Increased Needs For Ransomware Backup Protection
Despite numerous cyber security incidents making international news on a regular basis over the last few years, it was specifically the WannaCry ransomware attack in May 2017 that brought renewed and urgent focus on what organizations need to do to protect their businesses and services from ransomware. This attack seriously impacted thousands of organizations worldwide, having hit more than 150 countries and over 200,000 computers.
Some of the more common methods of spreading ransomware are phishing emails, spam and social engineering, but newer methods are constantly developing, such as drive-by downloads or compromised websites. The prime purpose of ransomware is to get inside a networked system; it can then encrypt a company's data and demand a ransom for the encryption to be lifted.
Encryption-related ransomware (cryptoware) is one of the more widespread types of ransomware in the current day and age. Some less common examples of ransomware types are:
- Lock screens (interruption with the ransom demand, but with no encryption),
- Mobile device ransomware (cell-phone infection),
- MBR encryption ransomware (infects the master boot record, the part of the disk used to boot the computer, preventing the user from accessing the OS in the first place),
- Extortionware/leakware (targets sensitive and compromising data, then demands ransom in exchange for not publishing the targeted data), and so on.
The frequency of ransomware attacks is set to increase dramatically in 2022 and beyond, and with increasing sophistication. For example, some malware already exists that is more sophisticated than WannaCry and that actively looks for weak backup systems and encrypts the backed-up data itself. Research from Palo Alto Networks shows that in the first half of 2021 alone the average ransom payment was more than half a million dollars ($570,000+, to be exact).
While preventive measures are the preferred way to deal with ransomware, they are typically not 100% effective. For attacks that penetrate successfully, backup is the last bastion of defence that an IT department can use. Data backup and recovery are proven to be an effective and critical protection element against the threat of ransomware. However, being able to effectively recover data means maintaining a strict data backup schedule and taking various measures to prevent your backup from also being encrypted by ransomware.
For an enterprise to sufficiently protect backups from ransomware, advance preparation and thought is required. Data protection technology, backup best practices and staff training are critical for mitigating the business-threatening disruption that ransomware attacks can inflict on an organization's backup servers.
One of the best protections against such attacks is to have a data backup solution of correct architecture, properly configured, combined with best-practice backup strategies. This includes ensuring any cloud backups are adequately protected and available. That means having up-to-date copies of that data available elsewhere. For any medium to large company, having an enterprise-grade backup solution is essential because correct data backup, storage and compliance practice can be the main difference between a company’s survival and failure in the event of a ransomware attack.
Top 7 Ransomware Backup Strategies
Here are some specific technical considerations for your enterprise IT environment, to protect your backup server against future ransomware attacks:
1. Use different credentials, uniquely for backup storage
This is a basic best practice and, with the increasing number of ransomware attacks on backup servers, it is as necessary as ever. The user context used to access the backup storage should be kept completely confidential and used only for that purpose. Additionally, no other security context should be able to access the backup storage; only the account(s) needed for the actual backup operations should. Avoid working as root or Administrator. Use service accounts that are restricted as much as possible, wherever possible. By default, Bacula builds authentication into its design and lets the user implement as much separation as possible from production workloads. For example, its default installation ensures that its daemons run with dedicated service accounts.
2. Make offline storage part of the backup strategy
Offline storage is one of the best defenses against propagation of ransomware encryption to the backup storage. There are a number of storage possibilities that can be used:
| Media Type | What's Important |
| --- | --- |
| Cloud target backups | These use a different authentication mechanism. Can only be partially connected to the backup system. |
| Primary storage snapshots | Better if they have a different authentication framework. These snapshots can be used for recovery. |
| Replicated VMs | Best when controlled by a different authentication framework, such as using different domains for, say, vSphere and Hyper-V hosts, and powered off. |
| Hard drives/SSD | Detached, unmounted or offline unless they are being read from or written to. |
| Tape | You can't get more offline than with tapes that have been unloaded from a tape library. These are also convenient for off-site storage. Tapes should be encrypted. |
| Appliances | Appliances, being black boxes, need to be properly secured against unauthorized access. Stricter network security than for regular file servers is advisable, as appliances may have more unexpected vulnerabilities than regular operating systems. |
3. Use Backup Copy Jobs to help mitigate risk
A Backup Copy Job creates restore points on different storage and with different retention rules than the regular backup job. When the points above are also applied, the copy job becomes a valuable mechanism in a ransomware situation, because it gives you a second, independent set of restore points to fall back on.
4. Do not rely on different file systems to protect backup storage
Although having different protocols involved can be another way to hinder ransomware propagation, be aware that this is no guarantee against ransomware attacks on backups. Ransomware evolves and becomes more effective on a regular basis, and new types appear quite frequently. Therefore, it is advisable to take an enterprise-grade approach to security: backup storage should be as inaccessible as possible, and only one service account, on known machines, should need to access it. File system locations used to store backup data should be accessible only by the relevant service accounts. There is no reason why end users from other systems should ever have permission to access them. Using another set of credentials to allow access to shared file systems, for example for snapshots, offline shares or cloud storage, is an inherently insecure approach; all of those should be restricted exclusively to the backup service account.
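As an added example (not Bacula's own code), a small audit script that checks a backup storage tree against points 1 and 4: everything under it must belong to the dedicated backup service account and carry no group or world permission bits. The account name "bacula" in the comment and the volume file names are assumptions; the sample tree is constructed in a temporary directory.

```python
import os
import stat
import tempfile

def audit_backup_storage(root, service_uid):
    """Return (path, problem) findings; an empty list means the tree is locked down.

    Every directory and file must be owned by the backup service account and carry
    no group/other permission bits, so no other security context can read or
    encrypt the volumes. Symlinks are flagged because they can point outside.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        # Check the directory itself, then every file it holds.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)  # lstat: inspect a link itself, do not follow it
            if st.st_uid != service_uid:
                findings.append((path, f"owned by uid {st.st_uid}, expected {service_uid}"))
            if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((path, f"group/other access: {stat.filemode(st.st_mode)}"))
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symlink inside backup storage"))
    return findings

def build_demo_tree():
    """Constructed sample storage: one correctly locked-down volume and one exposed."""
    root = tempfile.mkdtemp(prefix="bacula-storage-")
    os.chmod(root, 0o700)
    good = os.path.join(root, "Full-0001.vol")
    exposed = os.path.join(root, "Full-0002.vol")
    for path in (good, exposed):
        with open(path, "wb") as f:
            f.write(b"constructed volume data\n")
    os.chmod(good, 0o600)     # service account only
    os.chmod(exposed, 0o644)  # world-readable: any local user could copy it
    return root

if __name__ == "__main__":
    # In production, service_uid is the uid of the dedicated backup account, e.g.
    # pwd.getpwnam("bacula").pw_uid (hypothetical account name); the current user here.
    for path, problem in audit_backup_storage(build_demo_tree(), os.getuid()):
        print(f"{path}: {problem}")
```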
5. Be sure to use the 3-2-1-1 rule
Following the 3-2-1 rule means having three different copies of your data, on two different media, one of which is off-site. The power of this approach is that it addresses nearly any failure scenario and doesn't require any specific technology. In the ransomware era, Bacula recommends adding another "1" to the rule: one of the media should be offline. The offline storage options listed above show a number of ways to implement an offline or semi-offline copy of the data. In practice, whenever you back up to non-file-system targets, you are already close to satisfying this rule, so tapes and cloud object storage targets are helpful here. Putting tapes in a vault after they are written is a long-standing best practice.
Cloud storage targets can act as semi-offline storage from a backup perspective: the data is not on-site, and access to it requires specific protocols and secondary authentication. Some cloud providers allow objects to be set in an immutable state, which satisfies the requirement that an attacker cannot damage them. As with any cloud implementation, a certain amount of reliability and security risk is accepted by trusting the cloud provider with critical data, but as a secondary backup target the cloud is very compelling.
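An added example (not from the original post) that evaluates a constructed backup inventory against the 3-2-1-1 rule, applying this post's caveats: a snapshot living on the primary system is not counted as an independent copy, and an immutable cloud object store satisfies the offline requirement. The field names and both inventories are constructed for illustration.

```python
# Rule parts reported by check_3_2_1_1; all four must hold for compliance.
RULE_KEYS = ("three_copies", "two_media", "one_offsite", "one_offline_or_immutable")

def check_3_2_1_1(copies):
    """Return (compliant, report) for a list of copy descriptions (dicts).

    Copies flagged on_primary_system (storage snapshots of the primary data) are
    excluded: they share the fate of the primary system. A copy counts as offline
    if it is physically offline (unloaded tape) or immutable (object lock).
    """
    independent = [c for c in copies if not c.get("on_primary_system", False)]
    media = sorted({c["medium"] for c in independent})
    offsite = [c["name"] for c in independent if c.get("offsite")]
    offline = [c["name"] for c in independent if c.get("offline") or c.get("immutable")]
    report = {
        "three_copies": len(independent) >= 3,
        "two_media": len(media) >= 2,
        "one_offsite": bool(offsite),
        "one_offline_or_immutable": bool(offline),
        "copies_counted": [c["name"] for c in independent],
        "not_counted": [c["name"] for c in copies if c.get("on_primary_system", False)],
        "media_seen": media,
        "offline_copies": offline,
    }
    return all(report[k] for k in RULE_KEYS), report

# Constructed inventories. The production copy itself counts as one of the three.
GOOD_INVENTORY = [
    {"name": "production volume", "medium": "disk"},
    {"name": "nightly Bacula disk backup", "medium": "disk"},
    {"name": "weekly LTO tape, unloaded and vaulted", "medium": "tape", "offsite": True, "offline": True},
    {"name": "object-locked cloud bucket", "medium": "cloud-object", "offsite": True, "immutable": True},
]

WEAK_INVENTORY = [
    {"name": "production volume", "medium": "disk"},
    {"name": "hourly storage snapshot", "medium": "disk", "on_primary_system": True},
    {"name": "nightly disk backup on the same SAN", "medium": "disk"},
]

if __name__ == "__main__":
    for label, inventory in (("good", GOOD_INVENTORY), ("weak", WEAK_INVENTORY)):
        compliant, report = check_3_2_1_1(inventory)
        failed = [k for k in RULE_KEYS if not report[k]]
        print(f"{label}: compliant={compliant} failed={failed} offline={report['offline_copies']}")
```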
6. Beware of using storage snapshots on backup storage
Storage snapshots are useful for recovering deleted files to a point in time, but they are not backups in the true sense. Storage snapshots tend to lack advanced retention management and reporting, and all the data is still stored on the same system, so it may be vulnerable to any attack that affects the primary data.
7. Ensure you can recover all systems from bare metal
Bare metal recovery is accomplished in many different ways. Many enterprises simply deploy a standard image, provision software, and then restore data and/or user preferences. Often all data is already stored remotely and the system itself is largely unimportant. In many other cases, however, this is not a practical approach, and the ability to completely restore a machine to a point in time is a critical function of the disaster recovery implementation. The ability to restore a ransomware-encrypted computer to a recent point in time, including any user data stored locally, may be a necessary part of a layered defense. The same approach can be applied to virtualized systems, although there are usually preferable options available at the hypervisor level.
Backup System Specific Tools as a Means of Additional Ransomware Protection
Complementing the measures above, it is possible, and advisable, to use the backup system's own tools as an additional means of protecting against attack. Here are five ransomware backup best practices to further protect a business against ransomware:
- Make sure that backups themselves are clean of ransomware and/or malware. Checking that your backup is not infected should be one of your highest priorities, since the entire usefulness of backup as a ransomware protection measure is negated if your backups are compromised. Perform regular system patching to close off vulnerabilities in the software, invest in malware detection tools and update them regularly, and take your media offline as quickly as possible after writing to it. In some cases, you might consider a WORM (Write Once Read Many) approach, a specific type of media that is only available for certain tape and optical disk types, as well as from a few cloud storage providers.
- Do not rely on cloud backups as the only backup storage type. While cloud storage has a number of advantages, it is not completely impervious to ransomware. While it is harder for an attacker to corrupt the data physically, it is still possible for attackers to gain access to your data, either through the shared infrastructure of the cloud storage as a whole or by connecting that cloud storage to an infected customer device. This is why it is highly recommended to always have an alternative backup strategy besides online backup, with a separate backup medium and destination in combination with the cloud, such as off-site tape.
- Review and test your existing recovery and backup plans. Your backup and recovery plan should be tested on a regular basis. Finding out that your recovery plan is not working as intended after a ransomware attack is clearly undesirable. Work through several different scenarios, and time-check some of your restoration-related results, such as time-to-recovery, and establish which parts of the system are prioritized by default. Remember, many businesses can measure in dollars-per-minute the cost of services being down.
- Clarify or update retention policies and develop backup schedules. A regular review of your ransomware backup strategies is strongly recommended. It may be that your data is not backed up often enough, or that your backup retention period is too short, leaving your system vulnerable to more advanced types of ransomware that target backup copies via time delays and other means of infection.
- Thoroughly audit all of your data storage locations. These should be audited to make sure that no data is lost and everything is backed up properly, possibly including end-user systems, cloud storage, applications and other system software.
How Ransomware Can Tamper With Your Backups
While it is true that backup and recovery systems can protect organizations against ransomware in most cases, they are not the only systems that keep progressing and evolving over the years: ransomware also becomes more unusual and sophisticated as time passes.
One of the more recent problems with this approach is that many ransomware variants have learned to target and attack not only a company's data but also that company's backups, and this is a significant problem for the entire industry. From this perspective, while backups can still protect your data against ransomware, you also have to protect the backups themselves from ransomware.
It is possible to identify some of the main angles typically used to tamper with your backups. We will go over each of them:
- Ransomware damage potential increases with longer recovery cycles
While not as obvious as other possibilities, the problem of long recovery cycles is still a rather big one in the industry, and it is mostly caused by outdated backup products that can only perform slow full backups. In these cases, recovery after a ransomware attack can take days or even weeks, which is a massive disaster for the majority of companies, as the cost of system downtime and halted production can quickly overshadow the initial ransomware damage estimates.
Two possible solutions here would be: a) to look for a solution that can restore a copy of your entire system as quickly as possible, and b) to look for a solution that offers mass restore as a feature, getting multiple VMs, databases and servers up and running again very quickly.
- Your insurance policy may also become your liability
As we have mentioned before, more and more ransomware variations appear that can target both your original data and your backups, or sometimes even try to infect and/or destroy your backed up data before moving to its source. There is no definitive way to counter that, other than to try and make it as hard as possible to eliminate all of your backup copies – a multi-layered defense, of sorts.
You should have at least one copy of the data in such a state that it can never be mounted by any external system (often referred to as an immutable backup copy), and implement various comprehensive security features, like the aforementioned WORM, as well as modern data isolation, data encryption, tamper detection and monitoring for abnormal data behaviour.
There are two measures here that we can go over in a bit more detail:
- Immutable backup copy. An immutable backup copy is one of the most important measures against ransomware attacks: it is a copy of your backup that cannot be altered in any way once you have created it. It exists solely to be your main source of data if you have been targeted by ransomware and need your information back as it was before. Immutable backups cannot be deleted, changed, overwritten or modified in any other way; they can only be copied to other destinations.
- Backup encryption. It is somewhat ironic that encryption is also one of the measures used to counter ransomware attacks, since a lot of ransomware uses encryption to hold your data to ransom. At its core, backup encryption is one more measure against ransomware: it encrypts your data within the backups so that ransomware cannot read or modify it in the first place, turning your structured data into a jumbled mess of symbols that cannot be changed back into its regular state without the encryption key.
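As an added example (not Bacula's own code) of the tamper detection mentioned above, the script below builds an HMAC-authenticated manifest of SHA-256 digests for the stored backup volumes and re-verifies it, reporting rewritten, deleted and added volumes and rejecting a manifest that was edited without the key. The key, file names and volume contents are constructed; the key is assumed to be held only on the verification host, never on the storage it protects.

```python
import hashlib
import hmac
import json
import os
import tempfile

def _digest(path):
    """SHA-256 of a file, read in 1 MiB chunks so large volumes are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root, key):
    """Hash every file under root; HMAC the sorted listing with a key assumed to live only on the verifier."""
    files = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            files[os.path.relpath(path, root)] = _digest(path)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_manifest(root, manifest, key):
    """Return a sorted list of problems; an empty list means every volume is intact."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return ["manifest: signature invalid, the manifest itself was altered"]
    current = build_manifest(root, key)["files"]
    problems = [f"{rel}: deleted" for rel in manifest["files"] if rel not in current]
    problems += [f"{rel}: contents changed" for rel, d in manifest["files"].items()
                 if rel in current and current[rel] != d]
    problems += [f"{rel}: unexpected new file" for rel in current if rel not in manifest["files"]]
    return sorted(problems)

def demo():
    """Constructed scenario: sign two volumes, then damage the storage and the manifest."""
    key = b"constructed-demo-key"
    root = tempfile.mkdtemp(prefix="backup-volumes-")
    for name in ("Full-0001.vol", "Incr-0002.vol"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"constructed backup volume " + name.encode())
    manifest = build_manifest(root, key)
    intact = verify_manifest(root, manifest, key)
    rewritten = os.path.join(root, "Full-0001.vol")
    with open(rewritten, "wb") as f:
        f.write(b"overwritten contents")            # volume rewritten in place
    os.remove(os.path.join(root, "Incr-0002.vol"))  # volume deleted
    damaged = verify_manifest(root, manifest, key)
    # Fixing up the stored digest without the key cannot produce a valid tag.
    forged = {"files": {**manifest["files"], "Full-0001.vol": _digest(rewritten)},
              "tag": manifest["tag"]}
    return intact, damaged, verify_manifest(root, forged, key)

if __name__ == "__main__":
    for result in demo():
        print(result or "all volumes intact")
```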
- Visibility issues of your data become an advantage for ransomware
By its nature, ransomware is at its most dangerous when it gets into a badly managed system, so-called "dark data". There it can do a lot of damage, including encrypting your data and/or selling it. This is a significant problem that requires cutting-edge technologies to detect and combat effectively.
While early detection of ransomware is possible with just a modern data management solution and a good backup system, detecting such threats in real time requires a combination of machine learning and artificial intelligence, so that you receive alerts about suspicious activity as it happens, making attack discovery that much faster.
- Data fragmentation is a massive vulnerability
Clearly, a lot of organisations deal with large amounts of data on a regular basis. However, the size is not as much of a problem as fragmentation: it is not uncommon for one company's data to be spread across multiple locations and a number of different storage types.
Each of these locations and backup types adds another potential avenue for ransomware to exploit, making the company's systems even harder to protect in the first place. In this case it is a good recommendation to have a data discovery solution working within your environment, which brings many benefits, one of which is better visibility of the entirety of your data, making it far easier to spot threats, unusual activity and potential vulnerabilities.
- User credentials can be used multiple times for ransomware attacks
User credentials have always been one of the biggest problems in this field, providing ransomware attackers with direct access to valuable data within your company, and not all companies can even detect the theft in the first place. The situation with user credentials became worse when, because of Covid, businesses were forced to switch largely to remote work around 2019, and this problem is still as present as ever.
According to Verizon's 2021 Data Breach Investigations Report, over 60% of data breaches in a year were performed using compromised credentials. Typically the only way to combat this kind of security gap is to invest in strict user access controls, including features such as multi-factor authentication, role-based access controls, constant monitoring, and so on.
For maximum protection of your backups against ransomware and similar threats, Bacula Systems' strong advice is that your organisation fully complies with the data backup and recovery best practices listed above. The methods and tools outlined in this blog post are used by Bacula Systems' customers on a regular basis. For companies without advanced-level data backup solutions, Bacula Systems urges a full review of the backup strategy and an evaluation of a modern backup and recovery solution.
Download Bacula’s white paper on ransomware protection.