Ransomware attacks have been on the rise in recent years, infecting computer systems and encrypting files until a ransom is paid. While backups provide an important way to recover data in the event of ransomware, they are not always immune to infection. Understanding the risks to backups and implementing proper protections is key to maintaining recovery options.
What is ransomware and how does it infect systems?
Ransomware is a type of malicious software that encrypts files on a computer system until a ransom payment is made. Once installed, ransomware will systematically encrypt files using encryption algorithms that make targeted files inaccessible. Encrypted files may have extensions appended such as “.encrypted” or “.locky.”
Ransomware is most often installed through:
- Phishing emails containing infected attachments or links
- Compromised websites that download malware onto visitors’ systems
- Drive-by downloads that install malware from malicious ads or compromised sites
- Remote desktop connections that are accessible to attackers
Modern ransomware strains are highly effective at propagating across networks to connect to and infect as many systems as possible. Worm-like functionalities allow ransomware to self-replicate and spread to storage systems, applications, and backups.
How are backups impacted by ransomware?
Many ransomware variants target backups and storage in addition to primary data stores. This increases the likelihood victims will pay ransoms to regain access to business-critical data. Backups may be infected in a few key ways:
- Connected backups: Backups maintained on continuously connected servers or devices are visible to ransomware as part of the wider network. Unless specifically protected, these backup stores are likely to be encrypted.
- Mapped network drives: Backup destinations may be mapped as network drives. Ransomware enumerates available network shares which may expose connected backup drives.
- Backup software: Some ransomware targets installed backup software, disabling reporting capabilities or making incremental backups unusable.
- Offline backups: Offline or disconnected backups like external drives may become infected if reconnected during the ransomware attack window.
What backup vulnerabilities lead to encryption?
Certain backup methodologies and practices introduce vulnerabilities that may allow ransomware to infiltrate backup systems:
- Always-on backups: Backups that continuously mirror primary storage provide easy access for ransomware to encrypt live data and backups in tandem.
- Accessible storage targets: Backups stored on continuously accessible network shares, storage area networks (SANs), or network-attached storage (NAS) remain visible to ransomware unless access controls are applied.
- Shared credentials: Shared service accounts, default credentials, or easily guessed passwords enable ransomware to access and propagate through storage systems.
- Unprotected backup catalogs: Metadata or catalogs of backup contents that are left unprotected may be modified or deleted, rendering backups useless.
Are cloud backups safe from ransomware?
Cloud backups that are implemented properly can provide protection against ransomware encryption. Benefits that help safeguard cloud backups include:
- Storage infrastructure is isolated from the corporate network
- Backups use separate credentials from the production environment
- Data transmission is encrypted
- Backups are pulled from production on a schedule, not constantly mirrored
- Historical backups are immutable as previous recovery points are maintained
- Access controls prevent unauthorized deletion or modification of backups
However, cloud backups may still be vulnerable if they are incorrectly configured or rely on integrations with on-premises infrastructure. Caution should be taken if cloud backups:
- Use the same service accounts utilized within the production network
- Have credentials stored on-premises where they could be accessible if compromised
- Are mounted as mapped drives to on-premises systems
- Have backup catalogs stored within the production environment
- Lack controls around deletion or modification of backups
Best practices for securing backups from ransomware
A multi-layer defensive strategy is key to protecting backups from ransomware exposure. Best practices include:
- Isolated backups: Maintain air-gapped, offline, and immutable backups that ransomware cannot reach.
- Access controls: Enforce strict permissions for backup credentials, storage targets, catalogs, and deletion capabilities.
- Segmentation: Architect network zones and tiers to prevent backup systems from being accessed from production layers.
- Authentication: Require multi-factor authentication for access to backup consoles and recovery functions.
- Encryption: Encrypt backups at rest and in transit to prevent contents from being viewed if accessed.
- Immutable storage: Leverage immutable backups and object lock for storage to prevent deletion or modification.
- Backup validation: Perform regularly tests to validate the integrity of backups and the recovery process.
Should you pay the ransom for encrypted backups?
If backups become encrypted by ransomware, victims face the dilemma of whether or not to pay the ransom. There are risks to consider in paying ransoms:
- There is no guarantee encrypted data will be recovered, as decryption relies on the attackers providing a working key. Ransomware gangs do not always follow through after payments.
- Paying ransoms funds criminal organizations and incentivizes further attacks.
- If you are seen to pay, this may mark your organization as one willing to pay in the future.
- Financial, reputational and legal risks arise from paying ransoms.
That said, gaining back access to encrypted backups may allow business operations to restart faster. Factors to consider include:
- The criticality of the encrypted data – is it absolutely required for continued operations?
- Are uncompromised backup copies available allowing restoration without paying ransom?
