, simply change the card and not the entire system. It’s yet another option to minimize downtime and increase recovery rates.
“Ransomware attacks pose a growing threat to data centers, and the traditional methods of addressing these attacks are not enough. By embracing modular security solutions and adding hardware monitoring of software, intelligence and forensics to platforms, the industry can take a significant step toward mitigating the impact of ransomware attacks and reducing the costs associated with system replacement,” says Gopi Sirineni, President & CEO of Axiado for Forbes.
The key message is that data centers should no longer rely only on their customers to protect themselves from ransomware attacks. Data center operators should be proactive and vigilant against evolving threats. This is the only way they can minimize the risk of becoming victims and save money and their clients’ data.