It’s a standard military tactic for an army to keep uncommitted troops in reserve behind the front lines so they are available for unforeseen situations or exploitable opportunities. In some instances they serve as the last line of defense, should those units be asked to hold the line at all costs.
When battling ransomware, that reserve unit is your backup system. In the event of a massive encryption attack, your backup serves as the cavalry that rushes in to save the day and restore your data to its former production state. This ability to thwart a ransomware attack has given backup systems a greatly enhanced importance within the enterprise.
This is exactly why ransomware gangs have modified their tactics—reducing backup system effectiveness is one of the best ways to ensure they get paid. Currently there are two primary ways of achieving this:
While a backup cannot protect you from data that has already been exfiltrated, you can make sure it is ready for the inevitable anticipatory strike against it.
In the same way that an attacking army today will launch a strike to take out airfields and defensive positions, there is often a skirmish involving your backup system just prior to the main attack.
Whether it means deleting your backup data, encrypting it, corrupting it, or modifying it, the aim is to take out your backups, making your reserves useless. Often, a sophisticated ransomware attack will immediately scout your network for the backups, probe their defenses, and only then launch the main attack.
Remember that a sophisticated ransomware organization has personnel who probably know your backup systems better than you do. A case in point is the infamous Conti organization, known for its backup-removal expertise—it actively recruits talent specifically trained in destroying backup systems.
For instance, Conti has exceptional knowledge of Veeam, a popular backup system commonly used in VMware environments. The group attempts to exfiltrate data from the backups before damaging them.
This means that you must secure your backups with their own defensive strategies. Organizations that use a security monitoring service must keep an eye on their backup environment as well, since it can serve as an early warning for your IT teams before your production servers are targeted.
A growing number of modern backup solutions have built-in monitoring that can identify encrypted files and unusual behavior. Another feature of a safe backup system is immutability, which prevents backup files from being altered in any way. Your backup system should also be segmented from your production network by a next-generation firewall (NGFW) that uses policy-driven security.
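As an added example (not code from the original article or from any backup vendor), here is a small Python detector that treats the backup server's audit log as the early warning described above. It parses constructed log lines in a hypothetical format and flags the "skirmish" signals: retention being shortened, immutability being disabled, and a burst of restore-point deletions by one user. The log format, action names and the user "jdoe" are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log lines in a hypothetical backup-server format
# ("<ISO timestamp> <user> <action> <target>"); not a real product's log.
SAMPLE_LOG = """\
2024-03-02T01:58:10 svc_backup JOB_COMPLETED fileserver-nightly
2024-03-02T02:03:41 jdoe LOGIN_OK console
2024-03-02T02:04:02 jdoe RETENTION_CHANGED fileserver-nightly:30d->1d
2024-03-02T02:04:20 jdoe IMMUTABILITY_DISABLED repo-main
2024-03-02T02:05:01 jdoe RESTORE_POINT_DELETED fileserver-nightly/2024-02-01
2024-03-02T02:05:02 jdoe RESTORE_POINT_DELETED fileserver-nightly/2024-02-02
2024-03-02T02:05:03 jdoe RESTORE_POINT_DELETED fileserver-nightly/2024-02-03
2024-03-02T02:05:04 jdoe RESTORE_POINT_DELETED fileserver-nightly/2024-02-04
2024-03-02T02:05:05 jdoe RESTORE_POINT_DELETED fileserver-nightly/2024-02-05
2024-03-02T02:05:06 jdoe RESTORE_POINT_DELETED fileserver-nightly/2024-02-06
"""

# Control-plane changes that weaken the backup reserve; any single one is an alert.
HIGH_RISK_ACTIONS = {"RETENTION_CHANGED", "IMMUTABILITY_DISABLED", "REPOSITORY_DELETED"}

def parse_events(text):
    """Turn the constructed log text into (timestamp, user, action, target) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, action, target = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), user, action, target))
    return events

def detect_backup_tampering(text, window=timedelta(minutes=5), max_deletes=3):
    """Return alert strings: one per high-risk change, plus one per user whose
    restore-point deletions exceed max_deletes inside the sliding time window."""
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of their recent deletions
    flagged = set()               # users already reported for bulk deletion
    for ts, user, action, target in parse_events(text):
        if action in HIGH_RISK_ACTIONS:
            alerts.append(f"{ts.isoformat()} {user} {action} {target}")
        elif action == "RESTORE_POINT_DELETED":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop deletions outside the window
                q.popleft()
            if len(q) > max_deletes and user not in flagged:
                flagged.add(user)
                alerts.append(f"{ts.isoformat()} {user} BULK_DELETE {len(q)} restore points in {window}")
    return alerts

if __name__ == "__main__":
    for alert in detect_backup_tampering(SAMPLE_LOG):
        print("ALERT:", alert)
```

In practice these alerts would be forwarded to the monitoring service mentioned above so that tampering with the backup environment is treated as an incident in its own right.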
An ancient military strategist once said, “Every battle is won or lost before it is ever fought.” By winning the initial skirmish, it’s possible to prevent the main battle from occurring in the first place. A key to that is to not just focus on the network perimeter—make sure your backup reserves are secured and ready to be deployed when needed.