Ransomware Targeting Backups

Will Ransomware Start Targeting Enterprise Backups?

Let’s get to the facts. WannaCry, a new type of ransomware, spread across the internet on May 12, 2017. It infected 60 organizations that were part of the UK’s National Health Service. FedEx was shut down and Telefonica in Spain was stopped.

Despite all of this damage, which may include up to $100 million in the UK alone, WannaCry itself was almost pathetically unsuccessful. It has garnered only $120,000 in three weeks, according to the site at the time of writing.

By comparison, other ransomware has been seen to collect up to $30,000 per day for several weeks.

Although there are many theories about why WannaCry has failed, there isn’t a consensus. Notably, most of the affected parties were able to restore their infected endpoints from backups very quickly. This could indicate that, as ransomware becomes more popular in enterprises, ransomware authors will design ransomware to target advanced backup strategies.

What is ransomware and how does it target system backups?

If you are trying to hold someone’s data hostage for ransom, it helps if the target cannot recover the encrypted data from backup. While municipal and home users are not usually known for investing in advanced data backup and recovery methods, they are often protected by the Windows Volume Shadow Copy service. This service is included in Windows XP and Server 2003. It takes discreet snapshots of files on an endpoint. This tool is useful for small businesses and home users. WannaCry ransomware has tools to delete these shadow copies.

CryptXXX, Locky, and CryptoLocker all have mechanisms that can delete volume shadow copies by issuing command-line strings. (CryptXXX attempts to delete shadow copies, but isn’t programmed well enough to succeed.) This could explain why WannaCry failed to make any profit. Most enterprises will use stronger protections than shadow copies.
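Because these families delete shadow copies through command-line strings, the same strings are something defenders can watch for in process-creation logs. The Python example below is added here and is not from the original article; it flags shadow-copy deletion commands in a set of records. The record field names, rule names and sample events are assumptions constructed for illustration.

```python
import re

# Command-line patterns for deleting Volume Shadow Copies. Rule names are
# labels made up for this example; the Windows commands themselves are real.
RULES = {
    "vssadmin_delete": re.compile(
        r"\bvssadmin(?:\.exe)?\"?\s+delete\s+shadows\b", re.I),
    # Shrinking shadow storage also purges snapshots, but admins do it too.
    "vssadmin_resize": re.compile(
        r"\bvssadmin(?:\.exe)?\"?\s+resize\s+shadowstorage\b", re.I),
    "wmic_shadowcopy_delete": re.compile(
        r"\bwmic(?:\.exe)?\"?\s+.*\bshadowcopy\b.*\bdelete\b", re.I),
}

# Constructed process-creation records (field names are assumptions; map them
# from Sysmon Event ID 1 or Windows Security Event 4688 in practice).
SAMPLE_EVENTS = [
    {"host": "ws-014", "command_line": r"vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws-014",
     "command_line": r'"C:\Windows\System32\vssadmin.exe"  delete shadows /for=C: /all'},
    {"host": "fs-002", "command_line": r"cmd.exe /c wmic shadowcopy delete"},
    {"host": "fs-002", "command_line": r"vssadmin list shadows"},  # benign query
    {"host": "bk-001",
     "command_line": r"vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"host": "ws-020", "command_line": r"notepad.exe C:\docs\shadows.txt"},
]

def find_shadow_copy_deletion(events):
    """Return (index, host, rule) for each event whose command line matches."""
    hits = []
    for i, ev in enumerate(events):
        cmd = ev.get("command_line") or ""  # tolerate missing or null fields
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                hits.append((i, ev.get("host", "?"), name))
                break  # one rule per event is enough to raise it
    return hits

def hosts_to_triage(events):
    """Group matched rules per host so each endpoint is triaged once."""
    grouped = {}
    for _, host, rule in find_shadow_copy_deletion(events):
        grouped.setdefault(host, []).append(rule)
    return grouped

if __name__ == "__main__":
    for host, rules in hosts_to_triage(SAMPLE_EVENTS).items():
        print(host, rules)
```

The `vssadmin_resize` rule will also match legitimate storage maintenance, so treat it as a lower-confidence signal than the two delete rules.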

WannaCry bites off more than it can chew

WannaCry accomplished something that many ransomware variants have yet to achieve. Instead of targeting low-hanging fruit like home users, small businesses, and municipal organizations, it targeted enterprises. WannaCry affected companies with hundreds of locations around the world and thousands of employees. These companies also have the greatest potential to withstand a ransomware attack and restore from backup.

The enterprise is embracing backup at high levels. Cloud backup and recovery services represent the second-highest percentage of cloud-based investments within companies, as well as the second-highest percentage of managed services investment. Meanwhile, the Uptime Institute reports that 68% of companies have implemented an IT resiliency plan that can instantly restore functionality to a compromised or underperforming application.

Companies like Telefonica and FedEx, which were both affected by WannaCry, are the most likely to be able to recover from any attack on their data. Even the NHS, which sits in the more traditional spectrum of ransomware targets, was able to restore from backups with zero data loss after just one day.

Is ransomware going to be more prevalent?

Here’s the current situation: Ransomware authors have proven that they can infect enterprises with malware such as WannaCry. What they don’t have is a persistence mechanism. Enterprise backups are usually too robust: encrypted data can be restored from backup within a maximum of one day. Ransomware cannot cause enough damage to make paying for the data more worthwhile to an enterprise than restoring it.

Is this the future? Attackers have had great success targeting less tech-savvy individuals and companies. However, attackers can engineer around technical hurdles and have an excellent track record of pursuing targets with deep pockets. Companies should be prepared for ransomware attacks that might target backups to delete or encrypt them.
