Wood Ranch was the victim of a ransomware attack during the summer in which its electronic medical records were encrypted. Wood Ranch refused to pay the ransom, only to discover that its backups had been encrypted as well. Since it has not been able to recover its data, the company will close its doors and cease operations on December 17, 2019.
The evolution of ransomware is very similar to a cat and mouse chase.
A growing threat
The 2019 Cyberthreat Defense Report mentions the following:
“Last year’s ransomware stats were ugly. This year’s stats are even uglier. The percentage of organizations victimized by ransomware is up, the percentage of organizations paying ransoms is up, and the percentage that lost data by refusing to pay ransoms is up, as well.”
In one of our previous blogs, entitled “Business continuity in an era of rapid ransomware evolution”, we concluded by saying: even with multi-level protection and user awareness, you can never be 100% certain of having deflected every attack. It is therefore vital to implement the data protection measures needed to recover effectively.
But the question remains: how do you ensure that backups, which are the last line of defense, are really protected against ransomware?
The evolution of ransomware
In the early days of ransomware, criminals infected computers and servers with malware which, once activated, encrypted the data. Victims who had enough foresight to keep up-to-date backup copies could recover their data without paying the ransom.
Seeing that they were missing out on income, the criminals started encrypting every backup copy they could reach as well.
Companies adapted by adopting the 3-2-1 rule.
In the 3-2-1 backup strategy, instead of keeping a single backup of the files, you keep three copies of the data (production plus two backups) on two different types of media, with one copy stored off-site. The off-site copy is the most important one when it comes to defending the company against ransomware. For the rule to be effective against ransomware, backups, and especially the off-site backups, must be stored in such a way that the ransomware cannot reach them; otherwise the ransomware simply spreads to the backups.
This is the concept of an "air gap". The idea is simple: if the data cannot be reached, it cannot be infected or corrupted. In practice it is usually a copy of the data on secondary storage that is taken offline once the backup has completed.
To emphasize this point, Veeam adds an additional "1" to the 3-2-1 rule: one copy of the backup medium must be kept fully offline, i.e. without a direct connection to the Internet, to the network, or to any other computer.
In practice, a connection must be re-established each time the offline copy is updated, and the integrity of that copy is at risk for as long as the connection exists. There is therefore no guarantee that an "air gap" copy cannot be corrupted during the copy process itself.
Phase 3: The current situation
Businesses today face the limits of the 3-2-1-1 rule and are confronted with the following questions:
1. What happens if ransomware is not detected before updating the backup?
2. What happens if the scheduled update occurs after a ransomware infection, but before the detection?
3. What happens if the ransomware is dormant, so that both of your backups already contain malware waiting to activate? Asigra has described this situation as an "Attack Loop".
Ransomware can destroy backups in many ways
Encrypting reachable network shares
Ransomware can encrypt any network drive or share the infected host can reach, and some families specifically target files with backup file extensions.
Abusing backup software APIs
Many backup products expose an application programming interface (API) to developers. Ransomware authors can use the same published APIs for malicious purposes, for example to encrypt existing backups once they have obtained credentials for the backup server.
Deleting Windows Volume Shadow Copies
Ransomware such as WannaCry (WannaCrypt0r) deletes the Volume Shadow Copies that Windows keeps of a volume, removing the local restore points that users and administrators rely on for quick recovery.
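Shadow-copy deletion is one of the few steps in a ransomware run that is both loud and easy to recognise: it shows up as a handful of well-known command lines in process-creation telemetry. The following detector is an added example written for this article (not the article's own code and not from any vendor); it scans constructed process-creation log lines in an assumed "timestamp|host|user|command_line" format for the vssadmin, wmic, PowerShell Win32_ShadowCopy, wbadmin and bcdedit commands used to destroy local recovery data, and suppresses the one rule that legitimate backup agents trigger routinely when the command comes from a named backup service account.

```python
"""Detect backup-destruction commands in process-creation logs.

Added example for this article, not code from it or from any vendor. It
scans process-creation events (the information Sysmon Event ID 1 or Windows
Security event 4688 carry) for the commands ransomware runs to wipe Volume
Shadow Copies and the Windows backup catalog. The pipe-separated line
format "timestamp|host|user|command_line" and the sample log below are
constructed for the demo; adapt parse_line() to your own log source.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Detection rules: (name, regex over the whitespace-normalised, lower-cased
# command line). We match on the command line, not the image path, because
# copying the binary elsewhere is trivial.
RULES = [
    ("vss_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("vss_resize_shadowstorage",          # shrinking the store evicts old shadows
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("powershell_win32_shadowcopy",       # Get-WmiObject Win32_ShadowCopy | .Delete()
     re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b")),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b")),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
]

@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    command_line: str

def classify(command_line: str) -> list[str]:
    """Return the names of every rule the command line matches."""
    norm = " ".join(command_line.split()).lower()
    return [name for name, pattern in RULES if pattern.search(norm)]

def parse_line(line: str):
    """Split one constructed log line into (timestamp, host, user, cmdline)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split("|", 3)
    return tuple(parts) if len(parts) == 4 else None  # drop malformed lines

def scan_log(lines, trusted_backup_accounts=frozenset()) -> list[Alert]:
    """Raise one Alert per (event, rule) match.

    Backup software legitimately prunes old shadow copies, so the
    vss_delete_shadows rule is suppressed for known backup service accounts;
    every other rule fires regardless of who ran the command.
    """
    trusted = {u.lower() for u in trusted_backup_accounts}
    alerts: list[Alert] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, user, cmd = parsed
        for rule in classify(cmd):
            if rule == "vss_delete_shadows" and user.lower() in trusted:
                continue
            alerts.append(Alert(ts, host, user, rule, cmd))
    return alerts

# Constructed sample: a benign listing, a benign editor launch, then a
# WannaCry-style chain of shadow-copy deletion, recovery disabling and
# catalog removal from a workstation, and routine pruning by a backup account.
SAMPLE_LOG = r"""
# timestamp|host|user|command_line
2019-11-12T09:14:03Z|FS01|CORP\svc_backup|C:\Windows\System32\vssadmin.exe list shadows
2019-11-12T09:14:05Z|WS117|CORP\jdoe|"C:\Program Files\Notepad++\notepad++.exe" report.txt
2019-11-12T09:15:41Z|WS117|CORP\jdoe|cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete
2019-11-12T09:15:42Z|WS117|CORP\jdoe|bcdedit /set {default} recoveryenabled no
2019-11-12T09:15:43Z|WS117|CORP\jdoe|wbadmin delete catalog -quiet
2019-11-12T09:16:10Z|FS01|CORP\svc_backup|vssadmin Delete Shadows /For=C: /Oldest
"""

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG.splitlines(), trusted_backup_accounts={r"CORP\svc_backup"}):
        print(f"{a.timestamp} {a.host} {a.user} [{a.rule}] {a.command_line}")
```

Run stand-alone it prints four alerts, all from the workstation; the shadow pruning by the backup service account is deliberately left out, and the `vssadmin list shadows` enumeration does not fire at all. Two things a practitioner should take from the rules: they are case-insensitive and whitespace-tolerant because the same command arrives in many spellings, and the allowlist is scoped to a single rule, since a backup account running `wbadmin delete catalog` or disabling Windows recovery is still worth an alert.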
Planting a time bomb in backups
Ransomware infects the data but does not encrypt it immediately. Only after days, weeks or months, during which the infected data has been backed up repeatedly, does it trigger the encryption of the production data. The company then tries to restore from backups that are themselves already infected. It can become very difficult for an organization to determine when it was first infected and which backup data it can restore reliably and confidently.
How to protect backup copies ?
The two angles most often mentioned for countering ransomware are prevention and recovery. Yet many backup software vendors have limited themselves to restoring from the most recent copies deemed usable (without taking responsibility for whether they really are) in order to replace the encrypted files.
This attitude is changing, and vendors are starting to integrate prevention and alerting features, since backup software is ideally placed to observe every file change in the environment.
The 3-2-1-1-0 rule
To ensure that backup copies are intact, they must not only be immutable; you must also be certain that they have not been infected and therefore do not contain dormant ransomware.
In other words, a "0" should be added to the 3-2-1-1 rule to indicate zero errors: backups must be shown to be intact and free of errors by actually verifying that they can be recovered.
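"Zero errors" is only meaningful if something checks the backup set against a record that the attacker cannot rewrite. The script below is an added example written for this article (not the article's code and not any vendor's verification feature). It builds a SHA-256 manifest of a backup set at backup time and seals it with an HMAC, then at restore time checks the seal, recomputes every hash and flags files whose byte entropy looks like ciphertext. The assumptions are that the HMAC key lives on a separate verification host, so ransomware on the backup store cannot re-seal a doctored manifest, and the sample files written by `demo()` are constructed for the demonstration.

```python
"""Verify that a backup set is intact before trusting it for a restore.

Added example for this article, not the article's or any vendor's code. At
backup time build_manifest() records the SHA-256 of every file in the set
and seals the manifest with an HMAC. At restore time verify_backup() checks
the seal, recomputes every hash and flags files whose bytes look encrypted.
Assumption: the HMAC key is kept on a separate verification host, so
ransomware that reaches the backup store cannot re-seal a doctored manifest.
The sample files written by demo() are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text, close to 8 for ciphertext or random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def _seal(files: dict[str, str], key: bytes) -> str:
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, "sha256").hexdigest()

def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every file under root and seal the result with the verification key."""
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"files": files, "seal": _seal(files, key)}

def verify_backup(root: Path, manifest: dict, key: bytes,
                  entropy_threshold: float = 7.5) -> dict:
    """Return a report; "ok" is True only if the seal holds and nothing is wrong."""
    report = {
        "seal_ok": hmac.compare_digest(_seal(manifest["files"], key), manifest["seal"]),
        "missing": [], "modified": [], "suspect_encrypted": [], "extra": [],
    }
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel, digest in manifest["files"].items():
        path = root / rel
        if rel not in present:
            report["missing"].append(rel)
            continue
        if sha256_file(path) != digest:
            report["modified"].append(rel)
        if shannon_entropy(path.read_bytes()) >= entropy_threshold:
            report["suspect_encrypted"].append(rel)
    report["extra"] = sorted(present - set(manifest["files"]))
    report["ok"] = report["seal_ok"] and not any(
        report[k] for k in ("missing", "modified", "suspect_encrypted"))
    return report

def demo(root: Path | None = None) -> dict:
    """Build a sample set, verify it, then verify again after simulated ransomware."""
    root = Path(tempfile.mkdtemp()) if root is None else root
    key = os.urandom(32)  # in a real deployment this never touches the backup host
    # Constructed sample backup content (ordinary low-entropy text).
    (root / "db.sql").write_text("INSERT INTO patients VALUES (1, 'sample');\n" * 200)
    (root / "notes.txt").write_text("Nightly backup of the EMR database.\n" * 50)
    manifest = build_manifest(root, key)
    clean = verify_backup(root, manifest, key)
    # Simulated attack: one file encrypted in place, one deleted.
    (root / "db.sql").write_bytes(os.urandom(16384))
    (root / "notes.txt").unlink()
    after_attack = verify_backup(root, manifest, key)
    # The attacker re-hashes the damaged set but cannot produce a valid seal.
    forged = build_manifest(root, b"not-the-real-key")
    forged_manifest = verify_backup(root, forged, key)
    return {"clean": clean, "after_attack": after_attack, "forged_manifest": forged_manifest}

if __name__ == "__main__":
    for name, rep in demo().items():
        print(name, json.dumps(rep, indent=1))
```

The three reports show the three outcomes that matter: the clean set passes, the damaged set fails on a missing file, a changed hash and a high-entropy file even though the seal is still valid, and a manifest the attacker rebuilt to match the damaged files fails on the seal alone. One caveat on the entropy heuristic: compressed or already-encrypted backup formats are high-entropy by design, so for those the threshold should be dropped or the check limited to the hash comparison.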
What are the options?
To be certain that at least one backup copy survives a ransomware attack, that copy must not be modifiable by anything running on the production network, including an administrative account the attacker has taken over.
There are several ways to achieve this, such as:
- Physical or virtual (VTL) tapes that are ejected after the backup.
- Immutable or WORM (write once, read many) storage that cannot be rewritten or deleted before its retention period expires.
- Storage with versioning, where modifying the copy creates a new version and leaves the original version untouched.
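To make the last two options concrete, here is an added example (written for this article; it is not the article's code and not the API of Veeam, Amazon S3 or any other product) that models what object-lock style versioned storage guarantees to a backup repository: every write creates a new version, a plain delete only adds a delete marker, and no version can be overwritten in place or purged before its retention time, even by the credentials that wrote it. The object name, dates and contents are constructed, and the model assumes the repository is reachable only through this interface.

```python
"""Model of a versioned, retention-locked backup target.

Added example for this article; not the article's code and not the API of
Veeam, Amazon S3 or any other product. It models the behaviour that
object-lock style immutable storage gives a backup repository: every write
creates a new version, a plain delete only adds a delete marker, and no
version can be overwritten in place or removed before its retain-until time,
even by the credentials that wrote it. Assumption: the repository is only
reachable through this interface, so the lock cannot be bypassed by editing
the underlying disk. Object names, dates and contents are constructed.
"""
from __future__ import annotations

import itertools
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

class RetentionError(PermissionError):
    """Raised when a version is still under retention."""

@dataclass(frozen=True)
class Version:
    version_id: str
    data: bytes | None          # None marks a delete marker
    written_at: datetime
    retain_until: datetime | None

class ImmutableStore:
    def __init__(self, default_retention: timedelta = timedelta(days=30)):
        self._objects: dict[str, list[Version]] = {}
        self._ids = itertools.count(1)
        self.default_retention = default_retention

    def put(self, key: str, data: bytes, now: datetime,
            retention: timedelta | None = None) -> str:
        """Write a new version; existing versions are never touched."""
        v = Version(f"v{next(self._ids)}", data, now,
                    now + (retention or self.default_retention))
        self._objects.setdefault(key, []).append(v)
        return v.version_id

    def delete(self, key: str, now: datetime) -> str:
        """A plain delete only hides the object behind a delete marker."""
        v = Version(f"v{next(self._ids)}", None, now, None)
        self._objects.setdefault(key, []).append(v)
        return v.version_id

    def delete_version(self, key: str, version_id: str, now: datetime) -> None:
        """The only way to destroy data, and refused until retention expires."""
        versions = self._objects.get(key, [])
        for v in versions:
            if v.version_id == version_id:
                if v.retain_until is not None and now < v.retain_until:
                    raise RetentionError(f"{key}@{version_id} locked until {v.retain_until:%Y-%m-%d}")
                versions.remove(v)
                return
        raise KeyError(version_id)

    def get(self, key: str, version_id: str | None = None) -> bytes | None:
        """Current content (None if the newest version is a delete marker) or one version."""
        versions = self._objects.get(key)
        if not versions:
            raise KeyError(key)
        if version_id is None:
            return versions[-1].data
        for v in versions:
            if v.version_id == version_id:
                return v.data
        raise KeyError(version_id)

    def versions(self, key: str) -> list[Version]:
        return list(self._objects.get(key, []))

def latest_clean_version(store: ImmutableStore, key: str, cutoff: datetime) -> Version | None:
    """Newest real (non-marker) version written before the suspected infection time."""
    candidates = [v for v in store.versions(key) if v.data is not None and v.written_at < cutoff]
    return max(candidates, key=lambda v: v.written_at, default=None)

def simulate_attack() -> dict:
    """A good backup, then an attacker holding the backup account's credentials."""
    t0 = datetime(2019, 11, 1, 2, 0, tzinfo=timezone.utc)
    store = ImmutableStore()
    key = "emr/full-2019-11-01.vbk"            # hypothetical object name
    good = b"BACKUP-FULL: patient records (constructed sample)"
    good_id = store.put(key, good, now=t0)
    # Nine days later the ransomware overwrites, tries to purge, then deletes.
    t_attack = t0 + timedelta(days=9)
    store.put(key, b"\x9c\x02\xe1 ciphertext", now=t_attack)
    purge_refused = False
    try:
        store.delete_version(key, good_id, now=t_attack)
    except RetentionError:
        purge_refused = True
    store.delete(key, now=t_attack)
    # Restore: take the newest version from before the infection window.
    recovered = latest_clean_version(store, key, cutoff=t_attack)
    return {"store": store, "key": key, "good_id": good_id, "purge_refused": purge_refused,
            "current": store.get(key), "recovered": recovered.data if recovered else None,
            "retain_until": store.versions(key)[0].retain_until}

if __name__ == "__main__":
    r = simulate_attack()
    print("purge refused:", r["purge_refused"], "| current:", r["current"], "| recovered:", r["recovered"])
```

After the simulated attack the object's current view is a delete marker and its newest real version is ciphertext, yet the original version is still there and `latest_clean_version()` returns it when given the suspected infection time as the cutoff, which is exactly the decision the "time bomb" scenario forces on a restore. Two caveats carry over to real products: the lock is only worth anything when it is enforced server-side in a mode that privileged users cannot lift (S3 Object Lock's governance mode can be bypassed by accounts with the right permission; compliance mode cannot), and the retention period has to be longer than the time a dormant infection might go unnoticed, or the clean version will age out before anyone looks for it.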
Veeam announced that version 10 of Backup & Replication would support immutable backups on Amazon S3 using S3 Object Lock.
The popular belief is that if you back up your data, you can recover from a ransomware attack. Although this premise is generally true, simply backing up your data is no longer an absolute guarantee that you will be able to recover.
Does your current strategy protect you from an infection of your backups?