Ransomware: Protect Your Data Backups, Too

Ransomware continues to be a growing and increasingly dangerous threat to businesses. The numbers are ominous: Every 11 seconds a business experiences a ransomware attack, according to current research from Veeam. Most organizations recognize the urgency of protecting their networks, but they may not realize that’s only half the battle. Experience shows that virtually all attackers also try to destroy or encrypt backup repositories. Without backups that can be used for a fast recovery, victims have no choice but to pay the ransom. Here’s how to defend against that threat.

Protect the Backups

Cybercriminals are well aware that backup and disaster recovery (DR) are generally an organization’s last line of protection. Consequently, they will do their utmost to find and destroy backups and replicas, and they’ll use any weakness they can find to do it. For example, attackers may seek out an organization that hasn’t hardened its backup environment. If the backup servers are domain-joined, compromising the domain also gives them a path to the backup chain.

The best way to thwart such an attack is to keep backup systems on a separate domain or in a different workgroup than the live data. That stands to reason: If the backup is in the same domain as the data, it will get encrypted right along with the data it’s supposed to be protecting. 

Keeping backups offline and inaccessible via the network, a strategy better known as “air-gapping”, sounds great in theory. Because there’s no internet or other network connection, an air-gapped backup can’t be remotely corrupted or hacked. In practice, however, it will take far too long to recover using offline backups. Downtime measured in weeks or even months would cause more disruption and ultimately cost more than paying a ransom in hopes of a quick recovery. 

Immutable backups, which can’t be altered in any way, and soft delete, which places a copy in a “recycle bin,” can provide stronger safeguards—provided they’re secured. Passwords alone aren’t adequate to authorize access to backups, as they’re often reused or shared. Implement strict guidelines for passwords and add multifactor authentication as another line of defense. It’s also important to educate employees on what to look for and how to avoid traps, including social engineering overtures, which are becoming more common. All too often, humans are the weak links that let hackers into the network.

Make Sure You Can Recover Quickly

Speed is of the essence when an attack occurs. Extensive downtime costs an organization revenue and can damage its reputation. That’s why many victims reluctantly conclude that it makes more financial sense to pay the ransom. But meeting the hackers’ demands doesn’t guarantee full recovery. One out of three organizations that pay the ransom demanded don’t get all their data back. Another downside: The criminals may decide to sell or publish your data even after you’ve forked over the payment.

Overall, paying ransom puts the company in a terrible position and gives cybercriminals the upper hand. If hackers have already penetrated your network, they’ve obviously figured out how to bypass your defenses. They may even have additional malware hiding in your network ready to be activated. Once they know you’re willing to pay up, you’ve become a juicy target to be exploited again and again. In fact, organizations hit by ransomware are often targeted repeatedly. Studies show that 80% of those who pay the ransom suffer another attack, often by the same bad actor. 

Ensuring Fast Recovery

Many organizations construct defenses that focus solely on backing up or replicating data. They don’t take the next step and plan on how they’ll use it. They need to practice recovery.

Start by prioritizing mission-critical workloads and create a plan and a timeline for getting data back on-premises. Understand your application and data dependencies and update the plan periodically. Things constantly change, so your response needs to evolve as well. 

Then test regularly, and not just on a tabletop—conduct simulated disasters in which you fail over to another location. Document everything so you know how the system is set up and how long it takes to recover. Iterating several times a year is advisable so you know what to expect.

When an attack occurs, clear communication is essential. Create an incident response plan specifying who will communicate with business leaders and when—set up regular touchpoints with leaders every hour and with end users every four hours, for example. You don’t want to figure that out on the fly when you’re under pressure.

Thinking ahead can help you avoid common mistakes. Regularly perform audits to make sure you are backing up all the data that needs to be protected. Networks change and expand, so you need to adapt accordingly. Say you originally set up automated backups for VMs one through 20. That’s great, but when you add VMs 21 through 25, they also need to be protected.
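As an added example (not from the article), the VM 1 through 25 scenario above as a small coverage audit in Python: it flags VMs that have no backup job at all and VMs whose last successful backup is older than an assumed daily policy window. The inventory and job records are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample data: the live inventory has grown from VM01-VM20 to
# VM01-VM25, but the backup jobs were never extended to cover the new VMs.
INVENTORY = [f"VM{n:02d}" for n in range(1, 26)]

# Constructed job records: VM -> timestamp of its last *successful* backup.
# VM07's last success is two weeks old; VM21-VM25 have no job at all.
NOW = datetime(2024, 3, 15, 8, 0)
LAST_SUCCESS = {f"VM{n:02d}": NOW - timedelta(hours=6) for n in range(1, 21)}
LAST_SUCCESS["VM07"] = NOW - timedelta(days=14)

# Assumed policy: every protected VM must have a successful backup within 24 h.
MAX_AGE = timedelta(hours=24)


def audit_backup_coverage(inventory, last_success, now, max_age):
    """Return (unprotected, stale).

    unprotected: VMs in the inventory with no backup job record at all.
    stale:       VMs with a job whose last success is older than max_age
                 (a job that exists but keeps failing is just as dangerous
                 as no job when you need to restore).
    """
    unprotected = sorted(vm for vm in inventory if vm not in last_success)
    stale = sorted(
        vm for vm in inventory
        if vm in last_success and now - last_success[vm] > max_age
    )
    return unprotected, stale


def coverage_report(inventory, last_success, now, max_age):
    """Human-readable summary suitable for a scheduled audit e-mail."""
    unprotected, stale = audit_backup_coverage(inventory, last_success, now, max_age)
    lines = [f"Backup coverage audit at {now:%Y-%m-%d %H:%M}"]
    lines.append(f"  inventory: {len(inventory)} VMs, "
                 f"protected: {len(inventory) - len(unprotected)}")
    lines.append(f"  NO BACKUP JOB: {', '.join(unprotected) or 'none'}")
    lines.append(f"  STALE (> {max_age}): {', '.join(stale) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(coverage_report(INVENTORY, LAST_SUCCESS, NOW, MAX_AGE))
```

Run the audit on a schedule against the real inventory source (hypervisor API, CMDB) so that newly provisioned VMs show up as gaps before, not after, an incident.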

Encrypt backups that are at rest, but be sure to store the encryption key in a safe service that is not connected to the network. If the key is in the network that is hit by ransomware, the backups will be useless.

You also need to ensure you’ll always have a restore target. A ransomware attack, disaster or hardware failure can make your original equipment unusable. If your DR service provider has data available to send you, you’ll need someplace to put it, so plan ahead for the likelihood you’ll need an alternative to your regular hardware. 

All this might sound daunting, and it can be. Backup and DR are inherently complex tasks. Most IT professionals have never had to perform a full restore, so they’ll be learning as they go at the worst time possible.

The smartest strategy is to find a partner who’s expert and experienced. Teaming up with a pro who’s successfully dealt with many scenarios is the best way to protect your own assets as well as your clients’.

Bret Piatt

Bret Piatt is CEO of CyberFortress, a global company providing backup built for the world’s best recovery. Previously, he was CEO and Chairman of the Board for Jungle Disk, now a part of CyberFortress, a company created by a management-led carve-out he orchestrated while at Rackspace. He also served as general manager at Rackspace, where he helped create OpenStack, the primary project in one of the world’s most successful open-source software communities. Bret has also held product management and engineering positions for AT&T.