How to protect backups from ransomware

Ransomware is getting smarter, attacking backups to prevent recovery. Prevent this from happening by taking a few simple steps.

Despite a recent decline in attacks, ransomware still poses significant threats to enterprises, as the attacks against several major newspapers demonstrated this month. It is also becoming more capable. In particular, ransomware writers are aware that backups are an effective defense and are modifying their malware to track down and eliminate the backups.

Ransomware down, but not out

McAfee reports a decline in both ransomware attacks and new ransomware samples this past year. According to its latest report, in the third quarter of 2018 the number of ransomware samples was less than half of its peak at the end of 2017, when it reached around 2.3 million. According to Kaspersky Lab, 765,000 of its users were attacked by malware that encrypted files during the past year, compared to more than five million that were attacked by cryptominers.

Bitdefender's director of threat research Bogdan Botezatu says that the main reason for the drop in ransomware attacks is that security companies are getting better at defending against it. "There will always be new versions of ransomware, some more complex than others and some harder to catch, but we don’t expect ransomware to take on much bigger proportions," he says. "At least not bigger than in the past year."

"Ransomware was the number one big threat for a few years, but it's dropped back significantly," says Adam Kujawa, head of malware intelligence at Malwarebytes. The ransomware that is out there, however, is evolving, he says. For example, malware writers are taking advantage of the latest exploits, such as those leaked from the NSA. "We see those popping up in a lot of malware families," he says. "When you use that kind of exploit, then if you infect a single system you can move laterally by using these exploits. You create a much larger target — that's a trend that we definitely see happening."

Ransomware targeting backups

Ransomware will now delete any backups it happens to come across along the way, Kujawa says. For example, a common tactic for ransomware is to delete automatic copies of files that Windows creates. "So if you go to system restore, you can't revert back," he said. "We've also seen them reach out to shared network drives."

Two recent examples of ransomware that has backups in its sights are SamSam and Ryuk. In November, the US Department of Justice indicted two Iranians for using the SamSam malware to extort more than $30 million from over 200 victims, including hospitals. Attackers maximized the damage by launching attacks outside regular business hours and "by encrypting backups of the victims' computers," said the indictment.

More recently, Ryuk hit several high-profile targets, including the Los Angeles Times and cloud hosting provider Data Resolution. According to security researchers at Check Point, Ryuk includes a script that deletes shadow volumes and backup files. “While this particular variant of malware does not specifically target backups it does put more simplistic backup solutions – ones that result in data residing on file shares – at risk," says Brian Downey, senior director of product management at Continuum, a Boston-based technology company that offers backup and recovery services.

The most common way ransomware destroys local backups is through a Microsoft Windows feature called Previous Versions, says Mounir Hahad, head of threat research at Juniper Networks. It allows users to restore earlier versions of files. "Most ransomware variants delete shadow copy snapshots," he says, adding that most ransomware attacks will also attack backups on mapped network drives.

Ransomware attacks on backups opportunistic, not targeted

That doesn't mean that all backups are now vulnerable, however. When ransomware does go after backups, it's usually opportunistic, not deliberate, says David Lavinder, chief technologist at Booz Allen Hamilton. Depending on the variant, ransomware typically operates by crawling a system looking for particular file types. "If it encounters a backup file extension, it will most certainly encrypt it," he says.

Ransomware also tries to spread, to infect as many other systems as possible, he says. This kind of worming capability, as with WannaCry, is where he expects to see more activity in the future. "We do not expect to see any deliberate targeting of backups, but we do expect to see a more focused effort on lateral movement," he says.

You can protect your backups and systems from these new ransomware tactics by taking a few basic precautions.

Supplement Windows backups with additional copies and third-party tools

To defend against ransomware that deletes or encrypts local backups of files, Kujawa suggests using additional backups or third-party utilities or other tools that aren't part of the default Windows configuration. "If it doesn't do things the same way, the malware won't know where to delete the backups," he says. "If your employees get infected with something, they can wipe it and [restore from that backup]."

Isolate the backups

The more barriers there are between an infected system and its backups, the harder it will be for the ransomware to get to it. One common mistake is when users have the same authentication method for their backups as they use elsewhere, says Landon Lewis, CEO at Pondurance, an Indianapolis-based cybersecurity services firm. "If your user’s account is compromised, the first thing the attacker wants to do is escalate their privileges," he said. "If the backup system uses the same authentication, they can just take over everything."

A separate authentication system, with different passwords, makes this step much more difficult.

Keep multiple copies at multiple locations

Lewis recommends that companies keep three different copies of their important files, using at least two different backup methods, and at least one of them needs to be at a different location. Cloud-based backups provide an easy-to-use, off-site backup option, he says. "Block storage on the internet is very inexpensive. It's hard to argue why someone would not use it as an additional backup method. And if you use a different authentication system, it's even better."

Many backup vendors also offer the option of rollbacks, or multiple versions of the same file. If ransomware encrypts files and the backup utility then automatically backs up the encrypted versions, overwriting the good copies, the ransomware doesn't even have to go out of its way to get to the backups. As a result, rollbacks are becoming a standard feature, and companies should check for them before settling on a backup strategy. "I would add that to my criteria for sure," says Lewis.

Test, test, test

Many companies only find out that their backups didn't take, or are too cumbersome to restore from, after they've fallen victim to an attack. "If you haven't done some type of restoration exercise and it's not documented and nobody is familiar with it, we still see a lot of clients consider paying, and in some cases actually doing so, because paying the attacker is actually operationally cheaper," Lewis says.

Bob Antia, CSO at Kaseya, a technology company that provides backup solutions as part of its offerings, also recommends checking whether backup vendors can detect a ransomware attack, especially the newer, stealthier varieties. Some ransomware now deliberately moves slowly, or lies dormant before encrypting, he says. "These two techniques mean that it's difficult to know what point in time to recover to from your backups," he says. "I expect that ransomware will continue to find trickier ways to hide itself to make recovery more difficult."

"We haven't seen many major global attacks like WannaCry and Petya recently," says Antia. But when it does happen, it can be extremely damaging, he says. "We've seen individual organizations hit with millions of dollars in losses as a result of recent attacks."
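The two backup properties the article calls for, rollbacks so a poisoned run cannot overwrite the last good copy (Lewis) and some way to notice that a run has backed up already-encrypted files so you know which point in time to recover to (Antia), as an added example. This is illustrative code written for this page, not code from the article or from any vendor it quotes; the thresholds, the entropy heuristic and the directory layout are constructed assumptions.

```python
import hashlib
import math
import shutil
from collections import Counter
from pathlib import Path

CHANGE_RATIO_LIMIT = 0.5  # constructed threshold: over half the tree changed in one run
ENTROPY_LIMIT = 7.5       # bits per byte; encrypted or compressed data sits near 8.0

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def manifest(root: Path) -> dict:
    """Relative path -> (sha256 hex, entropy) for every regular file under root."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            out[str(p.relative_to(root))] = (hashlib.sha256(data).hexdigest(), entropy(data))
    return out

def assess(previous: dict, current: dict) -> dict:
    """Diff two manifests and decide whether this run looks like mass encryption."""
    changed = [f for f, (h, _) in current.items() if f in previous and previous[f][0] != h]
    missing = [f for f in previous if f not in current]
    # files that were ordinary data last time and are near-random now
    newly_random = [f for f in changed if current[f][1] > ENTROPY_LIMIT >= previous[f][1]]
    ratio = (len(changed) + len(missing)) / max(len(previous), 1)
    return {"changed": changed, "missing": missing, "newly_random": newly_random,
            "ratio": ratio,
            "suspicious": ratio > CHANGE_RATIO_LIMIT or len(newly_random) >= 3}

def snapshot(source: Path, dest_root: Path, label: str, previous: dict = None) -> dict:
    """Copy source into a fresh dest_root/label directory and assess it against the last run.

    Older snapshots are never overwritten, so a run that backed up already-encrypted
    files lands beside the good copies instead of replacing them; the caller should
    keep the newest non-suspicious snapshot as the restore point.
    """
    target = dest_root / label
    shutil.copytree(source, target)  # refuses to run if this label already exists
    current = manifest(target)
    verdict = assess(current if previous is None else previous, current)
    verdict["manifest"] = current
    return verdict
```

A real job would also store each manifest next to its snapshot and compare a test restore against it, which is the documented restoration exercise Lewis describes.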

Copyright © 2019 IDG Communications, Inc.
