Why are backups vulnerable to ransomware?
Ransomware is one of the biggest security threats to personal and business data today. Although research suggests that the number of attacks is in decline, there is evidence that suggests that the attacks that are occurring are now more lethal and effective than they were in the past. Fortunately, with a robust and considered data protection and cyber security strategy in place, it’s possible to ensure that the data that matters most to you and your organization is safe from these evolving threats.
While the first line of defence against ransomware are security basics like securing your network and keeping your software up to date, backup can also play an important role. However, a note of caution: although backup can mitigate the risks of ransomware encryption, it’s also vulnerable to ransomware encryption.
Indeed, such is the value of backup files to an organization’s disaster recovery and business continuity strategy, there are signs that they are becoming an important target for ransomware attacks. If your backup files are the only thing you have in place that will allow you to recover in the event of disaster, criminals know that they have a better chance of you paying the ransom.
In this post, we’ll take a look at why backup files in particular are vulnerable to ransomware encryption — and then look at some options for minimizing the risks.
Examples of backups being encrypted by ransomware
There are a number of very recent examples that highlight some of the risks that ransomware can pose to backup files. The SamSam attack, for example, in which cyber criminals extorted $30 million from its victims, was particularly potent because of the way in which it reportedly encrypted backups.
Meanwhile, the Ryuk attack also targeted backup files as a means of raising the stakes for its victims. Essentially, it works by injecting code into existing running processes. When analysing the ransomware, cyber security researchers at Check Point identified a “script used to delete shadow volumes [shadow copies] and backup files,” indicating that the malware was specifically designed to find a way inside victims defensive lines.
Those are just two examples — there are undoubtedly many more, and it’s likely that we’ll continue to see this technique in the future.
Why are backups vulnerable to ransomware?
At one level — and as already mentioned — the reason backups are so vulnerable to ransomware is the fact that they are so valuable to users. As far as traditional ransomware is concerned, if you can encrypt victims’ backup files, there will be no way for them to circumvent the ransom.
At a more technical level, however, the reason that backups are today so vulnerable to ransomware is because strains have been developed that are able to spread across a given network.
Ransomware rarely just infects a specific endpoint. Typically it will move from computer to computer, to mapped network drives, and connected external storage (such as NAS). It can also infect data held on the cloud if encrypted local files sync with cloud files.
Human error and improper backup implementation
But there’s another reason why backups are vulnerable to ransomware: human error and a disjointed approach to backup and data protection. Or, to put it another way, plain old bad practice.
- Making only individual backups, or doing so only on a semi-regular basis
- Failing to isolate backups — both in terms of access and location
- Failing to test backups
- Relying only on native recovery tools, which, while sometimes effective, can be vulnerable themselves to ransomware encryption.
So, while actively implementing backup is, of course, a really important activity for IT teams — and something that is far from commonplace across all IT teams — it’s important to be sensitive to some of the threats and issues that can still affect you even when you do backup.
What can be done about it?
There are many things that can be done to minimize the risks of your backup files becoming encrypted by ransomware.
The 3–2–1 rule
One of the most fundamental principles of data protection is what is known as the 3–2–1 rule.
This states that to mitigate against data loss from any event — even non-malicious ones like disasters — you need:
- 3 copies of your data
- Stored on 2 separate storage mediums
- 1 copy saved in an offsite location
This is very useful in the fight against ransomware, and should certainly be adopted by any IT team (if you’re not using it already). However, in the context of ransomware, it’s worth adding an extra detail to point two:
- Stored on 2 separate storage mediums — at least one offline and the other protected against malware.
How to maintain an offline synced copy is a subject for another post, but the important point to keep in mind is that it should only have one available online operation: new file copy. Modification, overwrite, and deletion must be prohibited.
What else can mitigate the risks of ransomware encryption?
As well as the 3–2–1 rule, it’s also essential to ensure that backups are being both created and tested on a regular basis.
Regular backups, stored appropriately is important because ransomware can take a while to encrypt — by the time the attack is noticed, you might well have lost
As this article neatly puts it:
“data backups are useless if they are unusable to restore operations and get employees back up and running.”
How Macrium can help protect backups against ransomware
Quoted in this article on CSO, Adam Kujawa, Head of Malware Intelligence at MalwareBytes, stresses the importance of using third party tools for combating ransomware, rather than simply relying on in-built backup and data recovery utilities. “If [the software] doesn’t do things the same way, the malware won’t know where to delete the backups,” he says.
Here at Macrium, this is something we wholeheartedly agree with. And because we’re well aware of the threat that ransomware poses to backup files, we’ve added ransomware protection — the Macrium Image Guardian (MIG) feature — to our Macrium Reflect product to ensure that your online backup storage is protected in the event of an attack.
Although traditional antivirus software has its place, Macrium Image Guardian provides a higher level of protection because its narrow scope enables the avoidance of false negative matches inherent in generalised protection.
Learn more about Macrium Image Guardian.