When ransomware attacks backups

Posted by Claude Gagne on Oct 30, 2019 7:45:00 AM

Wood Ranch was the victim of a ransomware attack during the summer, and its electronic medical records were encrypted. Wood Ranch refused to pay the ransom, only to discover that its backups had also been encrypted. Since it has not been able to recover its data, the company will close its doors and cease operations on December 17, 2019.


A growing threat

The 2019 Cyberthreat Defense Report mentions the following:

“Last year’s ransomware stats were ugly. This year’s stats are even uglier. The percentage of organizations victimized by ransomware is up, the percentage of organizations paying ransoms is up, and the percentage that lost data by refusing to pay ransoms is up, as well.”

Global damage costs from ransomware attacks are predicted to reach $11.5 billion annually by the end of 2019.

In one of our previous blogs, entitled “Business continuity in an era of rapid ransomware evolution”, we concluded by saying: even with multi-level protection and user awareness, you can never be 100% certain that you have deflected every attack. It is therefore vital to implement the necessary data protection measures in order to recover effectively.

But the question remains: how do you ensure that backups, which are the last line of defense, are really protected against ransomware?


The evolution of ransomware

This evolution is very similar to a cat and mouse chase.


Phase 1

In the early days of ransomware, criminals infected computers and servers with a virus which, when activated, encrypted the data. Victims who had had the foresight to make up-to-date backup copies could retrieve their data without paying the ransom.


Phase 2

Seeing that they were missing out on income, the criminals began to also encrypt any backup copies they could reach.

Companies adapted by adopting the 3-2-1 rule.

In the 3-2-1 backup strategy, instead of creating a single backup of files, two backup copies are created: one local, the other remote. The remote copy is the most important when it comes to defending your company against ransomware. For this rule to be effective against a ransomware attack, backups, especially off-site backups, must be stored in such a way that they are not accessible to the ransomware; otherwise the ransomware will spread to the backups.

This is the concept of an "air gap". The idea is simple: if the data is not accessible, it cannot be infected or corrupted. It is usually a copy of the data on secondary storage that is taken offline once the backup has completed.

To emphasize this point, Veeam adds an additional "1" to the 3-2-1 rule: one copy of the storage medium must be kept fully offline, i.e., without a direct connection to the Internet, to a network, or to any other computer.

In practice, a connection must be established each time the backup is updated, which puts the integrity of the backup at risk during that window. There is therefore no guarantee that an "air gap" copy cannot be corrupted during the copying process.


Phase 3: The current situation

Businesses today face the limits of the 3-2-1-1 rule and are confronted with the following questions:

1. What happens if the ransomware is not detected before the backup is updated?

2. What happens if the scheduled update occurs after the ransomware infection but before it is detected?

3. What happens if the ransomware is dormant, and both of your backups now contain malware ready to activate? This situation has been described as an "Attack Loop" by the company Asigra.


Ransomware can destroy backups in many ways

Encrypting accessible network drives

Ransomware is able to attack accessible network drives, and some strains specifically target files with backup file extensions.

Abusing backup software APIs

Many backup products expose their own application programming interface (API) to developers. Ransomware authors can use these published APIs for malicious purposes as well, for example to delete or encrypt existing backups.

Destroying Windows shadow copies

Ransomware such as WannaCry (WannaCrypt0r) can delete the Volume Shadow Copies created by Microsoft's Windows operating system, removing the local restore points a victim would otherwise fall back on.

Placing a time bomb in backups

Ransomware starts to infect data but does not encrypt it immediately. Only after days, weeks or months, during which the infected data has been backed up, does it trigger the encryption of the production data. The company then tries to restore from backups that are themselves already infected. It can become very difficult for an organization to determine when it was initially infected and which backup data it can restore reliably and with confidence.


How to protect backup copies?

The two approaches most often mentioned for countering ransomware are prevention and recovery. Until recently, many backup software vendors limited themselves to recovery: restoring the encrypted files from the latest copy deemed usable, without taking any responsibility for prevention.

This attitude is changing, and vendors are starting to integrate prevention and alerting features, since backup software is in a prime position to observe every file change in the environment.

The 3-2-1-1-0 rule

To ensure that backup copies are intact, they must not only be non-editable; you must also be certain that they have not been infected and therefore contain no dormant ransomware.

In other words, a 0 is added to the 3-2-1-1 rule to indicate zero errors: after verifying the recoverability of the backups, they must be intact and free of errors.
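As an added example (not code from the original post or from any vendor mentioned in it), the following Python check implements the spirit of the "0" in 3-2-1-1-0 and of the change detection that backup software is well placed to perform: before a new backup set is accepted, it is compared against the previous set's manifest, and mass renames, high-entropy rewrites and missing files are reported. The sample file contents, paths and thresholds are constructed for illustration and are assumptions of this example.

```python
import hashlib
import math
from collections import Counter

def _pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for encrypted output (constructed, not real ransomware)."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(n // 32 + 1))[:n]

# Constructed sample data: the previous backup set and the new one to be verified.
PREVIOUS = {
    "docs/report.docx": b"Quarterly report: revenue up, costs flat. " * 40,
    "docs/notes.txt": b"meeting notes\n" * 50,
    "db/patients.sqlite": b"SQLite format 3\x00" + b"patient record;" * 60,
}
# Two files have been replaced by high-entropy data with an added extension.
NEW = {
    "docs/report.docx.locked": _pseudo_random(1600),
    "docs/notes.txt": b"meeting notes\n" * 50,
    "db/patients.sqlite.locked": _pseudo_random(900),
}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def verify_backup(previous, new, max_changed=0.25, entropy_threshold=7.0):
    """Compare a new backup set against the previous manifest before accepting it.
    Returns (ok, findings); ok is False when the change pattern looks like encryption."""
    prev_hashes = {p: hashlib.sha256(d).hexdigest() for p, d in previous.items()}
    findings, changed = [], 0
    for path, data in new.items():
        if prev_hashes.get(path) == hashlib.sha256(data).hexdigest():
            continue  # unchanged since the last backup
        changed += 1
        stem = path.rsplit(".", 1)[0]
        if path not in prev_hashes and stem in prev_hashes:
            findings.append(f"renamed: {stem} -> {path}")
        e = entropy(data)
        if e > entropy_threshold:
            findings.append(f"high entropy {e:.2f} bits/byte: {path}")
    findings.extend(f"missing: {p}" for p in sorted(set(prev_hashes) - set(new)))
    ratio = changed / max(len(new), 1)
    ok = ratio <= max_changed and not any(f.startswith("high entropy") for f in findings)
    return ok, findings
```

Compressed or already-encrypted formats (archives, media, encrypted databases) legitimately show high entropy, so the thresholds have to be tuned per environment; the point is to run a check of this kind before a copy is rotated into the offline or immutable set.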


What are the options?

To be certain that at least one backup copy cannot be modified by ransomware, that copy must be immutable.

There are several ways to achieve this, such as:

  • Physical or virtual (VTL) tapes that can be ejected after the backup.
  • Immutable or WORM (write once, read many) storage that cannot be rewritten.
  • Storage with versioning: when the copy is modified, a new version is created without affecting the original copy.

Veeam announced that version 10 of Backup & Replication would support immutable storage with Amazon S3.


Conclusion

The popular belief is that if you back up your data, you can recover from a ransomware attack. Although this premise is generally true, simply backing up your data is no longer an absolute guarantee that you can recover from a ransomware attack.

Does your current strategy protect you from an infection of your backups?

We help our clients assess their risks and take the protection approach that best meets their needs.
