Top five ways backup can protect against ransomware
Ransomware is the fastest-growing cybercrime threat. Trustwave security supplier says ransomware attacks outnumbered payment card information theft in 2017 according to Trustwave.
Meanwhile, Research by Sophos has found that half of the organizations were attacked by ransomware in 2019, and in almost 75% of cases, the attackers were able to encrypt data. Most organizations did retrieve their data, but twice as many did so from backup than by paying the ransom, and the cost to them was less than half what it was to those who paid up.
To avoid ransomware attacks, you need to ensure that your backups are reliable and tested. That means ensuring that good, clean backups are made regularly and that they are thorough, quite possibly “air-gapped” too. This means that backup policies and practices should be reviewed and tested regularly.
This article will discuss the five most important things you need to do with backup to ensure your organization is protected against ransomware.
Over the last few years, ransomware attacks have become more focused and potentially more damaging. Cyber security organizations are seeing slightly fewer attacks but, according to Sophos, what they do see is a shift from “mass market ‘spray and pray’ desktop ransomware” to targeted attacks aimed at businesses.
Whatever the target, ransomware has three main parts: the initial attack, or delivery of the malware payload; encryption of the victim’s data; and communications back to the attacker.
Malware uses different routes to attack organizations, and social engineering plays a key part: About one-third of ransomware attacks come from users downloading malicious files or emails with malicious links. Ransomware can also be spread via direct attacks on servers and malware attachments to emails, as well as via cloud resources.
The National Centre for Cyber Security also stated that ransomware is spreading via unpatched remote access devices and exposed remote desktop protocol (RDP).
Mail filtering, malware scanning, and firewalls are all useful security tools. You can also patch and limit the access privileges of network users.
But the most effective protection is a robust backup regime to protect data.
Protect yourself against ransomware by using backup: The top five steps
1. Review and update backup policies
The best defense against malware is being able to restore data from clean backups. Although an organization may pay a ransom to get the decryption keys, it is not guaranteed that they will. Backups are more reliable and cheaper than paying ransoms. It also doesn’t involve giving money to criminals.
Backups can only be effective if they are comprehensive and robust. CIOs should order a thorough audit of all business data locations. It’s easy to forget important data from a backup plan.
This is particularly important given the trend towards remote work during the Covid-19 pandemic.
Ask these questions:
- Are end-user systems being backed up?
- Is the backup plan designed to cover cloud data storage that is temporary or for consumers? While cloud storage should be resilient to physical failure, it will not protect against ransomware infecting files.
The best practice for backup remains the 3-2-1 rule: make three copies of data, store across two different forms of media and keep one copy off-site. The offsite backup should not be connected to the business network to protect against ransomware.
2. Air gap business data
Cloud storage is a great technology for long-term data backups. In some cases, it has even replaced optical disks and tape as backup media.
Cloud storage can protect data from physical disruptions such as power outages, fire, flood, and hardware failures. However, it won’t automatically protect against ransomware. Because cloud storage is part of shared infrastructure, it is also vulnerable to attacks from customers.
Learn more about ransomware backup
- Double extortion ransomware attacks and how to stop them. Hackers are changing their tactics to convince victims to pay larger amounts of money. We examine the rise in double extortion.
- Backup and security join forces for ransomware protection. Ransomware can disable backup systems which are the last line for protection against data loss. Data protection vendors have partnered with security companies to defend backups.
Fred Moore, an analyst at Horison Information Strategies warns that cloud providers are themselves vulnerable to ransomware attacks.
He says that attackers are now targeting cloud services because they don’t need to know a password to access cloud data. “They simply steal the credentials and delete or encrypt an organization’s cloud backups using a man-in-the-middle-attack.”
CISOs can supplement cloud backups by using tape or other media as backup media. Cloud can be the offsite copy, but keeping another dataset on tape, and keeping those tapes strictly offline, is the most reliable way to “air gap” data from a ransomware attack.
3. Regular backups are recommended.
It is important to note that organizations should regularly back up their data.
Again, the CIO should examine policies regarding backup frequency, including how often data is backed up to off-site locations (including cloud storage) or mechanically separated media like tape. You might need to back up more often.
IT departments should review the length of backups they keep, particularly air-gapped media. Ransomware can use time delays or “attack loops”, to steal information from seemingly clean systems.
Organizations may need to look through multiple generations of backups to locate clean copies. This could require longer retention or more copies. It is also a good idea to keep separate backups of critical business systems to make recovery simpler.
4. Make sure backups are robust and clean
It is difficult to ensure that backups are safe from malware, but organizations should do everything they can to ensure that their backups remain free from infection.
Not only are strict air-gap guidelines (such as taking media offline as soon as possible) but also up-to-date malware detection and system patching tools are vital.
For extra protection, companies should consider writing once read many (WORM) media such as optical disks, or tape configured as WORM. Some cloud storage providers now offer WORM-format cloud storage.
Additional security measures include data access controls. Tools such as Windows 10 Controlled Folder Access can be used to limit user access to sensitive data. This will help to prevent ransomware from spreading and increase security for backups.
5. Plan and test
It is essential to test all backup and recovery plans. This is essential to determine if data can be recovered and calculate recovery times.
It is best to use off-site media that has been air-gapped. But how long does it take for systems to be restored? What systems should be prioritized for recovery? Will firms require separate, clean networks to recover?
The recovery plan should be tested by the CIOs using duplicate media. It would be disastrous for existing backups to become contaminated by a recovery exercise.