Can encrypted backups be encrypted for ransomware?

Encrypted backups have become a standard security practice for protecting data against unauthorized access and data breaches. Encryption scrambles data using cryptographic algorithms and keys so that the information is indecipherable without the proper decryption key. Backups that use encryption can provide an extra layer of protection in case the live data gets corrupted, deleted, or encrypted by malware like ransomware.

Ransomware is a type of malware that encrypts files on a system and demands a ransom payment in order to decrypt them. Ransomware attacks have been rapidly increasing, costing businesses and individuals billions of dollars in ransom payments. Even with security measures in place, ransomware represents a serious threat capable of crippling operations and causing major financial and reputational damage.

This article will examine the intersection of encrypted backups and ransomware. While encryption provides a way to safeguard backup data, weaknesses still exist that ransomware can exploit. Understanding these vulnerabilities is crucial for having adequate protection against ransomware. Implementing best practices for key management, access controls, and testing recovery ensures encrypted backups provide maximum resilience against ransomware.

How Encrypted Backups Work

Encrypted backups utilize encryption algorithms to scramble data so that it cannot be read without the encryption key. When a user initiates a backup, the backup software will encrypt the files and data before transferring them to the backup destination (1).

Common encryption methods used for backups include AES-256, Blowfish, and Twofish. AES-256 is considered one of the strongest encryption algorithms available (2). The encryption key serves as the password to decrypt the backups. Without the proper encryption key, the backups remain securely scrambled and inaccessible.

Popular backup software platforms like Apple’s Time Machine, Microsoft Azure Backup, Acronis, and Veeam have built-in encryption options. Users can choose to enable encryption to add a critical layer of security to their backups. The encryption keys are stored separately from the backups and required to restore the data.

Overall, encryption converts readable data into scrambled code during the backup process. Backup software handles the encryption automatically, allowing users to protect their data securely.

How Ransomware Attacks

Ransomware typically infects systems through phishing emails, compromised websites, or infected software downloads. The malware then runs quietly in the background, searching for files and data to encrypt. Once it has encrypted enough critical files and backups, the ransomware alerts the user that their files are encrypted and demands a ransom payment in cryptocurrency to decrypt them.

There are a few common types of ransomware:

  • Locker ransomware locks users out of their devices or accounts.
  • Encrypting ransomware encrypts files and data.
  • Leaking ransomware exfiltrates data and threatens to publish it online if the ransom isn’t paid.
  • Ransomware-as-a-Service allows cybercriminals to purchase ransomware kits on the dark web.

Some of the most damaging ransomware strains include WannaCry, NotPetya, Cryptolocker, Ryuk, Conti, Black Basta, and others. These ransomware families encrypt hundreds of file types using strong encryption algorithms that can be nearly impossible to break without the decryption key.

Weaknesses of Encrypted Backups

While encrypted backups provide an important layer of protection against data loss and unauthorized access, they can still have vulnerabilities that could potentially allow ransomware to infect backups as well (RMAN Backup Encryption: Challenges and Risks). Some potential weaknesses include:

Hard-coded or weak passwords – If the encryption keys or passwords used to secure backups are hard-coded or easy to guess, this provides a pathway for attackers to decrypt backups (What are the advantages and disadvantages of encrypted versus non-encrypted time machine back ups?). Strong, randomly generated passwords should be used.

Flaws in encryption implementation – Bugs or backdoors in the encryption software itself could allow attackers to bypass encryption. Keeping encryption software up-to-date is critical (Should I Encrypt My Backups? Backup Encryption Guide).

Insecure storage of encryption keys – Encryption keys should be stored separately from encrypted backup data, such as in a password manager. Storing keys alongside backups risks exposure.

Limited encryption scope – Only encrypting certain backup files or directories could leave unencrypted backups accessible.

Outdated algorithms – Using obsolete encryption methods with known vulnerabilities allows attackers to crack encryption.

To minimize these risks, organizations should follow cybersecurity best practices around encryption key management, use multifactor authentication, test restoration of encrypted backups regularly, and keep encryption software updated.

Best Practices for Securing Backups

There are several best practices that can help properly secure backups from ransomware attacks:

  • Use strong, unique passwords for backup systems and do not reuse passwords. Long, complex, randomly generated passwords are ideal. [1]
  • Store backup passwords separately from backup systems in a secure password manager. Do not leave passwords written down.
  • Test restoring from backups regularly to ensure the backups are intact and can be decrypted. Make sure files come back readable.
  • Use an air-gapped backup that is physically disconnected and isolated from networks. This prevents ransomware from finding and infecting the backups.
  • Limit access to the backup systems so that minimal staff can reach the backups. Role-based access control is recommended.
  • Do not leave external drives constantly connected to the network. Only connect when backups run, then disconnect.

Following cybersecurity best practices for backup systems is crucial to prevent ransomware from infecting backups. Proper configuration and access restrictions help keep encrypted backups out of reach during a ransomware attack.

Misconceptions About Encrypted Backups

There are several common misconceptions that people have about the security of encrypted backups when it comes to ransomware attacks:

One misconception is that encrypted backups cannot be infected by ransomware. However, this is not true – ransomware is still able to encrypt backup files even if they are encrypted themselves (https://www.comparitech.com/net-admin/protect-backups-from-ransomware/). The encryption protects the contents of the backup, but does not stop the actual backup files from being encrypted by ransomware.

Another misconception is that disconnected or offline backups are automatically protected from ransomware. But some sophisticated ransomware strains are designed to search for and infect external drives and network shares, so offline backups may still be vulnerable (https://www.baculasystems.com/blog/ransomware-backup-strategy/).

Additionally, some believe that backups stored in the cloud are inherently safer from ransomware. But if the cloud backup solution is continuously connected, ransomware can still reach and encrypt those backup files. So cloud backups need additional safeguards as well.

The key point is that while encryption protects the contents of backups, additional layers of protection are still needed to secure backups from being infected by ransomware in the first place.
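As an added illustration of two points made above, that a scheduled test restore must confirm the backup still decrypts and that ransomware can still overwrite an encrypted backup file, here is a Go sketch (not code from this article or from any of the products it names) using AES-256-GCM, whose authentication tag makes an overwritten or re-encrypted file fail the test restore instead of restoring garbage. The function names, the key and the payload are constructed for the demo; the key is assumed to live in a separate vault, never beside the backup.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM returns an AES-256-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup seals a payload before it leaves the host. The key stays
// with the caller (e.g. in a password manager), never next to the output.
func EncryptBackup(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ct || tag
}

// VerifyRestore is the scheduled test restore: plaintext comes back only if
// the stored file still authenticates under the separately held key, so a
// copy that malware overwrote or re-encrypted fails loudly instead of
// restoring garbage. A wrong key or a truncated file fails the same way.
func VerifyRestore(key, stored []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(stored) < n+gcm.Overhead() {
		return nil, errors.New("backup truncated or replaced")
	}
	return gcm.Open(nil, stored[:n], stored[n:], nil)
}
```

Running VerifyRestore on every backup copy after each job, with the key fetched from the vault, turns "the backup exists" into "the backup still restores", which is the check that catches a silently re-encrypted file.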

Real World Examples

There have been several high-profile ransomware attacks in recent years that have impacted encrypted backups. For example, according to an article on the Macrium blog, the Ryuk ransomware attack targeted and encrypted network-attached backups at several organizations in 2019 (source). The article states “Because the backups were connected to the network, Ryuk was able to encrypt these too.”

Another real-world example cited in an article from Bacula Systems is the 2021 attack on Ireland’s national health service, the HSE. The Conti ransomware variant disrupted healthcare services by encrypting both production data and backups (source). This demonstrates that even encrypted backups can fall victim to ransomware if proper security precautions are not taken.

According to guidance from the US Cybersecurity and Infrastructure Security Agency, many organizations impacted by ransomware have faced issues restoring data from backups due to the backups also being encrypted (source). These real-world incidents underscore the importance of keeping backups isolated from networks and ensuring robust security controls are in place.

Additional Layers of Protection

While encrypted backups provide a baseline level of protection, additional layers can further secure backups against ransomware attacks. Some key strategies include:

Access controls – Restricting access to backups and storage devices prevents unauthorized changes. Role-based access and multi-factor authentication create additional barriers for malware. As SecureData notes, limiting administrative and root privileges also reduces exposure.

Offline storage – Storing backups on disconnected, offline media like external hard drives and tapes avoids access over the network. Air-gapped storage is immune to remote encryption attempts. As Bacula Systems recommends, rotating drives offline once backups complete enhances protection.

Immutable backups – Backup solutions like object storage using WORM (Write Once, Read Many) create immutable copies that cannot be encrypted or deleted by ransomware. Each backup is a read-only snapshot that can be recovered. Halcyon AI suggests combining versioning with object immutability for the strongest defense.
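The versioning-plus-immutability combination described above, as an added example that is not the article's or any vendor's code: a small Go model of a retention-locked, versioned object store (the type and method names are constructed, not a real object-storage API). A hostile overwrite becomes a new version rather than replacing the old one, deletion is refused inside the retention window, and recovery picks the last version written before the incident.

```go
package main

import (
	"errors"
	"time"
)

// Version is one stored copy; once written it is never modified in place.
type Version struct {
	Data        []byte
	Written     time.Time
	RetainUntil time.Time
}

// WormStore is a constructed model of a versioned, retention-locked object store
// (hypothetical type). Objects is caller-initialised; Now is injected for testing.
type WormStore struct {
	Retention time.Duration
	Now       func() time.Time
	Objects   map[string][]Version
}

// Put never overwrites: any write, hostile or not, becomes a new version; earlier versions are untouched.
func (s *WormStore) Put(key string, data []byte) int {
	t := s.Now()
	s.Objects[key] = append(s.Objects[key], Version{append([]byte(nil), data...), t, t.Add(s.Retention)})
	return len(s.Objects[key]) - 1
}

// Delete is refused while any version is inside its retention window, so a compromised account cannot purge history.
func (s *WormStore) Delete(key string) error {
	for _, v := range s.Objects[key] {
		if s.Now().Before(v.RetainUntil) {
			return errors.New("object under retention lock")
		}
	}
	delete(s.Objects, key)
	return nil
}

// Restore returns the newest version written at or before asOf: the last known-good copy from before the incident.
func (s *WormStore) Restore(key string, asOf time.Time) ([]byte, error) {
	vs := s.Objects[key]
	for i := len(vs) - 1; i >= 0; i-- {
		if !vs[i].Written.After(asOf) {
			return vs[i].Data, nil
		}
	}
	return nil, errors.New("no version at or before that time")
}
```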

Implementing complementary controls is what makes layered backup security possible. Offline copies combined with immutable versioning are where comprehensive data protection is heading.

The Future of Ransomware

Ransomware attacks will likely continue to evolve and become more sophisticated in the coming years. According to Trend Micro, ransomware developers are expected to begin targeting cloud environments more frequently, as many organizations have migrated data storage and operations to the cloud [1]. Attackers may also invest more in zero-day research to remove the need for access brokers and affiliates, making their attacks more self-sufficient.

As per a recent report by Security Intelligence, ransomware developers are expected to leverage advanced technologies like artificial intelligence and cryptography to make their malware increasingly evasive and damaging [2]. Attackers may also shift their targets and methods to stay under the radar, while expanding their extortion and pressure tactics.

According to Sapphire Networks, new strains of ransomware could emerge targeting lesser-protected industries like manufacturing, transportation, and retail [3]. Attackers are also expected to demand larger ransom amounts and turn to new forms of pressure when initial extortion fails.

In summary, the evolution of ransomware is an escalating arms race, and organizations must stay vigilant and proactively invest in security to defend against future threats.

Conclusion

After looking at how encrypted backups work and the risks they face from ransomware attacks, several key takeaways are clear:

Encrypted backups are not inherently immune to ransomware. While encryption protects backed-up data at rest, vulnerabilities in backup software, improper encryption key management, and flaws in backup processes can expose backups to compromise.

Properly securing backups is critical for protection against ransomware. Strong encryption keys, air-gapped offline backups, immutable backups, multi-factor access controls, and comprehensive cybersecurity training can help keep backups ransomware-free.

With ransomware continuing to evolve, no single solution provides perfect protection. Taking a defense-in-depth approach across people, processes and technology is essential to safeguard your most critical data from catastrophic loss.

By understanding the limitations of encrypted backups and implementing best practices, organizations can develop a resilient data protection strategy in the ongoing fight against ransomware.