Ransomware is no longer just about locking files to extort payment. It’s increasingly part of a two-pronged attack where the first stage is to compromise or destroy backup data and the second stage is to encrypt systems. Without backups to restore from, some organizations find they have no other choice than to pay the ransom in order to recover their data. Are attackers gaining the upper hand?
At Datto, we first observed this new phenomenon around 2018. Suddenly, clients were reporting attempted attacks on their backups. Attackers would enter an organization’s network, proactively search for a connected backup appliance, then try to break into it using stolen credentials.
These attacks were not sophisticated, but they served a clear purpose. More businesses had implemented solid backup strategies to protect themselves from ransomware, and this was impacting the return on investment for cyber-criminals. Because organizations had backups that allowed them to restore systems fast, attacks were a lot less successful and fewer victims were paying the demanded ransom. So, threat actors pivoted to attacking backups instead, fully deleting the backup data first, then immediately launching a ransomware attack.
Three years on, we see this tactic being used more frequently and on a larger scale. In November 2020, it was reported that electronics giant Foxconn had been hit by a ransomware attack that involved the encryption of around 1200 servers. The threat actors claimed to have stolen 100 GB of unencrypted files and deleted 20-30 TB of backups.
The record-breaking $50m ransom demand made on Acer earlier this month only underlines how attackers are becoming bolder. With ransomware predicted to grow further, now is the time to not only revisit your organization’s business continuity and disaster recovery (BCDR) strategy, but also to make sure the backups themselves are safe from attack.
The most important step is to entirely separate access to backup systems from the rest of your infrastructure. Backup software, by its nature, needs a high level of access to files, systems, virtual machines, databases and other parts of the environment. That creates an additional risk: an attacker who steals a backup administrator's credentials can use them as a backdoor into other systems and data. Some backup products also keep a configuration database holding the credentials they use to connect to the systems they protect; if that database is compromised, the attacker gains access to every protected system on your network.
So, your first priority is to minimize the risk of anyone breaking into your backup systems, on-premises and in the cloud. Two-factor authentication should be mandatory not only for access to the backup administration portal, but for any action that can manipulate or delete backup data.
Make sure the backup appliance cannot be reached over a plain LAN connection; its management interface should be reachable only from a segregated management network. For remote access, use key-based SSH authentication and disable password logins. If you administer backups through a remote monitoring and management (RMM) tool, that tool is itself a point of attack, so harden it too. Keep the appliance and your cloud backups separate, with independent authentication for each, and never save admin credentials in your browser's password store.
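A quick way to check the "key-based SSH only" advice on an appliance that exposes an OpenSSH service is to audit its sshd_config. The script below is an added example, not Datto code or part of any product: it parses the config the way sshd does (first occurrence of a keyword wins, settings after a `Match` line are conditional), applies OpenSSH's documented defaults for keywords the file omits, and reports every setting that still allows password or root logins. The three sample configurations are constructed for the demonstration.

```python
"""Audit an OpenSSH sshd_config for settings that weaken remote access to a
backup appliance. Added example, not vendor code; sample configs constructed."""
import re

# What a hardened appliance should have: public keys only, no passwords,
# no keyboard-interactive fallback, no root login. Keywords are compared
# case-insensitively, as sshd does.
REQUIRED = {
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
}

# Values OpenSSH (7.0+) applies when the keyword is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def audit_sshd_config(text):
    """Return findings as (keyword, effective_value, required_value, scope).

    scope is "global" for the top-level configuration (first occurrence of a
    keyword wins, defaults fill gaps) or "match" for a weak value inside a
    Match block, which re-enables the setting for whatever the block matches.
    An empty list means the file satisfies REQUIRED.
    """
    settings = {}
    findings = []
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "challengeresponseauthentication":     # deprecated alias
            key = "kbdinteractiveauthentication"
        if key == "match":
            in_match = True
            continue
        if in_match:
            if key in REQUIRED and value != REQUIRED[key]:
                findings.append((key, value, REQUIRED[key], "match"))
            continue
        settings.setdefault(key, value)                   # first occurrence wins
    for key, want in REQUIRED.items():
        have = settings.get(key, DEFAULTS[key])
        if have != want:
            findings.append((key, have, want, "global"))
    return findings


# Constructed sample: an appliance as shipped, passwords and root allowed.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: key-based access for one admin account only.
HARDENED_CONFIG = """
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
AllowUsers backupadmin
"""

# Constructed sample: hardened globally, but a Match block quietly brings
# password logins back for the office network.
OVERRIDE_CONFIG = HARDENED_CONFIG + """
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("override", OVERRIDE_CONFIG)]:
        print(name, audit_sshd_config(cfg) or "OK")
```

Run it against `/etc/ssh/sshd_config` on the appliance (or on the jump host you administer it from); the Match-block check matters because a global `PasswordAuthentication no` is easy to undo for a "trusted" subnet, which is exactly the network an attacker with stolen credentials is already standing on.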
Secondly, remember that backup files are easy targets simply because attackers can find them by their file extensions, such as .bak. To keep them safe, store backups read-only, so that they are written once and not modified afterwards. If you encrypt them, follow best practice and keep the encryption key on a separate, physically secured device; a key stored beside the backups protects nothing. To ensure backups have not been corrupted or tampered with, scan them proactively for ransomware and verify their integrity.
Hold multiple copies of backups in different, secure locations, preferably geographically dispersed from both the primary data and the other backups, and drastically limit any ability to modify the data or its storage. Think 'the more copies the better': modern backup solutions can keep numerous point-in-time recovery points and replicate backups to immutable cloud storage. An additional safety net against both deliberate and accidental deletion is an 'undelete' window, a retention period during which deleted backup data can still be recovered.
When testing backups, which needs to happen regularly, fully test their ability to restore. Know how to perform a bare-metal restore as you would in a real disaster. Confirm that network connectivity can be re-established, that Active Directory works correctly and that applications can communicate with each other, and document every step carefully.
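The "read-only" and "not corrupted" points above can be made checkable. The script below is an added example, not Datto's code or part of any backup product: it takes a SHA-256 manifest of a backup directory (to be stored off the appliance, alongside the encryption key), clears the write bits on the files, and later compares the directory against the manifest, reporting files that were modified, deleted, added or left writable. The `demo()` function builds a constructed backup set in a temporary directory and simulates an attacker encrypting one file, deleting another and dropping a ransom note. It also shows the limit of the read-only bit: a file whose owner can `chmod` it back, or whose parent directory is writable, can still be overwritten or unlinked, which is why the article also insists on immutable off-site copies.

```python
"""Tamper evidence for a backup set: SHA-256 manifest plus read-only check.
Added example, not vendor code. Sample backup files are constructed."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large images do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(backup_dir):
    """Map each regular file (path relative to backup_dir) to its digest."""
    root = Path(backup_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_read_only(backup_dir):
    """Clear every write bit. This stops accidental overwrites and unprivileged
    processes; it is not immutability, because the owner or root can set the
    bit back, and a writable directory still allows unlink."""
    for p in Path(backup_dir).rglob("*"):
        if p.is_file():
            mode = stat.S_IMODE(os.stat(p).st_mode)
            os.chmod(p, mode & ~WRITE_BITS)


def verify_backups(backup_dir, manifest):
    """Compare the directory with a manifest kept elsewhere. Returns lists of
    modified, missing, unexpected and writable files; all empty means intact."""
    root = Path(backup_dir)
    current = build_manifest(root)
    report = {"modified": [], "missing": [], "unexpected": [], "writable": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))
    for rel in current:
        if os.stat(root / rel).st_mode & WRITE_BITS:
            report["writable"].append(rel)
    return report


def is_intact(report):
    return not any(report.values())


def demo():
    """Constructed scenario. Returns (report_before_attack, report_after_attack)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "vm").mkdir()
        (root / "db-monday.bak").write_bytes(b"constructed SQL dump, Monday")
        (root / "db-tuesday.bak").write_bytes(b"constructed SQL dump, Tuesday")
        (root / "vm" / "fileserver.vhdx").write_bytes(b"constructed disk image")

        # The manifest is small: serialize it and keep the copy off the appliance.
        manifest_offsite = json.dumps(build_manifest(root))
        make_read_only(root)
        before = verify_backups(root, json.loads(manifest_offsite))

        # Simulated ransomware running as the file owner: flip the write bit
        # back and overwrite one backup, unlink another, leave a note.
        victim = root / "db-monday.bak"
        os.chmod(victim, 0o600)
        victim.write_bytes(b"\x00\xff ciphertext")
        (root / "vm" / "fileserver.vhdx").unlink()
        (root / "README_DECRYPT.txt").write_text("pay us")
        after = verify_backups(root, json.loads(manifest_offsite))
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before attack intact:", is_intact(before))
    print("after attack:", json.dumps(after, indent=2))
```

The manifest only has value if the attacker cannot rewrite it along with the backups, so it belongs with the other material the text says to keep separate: the encryption key and the immutable off-site copy. Run the verification from a schedule on a host the backup administrator account cannot log in to, and treat any non-empty report as an incident, not a glitch.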
Being properly prepared is key when a cyber-attack hits. Backups really are your last line of defence. Attackers know this, and are increasingly looking for vulnerabilities in backup software, backup files and the systems on which backup data is stored. Act now and take the necessary steps to ensure they are safe, uncorrupted and readily available for instant recovery.