Cyber extortionists continue to target all types of organizations with network-wide ransomware attacks. If you are familiar with ransomware, then you know that often the best chance of recovering data is by restoring from your backups. In fact, you may have even read a blog about how dangerous ransomware can be and how to prevent it. While backups are critical to restoring your business to its previous state, securing those backups is just as critical.
As you may know, attackers who deploy ransomware hunt for other targets on the network. Typically, they aren’t going to stay on one system. They will instead try to identify and spread to your most critical systems. Ransomware tools don’t discriminate. If they see a backup repository and have the capability to encrypt it, they will. Let’s talk through some steps you can take to prevent cyber extortionists from infecting your backups.
Isolate Your Backups
We should get one thing straight first: there is a difference between backups and replication. Replication is typically done in real time and synchronizes changes immediately or close to it. Replication is NOT going to help you in a ransomware situation because, well, the ransomware gets replicated to your other site. Be sure that you have a backup strategy in place whose copies don’t get overwritten as soon as changes are made.
The simplest way to isolate your backups is by keeping a copy offline. Yes, it may sound old school, but having a tape backup or a USB drive that contains a backup of your data is still a good idea. If there is one way to make sure that no attack can alter your data, it’s to keep the data off the grid. Whichever media suits you best will do the job, but have a plan to keep an offline copy somewhere safe. In fact, a safe is a good place to keep that backup, especially if sensitive information is at play. The details are not important here. What is important is that you have a plan and consistently follow through with it.
Cloud-based Backup Services
Don’t like old school? Well, then consider one of the many cloud-based backup services available today. Be sure to select a service that uses multi-factor authentication and similar controls to prevent an attacker who has stolen administrative passwords from your network from reaching the backup administration console.
Keeping your backup repository outside of the reach of file servers, workstations, and other frequently used systems is a good security practice in general. The risk of ransomware is one of the reasons why. If a machine susceptible to ransomware can’t talk to your backup servers, the ransomware won’t be able to either. Each organization will have its own unique network layout, so going too granular here isn’t going to help. However, an example may be having a hypervisor-level backup solution that does not utilize a Server Message Block (SMB) share. Perhaps it’s also a good idea to configure the proper authentication between your backup service and the data you are backing up. Segmentation is key here, and if you need help testing that, feel free to reach out to our team at Sikich, and we’ll be happy to help.
How Many Backups Do You Have?
Something else to keep in mind here is the frequency and number of backups upon which you rely. If you are backing up your data each night and removing it the following night, what happens when ransomware hits on Friday? Sure, the ransomware couldn’t access your backup repository, because you’ve implemented the proper security controls, but now you just have a backup of encrypted data, which doesn’t help.
Additionally, if your business is shut down for weeks due to COVID-19, how long is it going to take for you to notice there has been a breach of security? Consider taking a manual backup now and keeping it offline. It is important to have a backup plan that accounts for things like this. Make sure that you have enough recovery points available so that you can recover to a point where you know that your data is safe.
The tried and true “3-2-1” rule is a great place to start if you’re concerned that you may not meet any of the criteria we’ve covered. Keep at least three (3) copies of your data: your primary data and two copies. Retain the two (2) copies of the data on different types of media (this is where an offline copy comes into play). Lastly, keep one (1) copy of the data offsite. This is for that tornado, earthquake, or fire that damages the building.
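As an added illustration (this is not Sikich’s code or any backup product’s), the following Python models the two situations described above: a nightly disk backup that is removed the following night, versus that same job plus a weekly tape kept offline and offsite. It takes a compromise on a Friday afternoon and discovery on the following Monday, then reports whether the retained copies meet the 3-2-1 rule and which clean recovery point, if any, still exists. The target names, dates, retention periods and schedules are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Copy:
    """One backup copy (recovery point) written to one backup target."""
    target: str
    taken_at: datetime
    media: str            # "disk", "tape", "cloud", ...
    offsite: bool         # stored away from the primary site
    isolated: bool        # offline, or unreachable from the production network
    retention: timedelta  # how long the copy is kept before it is removed

    def exists_at(self, when: datetime) -> bool:
        return self.taken_at <= when < self.taken_at + self.retention


def schedule(target, start, count, every, **attrs):
    """Generate `count` copies on `target`, one every `every`, starting at `start`."""
    return [Copy(target=target, taken_at=start + i * every, **attrs) for i in range(count)]


def clean_recovery_points(copies, compromised_at, noticed_at):
    """Copies taken before the compromise, still retained when the breach is noticed,
    and stored where the ransomware could not reach them."""
    return sorted(
        (c for c in copies
         if c.taken_at < compromised_at and c.exists_at(noticed_at) and c.isolated),
        key=lambda c: c.taken_at,
    )


def meets_3_2_1(copies, as_of):
    """3 copies (primary data plus two backups), on 2 media types, 1 of them offsite,
    counting only the newest copy still retained on each target at `as_of`."""
    newest = {}
    for c in copies:
        if c.exists_at(as_of) and (c.target not in newest or c.taken_at > newest[c.target].taken_at):
            newest[c.target] = c
    backups = list(newest.values())
    return (len(backups) + 1 >= 3
            and len({c.media for c in backups}) >= 2
            and any(c.offsite for c in backups))


def assess(copies, compromised_at, noticed_at):
    clean = clean_recovery_points(copies, compromised_at, noticed_at)
    return {
        "three_two_one": meets_3_2_1(copies, noticed_at),
        "latest_clean_point": clean[-1].taken_at.isoformat() if clean else None,
    }


# Constructed scenario (assumed dates): ransomware runs Friday afternoon,
# nobody notices until Monday morning.
COMPROMISED_AT = datetime(2020, 4, 3, 14, 0)
NOTICED_AT = datetime(2020, 4, 6, 9, 0)

# Weak plan: nightly backup to a segmented disk repository, each copy removed
# the next night. The repository itself is unreachable by the ransomware.
WEAK = schedule("disk-repo", datetime(2020, 3, 1, 22, 0), 36, timedelta(days=1),
                media="disk", offsite=False, isolated=True, retention=timedelta(days=1))

# Hardened plan: the same nightly job plus a weekly tape kept offline, offsite,
# for 30 days (assumed cadence and retention).
HARDENED = WEAK + schedule("tape-vault", datetime(2020, 3, 1, 22, 0), 6, timedelta(days=7),
                           media="tape", offsite=True, isolated=True, retention=timedelta(days=30))

if __name__ == "__main__":
    for name, plan in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, assess(plan, COMPROMISED_AT, NOTICED_AT))
```

With the weak plan the only copy still retained on Monday was taken Sunday night, after the compromise, so the repository being unreachable did not help: the latest clean point is `None` and the plan fails 3-2-1 on both copy count and media. With the weekly tape added, the most recent clean point is the Sunday tape from the weekend before the attack, and the plan satisfies all three parts of the rule.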
Too often, an organization’s focus is on moving full speed ahead, and little thought is given to what’s in the past. However, if an attacker hits an organization with ransomware, having a recent, reliable backup might be the only way for it to continue moving forward.