Backups are an essential part of any ransomware disaster recovery plan. In the event that an organisation is hit with Ransomware, it can simply use its backups to recover the system without paying a penny to the bad guys.
There’s just one problem: backups are not immune to Ransomware. Increasingly advanced ransomware strains contain mechanisms designed to seek out and encrypt backups stored both locally and in the cloud. And if a company’s backups get encrypted or deleted, it may have no choice but to pay the ransom.
In this article, we’ll show you how Ransomware can affect a company’s backups and what you can do to try and keep your backups safe.
How does Ransomware encrypt backups?
There are many ways Ransomware can infect a system, including email attachments, malicious links, drive-by downloads, RDP attacks, MSP tools and other third-party software. Once it has infected an endpoint, it can potentially spread to any backups held on devices that are write-accessible via standard protocols, such as NAS devices, locally installed cloud services and USB-connected devices.
There are a few ways it can do this:
Spreading through the network
Many small business owners understand the value of backups, yet may not have the resources or expertise to create and maintain a fully-fledged continuity strategy. Instead, they may take an ad-hoc approach, which might involve manually copying critical files to an external hard drive, or automating regular backups to a network-connected file-server.
Local backups are important, but they are ineffective when used alone. Many ransomware variants are capable of spreading laterally to other computers on the network and mapped network drives. If the system gets infected, there’s a good chance the Ransomware will propagate across the network and encrypt the drive that holds the organisation’s backups.
Syncing to cloud storage
Cloud storage is a convenient way to store files, but it’s not an effective way of protecting backups – particularly when it comes to Ransomware.
Many cloud storage services such as Dropbox, OneDrive and Google Drive automatically synchronise local files with files stored in the cloud. If your business gets hit with Ransomware and the files on your network are encrypted, the files will also be encrypted or deleted in the cloud.
Some cloud storage service providers offer file versioning, which means they keep multiple versions of each file. If your company’s files are encrypted, you can simply roll the files back to a previous, unencrypted version. However, this feature is not supported by all cloud storage providers and may not be enabled by default.
It’s always worth enabling a read-only mode, sometimes referred to as WORM (Write Once Read Many), or keeping an immutable copy of your data. A synchronised cloud copy of your data is still online and therefore still exposed to Ransomware, so regularly creating an immutable copy that can’t be altered or deleted protects that copy from being corrupted.
Deleting System Restore points
System Restore, Windows’ built-in recovery tool, allows an administrator to reverse recent changes to the operating system and can be useful for rolling back drivers and system files to previous versions. Unfortunately, System Restore does not save copies of personal files, including documents, photos and videos, which means it can’t be used to reverse the encryption.
Even if System Restore could help restore personal files, many ransomware strains – including WannaCry, Cryptolocker and Locky – are designed to deliberately sniff out and delete volume shadow copies (the snapshots System Restore uses for recovery) using built-in command-line tools. Furthermore, the shadow copies are typically accessed via the operating system, which is itself now encrypted.
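Because shadow-copy deletion usually happens moments before encryption starts, it is one of the most valuable early warnings a defender can alert on. The following is an added example (not code from the original article) that scans Windows process-creation events for the built-in utilities being used to remove shadow copies or the backup catalogue. The event lines, the key=value export format and the field names (Host, User, Image, CommandLine) are constructed assumptions; a real deployment would read these fields from Security event 4688 or Sysmon event 1 instead.

```python
"""Flag process-creation events that look like shadow-copy or backup-catalogue deletion.

Added illustration, not from the original article. The sample events below are
constructed; the key=value export format and the field names are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample events resembling exported process-creation telemetry.
SAMPLE_EVENTS = [
    'Host=WS01 User=alice Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin list shadows"',
    'Host=WS01 User=alice Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"',
    'Host=FS02 User=SYSTEM Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic shadowcopy delete"',
    'Host=FS02 User=backupsvc Image=C:\\Windows\\System32\\wbadmin.exe CommandLine="wbadmin delete catalog -quiet"',
    'Host=WS03 User=bob Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe report.txt"',
]

# (rule name, regex on the lower-cased image path, regex on the lower-cased command line)
RULES = [
    ("vssadmin shadow deletion", r"vssadmin\.exe$", r"\bdelete\b.*\bshadows\b"),
    ("wmic shadowcopy deletion", r"wmic\.exe$", r"\bshadowcopy\b.*\bdelete\b"),
    ("wbadmin catalog deletion", r"wbadmin\.exe$", r"\bdelete\b.*\bcatalog\b"),
]

# key=value pairs; values may be double-quoted when they contain spaces
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Alert:
    host: str
    user: str
    rule: str
    command_line: str


def parse_event(line):
    """Turn one exported event line into a dict of its fields."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in FIELD_RE.findall(line)}


def detect(lines, allowed_users=()):
    """Return one Alert per event that matches a deletion rule.

    allowed_users lets you baseline a known backup service account that
    legitimately prunes old shadow copies, which is the main false-positive
    source for this kind of rule.
    """
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event.get("User") in allowed_users:
            continue
        image = event.get("Image", "").lower()
        cmd = event.get("CommandLine", "").lower()
        for name, image_pat, cmd_pat in RULES:
            if re.search(image_pat, image) and re.search(cmd_pat, cmd):
                alerts.append(Alert(event.get("Host", "?"), event.get("User", "?"), name, event.get("CommandLine", "")))
                break  # one alert per event is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.host} {alert.user}: {alert.command_line}")
```

Note that `vssadmin list shadows` is deliberately not flagged: only the destructive verbs match, so an administrator inspecting snapshots does not raise an alert. In practice, an alert of this kind from a workstation user account should be treated as a probable ransomware precursor and the host isolated while the backup copies described below are verified.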
Ransomware-proof your backups
A multi-layered approach is the best way to protect backups against Ransomware.
Local backups are fast, efficient and can be easily accessed whenever required. However, as mentioned above, local backups are vulnerable to Ransomware, which can potentially spread across the network.
While offsite storage solutions are generally slower and less convenient, they are more isolated from the company network and considered more reliable. Using a blend of local and offsite backups provides the best of both worlds.
With this in mind, the easiest way to ransomware-proof backups is to apply the 3-2-1 rule, which stipulates that a business should:
Keep at least three copies of production data (one being the live copy)
Store the copies on at least two different types of storage media (or separate devices)
Store at least one copy offsite (and offline)
Making one of your copies an offline copy can be done using an ‘air gap’, physical or electronic, whereby the copy is connected only for a limited time, minimising the window in which it could be attacked.
Consider making the copy an immutable one, where it cannot be deleted or modified by anyone until it is no longer worth retaining; only then is it made read/write so the backup application can delete it to reclaim space.
Remember to always use unique logins and passwords for all backup systems (and everything else, for that matter!), or better still a Privileged Access Management (PAM) solution, which acts as a gatekeeper for credentials.
Keep at least three copies
The more backups a business has, the less risk there is of losing data. Companies should aim to maintain at least three copies of their data. Should one copy be lost due to Ransomware, theft, technical error or natural disaster, business leaders can rest assured that there will be other copies to fall back on.
Store at least two copies on different devices
All devices fail sooner or later. Diversifying storage media minimises the risk of backups failing at the same time. When storing backups locally, use at least two different types of storage media, such as a local drive, file server, NAS device or tape drive.
Store at least one copy offsite
For maximum protection, at least one copy of the backups should be completely isolated from the network and preferably stored offline, where it will be safe from Ransomware.
Another factor in recovering data is the number of retention points kept within the backup sets, because Ransomware can remain dormant within production files. Going back days or weeks may be required to obtain ‘clean’ backup sets to restore from. There are guidelines for retention periods, but even so, additional resources are sometimes required to determine that backup data is free from malware or ransomware.
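The 3-2-1 rule, the air gap / immutability advice and the retention-point caveat above can be checked mechanically against an inventory of backup copies. Below is an added example (not code from the original article) that does exactly that: it records each copy's medium, location, online/immutable status and retention depth, then reports which parts of the rule the inventory fails and which copies remain exposed to the same ransomware that would hit production. The inventory format, the field names, the two sample inventories and the default of 14 retention points are assumptions constructed for the illustration.

```python
"""Check a backup inventory against the 3-2-1 rule plus the offline/immutable
and retention-depth advice.

Added example, not from the original article. Inventory fields, sample copies
and the 14-point retention default are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str            # e.g. "local-disk", "nas", "tape", "cloud-backup", "cloud-sync"
    offsite: bool          # stored away from the production site
    online: bool           # reachable over the network from production systems
    immutable: bool        # WORM / object-lock style copy that cannot be altered or deleted
    retention_points: int  # number of restore points the copy keeps
    is_live: bool = False  # the production data itself (counts as one of the three copies)


def evaluate_321(copies, min_retention_points=14):
    """Return a list of rule failures; an empty list means the inventory passes."""
    failures = []
    # 3: at least three copies, the live one included
    if len(copies) < 3:
        failures.append(f"only {len(copies)} copies; the rule requires at least 3 (including the live copy)")
    # 2: at least two different media types / separate devices
    media = sorted({c.medium for c in copies})
    if len(media) < 2:
        failures.append(f"all copies sit on one medium ({', '.join(media)}); use at least 2")
    # 1: at least one copy offsite
    if not any(c.offsite for c in copies):
        failures.append("no offsite copy")
    # ... and at least one copy that ransomware on the production network cannot reach or alter
    if not any((not c.online) or c.immutable for c in copies):
        failures.append("no offline or immutable copy; every copy is reachable and writable from production")
    # enough history to roll back past a dormant infection
    if not any(c.retention_points >= min_retention_points for c in copies):
        failures.append(f"no copy keeps {min_retention_points}+ restore points for a clean rollback")
    return failures


def exposed_copies(copies):
    """Names of backup copies that are online and mutable, i.e. encryptable along with production."""
    return [c.name for c in copies if not c.is_live and c.online and not c.immutable]


# Constructed sample inventories.
WEAK = [  # the ad-hoc setup described earlier: NAS share plus a sync client
    BackupCopy("file server", "local-disk", offsite=False, online=True, immutable=False, retention_points=0, is_live=True),
    BackupCopy("NAS nightly", "nas", offsite=False, online=True, immutable=False, retention_points=7),
    BackupCopy("Dropbox sync", "cloud-sync", offsite=True, online=True, immutable=False, retention_points=1),
]
GOOD = [  # local copy for fast restores, immutable cloud backup, air-gapped tape
    BackupCopy("file server", "local-disk", offsite=False, online=True, immutable=False, retention_points=0, is_live=True),
    BackupCopy("NAS nightly", "nas", offsite=False, online=True, immutable=False, retention_points=14),
    BackupCopy("cloud backup (object lock)", "cloud-backup", offsite=True, online=True, immutable=True, retention_points=30),
    BackupCopy("weekly tape", "tape", offsite=True, online=False, immutable=True, retention_points=8),
]

if __name__ == "__main__":
    for label, inventory in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(f"{label}: failures={evaluate_321(inventory)} exposed={exposed_copies(inventory)}")
```

The weak inventory looks like 3-2-1 on paper (three copies, three media, one offsite) but fails because every copy is online and writable and none keeps enough history; the sync client in particular would mirror encrypted files within minutes. The good inventory passes, yet the NAS copy is still reported as exposed, which is the expected trade-off: it exists for speed, and the immutable cloud copy and the offline tape are what the business actually recovers from.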
There are a few different options for storing company backups offsite. Tape backup systems might seem like a somewhat outdated solution, but they remain a popular option thanks to their cost-effectiveness, scalability and archival stability. Tape backup systems are usually not connected to any network and therefore cannot be reached by Ransomware.
Cloud backup services offer a more modern solution for creating and maintaining offsite backups. Cloud backup servers are housed in secure, purpose-built facilities that usually include environmental controls, backup power supplies, fire suppression systems and more. If Ransomware or a natural disaster wipes out your company’s local backups, you can use cloud backups to get back up and running.
Cloud storage vs cloud backups
It’s important to note that cloud storage services and cloud backup services are not the same things. Cloud storage services are designed to do just that – store files. They may not offer file versioning, which leaves backups vulnerable to Ransomware, and they usually don’t allow you to retain your file system structure, which means if you ever need to recover your system, you’ll have to organise all your data by hand.
Cloud backup services, on the other hand, are made with disaster recovery and business continuity in mind. They allow you to retain your file system structure and usually include useful features such as file versioning, status reports, scheduling options and better encryption methods for transferring data. When it comes to ransomware-proofing your backups, cloud backup services are the superior option.
Access management
Regardless of the storage media your company chooses to use, it’s important to restrict access to only those with a legitimate business need. This involves being very selective about who has the login credentials for file servers and backup services, as well as limiting physical access to onsite backups via secure storage and access management. Limiting access to backups helps reduce the attack surface for Ransomware and minimises the chances of sensitive company information falling into the wrong hands.
Mitigating the effects of Ransomware
A robust backup strategy is a critical ingredient for mitigating the effects of Ransomware.
However, as with any data, backups can also be affected by Ransomware. Using a combination of local and offsite backups will help reduce the risk of Ransomware affecting your company’s backups and put your business in a stronger position to minimise downtime in the event of an infection.
Contact us to discover more.