Ransomware is a menace that isn’t going away – and threat actors are increasingly finding novel ways to make avoiding and recovering from ransomware even harder than it was.
Lately, that includes locking up backups during a ransomware attack. Veeam's 2023 Ransomware Trends Report finds that 93% of ransomware attacks specifically target backups, and that three-quarters of those attempts succeed.
Backups are one of the cornerstones of cyber resiliency. Whether it’s hardware failure, a cyberattack from a nation-state or a ransomware actor – backups are always one of the key ways an organization can recover from an incident. But what does an organization do to recover from a ransomware attack if they don’t have access to backups?
In this article, we’ll outline how data discovery and classification tools, testing backups, and improving security around backups are critical to keeping ransomware attackers away from one of the key recovery tools in the cybersecurity arsenal.
Backups Are Critical to Recovery from Ransomware
Ransomware encrypts a victim's files and blocks access to them until a ransom is paid, usually in a cryptocurrency such as Bitcoin. Common delivery strategies include phishing campaigns and exploit kits, which take advantage of vulnerabilities in systems to install the ransomware. Increasingly, attackers also operate under a model known as "Ransomware as a Service" (RaaS), offering ransomware tooling to other criminals in exchange for a share of the profits.
The vital role of backups in business continuity is indisputable: backups are the safety net that organizations fall back on when disaster strikes. Functioning backups are critical during a ransomware attack because they provide a route to restore encrypted data. Given that these attacks can encrypt a business's entire operational data set, backups become the last resort for restoring operations and key data.
With functioning backups in place, organizations can say “no” to a ransomware demand, relying on the backups for recovery instead. After all, there’s no guarantee that paying a ransomware demand leads to a decryption key.
What's more, decrypting large volumes of data can take a long time, so even if the ransom is paid a company may wait a substantial time to regain access to its data. In contrast, assuming backups are made regularly and tested frequently, restoring from backup is much faster than decrypting everything the threat actor encrypted.
Ransomware Targets Backups
Increasingly, however, ransomware attackers also work to encrypt backups before asking for a ransom, ensuring that backups are no longer a recovery option. Veeam's data shows the same shift: attackers are no longer focusing solely on real-time operational data; their attention is increasingly turning to backup data as well.
After all, if a firm’s best bet to sidestep the ransom following an attack is by recovering from its most recent reliable copies of data, then it stands to reason that an attacker would go and encrypt that data, too, to limit the organization’s options for recovery.
With no backups, paying the ransom may well end up being the victim's only option. In other words, if a ransomware attacker can gain enough access to encrypt the victim's backup systems, they can most likely reduce the recovery options to one: paying the ransom.
Ensuring Backups Are Usable
Data discovery and classification is the first step in thwarting ransomware attacks because you can’t back up what you don’t know about. That includes understanding where your data resides and classifying data appropriately so that you know what data to back up at what frequency.
Organizations also need real clarity about where backups are located and how often they are refreshed. This makes it easier to monitor and shield these assets from attack.
It's also critical to test backups. Without regular testing, there's no certainty that the backed-up data is accurate and complete. Errors can occur during the backup process, and it's important to find them during testing, not while trying to restore from backup during a crisis.
Testing also verifies that the recovery procedures work as intended, identifying any flaws or gaps in the process that can then be rectified. In a cybersecurity incident, a well-tested recovery procedure helps restore operations more quickly and efficiently.
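One concrete form of backup testing is to record a hash manifest when the backup is taken and compare a test restore against it, so that missing, altered (for example, encrypted) or unexpected files show up before a real crisis. The script below is an added illustration, not code from the article or from Veeam; the directory layout, file names and the "altered" file contents are constructed sample data.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the hash of every file under root, keyed by POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree with the manifest captured at backup time."""
    current = build_manifest(restored)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "altered": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "extra": sorted(k for k in current if k not in manifest),
        "ok": sorted(k for k in manifest if current.get(k) == manifest[k]),
    }


def demo() -> dict:
    """Constructed scenario: a three-file backup, then a test restore where one file
    is missing, one has been overwritten with opaque bytes, and a stray file appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1);\n")
        (src / "config.yaml").write_text("retention_days: 30\n")
        (src / "README.txt").write_text("demo data\n")
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(src), indent=2))

        restored = Path(tmp) / "restored"
        (restored / "db").mkdir(parents=True)
        (restored / "db" / "orders.sql").write_bytes(b"\x9a\x1f\x44\x02\xee")  # content changed
        (restored / "config.yaml").write_text("retention_days: 30\n")         # intact
        (restored / "unknown.bin").write_bytes(b"\x00\x01")                   # not in backup
        return verify_restore(json.loads(manifest_path.read_text()), restored)
```

In practice the manifest should be stored alongside the backup on the immutable or air-gapped copy, so that an attacker who reaches the backup repository cannot quietly rewrite both the data and its hashes.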
Backup Security Is Paramount
But testing only gets you so far. Companies must implement rigorous monitoring and integrate anti-ransomware measures to fortify their backups. In large organizations, this requires close cooperation between the backup and cybersecurity teams.
For example, it includes creating immutable copies of data, i.e., copies that cannot be altered or deleted after they are written. A ransomware attacker then cannot encrypt the backup data, because the data simply can't be changed once the backup has completed.
Organizations should also consider air-gapping, which isolates backup systems from the rest of the network and adds an extra layer of protection against attacks. An air gap can ensure that ransomware attackers can't reach backups, no matter how far they have intruded into an organization's technology estate.
According to the Veeam survey, an encouraging 82% of organizations use immutable cloud storage and 64% use immutable disks, highlighting a strong trend towards fortifying backup security by limiting the ability to change backups once they have been made.
Watch out for Re-infection During Recovery
During recovery, an often overlooked but critical consideration is to ensure that the data being restored is clean and not infected with any lingering ransomware.
The Veeam survey found that 56% of companies risked re-infecting their systems by skipping this crucial step: re-scanning data from backup repositories in an isolated staging environment before reintroducing it into the production environment.
Ultimately, viewing backups as something that will always be there to save an organization from a ransomware attack is no longer a safe outlook. Ransomware attackers now consistently target backups, and companies must take a proactive approach to securing them, over and above investing in reliable backup solutions.
Rigorous protocols that keep backups resilient against the evolving ransomware landscape, regular testing, and techniques such as data immutability and air-gapping are the key factors in ensuring comprehensive protection against the menace of ransomware.