- Can encryption be broken through other means like brute forcing keys?
- Is the ransom amount low enough to be an acceptable loss compared to outage costs?
If paying the ransom is the only viable path to data recovery, consult legal counsel, cybersecurity professionals, and law enforcement first.
Steps to recover from encrypted backups
If backups become encrypted and inaccessible, recovery steps include:
- Isolate infected systems to contain and prevent ransomware from spreading further.
- Evaluate the scope of encryption across primary data and backups to understand exposure.
- Check for any unaffected backup copies that ransomware did not access.
- Assess options to decrypt backup data through keys or brute forcing.
- Determine if paying ransom is an acceptable option for data recovery.
- Wipe and restore encrypted systems from last known good backup versions after eradicating malware.
- Strengthen protections for backups and storage systems to prevent reinfection.
- Confirm restored data integrity through comparison checks against originals.
While this process is involved, methodical assessment and restoration can recover critical systems and data after ransomware strikes backups.
How can backups be better protected?
Preventing ransomware from compromising backups requires an ongoing strategy to identify and mitigate vulnerabilities. Protecting backups includes:
- Constantly inventorying connected systems and backups to map out potential ransomware pathways.
- Penetration testing backup systems to locate risks ransomware could exploit.
- Monitoring backup access attempts, service accounts, and permissions for anomalies.
- Securing and tightly controlling backup credentials and storage access.
- Enabling immutable storage and object locks to prevent data deletion or modification.
- Ensuring air-gapped offline backups remain fully isolated from networks.
Ongoing vigilance is required to ensure ransomware does not infiltrate existing vulnerabilities within the backup infrastructure.
The role of backup testing in ransomware prevention
Regular testing and validation of backups is a key control for maintaining ransomware protection. Test objectives should confirm:
- Backups are encrypting and capturing data completely and accurately.
- Backups are isolating from production systems as expected.
- Recovery from backups actually restores data properly when needed.
- Backup schedules are adhered to consistently.
- Authentication controls function properly by only allowing authorized access.
- Backup integrity checking identifies any tampering or malicious encryption.
Conducting periodic recovery tests validates that backups are intact, processes are effective, and systems can be restored reliably. Test results should be used to continue refining defenses against ransomware threats.
Using air-gapped backups to mitigate ransomware risks
Air-gapped backups that are physically isolated from networks provide the strongest protection against ransomware encryption attacks. Effective practices for air-gapped backups include:
- Storing backup media like tapes or external disks offline in secured, access-controlled facilities. This prevents backups from being accessed through online means.
- Ensuring offline media cannot be accidentally reconnected or mapped to live networks during normal operations.
- Only connecting backup media to isolated, air-gapped systems during recovery testing or actual restoration events.
- Transporting backup media to recovery systems manually while keeping it physically isolated.
- Following strict chain of custody protocols for offline media handling and management.
While air-gapped backups require more management overhead, they provide highly resilient recovery points unaffected by network-based ransomware attacks.
Should companies pay ransoms to recover backups?
It is normally recommended that ransom payment demands are not met, as this further enables cybercrime while providing no firm guarantee of data recovery. Paying ransoms also creates obligations to report payments under regulations like OFAC. However, in cases where backup data encryption leaves core business systems inoperable, companies may consider paying if all alternatives are exhausted. Factors to weigh in the decision include:
| Considerations for paying ransom | Considerations against paying |
|---|---|
|
|
Weighing these factors helps determine if paying ransom is reasonable for business continuity, or if restoration must proceed without paying attackers.
Leveraging immutable backups as a safeguard
Immutable backups that cannot be deleted or modified are effective at guarding against ransomware encryption attacks. Solutions that provide immutable backups do so through features like:
- Object lock: Locks objects in the backup store from being changed or deleted within a defined retention period.
- Non-erasable storage: Uses WORM (write once, read many) storage that prevents backup alterations.
- Non-rewritable media: Backs up to non-rewritable physical media like optical discs or tape that cannot be overwritten.
- Multi-versioning: Maintains fixed retention of recovery points so previous backup versions persist.
Seeking out backup products and media with immutable storage capabilities closes vulnerabilities where backups could be targeted. Coupled with strict access controls, this can reduce the risk of compromise.
Conclusion
Ransomware continues to threaten business data availability and resilience. While backups provide a critical defense, gaps in backup security, configuration, and testing can allow ransomware to infect these recovery datasets and significantly amplify disruption.
Organizations must assess their backup infrastructure for risks, close off possible ransomware entry points, and adopt technologies that can protect the immutability of backups. Dedicated isolation, encryption, access management, and offline retention of backups allows companies to rebuild after attacks without paying ransoms.
Proactive prevention measures combined with backup protections and testing gives companies the best ability to successfully restore operations in the aftermath of ransomware attacks.