Backups Are Key Targets in the Ransomware Battle

THE AUTHOR

Brad Rudisail
May 19, 2022

Backups Are Key Targets in the Ransomware Battle

It’s a standard military tactic for an army to keep uncommitted troops in reserve behind the front lines to make them available for unforeseen situations or exploitable opportunities. In some instance they serve as a last line of defense should those units be asked to hold the line at all costs.

When battling ransomware, that reserve unit is your backup system. In the event of a massive encryption attack, your backup serves as the calvary that rushes in to save the day and restore your data to its former production state. This ability to thwart a ransomware attack has given backup systems a greatly-enhanced importance within the enterprise.

Two Ways to Subvert your Backup

This is exactly why ransomware gangs have modified their tactics—reducing backup system effectiveness is one of the best ways to ensure they get paid. Currently there are two primary ways of achieving this:

  • A flanking movement in which they exfiltrate data before encrypting it, adding another level of extortion. The attackers then use the threat of publishing stolen, sensitive data as a second means of obtaining a ransom. Of course, there’s nothing a backup system can do in this case.
  • Launch a preemptive strike and eliminate its ability to restore anything.

While a backup cannot save you from an exfiltrated data occurrence, you can ensure that it’s ready for the inevitable anticipatory strike.

The Skirmish

In the same way that an attacking army today will launch a strike to take out airfields and defensive positions, there is often a skirmish involving your backup system just prior to the main attack.

Whether it means deleting your backup data, encrypting it, corrupting it, or modifying it, the aim is to take out your backups, thus making your reserves quite useless. Often, a sophisticated ransomware attack will immediately scout your network for the backups, probe its defenses and then launch the attack.

Backup Expertise

Remember that a sophisticated ransomware organization has personnel that know your backup systems probably better than you do. A case in point is the infamous Conti organization, known for its backup-removal expertise—it actively recruits talent specifically trained in knowing how to destroy backup systems.

For instance, Conti has exceptional knowledge of Veeam, a popular backup system commonly used in VMware environments. The group attempts to exfiltrate data from the backups before damaging them.

A Perimeter Within Your Perimeter

This means that you must secure your backups with their own defensive strategies. Those organizations that utilize a security monitoring service must keep their eye on their backup environment, as it can also serve as an early detection alarm for your IT teams before your servers are targeted.

A growing number of modern backup solutions today have internal monitoring functions that can identify encrypted files and unusual behavior. Another feature of safe backup systems is immutability, which prevents backup files from being altered in any way. Your backup system should also be segmented from your production network by a next-generation firewall (NGFW) that utilizes policy-driven security.

Fight the Good Fight

An ancient military strategist once said, “Every battle is won or lost before it is ever fought.” By winning the initial skirmish, it’s possible to prevent the main battle from occurring in the first place. A key to that is to not just focus on the network perimeter—make sure your backup reserves are secured and ready to be deployed when needed.

Sign Up For Our Newsletter

Don't worry, we hate spam too!

Other Articles You May Be Interested In:

Get Help Preparing For; Preventing;

Or Recovering From Ransomware Now

Get The Latest On Ransomware 
Right In Your Inbox

Sign Up To Receive Our 
Monthly Ransomware Newsletter

© Future US LLC, Full 7th Floor, 130 West 42nd Street, New York, NY 10036
envelope linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram