Ransomware’s Next Target: Backup Data

Ransomware is a big business today and getting bigger all the time. It is so profitable that organized crime and state actors have gotten into it in a big way. It is easy for any criminal, terrorist organization or state sponsor to buy the latest variations of ransomware on the dark web.

The experts say the best defense against a ransomware attack is a good backup, replica or snapshot (referred to collectively as backup). The criminal coders running ransomware know that, too, and have been pouring their profits back into research and development to defeat ransomware backup defenses. As a result, the latest generation of ransomware attacks have included backup data as a target.

To understand this threat further requires a brief explanation about the various stages of ransomware.

Ransomware Stages

Ransomware is a type of malware that encrypts all of the data on the system upon which it resides and demands a ransom for the decryption key. It then ransoms access to the data back to the system owner(s). The ransomware perpetrators threaten to destroy the key if they are not paid in a set amount of time, and commonly demand payments in stages based on set time limits. If the disseminators of ransomware are not paid the ransom, the ransomware then destroys the key and thereby access to all of the data. There are five stages to ransomware: Infection, detonation, gestation, dormancy and destruction (or release).

Infection

Infection occurs when a tainted file, picture or website is connected to the system. Up-to-date anti-virus software can stop known infection signatures or blacklists, but not necessarily all. Whitelist-based anti-virus solutions can also miss signatures that mimic well-known applications. No front door prevention is leak-proof, however, so ransomware infections will occur and the statistics prove it. Approximately 71% of all businesses targeted in 2017 were infected with ransomware.

Detonation

Detonation is when the ransomware encrypts the data on the infected system. Early generations of ransomware detonated as soon as they infected the system. Unknown to the users of the system, the malware encrypted data immediately and transparently in the background. It takes time to encrypt all of the data, but once complete, the ransomware deletes the key on the now-detonated system, then holds the data up for ransom. If the ransom is not paid in full within a set period of time, it randomly deletes files to raise data owner anxiety. This creates a sense of urgency to pay the ransom: If ransomware is never paid, the malicious actor destroys their side of the key, making the data forever inaccessible.

Gestation

The latest generation of ransomware today does not detonate and encrypt immediately. It has a gestation period designed to maximize revenues and overcome the backup defense. The ransomware’s Phase One attack during the gestation period is to spread as far as it can from one system to another using the permissions of the systems it’s infected. When it cannot spread any further it goes to Phase Two of its attack by deleting or encrypting the backups it is able to locate. Backup files have a known signature and backup software of all kinds have published APIs that can be used to delete older backups no longer needed.  Ransomware uses that API to do just that—upon detonation the user discovers that their backups (snapshots and replicas, too) have been deleted. This data is very tough to recover when there are no backups. This evolved ransomware neuters the No. 1 defense against ransomware, forcing the ransom to be paid or the data is lost forever.

Dormancy

After spreading as far as it can, the latest variations of ransomware will lie dormant and not delete or encrypt the backup files.  Ransomware lies dormant for one, two, four, six, “n” months before finally detonating. This is analogous in humans who have a virus that can lie dormant for months or years before it makes an appearance.  The problem with dormant ransomware is that it will be backed up along with the legitimate data the entire time it is dormant. Any recoveries from infected backups will detonate all over again. This is called an attack-loop.

Destruction or Release

The final stage is when the ransomware destroys files. As previously discussed, if a valid encryption key is not entered within the specified time, hostage files may be randomly deleted and the ransomware price for the encryption key will be increased.  The malicious actor’s version of the key is destroyed if no ransomware is paid. The destruction of the encryption key effectively destroys the data, but paying the ransom is a poor choice. It may seem expedient, but it identifies the organization as a target that pays and it will be hit again. It’s also no guarantee that the encryption key will be released. There have been several documented cases where the encryption key was destroyed even though the ransomware was paid.

How Backup Vendors Are Responding

Backup and data protection vendors have responded to the increasingly sophisticated and disastrous ransomware attacks in three ways: Do nothing (a.k.a. denial), detect and react to ransomware detonations, or prevent backups from being deleted or encrypted.

Do Nothing

Doing nothing is ignoring the changing reality in the ransomware era. It’s analogous to treating an antibiotic-resistant infection with the same antibiotics the infection is resistant to. The backup defense is compromised while the backup vendor is refusing to acknowledge it. This is an ineffective response.

Reacting vs. Preventing Ransomware Detonations

This approach leverages the backup software’s incremental or changed block-tracking mechanism. After the first backup the amount of data being incrementally backed up is typically very small. When ransomware detonates and encrypts the data, the backup software sees the encrypted data as all new and is forced to back up all the data. That’s going to stick out like a sore thumb and the backup will take considerably longer. This action provides the backup software an alerting mechanism—the software enables user or software determined policy-based triggering thresholds to detect a likely ransomware detonation, notify the administrator and suggest recovery responses. Some can start the recovery process immediately.

The problem with this increasingly popular approach to ransomware recovery is that it’s reacting to a detonation, not preventing one. It assumes the ransomware infection has not made its way into the backups and is enabling recoveries from the most recent backup, solving the ransomware detonation. This is a dangerous supposition. Even assuming the backup software has an effective response to preventing the ransomware from encrypting or deleting the backup data as previously discussed, reacting to detonations does nothing to prevent the nefarious attack-loop. Detecting and reacting to ransomware detonations is an ineffective response.

Prevent Backups from Being Encrypted or Deleted

Successful prevention of a ransomware attack-loop requires a cybersecurity capability that needs to detect ransomware infections in the backup stream. The technology essentially isolates the infected files, prevents them from being backed up and notifies the backup and security administrators, who can then identify the infected files and remove them from their origin before they detonate, stopping ransomware in its tracks. A backup solution with this capability also prevents infected files that may have been backed up in previous generations of backup data to ensure a clean recovery. The solution would need to detect and isolate the infected file and notify the backup and security administrators of any issues, giving them an option to recover or not.

As part of a preventative strategy as opposed to a reactive approach, look for solutions that make specific types of backup data difficult to locate in the first place with variable repository naming. This will make it much more difficult for the more intelligent strains to identify backup data with important customer records, personally identifiable information, very important financial data or valuable operational data. Experts also recommend going further and demanding two-factor authentication (2FA) that prevents the deletion of data with a single mouse-click or API call.

Conclusion

While backups should be a critical component of every company’s data protection plan, simply having backup infrastructure in place is not enough. Backup technology has evolved and now it is possible to all but guarantee that backup data will be safe by using a cybersecurity-enabled backup/recovery solution, giving organizations the best chance of defeating the extortion attempts of malicious ransomware coders.

Featured eBook
Managing the AppSec Toolstack

Managing the AppSec Toolstack

The best cybersecurity defense is always applied in layers—if one line of defense fails, the next should be able to thwart an attack, and so on. Now that DevOps teams are taking  more responsibility for application security by embracing DevSecOps processes, that same philosophy applies to security controls. The challenge many organizations are facing now ... Read More
Security Boulevard

Eran Farajun

Eran Farajun is the executive vice president of Asigra and an expert in the area of cloud-based data protection with more than 20 years in the industry. He has been instrumental in establishing Asigra as a leader in public, private and hybrid cloud-based data protection, bringing new levels of efficiency to organizations and addressing new challenges in the areas of data security and compliance.

eran-farajun has 1 posts and counting.See all posts by eran-farajun