Endpoint

10/4/2017
10:30 AM
Rod Mathews
Commentary

Ransomware Will Target Backups: 4 Ways to Protect Your Data

Backups are the best way to take control of your defense against ransomware, but they need protecting as well.

Ransomware has had a banner year so far. Two major attacks — WannaCry and NotPetya — have caused, conservatively, hundreds of millions of dollars in damages, while cybercriminals continue to target users' systems and data.

Proactive companies, however, do have options. The most consistent defense against ransomware continues to be good backups and a well-tested restore process. Companies that consistently back up their data and can quickly detect a ransomware attack should be able to restore their data and operations with a minimum of disruption.

In some cases, we have seen wiper malware such as NotPetya pretending to be Petya ransomware while serving a similar ransom note. In these attacks, the victims won't be able to get their files back even if they pay the ransom — making the ability to restore from a backup even more critical.

For that reason, the cybercriminals — and, in some cases, nation-state agents — behind ransomware have begun targeting the backup processes and tools, as well. Several ransomware programs — such as the recent WannaCry (WannaCrypt0r) and the newer version of CryptoLocker — delete the shadow volume copies created by Microsoft's Windows operating system. Shadow copies are a simple method that Microsoft Windows provides for easy restoration.

On the Mac, cybercriminals targeted backups from the get-go. Researchers have discovered incomplete functions in the first Mac ransomware — released in 2015 — that targeted the disk used by the Mac OS X operating system's automated backup tool called Time Machine.

The strategy is straightforward: Encrypt the backup and individuals or companies are likely to lose the ability to restore data and are more likely to pay a ransom. Attackers are escalating their efforts beyond infecting single workstations and aim to destroy the backups, too.

Here are four recommendations to help companies protect their backups against ransomware attacks.

1. Be careful using network file servers and online sharing services.
Network file servers can be easy to use and are always available, two attributes that make network-accessible "home" directories a popular way to centralize data and make it easy to back up. However, when exposed to ransomware, this type of data architecture has serious security weaknesses. Most ransomware programs encrypt connected drives, so the victim's home directory would be encrypted as well. In addition, any server that runs a vulnerable and highly targeted operating system like Windows could be infected, which would lead to every user's data being encrypted.

Thus, any company with a network file server needs to assiduously back up the data to a separate system or service, and specifically test the system's restore capability if faced with ransomware.

Cloud file services aren't immune to ransomware either. In 2015, Children in Film, a business providing information for child actors and their parents, got hit with ransomware. The company extensively used the cloud for its business, including a common cloud drive. Within 30 minutes of an employee clicking on a malicious e-mail link, more than 4,000 files stored in the cloud were encrypted, according to an article in KrebsOnSecurity. Fortunately, the company's backup provider was able to restore all of the files, even though it took almost a week to complete the process.

Depending on whether the cloud service provided incremental backups or easily managed file histories, recovering data in the cloud could be more difficult than an on-premises server.

2. Get visibility into your backup process.
The earlier that a company can detect a ransomware infection, the more likely that the business can prevent significant corruption of data. Data from the backup process can provide early warning of a ransomware infection. A program that suddenly encrypts your data leaves signs in your backup log. Incremental backups will suddenly "blow up" as every file is essentially changed, and the encrypted files can't be compressed or deduplicated.

Monitoring vital metrics such as capacity utilization from the backup process on a regular basis — essentially, every day — can help companies detect when ransomware has infected a system inside the company and limit the damage from the compromise.
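The signals described above (incrementals that suddenly "blow up" and data that no longer compresses or deduplicates) can be checked automatically. The following is an added example, not code from the article or from Barracuda: it parses constructed backup-job log lines in an assumed format and flags a run whose changed-file fraction jumps well above recent history while its stored/raw ratio approaches 1.0. The log format and the thresholds are assumptions.

```python
# Added example (not from the article): flag ransomware-like anomalies in backup
# job statistics. Each constructed log line is one incremental backup job:
#   <date> <job> files_total=N files_changed=N bytes_raw=N bytes_stored=N
# (bytes_stored = size after compression and dedup). Ransomware shows up as nearly
# every file changed plus a stored/raw ratio near 1.0: ciphertext neither compresses nor dedupes.
import re
from statistics import median
LINE_RE = re.compile(r"(?P<date>\S+) (?P<job>\S+) files_total=(?P<total>\d+) "
                     r"files_changed=(?P<changed>\d+) bytes_raw=(?P<raw>\d+) "
                     r"bytes_stored=(?P<stored>\d+)")

# Constructed sample: six normal days, then one where the incremental "blows up".
SAMPLE_LOG = """\
2017-09-25 fileserver-incr files_total=120000 files_changed=1800 bytes_raw=2400000000 bytes_stored=480000000
2017-09-26 fileserver-incr files_total=120100 files_changed=2100 bytes_raw=2700000000 bytes_stored=510000000
2017-09-27 fileserver-incr files_total=120150 files_changed=1650 bytes_raw=2200000000 bytes_stored=450000000
2017-09-28 fileserver-incr files_total=120200 files_changed=1900 bytes_raw=2500000000 bytes_stored=500000000
2017-09-29 fileserver-incr files_total=120300 files_changed=2300 bytes_raw=3000000000 bytes_stored=560000000
2017-09-30 fileserver-incr files_total=120300 files_changed=400 bytes_raw=500000000 bytes_stored=90000000
2017-10-01 fileserver-incr files_total=120300 files_changed=118900 bytes_raw=155000000000 bytes_stored=154200000000
"""

def parse(log):
    """Return one dict per well-formed line; malformed lines are skipped, not fatal."""
    jobs = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            jobs.append({"date": d["date"], "job": d["job"],
                         "changed_frac": int(d["changed"]) / int(d["total"]),
                         "stored_ratio": int(d["stored"]) / int(d["raw"])})
    return jobs

def find_anomalies(jobs, window=5, change_mult=10.0, ratio_min=0.9):
    """Flag a job whose changed-file fraction is >= change_mult x the median of the
    previous `window` runs AND whose stored/raw ratio is >= ratio_min (assumed thresholds)."""
    hits = []
    for i, job in enumerate(jobs):
        history = [j["changed_frac"] for j in jobs[max(0, i - window):i]]
        if history and job["changed_frac"] >= change_mult * median(history) \
                and job["stored_ratio"] >= ratio_min:
            hits.append(job)
    return hits

if __name__ == "__main__":
    for hit in find_anomalies(parse(SAMPLE_LOG)):
        print(f"{hit['date']} {hit['job']}: {hit['changed_frac']:.0%} of files changed, "
              f"stored/raw={hit['stored_ratio']:.2f} -> possible ransomware, investigate")
```

Baselining against the previous runs rather than a fixed size keeps a legitimately large day (a data migration, say) from tripping the check unless it also fails to compress or dedupe.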

3. Consider your solution options.
If ransomware can directly access backup images, then it will be very challenging if not impossible to stop it from encrypting corporate backups. For that reason, a purpose-built backup system that abstracts the backup data will be able to prevent ransomware from encrypting historical data.

By separating backups from your normal operating environment and making sure the process is not running on a general-purpose server and operating system, your backups can be hardened against attack. Backup systems based on the most commonly targeted operating system, Microsoft Windows, are prone to being attacked and make it much harder to protect your backup data.

4. Regularly test your recovery process.
Finally, backups are no good unless you can recover both reliably and quickly. Some victims of ransomware have had backups but still have had to pay the ransom because the backup schedule did not perform backups with enough granularity, or they were not backing up the data they thought they were backing up.

Part of testing the recovery process is determining the window of data loss. A company that does a full backup every week will lose up to a week of data should it need to recover after its last backup. Doing daily or hourly backups greatly increases the level of protection. More granular backups and detecting ransomware events as early as possible are both key to fending off damage.

In the end, companies should aim to detect ransomware attacks early through monitoring or anti-malware defenses, use a purpose-built system to maintain a separation between the backup data and a potentially compromised system, and regularly test the backup and restore process to ensure data is properly protected.

These efforts will keep backups at the top of the list of ransomware defenses and will reduce the risk of losing data in the event of an attack.


Rod Mathews serves as Senior VP & General Manager, Data Protection Business, for Barracuda. He directs strategic product direction and development for all data protection offerings, including Barracuda's backup and archiving products, and is also responsible for Barracuda's ...
Comments
REISEN1955, User Rank: Ninja
10/5/2017 | 9:10:49 AM
Catalog Backups are essential
And in several sets - onsite and offsite. Backups must be run on a risk-factor - how many days or hours is the firm comfortable with potential data loss upon restore. Most times, a 24-hour turn-around will suffice but it must be DAILY and rotational. Only then does one have true insurance.