There used to be a single test to determine the effectiveness of your data backup strategy. It centered around successfully restoring your data from a backup, and you would rest easy knowing that you would, in theory, recover from a data loss event. It was really that simple. Still, there were some security concerns as you did not want just anyone accessing the backups who might accidently (or inadvertently) delete them. There was also the threat of confiscating a backup tape containing sensitive or valuable data by an imposter. For the most part, the data backup system was out of sight and out of mind for everyone other than the backup administrator.
Ransomware attacks involve the loss of data, thus giving data backup systems a critical role in the battle against increasingly rampant malware. As you can imagine, the evolving nature of ransomware eventually changed the practice referenced at the start of this article. While some organizations lacked a working backup, those that had implemented and operationalized a proven system were able to elude the extortion payment.
Despite a commitment to implementing adequate backup strategies, many company leaders still consider paying the ransom. The decision to do so involves more than simply regaining access to a company’s data. Often, it is looked at as a business decision in which the opportunity cost of spending days or even weeks rebuilding virtual data stores and recovering data directories can exceed the ransom itself. While government authorities continue to discourage paying the ransom, the opportunity to recover quickly often makes practical business sense.
As you can imagine, it didn’t take long for ransomware gangs to learn that a data backup can often be the one thing holding them back from a handsome payday. That’s why backup systems have a prominent bullseye on them now. Take out the backups, and the odds are in favor of the attackers. But if your cyber security team holds the line of attack against your backups, the odds are suddenly back in your favor. That’s also where your ransomware backup protection strategy plays such a pivotal role.
While there are still plenty of threats out there involving less sophisticated attackers who look for easy prey and quick payouts using Ransomware-as-a-Service (RaaS) applications, the large-scale ransomware attacks we read about in the headlines every week are carried about by highly experienced hackers using well-coordinated attack strategies. It is these high-caliber ransomware organizations that you must prepare for.
Ransomware Attacks are Performed in Stages
Infiltrating your network is only the first step of a multipronged ransomware attack. Attackers now spend weeks or even months silently observing your systems to not only find where your data resides, but to also discover how it is protected. Unnerving, isn’t it? It is during this undetected period of observation that the attackers decide how to best eliminate your data backup system.
You may be surprised to know that these ransomware groups are more familiar with the popular backup systems on the market than the customers that use them. It’s in the best interest of the attacker to understand how to eliminate your backups, whether that means deleting, corrupting, or adjusting them. Once your backups are eliminated, the next target is your virtual infrastructure, which they intend to destroy as well. After they shut down your servers, they begin the process of encrypting your data stores. For VMware environments, the objective is then to destroy the vCenter and encrypt the VMware data stores. They use similar strategies to take down Hyper-V or Nutanix architectures as well.
Properly securing your backups starts with implementing the best security standards. While air gapping is often discussed, do you know what that strategy entails? As a backup/recovery expert, I serve as WEI's solutions architect. I regularly conduct Veaam workshops throughout the year, and recently discussed the many challenges at hand and how to prepare for them. I also identified prominent mistakes that we continue to find in real world environments.
Here are some of the top mistakes that internal cybersecurity professionals make all too often. While my discussion exclusively involved Veeam solutions, these mistakes also apply to other backup platforms:
- Remoting into the server that hosts your backup solution: Never RDP into your backup server as these sessions can easily be compromised. Instead, use the backup system’s remote console software so that you are not logging onto the actual server.
- Joining your backup system to Microsoft Active Directory: Besides targeting your backup system, hackers are diligently working to crack your AD. Once compromised, they can get access to privileged accounts with administrator rights to your backups.
- Installing your backup software on a virtual server: One of the primary purposes of Veeam is to back up your VMs. If the hackers take out your virtual infrastructure, your backup system is gone, too. Consider using a physical server to host your backup solution whenever possible.
- Only relying on passwords to protect log-on processes: Many organizations use multifactor authentication to secure their O365 logons, yet solely rely on password authentication to protect their backup logons. Sometimes this is due to the outdated attitude of “its only the backup server.” In this new era of ransomware, the backup server is one of the most important systems in your security arsenal. It is no longer “just the backup server.”
- Leaving the local firewall disabled because they are unsure of what ports the hosted backup solution requires: They disable the firewall to install the new backup solution with the intention of properly configuring it at a later point. This leaves a wide-open opportunity for attack avenues that hackers easily take advantage of. Take care of your firewall configurations immediately!
Win Each Malware Battle with Robust Ransomware Backup Protection
Ransomware is a war, but it is a winnable war if you have the correct enterprise cybersecurity strategies in place. Within this war, there are battles you don’t have to fight alone as WEI’s team of backup and cybersecurity specialists can help outline a ransomware backup protection plan that fits your particular risk environment and budget. You may contact our experts at your convenience.
Next Steps: If you want to discover more proven tips and strategies to securing your backup solutions, we have published a fresh whitepaper titled, "The Mandatory Components of an Effective Ransomware Strategy."