Conventional wisdom is that you are fine if your data gets infected or your data storage systems get shutdown by ransomware – if you have a current backup that is complete and uncorrupted. All you need to do is reset your systems, reinstall the apps and restore the data.
Unfortunately, that may no longer apply.
"Backing up your data no longer provides an absolute guarantee that you can recover from a ransomware attack,” said Jerome Wendt, an analyst at storage consultancy DCIG.
Cybercriminals, after all, are not infecting systems and installing ransomware out of spite or malice. They are in the business of making money. Early strains of ransomware would lock users out of their devices or databases. That prompted many to pay over the ransom rather than having their data be destroyed.
But over time, enough savvy users and organizations learned that they could defeat an outbreak by restoring their systems. So the bad guys adapted. They learned to sniff out backup files on the network and to encrypt them too. They aren’t that hard to find as they sit on network file shares using the default directory name created by backup vendors to store backups. Just look up vendor documentation and you can find the default names easily. The malware is now designed to probe networks for to detect backup files.
“Just like in any cryptoware attack, a system that is not properly protected or poorly configured from a networking, access control or shared storage can be corrupted,” said Christophe Bertrand, Vice President, Product Marketing, Arcserve.
This applies to Windows and Linux systems alike. There is a significant rise in Linux attacks recently, he said. If you put your backup store on a shared storage device, then, ransomware could propagate through another user, for example. And if you compound the felony by not leveraging recommended networking best practices, an attacker could get to any server, including a backup server.
“If ransomware is present on a machine, and your backup is either permanently connected/online (e.g. on a NAS or USB Disk), or if you plug in your USB disk to that machine, your backup will get corrupted because the ransomware can access it and starts to encrypt the backup files so it can hold you to ransom,” said Linus Chang, CEO, BackupAssist.
But the cybercriminals don’t stop there. They have found it relatively simple to track down published application programming interfaces (APIs) from backup vendors. Once they know the APIs, they can use them to corrupt, encrypt and render worthless any backup, no matter how complete it is.
A delayed attack is another tactic that can thwart backup protection. The trick here is to let the ransomware slowly infiltrate but don’t encrypt anything for a few weeks or month. Over that time, backups continue. But they are backing up infected data. When ransomware strikes, the company does a restore and immediately reinfects its systems.
Take the case of a file server that’s backed up at regular intervals. The ransomware infection happens on a workstation. Ransomware starts uses that beachhead to begin infecting or encrypting files on network shares and on the file server. When the backup software does its scheduled backup, and those now-infected files then get backed up.
“If the business is lucky, there will be enough backup history so they can restore from an older backup,” said Chang. “But if they’re unlucky and there was limited space on the backup device, these old backups might have been deleted automatically to make way for the new backup.”
Another attack vector is worthy of mention. Social engineering tricks like phishing can target backup administrators and system admins. Once their credentials are compromised, external influences can encrypt or destroy backup files.
“The inability to access and recover from a ransomware attack may put the very survival of a company at risk,” said Wendt. “Organizations need to take a fresh look at their backup software to make sure that it has the right set of features to counter these newest forms of ransomware attacks."
Proofing up Backups from Attack
So how do you plug these and other security holes? How do you ensure you can recover from a ransomware infection? It’s time for the separate worlds of backup and security to come together. The first step is communication. Backup administrators and security administrators need to begin a dialogue. On the one side, security staff may not be aware of the mechanics of backup, about the potential openness of APIs and the various routes and back doors that can be used to infiltrate backup files. On the other side of the coin, backup staff need to gain more knowledge about social engineering, phishing, malware and security technology in general. From that strong foundation, a better defensive perimeter can be established.
Also encourage end user education on security basics. Security awareness training from companies such as KnowBe4 is a good way to reduce the gullibility of the user population to constant phishing attacks.
“End user and IT personnel education with regular testing/drills is a very important step,” said Bertrand. “Check Ransomewarewatch for input and advice from top security vendors.”
Getting into further specifics, Betrand recommended good access control policy across the board for users and specifically for the backup environment. That nails down who can access what, and who cannot. That at least reduces the potential routes of incursion into backup data.
“Applying best practices in access control, networking and storage configurations is a starting point,” said Bertrand.
Another intelligent strategy is to have multiple copies of the backups stored in multiple locations and different platforms. Should a primary site get affected, a distributed backup approach may provide some insurance.
“If your backup store gets encrypted, having multiple copies in multiple locations allows you to not only get your backup environment up and running again, but also to recover other affected systems and data,” said Bertrand.
However, he cautions users not to fall for what he terms backup vendor propaganda on ransomware detection or ransomware predictive analytics that may be installed as part of a backup package. Once ransomware has started executing, you have a problem and have not avoided the attack.
“Leave security to specialists and don’t get a false sense of security,” said Bertrand.
Finally, Chang said it was vital to figure out some way to insulate backups from direct network access. The modern practice of using disk for backup typically means that systems remain online and connected to the network. Yes, this provides faster access. But it means that sneak attacks are always possible.
The time-honored practice of making backup tapes and shipping them offsite has largely been discredited as “legacy” and cumbersome. But perhaps it has its place as a last bastion of enterprise data.
“We often talk about the need to air gap your backups – to take them offline and disconnect them completely,” said Chang. “That shields the backup from being encrypted by ransomware.”