Backup and restore plan to protect against ransomware
During ransomware attacks, data and systems are purposefully encrypted or erased to force your organization to pay money to the attackers. These attacks target your data, your backups, and also critical documentation that you will need to recover without having to pay the attackers any money (as a means to increase the chances your organization will pay).
This article discusses what you should do before an attack to protect your critical business systems, as well as what you should do during an attack to ensure that business operations can be resumed quickly.
Preparing for ransomware also increases your organization’s ability to withstand natural disasters and rapid attacks such as WannaCry and (Not)Petya.
What is ransomware?
Ransomware is a type of extortion attack that encrypts files and folders, preventing users from accessing critical data and computer systems. Cybercriminals use it to extort money from their victims, usually demanding payment in cryptocurrency in exchange for a decryption key, or in exchange for not releasing sensitive data to the dark web or the public internet.
In contrast to early ransomware, which was primarily malware spread through phishing or between devices, human-operated ransomware has emerged, in which a gang of active attackers, directed by human operators, targets all systems within an organisation rather than a single device or set of devices. An attack has the potential to:
- Encrypt your data
- Exfiltrate your data
- Corrupt your backups
The ransomware takes advantage of the attackers’ knowledge of common system and security misconfigurations and vulnerabilities to infiltrate the organisation, navigate the enterprise network, and adapt to the environment and its weaknesses as they move through it.
After exfiltrating your data over a period of several weeks or months, ransomware can be staged to execute on a specific date in the future.
Ransomware can also slowly encrypt your data while still retaining access to your key on your computer. Because your key is still in your possession, your data is still accessible to you, and the ransomware remains undetected. Your backups, on the other hand, are copies of the encrypted data. Once all of your data has been encrypted, and all recent backups have also been encrypted, your key will be removed, and you will no longer be able to access your data.
When a ransomware attack exfiltrates files from a network while also leaving backdoors in the network for future malicious activity, the real damage is often done—and these risks persist whether or not the ransom is paid. These attacks can be devastating to a company’s operations and difficult to clean up, necessitating complete adversary eviction in order to protect the company from further attack. Human-operated ransomware, in contrast to earlier forms of ransomware that only required malware remediation, can continue to pose a threat to your business operations after the initial encounter.
Impact of an attack
It is difficult to accurately assess the impact of a ransomware attack on any organisation. Depending on the scope of the attack, the consequences may include:
- Inability to access data
- Disruption of normal business operations
- Financial loss
- Infringement of intellectual property
- Loss of customer confidence and damage to your reputation
- Legal expenses
How can you protect yourself?
Putting in place preventive measures and having tools that protect your organisation from every step that attackers take to infiltrate your systems are the best ways to avoid becoming a victim of ransomware.
Moving your organisation to a cloud-based service reduces your on-premises exposure. Microsoft has invested significantly in native security capabilities that make Microsoft Azure more resilient to ransomware attacks and help organisations defeat ransomware attack techniques. For a comprehensive overview of ransomware and extortion, and of how to protect your organisation, see the Human-Operated Ransomware Mitigation Project Plan PowerPoint presentation.
Plan on the assumption that you will at some point become a victim of ransomware. One of the most important steps you can take to protect your data and avoid paying a ransom is to create a reliable backup and restore plan for your mission-critical information. Because ransomware attackers have devoted significant resources to neutralising backup applications and operating system features such as Volume Shadow Copy, it is essential to maintain backups that are inaccessible to a malicious attacker.
Azure Backup
Your backup environment is protected by Azure Backup, which protects your data both while it is in transit and while it is at rest. Azure Backup allows you to back up the following types of data:
- Files, folders, and system state stored on-premises
- Virtual machines running Windows and Linux in their entirety
- Azure Managed Disks
- Azure file shares in a storage account
- SQL Server databases running on Azure virtual machines
The backup data is stored in Azure storage, and, as Microsoft notes, neither the guest nor the attacker has direct access to the backup storage or its contents. With virtual machine backup, the creation and storage of backup snapshots is handled entirely by the Azure fabric, with no involvement on the part of the guest or attacker other than quiescing the workload for application-consistent backups. With SQL and SAP HANA, the backup extension is granted temporary access to write to specific blobs. Existing backups can’t be tampered with or deleted by the attacker, even if the environment is compromised.
In addition, Azure Backup includes built-in monitoring and alerting capabilities that allow you to view and configure actions for events that occur in the Azure Backup environment. Backup Reports are a one-stop shop for tracking usage, auditing backups and restores, and identifying key trends at various levels of granularity. Backup Reports are available in both HTML and PDF formats. The monitoring and reporting tools provided by Azure Backup can notify you of any unauthorised, suspicious, or malicious activity as soon as it occurs.
Azure Backup also includes checks to ensure that only legitimate users can perform sensitive operations, including an additional layer of authentication for critical operations: before you can change online backups, you are prompted to enter a security PIN.
Learn more about the security features built into Azure Backup in its documentation.
Check that your backup is in good working order as soon as it is created, and again before you restore. We recommend using a Recovery Services vault, a storage entity in Azure that houses backup data. The data typically consists of copies of data or configuration information for virtual machines (VMs), workloads, servers, or workstations. Recovery Services vaults can hold backup data for a variety of Azure services, such as IaaS virtual machines (Linux or Windows) and Azure SQL databases, as well as for on-premises assets. They make it simple to organise your backup data and offer a range of additional features.
Azure Backup has two types of vaults: Recovery Services vaults, and Backup vaults, which store data for the newer workloads that Azure Backup supports.
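A small Python check, added here and not part of the article or of Azure Backup, for the two verification points above: it records a hash and a byte-entropy figure for each file when a backup is taken, flags files that were plain data in the last known-good backup but look like ciphertext now (the slow-encryption scenario described earlier, where backups become copies of encrypted data), and confirms hashes before a restore. The file layout, threshold and sample contents are constructed for the example.

```python
import hashlib
import math
from collections import Counter

ENTROPY_ALERT = 7.5  # bits per byte; ciphertext sits near 8.0, text and configs far lower

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(files: dict) -> dict:
    """Record a SHA-256 and an entropy figure per file when the backup is taken."""
    return {p: {"sha256": hashlib.sha256(b).hexdigest(), "entropy": shannon_entropy(b)}
            for p, b in files.items()}

def compare_to_baseline(new: dict, baseline: dict) -> list:
    """Flag files that looked like plain data in the last known-good backup but
    look like ciphertext now: the live data was encrypted before it was backed up."""
    findings = []
    for path, old in baseline.items():
        cur = new.get(path)
        if cur is None:
            findings.append(f"{path}: present in baseline, missing from new backup")
        elif old["entropy"] < ENTROPY_ALERT <= cur["entropy"]:
            findings.append(f"{path}: entropy {old['entropy']:.2f} -> "
                            f"{cur['entropy']:.2f}, possible silent encryption")
    return findings

def verify_before_restore(files: dict, manifest: dict) -> list:
    """Confirm every manifest entry is present and unmodified before restoring it."""
    findings = []
    for path, entry in manifest.items():
        blob = files.get(path)
        if blob is None:
            findings.append(f"{path}: missing from backup set")
        elif hashlib.sha256(blob).hexdigest() != entry["sha256"]:
            findings.append(f"{path}: hash mismatch, backup content altered")
    return findings

# Constructed sample data: day 1 is clean; by day 2 ledger.csv on the live system
# has been replaced with high-entropy bytes standing in for ciphertext.
DAY1 = {"app/config.yaml": b"db_host: db01\nretention_days: 30\n" * 40,
        "finance/ledger.csv": b"2024-01-03,INV-1001,1200.00,paid\n" * 120}
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
DAY2 = {"app/config.yaml": DAY1["app/config.yaml"], "finance/ledger.csv": CIPHERTEXT}
```

Running compare_to_baseline(build_manifest(DAY2), build_manifest(DAY1)) reports only finance/ledger.csv, which is the file whose content silently became ciphertext between the two backups.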
What to do in the lead-up to an attack
As previously stated, you should assume that at some point you will become the victim of a ransomware attack. Identifying your mission-critical systems and implementing best practices before an attack will help you get back up and running as quickly as possible afterwards.
Identify what is most important to you
Because ransomware can strike even while you are preparing for an attack, your first priority should be to identify the business-critical systems that matter most to you and to begin performing regular backups of those systems as soon as possible.
- Authentication systems – required for users to access any other system (including all those described below), such as Active Directory, Azure Active Directory Connect, and Active Directory domain controllers
- Life or safety systems – medical or life-support systems, safety systems (ambulance, dispatch, traffic-light control, and others), large machinery, chemical or biological systems, food or personal-product manufacturing, and any other system that sustains human life or whose failure would endanger it
- Financial systems – systems that process monetary transactions and keep the business running, such as payment systems and their databases, and financial systems for quarterly reporting
- Product or service delivery systems – any systems required to provide the business services or to manufacture and deliver the physical products that your customers pay for, such as factory control systems and product delivery or dispatch systems
- Security (at the bare minimum) – security systems required to monitor for attacks and provide minimum security services should also be prioritised, so that current attackers (or easy opportunistic ones) cannot immediately gain (or regain) access to your restored systems
Your prioritised backup list will also become your prioritised restore list when you perform a restore. Following the identification of critical systems and the implementation of regular backups, you should take steps to reduce your level of exposure.