Secure the Data, Not the Device

Download TCIL Technical Note

Ransomware attacks are a lucrative practice for hackers. In just one attack in June against meat processing company JBS, hackers extorted an $11 million payment.¹ In the wake of the May 2021 Colonial Pipeline ransomware attack, Secretary of Homeland Security Alejandro Mayorkas said, “More than $350 million in losses are attributable to ransomware attacks this year. That’s a more-than-300 percent increase over last year’s victimization of companies. And there’s no company too small to suffer a ransomware attack.”²

Ransomware is a type of malware that encrypts the target’s files and data or even its entire system, preventing users from accessing the data until they pay the ransom. After receiving payment, the hacker provides the decryption key in the form of a password. The hacker may also engage in double extortion, threatening to leak the stolen data if the victim does not pay.

Prevalent strategies for dealing with ransomware emphasize defensive measures, even though experience shows that one cannot thwart a well-resourced adversary determined to penetrate a target’s system.³ To the extent that current strategies seek to build resilience, they call for maintaining system backups, which may not prevent substantial data loss. For example, the ransomware best practices guide from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) begins with an admonition “to maintain offline, encrypted backups of data and to regularly test your backups.”⁴ The CISA guide then turns to cyber hygiene measures for preventing infections.⁵

To deal more effectively with the threat from ransomware, the most pressing need is to configure networks in a manner that promotes post-attack resilience. Specifically, there is a need to shift from defending devices — such as servers and workstations — to ensuring that the data on those devices is immediately recoverable. Decentralized file storage systems provide a potential solution. Instead of storing files and data on a central server that may become a single point of failure for the entire network during a ransomware attack, a decentralized storage system “shards” (breaks up), “hashes” (labels), and encrypts files, then stores the fragments in multiple locations.

If the system works as intended, users can discard compromised devices following a ransomware attack, then use new machines to reassemble their files and resume business as usual without costly disruptions. Even if attackers exfiltrate files or data, encryption prevents them from exploiting it for extortion or other purposes.

In this pilot project, the Transformative Cyber Innovation Lab (TCIL) at the Foundation for Defense of Democracies (FDD) partnered with CyLogic, a cybersecurity products company, to demonstrate how decentralized file storage systems can mitigate the effects of ransomware. TCIL tested this new approach to file storage using CyLogic’s CyDrive, a secure, decentralized file storage system that enables users to manage and share files securely. The TCIL pilot tested a user’s ability to create a file, store it, have it infected by ransomware, and immediately recover the file. The TCIL pilot also compared CyDrive’s recovery capabilities against 11 commercially available tools that the National Institute of Standards and Technology (NIST) identifies in its reference architecture for post-attack recovery.

The TCIL pilot demonstrated in practice that decentralized storage systems can deliver the following expected benefits:

1. If ransomware locks a machine, the user can still recover all the data with minimal (if any) delay. The organization can resume business as usual within minutes.
2. If a hacker gets into the system, the hacker cannot read files (or engage in double extortion), since the data are encrypted.
3. The document creator determines the document permissions, preventing access by a system administrator or users who could act as an insider threat.