Cyber threat actors are becoming more and more efficient. They are targeting software and applications that are used by organizations globally. One recent example of this is the ESXIargs mass ransomware campaign which targeted a zero-day vulnerability in ESXi. So far this year, it has been reported that over 3,000 ESXi servers and countless virtual machines globally have been impacted by this campaign in the last two months.

Last month as the attack surfaced, a patch to the vulnerability rapidly became available and widely installed and the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) jointly published a Cybersecurity Advisory (CSA) on mitigating the effects of being impacted with ESXiargs ransomware. As CISA nor the FBI encourage organizations to pay ransoms, they published this advisory to help victims of ESXiargs ransomware recover. This ransomware attack targets organizations using unpatched versions of ESXi.

Preparing and Mitigating the Next Ransomware Attack

In the CSA guide, CISA and the FBI recommend organizations take some preventive steps to mitigate the impact of a ransomware attack. We will explore some of the key recommendations from the report and also detail how Rubrik’s capabilities can help you prepare and implement the recommendations below.

  • Ensure all backup data is encrypted, immutable, and covers the entire organization’s data infrastructure.

Rubrik encrypts backup data by default and stores it in Rubrik’s proprietary file system. This ensures the immutability of the data and allows the system to provide data resiliency capabilities across various data sources, whether they be on-premise, in the cloud, or both.

  • Maintain offline backups of data, and regularly test backup and restoration [CPG 7.3]. These practices safeguard an organization’s continuity of operations or at least minimize potential downtime from a ransomware incident and protect against data losses.

Rubrik’s logical air gap approach to storing data backups helps reduce and limit the possibility of attacks coupled with their unique and purpose-built file system is another layer of protection for the protection of customers’ data. Offline backups are indeed very secure and good to have but not efficient or cost-effective in many use cases. Rubrik Enterprise Data Protection and Rubrik Cloud Vault minimize the need or frequency of offline backups.

  • Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response procedures for a ransomware incident [CPG 7.1, 7.2].

Rubrik Data Remediation helps organizations build response plans for recovering data and systems post a cyber attack or event. Rubrik’s offerings help organizations build playbooks on how to quickly and confidently recover in an orchestrated manner to minimize downtime, data loss, and impact on you and your customers. 

  • Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.

In mitigating any cyber attack, it is critical to reduce the attack surface of your systems and don’t forget your backups. The more ports and protocols running and listening on your backup data solutions the greater the chances an attacker can find and target them. In the spirit of Zero Trust, Rubrik was built with many of these principles in mind. For example, Rubrik systems lock down what and how your backup storage can be accessed.

  • Require phishing-resistant MFA for as many services as possible [CPG 1.3]—particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.

  • Implement allow-listing policies for applications and remote access that only allow systems to execute known and permitted programs.

Both of these security recommendations are critical cybersecurity controls as MFA and role-based access controls are both incorporated into Rubrik solutions. These are critical steps for helping organizations achieve compliance at the Data Pillar for Zero Trust Architecture.

  • Scan backups. If possible, scan backup data with an antivirus program to check that it is free of malware. This should be performed using an isolated, trusted system to avoid exposing backups to potential compromise.

Rubrik, without relying on third-party access, can enable threat hunting by leveraging file hashes, YARA rules, threat intelligence, and proprietary detection algorithms to detect malicious code and sensitive data in data backups. This is important as it helps organizations rapidly identify when a safe point in time to recover from is as well as provide insights into what sensitive data was exposed and potentially how an adversary executed their attack. Also, Rubrik enables organizations to quickly live mount their backups to rapidly analyze, test and recover necessary data to ensure data integrity.

Become Cyber Resilient with Proven Cyber Recovery

It is great to see CISA working across government organizations and producing very relevant and timely Cybersecurity Advisories that detail attacks and provide guidance on how to prevent future ones. Rubrik secures data for 5,000+ customers around the world with our industry-leading Zero Trust Data Security platform. To learn more about how Rubrik can support your cyber resilience strategy, please join us for our virtual Rubrik Forward conference. Register to save your spot here.