Protecting backups from ransomware

Backups can be infected, too

Over time, ransomware has evolved from the efforts of script kiddies chucking malware at open networks to more sinister and calculated attacks launched by individuals who want to guarantee their hard work pays off. Attackers have elevated their scope and tactics to take over backup solutions or exfiltrate data before they trigger the ransomware campaign. This more aggressive methodology impairs recovery processes and aims to remove a victim’s alternatives to paying up.

Ransomware attack processes are evolving

The entire attack process is changing. Attackers can sit on your network for an extended period of time (sometimes months) before their access is noticed, which enables them to gain elevated access and take control of all servers on the network.

Once attackers have elevated access, they can spread throughout the network and gain access to the backup servers. If organizations have not identified the attackers, the situation becomes more concerning. Attackers will attempt to exfiltrate any sensitive data they find and then activate the ransomware. At this point, the attackers are in a much stronger position.

Even if organizations have offline backups, attackers might cripple the primary backup solutions, and that can make getting back to normal operations more difficult. Furthermore, even if organizations are able to recover their systems, attackers still can hold exfiltrated data for ransom.

Protecting backups from ransomware

First and foremost, security is most effective when implemented in layers. While a single, silver-bullet solution to security issues does not exist, protecting backups from ransomware is an important part of layered security.

Taking a people, process, and technology approach can help organizations better protect themselves as they implement backup solution protection.

• People. Employees are the greatest asset in this endeavor. The first line of defense is to build and implement an effective security awareness program. Creating a culture in which non-IT employees feel safe enough to communicate any suspicious activity can be the make-or-break difference when confronting a ransomware attack.

  An organization’s IT team should designate a person who can be the backup administrator. This person will be responsible for initiating, watching, and testing backups on a regular basis. It’s important, though, that this person is not already wearing multiple hats. A slip-up in the backup process can be detrimental and costly.

• Process. One of the best ways organizations can prevent ransomware from infecting backups is to implement a 3-2-1 backup process strategy:

  3. Hold three copies of the data.
  2. Use two different backup methods or mediums.
  1. Store one copy offline.

  Three copies of the data would include the original working data, the primary data backup, and then the secondary backup. Three copies of data can seem like a lot, but remember: Restoring from backups is a last-ditch effort, and so it has to work.

  Two different backup methods or mediums protect organizations from a single point of failure in the overall backup strategy. Physical devices can fail every once in a while; however, using two different mediums can reduce the likelihood of backup device failures.

  One copy of the data should be stored offline. Attackers can infect only backups that they can see, so storing offline is the best barrier to prevent a total takeover.

  As with anything in IT, organizations should make sure to test, test, and test again their backups. And no, restoring individual files based on user requests is not the same as a holistic backup test.

• Technology. Proper network segmentation and access control lists can slow down the spread of an attack dramatically, and they can provide more opportunities to detect malicious activity. Taking the following proactive steps can help protect against a rapidly spreading attack:

• Restrict access. Organizations should strategize with the network team and allow users access to only what they need. End points and users should not be allowed network access to IT servers, and the principle of least privilege should be followed. Ransomware’s favorite snack is an open network share.

• Separate duties. Administrator and local accounts should be separated. If the same account and password are used for all administrative functions of the network, then the account can be easy to compromise and difficult to monitor. IT teams should create a separate service account for the backup administrator and apply alerting and logging to that account.

Taking proactive steps can reduce risk

Ransomware is an ongoing challenge, and it’s becoming more advanced the longer it remains a threat. While penetration testing, identifying gaps, and implementing technical controls can help mitigate the risk of and exposure to a ransomware attack, protecting backups from ransomware is critical to keeping your business operating.