It’s a standard military tactic for an army to keep uncommitted troops in reserve behind the front lines, available for unforeseen situations or exploitable opportunities. In some instances they serve as a last line of defense, should those units be asked to hold the line at all costs.
When battling ransomware, that reserve unit is your backup system. In the event of a massive encryption attack, your backup serves as the cavalry that rushes in to save the day and restore your data to its former production state. This ability to thwart a ransomware attack has given backup systems a greatly enhanced importance within the enterprise.
Two Ways to Subvert your Backup
This is exactly why ransomware gangs have modified their tactics—reducing backup system effectiveness is one of the best ways to ensure they get paid. Currently there are two primary ways of achieving this:
- A flanking movement in which they exfiltrate data before encrypting it, adding another level of extortion. The attackers then use the threat of publishing the stolen, sensitive data as a second means of obtaining a ransom. Of course, there’s nothing a backup system can do in this case.
- A preemptive strike that eliminates the backup system’s ability to restore anything.
While a backup cannot save you from data exfiltration, you can ensure that it is ready for the preemptive strike that will inevitably come.
In the same way that an attacking army today will launch a strike to take out airfields and defensive positions, there is often a skirmish involving your backup system just prior to the main attack.
Whether it means deleting your backup data, encrypting it, corrupting it, or modifying it, the aim is to take out your backups, leaving your reserves useless. A sophisticated ransomware attack will often scout your network for the backups first, probe their defenses, and only then launch the main attack.
Remember that a sophisticated ransomware organization has personnel who probably know your backup systems better than you do. A case in point is the infamous Conti organization, known for its backup-removal expertise—it actively recruits talent specifically trained in destroying backup systems.
For instance, Conti has exceptional knowledge of Veeam, a popular backup system commonly used in VMware environments. The group attempts to exfiltrate data from the backups before damaging them.
A Perimeter Within Your Perimeter
This means that you must secure your backups with their own defensive strategies. Organizations that use a security monitoring service must keep an eye on the backup environment as well: because the skirmish against the backups usually precedes the main attack, activity there can serve as an early warning for your IT teams before your production servers are targeted.
A growing number of backup solutions now include internal monitoring that can identify encrypted files and unusual behavior. Another feature of a safe backup system is immutability, which prevents backup files from being altered in any way once written. Your backup system should also be segmented from your production network by a next-generation firewall (NGFW) that enforces policy-driven security.
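The monitoring described above can be approximated even where the backup product has no built-in detection. The following Python script is an added example, not code from the original article or from any backup vendor: it records a trusted manifest (size, SHA-256 and Shannon entropy) of every backup object while the repository is known-good, then compares the current repository against it and reports deletions, silent modifications, content whose entropy jumped (the signature of a file overwritten with ciphertext) and objects that appeared out of nowhere. The file names and contents are constructed sample data; a real deployment would walk the repository on disk and keep the baseline manifest off the backup host, since an attacker who can alter the backups can otherwise alter the manifest too. Because compressed and deduplicated backups are already high-entropy, the check keys on the change in entropy against the baseline rather than on an absolute threshold.

```python
import hashlib
import math
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    """What the trusted manifest remembers about one backup object."""
    path: str
    size: int
    sha256: str
    entropy: float  # bits per byte


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant input, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def fingerprint(path: str, data: bytes) -> FileRecord:
    return FileRecord(path, len(data), hashlib.sha256(data).hexdigest(), shannon_entropy(data))


def build_manifest(files: dict[str, bytes]) -> dict[str, FileRecord]:
    """Snapshot of a repository; take it while the repository is known-good and store it off-host."""
    return {path: fingerprint(path, data) for path, data in files.items()}


def audit_backups(baseline: dict[str, FileRecord], current: dict[str, FileRecord],
                  entropy_jump: float = 1.0) -> list[tuple[str, str]]:
    """Compare the trusted baseline with the repository as it is now and return (path, finding) pairs.

    DELETED    - object present in the baseline is gone
    ENCRYPTED  - content changed and entropy rose by at least entropy_jump bits/byte
    MODIFIED   - content changed without a large entropy rise
    UNEXPECTED - object not in the baseline has appeared
    An immutable repository should produce an empty list; anything else is worth an alert.
    """
    findings = []
    for path, base in baseline.items():
        cur = current.get(path)
        if cur is None:
            findings.append((path, "DELETED"))
        elif cur.sha256 != base.sha256:
            if cur.entropy - base.entropy >= entropy_jump:
                findings.append((path, "ENCRYPTED"))
            else:
                findings.append((path, "MODIFIED"))
    for path in sorted(current.keys() - baseline.keys()):
        findings.append((path, "UNEXPECTED"))
    return findings


def _pseudo_random_bytes(seed: int, n: int) -> bytes:
    """Deterministic stand-in for compressed or encrypted content (constructed sample data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample repository: the state at manifest time ...
SQL_DUMP = b"INSERT INTO users (id, name) VALUES (1, 'alice');\n" * 80
BASELINE_FILES = {
    "repo/db-full.bak": SQL_DUMP,                       # plain-text dump, low entropy
    "repo/vm-disk.vbk": _pseudo_random_bytes(1, 4096),  # compressed image, already ~8 bits/byte
    "repo/app-config.bak": b"retention_days=30\nencrypt=true\ntarget=vault\n",
    "repo/syslog.bak": b"Jan 01 00:00:01 host sshd[1]: Accepted publickey for admin\n" * 40,
}
# ... and the state found on the next monitoring pass.
CURRENT_FILES = {
    "repo/db-full.bak": _pseudo_random_bytes(2, len(SQL_DUMP)),  # overwritten with ciphertext-like data
    "repo/vm-disk.vbk": BASELINE_FILES["repo/vm-disk.vbk"],      # untouched
    "repo/app-config.bak": b"retention_days=1\nencrypt=true\ntarget=vault\n",  # quietly edited
    # "repo/syslog.bak" is missing: deleted
    "repo/new-object.bin": b"not part of any scheduled backup job\n",        # appeared unexpectedly
}


def run_audit() -> list[tuple[str, str]]:
    return audit_backups(build_manifest(BASELINE_FILES), build_manifest(CURRENT_FILES))


if __name__ == "__main__":
    for path, finding in run_audit():
        print(f"{finding:10s} {path}")
```

Run on the sample data, the audit reports the SQL dump as ENCRYPTED, the config file as MODIFIED, the syslog archive as DELETED and the stray object as UNEXPECTED, while the compressed image that never changed produces nothing. Each of those findings is exactly the kind of pre-attack skirmish signal the article says the backup environment can provide, and it is worth forwarding to the same monitoring service that watches the production network.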
Fight the Good Fight
An ancient military strategist once said, “Every battle is won or lost before it is ever fought.” By winning the initial skirmish, it’s possible to prevent the main battle from occurring in the first place. A key to that is to not just focus on the network perimeter—make sure your backup reserves are secured and ready to be deployed when needed.