Can ransomware affect backup?

Ransomware is malware that encrypts files on a device and demands a payment for the key needed to decrypt them; many current operations also steal data first and threaten to publish it. Ransomware attacks have become increasingly common in recent years, affecting businesses and individuals around the world. One key question for organizations is whether ransomware can affect backups of data, and if so, how backups can be properly protected.

Can ransomware encrypt backups?

Yes. Ransomware makes no distinction between production data and backups: any backup that the malware’s process can reach with write access, whether over a mapped drive, a mounted share or a backup agent’s credentials, can be encrypted. There are a few ways this happens:

  • Backups stored locally, or on mapped or mounted drives connected to the infected device, can be encrypted.
  • Network-attached storage devices with shares mapped as drives on the infected machine can have their backups encrypted.
  • Cloud-based backups can be encrypted if the ransomware reaches the cloud storage through a connected sync agent or mounted drive; a sync client will then upload the encrypted versions just as faithfully as it uploaded the originals.
  • Backups on external drives can be encrypted if the drives are connected to the infected machine at the time of the attack.

The key point is that the ransomware runs with the privileges of the compromised user or service account, so if that account can write to the storage location where backups are kept, the malware can encrypt those backup files and folders. Proper isolation and segmentation of backups is crucial to prevent this.
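As an added example (not part of the original article), the following Python script applies that test to a Linux host: it parses /proc/mounts and reports every writable mount that looks like a backup target, distinguishing network shares from locally attached disks. The sample mount table and the name patterns that mark a mount as a backup target are constructed assumptions; replace them with your own naming conventions.

```python
"""Report backup targets writable from this host.

Added example, not the article's own code. Parses /proc/mounts-style lines
(a constructed sample is included) and flags writable mounts whose source or
mount point looks like a backup location. The BACKUP_HINT patterns and the
NETWORK_FS list are assumptions for illustration; adapt them to your estate.
"""
import re
from dataclasses import dataclass

# Filesystem types that mean the data lives on another machine (assumed list).
NETWORK_FS = {"cifs", "smb3", "nfs", "nfs4", "fuse.sshfs", "ceph", "glusterfs"}
# Names that suggest a mount holds backups (assumption; adjust to your setup).
BACKUP_HINT = re.compile(r"backup|bkp|veeam|restic|borg", re.IGNORECASE)


@dataclass(frozen=True)
class Mount:
    source: str
    target: str
    fstype: str
    options: frozenset

    @property
    def writable(self) -> bool:
        # /proc/mounts always lists exactly one of "rw" or "ro" in the options.
        return "rw" in self.options

    @property
    def kind(self) -> str:
        return "network" if self.fstype in NETWORK_FS else "local"


def parse_proc_mounts(text: str) -> list:
    """Parse lines of the form: <source> <target> <fstype> <options> <dump> <pass>."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        # The kernel escapes spaces in paths as \040; undo that.
        source, target, fstype, opts = (p.replace("\\040", " ") for p in parts[:4])
        mounts.append(Mount(source, target, fstype, frozenset(opts.split(","))))
    return mounts


def exposed_backup_mounts(mounts) -> list:
    """Mounts a process on this host could encrypt: writable and backup-like.

    A read-only mount is skipped: without root, a process cannot remount it
    read-write, so ransomware running as the logged-in user cannot write to it.
    """
    return [
        m for m in mounts
        if m.writable and (BACKUP_HINT.search(m.source) or BACKUP_HINT.search(m.target))
    ]


def audit_host(path: str = "/proc/mounts") -> list:
    """Run the check against the live mount table; returns (target, kind) pairs."""
    with open(path, encoding="utf-8") as fh:
        return [(m.target, m.kind) for m in exposed_backup_mounts(parse_proc_mounts(fh.read()))]


# Constructed sample mount table (not captured from a real system).
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
//nas01/backups /mnt/backups cifs rw,relatime,vers=3.0,username=svc_backup 0 0
nas02:/export/backup-archive /mnt/archive nfs4 ro,relatime 0 0
/dev/sdb1 /media/usb\\040backup ext4 rw,nosuid,nodev 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
"""

if __name__ == "__main__":
    for m in exposed_backup_mounts(parse_proc_mounts(SAMPLE_MOUNTS)):
        print(f"{m.kind:8} {m.target} (from {m.source}, {m.fstype}, rw)")
```

In the sample, the CIFS share and the attached USB disk are reported; the NFS archive is mounted read-only and is not. On a Windows endpoint the same question is answered by enumerating mapped drive letters and UNC paths, with the same test: writable, and backup-like.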

How can backups be protected from ransomware?

There are several best practices that can help safeguard backups from encryption by ransomware:

  • Isolate backups: Keep backups on a separate network segment, on systems that production hosts cannot reach and that do not trust production credentials; the backup server should pull from clients rather than clients pushing to a share they can write to.
  • Use air-gapped backups: Keep recent copies offline and physically disconnected (“air-gapped”); ransomware cannot reach what is not connected. An offline drive is exposed again the moment it is plugged into an infected host, so rotate media and attach it only to known-clean systems.
  • Restrict backup access: Only the backup service and a small set of administrators should be able to read, write or delete backups, using dedicated accounts protected by MFA; ransomware operators routinely harvest domain administrator credentials and turn them against backup servers first.
  • Employ layered defenses: Use endpoint detection and response, network filtering and application control to stop ransomware before it runs and to block lateral movement toward backup infrastructure.
  • Test backup recovery: Verify backup integrity and rehearse restoration periodically to ensure recoverability.
  • Use immutable backups: Store copies in write-once storage (object lock or WORM retention) so they cannot be modified or deleted until a retention period expires, and make sure the retention itself cannot be shortened with the same credentials an attacker could steal.

Can ransomware delete backups?

In addition to encrypting backup files and folders, most ransomware families actively disable recovery by deleting backups and local restore points before encryption starts, so that the victim cannot recover without paying.

Cloud-hosted backups are not automatically safe. An operator who obtains the backup account’s credentials or API keys can delete cloud copies through the same interfaces the backup software uses, and a sync client will happily propagate a local deletion to the cloud. On Windows endpoints, most families also delete Volume Shadow Copies (for example with vssadmin delete shadows or wmic shadowcopy delete) and disable recovery settings with bcdedit, so that built-in restore points are useless.

To defend against deletion, ensure that neither ransomware nor an attacker holding stolen administrator credentials can reach backup directories, servers or storage devices; require separate credentials and MFA for deleting backups; and monitor for the commands used to destroy local recovery points, since they typically run minutes before encryption begins. Air-gapped and immutable copies provide the best defense.
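The monitoring just mentioned is straightforward to implement, as this added example shows (it is not code from the original article). The Python below runs a small rule set for shadow-copy and recovery-point destruction (MITRE ATT&CK T1490) over process-creation events of the shape a SIEM extracts from Sysmon Event ID 1 or Windows Security Event 4688, and rates each host by how many distinct techniques it saw. The events, field names and host names are constructed.

```python
"""Detect commands that destroy local recovery points (MITRE ATT&CK T1490).

Added example, not the article's own code. The rule set covers the commands
ransomware commonly runs before encryption; the events below are constructed
samples with assumed field names (ts, host, user, cmd).
"""
import re
from collections import defaultdict

# Each rule: (name, pattern over the normalized command line). Command lines are
# lowercased and whitespace-collapsed first, so the patterns can stay simple.
RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin resize shadowstorage",  # shrinking the store evicts old snapshots
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin delete catalog/backup",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b")),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no\b|bootstatuspolicy\s+ignoreallfailures\b)")),
    ("powershell shadow copy removal",
     re.compile(r"win32_shadowcopy.*(remove-wmiobject|remove-ciminstance|\.delete\(\))")),
]


def normalize(cmdline: str) -> str:
    """Lowercase, drop quotes and collapse whitespace so casing and spacing tricks do not evade the rules."""
    return " ".join(cmdline.replace('"', " ").replace("'", " ").split()).lower()


def detect(events) -> list:
    """Return one alert per (event, rule) match, preserving event order."""
    alerts = []
    for ev in events:
        cmd = normalize(ev["cmd"])
        for name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                               "rule": name, "cmd": ev["cmd"]})
    return alerts


def severity_by_host(alerts) -> dict:
    """One technique on a host is suspicious; two or more distinct ones almost
    always mean an operator is preparing to encrypt, so escalate to critical."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["host"]].add(a["rule"])
    return {host: ("critical" if len(rules) >= 2 else "medium") for host, rules in seen.items()}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:14:05Z", "host": "fs01", "user": "CORP\\svc_backup",
     "cmd": "vssadmin list shadows"},  # benign enumeration, must not alert
    {"ts": "2024-03-01T02:14:31Z", "host": "fs01", "user": "CORP\\jdoe",
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": "2024-03-01T02:14:33Z", "host": "fs01", "user": "CORP\\jdoe",
     "cmd": "cmd.exe /c wmic shadowcopy delete"},
    {"ts": "2024-03-01T02:15:02Z", "host": "fs01", "user": "CORP\\jdoe",
     "cmd": 'powershell.exe -nop -w hidden -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"ts": "2024-03-01T02:20:40Z", "host": "ws07", "user": "CORP\\jdoe",
     "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"ts": "2024-03-01T03:00:00Z", "host": "bk01", "user": "CORP\\svc_backup",
     "cmd": "wbadmin start backup -backupTarget:E: -include:C: -quiet"},  # scheduled job, benign
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["ts"]} {a["host"]:5} {a["user"]:16} {a["rule"]:32} {a["cmd"]}')
    print(severity_by_host(found))
```

The benign `vssadmin list shadows` and the scheduled `wbadmin start backup` produce no alerts, while the file server that ran three different destruction commands within a minute is rated critical. In production the normalization step matters as much as the rules: operators routinely insert quotes, extra spaces and mixed case to slip past naive string matching.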

Can immutable backups prevent ransomware encryption?

Immutable backups provide an important safeguard against both encryption and deletion: once a copy is written, it cannot be altered or removed until its retention period expires, regardless of whose credentials are used. This protects the backup files themselves from tampering.

Solutions such as object storage with immutable retention (for example S3 Object Lock in compliance mode), write-once storage arrays, and specialized immutable backup appliances can all provide this protection. Because the storage only accepts new versions, existing backups are safeguarded.

Immutability does not stop ransomware from encrypting production data, and a backup job that runs after the encryption will faithfully store an immutable copy of the encrypted files. The retention period therefore needs to be longer than the time an intrusion can go unnoticed, so that a clean point-in-time copy still exists when the attack is discovered.
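A worked version of that retention check, added here and not part of the original article: the Python below audits object metadata shaped like the relevant keys of boto3’s s3.head_object() response for S3 Object Lock, flagging versions with no lock, versions in governance mode (which any principal holding s3:BypassGovernanceRetention can still remove), and versions whose lock ended less than the required window after they were written. The sample objects, the 30-day window and the version identifiers are constructed assumptions.

```python
"""Audit S3 Object Lock retention on backup object versions.

Added example, not the article's own code. SAMPLE_OBJECTS is constructed to
look like the relevant keys of boto3's s3.head_object() response
(LastModified, ObjectLockMode, ObjectLockRetainUntilDate, VersionId); in
production you would fetch those per version. REQUIRED_RETENTION is an
assumption to size to your own estimate of attacker dwell time.
"""
from datetime import datetime, timedelta, timezone

# Assumption: every copy must stay immutable for at least this long after it is
# written, i.e. longer than an intrusion is likely to go unnoticed, plus restore time.
REQUIRED_RETENTION = timedelta(days=30)


def lock_args(now: datetime, retention: timedelta = REQUIRED_RETENTION) -> dict:
    """Keyword arguments for s3.put_object() that make the new version immutable.

    COMPLIANCE mode cannot be shortened or removed by any principal, including the
    account root, until the date passes. GOVERNANCE mode can be lifted by anyone
    holding s3:BypassGovernanceRetention, which a stolen admin credential usually has.
    """
    return {"ObjectLockMode": "COMPLIANCE", "ObjectLockRetainUntilDate": now + retention}


def audit_locks(objects: dict, retention: timedelta = REQUIRED_RETENTION) -> dict:
    """Return {key: [reasons]} for each version an attacker could still delete,
    or that was not locked for the full window when it was written."""
    findings = {}
    for key, meta in objects.items():
        reasons = []
        mode = meta.get("ObjectLockMode")
        until = meta.get("ObjectLockRetainUntilDate")
        if mode is None or until is None:
            reasons.append("no retention lock: deletable by anyone with s3:DeleteObjectVersion")
        else:
            if mode == "GOVERNANCE":
                reasons.append("GOVERNANCE mode: removable with s3:BypassGovernanceRetention")
            if until < meta["LastModified"] + retention:
                reasons.append(f"retention ends {until.date()}, less than {retention.days} days after write")
        if reasons:
            findings[key] = reasons
    return findings


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample (not real bucket contents).
SAMPLE_OBJECTS = {
    "daily/2024-02-29.tar.zst": {"VersionId": "ver-0001", "LastModified": _utc(2024, 2, 29),
                                 "ObjectLockMode": "COMPLIANCE",
                                 "ObjectLockRetainUntilDate": _utc(2024, 2, 29) + timedelta(days=45)},
    "daily/2024-02-28.tar.zst": {"VersionId": "ver-0002", "LastModified": _utc(2024, 2, 28),
                                 "ObjectLockMode": "COMPLIANCE",
                                 "ObjectLockRetainUntilDate": _utc(2024, 2, 28) + timedelta(days=10)},
    "daily/2024-02-27.tar.zst": {"VersionId": "ver-0003", "LastModified": _utc(2024, 2, 27),
                                 "ObjectLockMode": "GOVERNANCE",
                                 "ObjectLockRetainUntilDate": _utc(2024, 2, 27) + timedelta(days=60)},
    "daily/2024-02-26.tar.zst": {"VersionId": "ver-0004", "LastModified": _utc(2024, 2, 26)},
    # Lock already expired, but it lasted the full window when written: by design, not a finding.
    "monthly/2024-01-01.tar.zst": {"VersionId": "ver-0005", "LastModified": _utc(2024, 1, 1),
                                   "ObjectLockMode": "COMPLIANCE",
                                   "ObjectLockRetainUntilDate": _utc(2024, 1, 31)},
}

if __name__ == "__main__":
    for key, reasons in audit_locks(SAMPLE_OBJECTS).items():
        print(key)
        for r in reasons:
            print("   -", r)
    print("put_object extra args:", lock_args(datetime.now(timezone.utc)))
```

The audit walks object versions rather than current keys on purpose: on a versioned bucket a plain DeleteObject without a version ID only adds a delete marker, and the locked version underneath is what a restore would use. The expired monthly copy is deliberately not reported, because it was locked for the full window when written; if it should still be protected, the policy, not the audit, is what needs changing.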

How often should backups be tested to ensure recoverability?

Organizations should test backups on a regular schedule to verify recoverability from ransomware attacks. Testing backups helps confirm:

  • Backups are stored where production systems and production credentials cannot reach them.
  • Recovery processes function correctly.
  • Backup copies are free from corruption and readable.
  • The right data is being backed up and data recovery meets SLAs.

Quarterly tests are a reasonable starting point; high-risk environments may warrant monthly or even bi-weekly testing. Restoring into an isolated, non-production environment exercises the full recovery path, including how long it actually takes, without business impact, and it is the only way to find out that a backup silently captured already-encrypted files.
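The following Python, added as an example and not taken from the original article, automates two of those checks: it records SHA-256 digests in a manifest when a backup is taken and compares a restored tree against it, and it flags restored files whose content is near-random and not a known compressed format, which is what ransomware output looks like when a backup job ran after encryption. The demo builds a constructed sample tree in a temporary directory; the entropy threshold and the list of compressed-format magic numbers are assumptions.

```python
"""Verify a restore against a manifest and flag files that look already encrypted.

Added example, not the article's own code. build_manifest() records SHA-256
digests at backup time; verify_restore() compares a restored tree against it;
suspicious_files() flags high-entropy files that are not a recognized
compressed format. demo() builds a constructed sample tree in a temporary
directory. ENTROPY_THRESHOLD and COMPRESSED_MAGIC are assumptions.
"""
import hashlib
import math
import random
import shutil
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits per byte; text sits around 4-5, random or encrypted data near 8
SAMPLE_BYTES = 64 * 1024
# Formats that are high-entropy by design; skipped to cut false positives (assumed list).
COMPRESSED_MAGIC = (b"\x1f\x8b", b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff",
                    b"\x28\xb5\x2f\xfd", b"7z\xbc\xaf", b"%PDF")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _files(root: Path):
    """Yield (relative posix path, Path) for every regular file under root."""
    for p in sorted(root.rglob("*")):
        if p.is_file():
            yield p.relative_to(root).as_posix(), p


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256, computed at backup time and stored with the backup
    (ideally on the immutable store, so an attacker cannot rewrite it to match)."""
    return {rel: sha256_file(p) for rel, p in _files(root)}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree with the manifest; returns sorted lists per outcome."""
    found = dict(_files(restored))
    result = {"ok": [], "mismatched": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in found:
            result["missing"].append(rel)
        elif sha256_file(found[rel]) != digest:
            result["mismatched"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = [rel for rel in found if rel not in manifest]
    return {k: sorted(v) for k, v in result.items()}


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_files(root: Path, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Files whose leading bytes are near-random and not a known compressed format."""
    flagged = []
    for rel, p in _files(root):
        head = p.read_bytes()[:SAMPLE_BYTES]
        if head.startswith(COMPRESSED_MAGIC):
            continue
        if shannon_entropy(head) >= threshold:
            flagged.append(rel)
    return flagged


def demo() -> dict:
    """Constructed scenario: one file restored truncated, one encrypted file captured."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "prod"), Path(tmp, "restored")
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("2024-02-01,invoice,1250.00\n" * 200)
        (src / "readme.txt").write_text("quarterly report notes\n" * 50)
        manifest = build_manifest(src)

        shutil.copytree(src, dst)
        (dst / "readme.txt").write_text("quarterly")  # a restore that silently truncated a file
        rng = random.Random(20240301)  # seeded stand-in for ciphertext, so the demo is repeatable
        (dst / "finance" / "ledger.csv.locked").write_bytes(rng.randbytes(4096))
        return {"verify": verify_restore(manifest, dst), "suspicious": suspicious_files(dst)}


if __name__ == "__main__":
    for section, value in demo().items():
        print(section, value)
```

Running the demo reports the truncated file as mismatched, the extra `.locked` file as unexpected and also as suspicious. The entropy test is a heuristic: compressed or legitimately encrypted files score high too, which is why the magic-number skip exists and why a flagged file is a prompt to look, not proof on its own.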

What are the best practices for mitigating ransomware risk?

A multi-layer defensive strategy focused on prevention, detection, and recovery is key to mitigating overall ransomware risk. Best practices include:

  • User security training – Train staff to recognize phishing attempts, use strong passwords, and avoid high-risk sites.
  • Email security – Filter attachments, block dangerous file types, and monitor links/web traffic patterns.
  • Vulnerability management – Patch and update systems promptly to eliminate security gaps.
  • Segmentation – Isolate and segregate systems to limit ransomware spread.
  • Antivirus/antimalware – Employ endpoint and network protections to block malicious code.
  • Access controls – Limit user and service account access to only essential systems.
  • Backups – Maintain regularly-tested isolated, immutable backups.

Taking a layered approach reduces the attack surface and enables early threat detection.

What are the main types of ransomware and how do they work?

There are a few major categories of ransomware, distinguished by technique or by business model:

  • Encrypting ransomware – Encrypts files, typically with a per-file or per-victim symmetric key (AES or ChaCha20) that is in turn encrypted with the attacker’s RSA public key, so nothing left on the victim’s machine can decrypt the files without the attacker’s private key.
  • Locker ransomware – Locks users out of the OS or of certain functions such as files and folders, without necessarily encrypting anything.
  • Doxware (double extortion) – Exfiltrates data and threatens to publish it unless the ransom is paid, usually in addition to encryption.
  • RaaS – Ransomware-as-a-Service is a distribution model rather than a technique: developers lease the malware and payment infrastructure to affiliates, who carry out the intrusions for a share of the ransom.

Encrypting ransomware such as Ryuk, REvil and Hive has been the most prevalent type. It gains a foothold through phishing, exploits or access purchased from botnet operators, then encrypts files once activated; payment is demanded in bitcoin or another cryptocurrency in exchange for the decryptor.

What options exist for recovering encrypted files without paying ransom?

There are some options that may work for recovering encrypted files without paying ransom, depending on the specific ransomware variant:

  • Backups – Restore files from unencrypted backups if available.
  • Decryption software – Antivirus vendors sometimes release decryption tools for common ransomware strains.
  • Decryption keys – If the malware is still running, its key material may sometimes be recovered from process memory, and some families have leaked keys to disk through implementation mistakes; rebooting or cleaning up destroys that chance.
  • Brute forcing – Feasible only when the key was generated weakly, for example from a small key space or a predictable random number generator; a correctly generated AES or RSA key cannot be brute-forced.

However, most current ransomware uses correctly implemented strong cryptography, and the key needed to decrypt exists only in the attacker’s hands, so direct decryption without it is infeasible. Restoring from backups is typically the most reliable method.

What steps should be taken first when ransomware is detected in a network?

The first response steps when detecting an active ransomware attack include:

  1. Isolate infected systems immediately to prevent spread: disconnect them from the network rather than powering them off, since memory may still hold encryption keys and evidence.
  2. Determine the variant of ransomware for analysis if possible; the ransom note and the extension appended to encrypted files are usually enough to identify the family.
  3. Check whether backups were reached or deleted, and determine backup recovery options.
  4. Take encrypted systems offline but do not wipe, reimage or delete anything; preserve disk images and logs for forensics.
  5. Notify leadership and activate incident response/DR plans.
  6. Contact law enforcement if appropriate.

Neutralizing the attack’s spread quickly is essential. Efforts to decrypt encrypted systems or pay ransom should only be considered after containing the incident.

Can paying ransom actually decrypt encrypted files? Are there risks?

In some cases paying does produce a working decryptor, because the criminals depend on a reputation for “honoring” payments. However, there are significant risks:

  • No guarantee files will be decrypted properly, if at all.
  • Cybercriminals may increase ransom demands after initial payment.
  • Payment encourages and funds further cybercrime activity.
  • Potential regulatory concerns depending on geography.

Some estimates indicate only around 65% of ransom payments result in file recovery. The FBI and most security experts do not recommend paying ransom.

What cyber insurance policies may help recover from a ransomware attack?

Several types of cyber insurance policies can provide coverage related to ransomware:

  • Cyber liability insurance – May cover costs of investigation, extortion payments, business interruption losses.
  • Technology errors & omissions – Can cover direct losses and liability to customers.
  • Crime/fidelity insurance – Covers financial loss due to cybercrime like ransomware.

However, policies vary greatly in the details of what ransomware-related claims are covered. Carefully assessing cyber insurance options as part of an overall risk management strategy is recommended.

What training can help employees be more aware of ransomware threats?

Some key ransomware security awareness training topics include:

  • Recognizing social engineering tactics like phishing.
  • Avoiding suspicious downloads, attachments, and links.
  • Securing credentials and using strong, unique passwords.
  • Identifying manipulation attempts and urgent demands for payment.
  • Reporting warning signs like system lockouts or encryption.

Combining general security awareness training with targeted ransomware education helps employees understand their role in prevention and mitigation. Simulated phishing and ransomware exercises can reinforce learning.

What are some of the common ways ransomware initially infects computer systems?

Initial ransomware infection often leverages:

  • Email phishing – Malicious attachments or links that download/deploy ransomware.
  • Malvertising – Malicious ads that direct to ransomware landing pages.
  • Drive-by downloads – Malicious scripts on compromised websites that install ransomware through browser or plugin vulnerabilities.
  • Remote desktop access – Brute forcing RDP then pushing ransomware across the network.
  • Software vulnerabilities – Exploiting unpatched apps, OSes, services to deploy ransomware.

Phishing remains one of the most common entry points, with exposed remote access services and unpatched internet-facing systems accounting for much of the rest, so user education needs to be paired with hardening of the perimeter.

What are some ransomware infection vectors beyond email phishing attacks?

Beyond phishing emails, other common ransomware infection vectors include:

  • Compromised Remote Desktop Protocol (RDP) access – Brute-forcing weak RDP passwords, or buying stolen credentials, then moving laterally across the network.
  • Malvertising – Malicious ads leading to ransomware landing pages that trigger downloads.
  • Software supply chain attacks – Compromising a vendor’s software, its update channel, or a managed service provider’s remote management tooling so that ransomware is pushed to many customers at once.
  • Exploiting vulnerabilities – Utilizing unpatched flaws in operating systems, applications, or services to install ransomware.
  • Infected removable media – Spreading through USB drives, external hard drives, CDs/DVDs.

A comprehensive defensive strategy is required to address the diverse infection vectors ransomware leverages.

Which organizations and industries are most often targeted for ransomware attacks?

Ransomware attackers frequently target organizations in industries like:

  • Healthcare
  • Education
  • Finance
  • Manufacturing
  • Government
  • Energy

These organizations often have sensitive data, lax security controls, and/or operational reliance on IT/data accessibility. Attacks against critical infrastructure raise availability concerns.

Small and medium businesses are increasing targets as well due to weaker defenses. Ultimately, any organization in any sector could suffer a ransomware attack.

How can organizations determine the source and type of ransomware infecting systems?

Key ways to determine ransomware type and origin include:

  • Antivirus/antimalware tools detecting known strains through signature scanning.
  • Sandboxing unknown samples and observing behavior/analysis.
  • Reverse engineering ransomware executables to identify strains.
  • Tracing IP addresses, domains and TLS certificates back to known command-and-control infrastructure.
  • Reviewing exploit techniques used for clues about threat actors or groups.

Combining static and dynamic analysis techniques gives greater perspective on the ransomware. Sharing these IOCs across industries improves defenses.

What are some common ransomware strains seen in recent attacks?

Some of the most prolific ransomware strains from recent, high-profile attacks include:

  • Ryuk
  • REvil/Sodinokibi
  • Conti
  • Maze
  • Egregor
  • DoppelPaymer
  • Phobos
  • AKO

Many top strains operate as Ransomware-as-a-Service (RaaS) within cybercriminal underground ecosystems. Ransomware techniques and infrastructure are readily accessible for malicious actors.

Conclusion

Ransomware presents a severe threat capable of encrypting data and disrupting operations across every sector. Properly segmenting, isolating, and air-gapping backups protects this last line of defense from encryption or deletion. Comprehensive backups, combined with layered security controls and employee education, form a sound ransomware resilience strategy.

Immutable backups provide the strongest defense against data loss, preserving point-in-time recovery copies even during an active attack, provided the retention period outlasts the attacker’s dwell time. Organizations should regularly test and verify backup integrity to confirm protection and recoverability. While difficult, recovering encrypted systems without paying may be possible via vendor decryption tools, key recovery, or implementation flaws in the ransomware’s cryptography.

Ransomware resilience requires a focus on prevention, detection, response, and recovery. Cyber insurance policies should also be assessed for adequate coverage of ransomware-related impacts and claims. Paying ransoms remains extremely risky and only encourages additional cybercrime. Backups and restoration, hardened security controls, and employee training will serve as the best safeguards against ransomware outbreaks moving forward.