Dennis Underwood
Published on
July 15, 2022

Backups lack efficacy in the face of advanced Ransomware. (Part 1)

Backups are for “Normal” Disaster Recovery and NOT designed to defend against Malware! This is Part 1 of our two-part series on the efficacy of backups as a ransomware prevention / recovery tool. Today we dive into Local Online and Network Online backups and discuss some of their obstacles / challenges from the point of view of an attacker hell bent on exfiltrating, corrupting and / or ransoming your organization's data! An attacker's next milestone after asserting persistence is to cripple your means to recover the data they plan on encrypting.

First off, let’s get some things straight. Ransomware isn’t the “thing”. It has been over-marketed to the point where it is used interchangeably with malware. But they are not the same thing. Ransomware is the effect whereas malware is the cause. Well… sort of… vulnerabilities exploited by criminal attackers who then install malware are the real cause.


Backups typically fall under 4 types:

  1. Local Online (Shadow Copy, etc.)
  2. Network Online (NAS, SAN, Cloud Service, etc.)
  3. Local Offline (USB Drives, etc.)
  4. Remote Offline (Enterprise, Possibly Cloud-based, etc.)

In Part 1 of this two-part series we will discuss the risks associated with Local Online (1) and Network Online (2) backups and why you cannot rely on them as a defense strategy when dealing with cyber attacks that result in Ransomware.

Attackers Have Goals!

We must first understand the goals and steps an attacker uses before we get into specific challenges for each backup type.

  1. Attackers assert persistence after gaining entry to the network.
  2. Attackers elevate their access across the network. They may need the account of one of your IT Team members, for example.
  3. Attackers hunt for prevention and recovery services and disable them.
  4. Attackers install device monitors that “watch” for the outcome of step 3 and act.
  5. Attackers finally encrypt the files on all devices under their control once your ability to recover on your own is compromised.

Steps 1-5 may take months to complete. All the while the Attacker is stealing your data for future extortion and social engineering.

Local Online Backups (Shadow Copy, etc)

Local backup tools such as Windows Shadow Copy are one of the first technologies attackers remove when they assume control over a device and / or network.

These “backup” services are a second chance recovery option at best and are mainly designed for state recovery by default.

They are also typically not very well protected by the system. You also run into situations where some malware defense tools disable the service because it conflicts with their own tool chain.

Multiple security vendors actually use these highly vulnerable backups as their “ransomware recovery” defense.

These are great assets for simple use cases such as accidental file deletion, or for recovering a bricked system that just installed a device driver it couldn’t digest properly.

But… it is not a viable defense against modern Ransomware! Local online backups are easily evaded by attackers, so they cannot be part of your ransomware prevention tool chain!
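Step 3 of the attacker checklist above (disabling recovery services) is one of the few points where this activity is loud enough to catch. As an added illustration that is not part of the original post, the routine below scans constructed process-creation log lines for the publicly documented shadow-copy and backup-catalog removal commands (MITRE ATT&CK T1490); the key=value log format, host names and user names are assumptions made for the example.

```python
import re

# Constructed sample of Windows process-creation events (Sysmon Event ID 1 /
# Security 4688 style) flattened to key=value lines. Hosts, users and
# commands are made up for this example, not real telemetry.
SAMPLE_EVENTS = [
    'host=WS01 user=CORP\\jdoe image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe report.txt"',
    'host=WS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe list shadows"',
    'host=FS02 user=CORP\\jdoe image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    'host=FS02 user=CORP\\jdoe image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic shadowcopy delete"',
    'host=FS02 user=CORP\\jdoe image=C:\\Windows\\System32\\wbadmin.exe cmdline="wbadmin delete catalog -quiet"',
]

# Publicly documented recovery-inhibition commands (MITRE ATT&CK T1490).
# Merely listing shadow copies is normal admin activity and is deliberately not matched.
TAMPER_PATTERNS = [
    ("vssadmin delete shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic shadowcopy delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin delete catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]

# key=value pairs; a quoted value may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Turn one key=value event line into a dict (quotes stripped from values)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in FIELD_RE.finditer(line)}


def detect_recovery_tampering(lines):
    """Return one alert dict per event whose command line matches a tamper pattern."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmdline", "")
        for rule, pattern in TAMPER_PATTERNS:
            if pattern.search(cmd):
                alerts.append({"host": ev.get("host"), "user": ev.get("user"),
                               "rule": rule, "cmdline": cmd})
                break  # one alert per event is enough
    return alerts


if __name__ == "__main__":
    for a in detect_recovery_tampering(SAMPLE_EVENTS):
        print(f"[T1490] {a['host']} {a['user']}: {a['rule']} -> {a['cmdline']}")
```

On the constructed input only the three FS02 events fire; the benign `vssadmin.exe list shadows` run by the backup service account does not, which is the distinction a rule like this has to keep if it is to be left enabled.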

Network Online Backups (NAS, SAN, Cloud Service, etc.)

We must first understand the importance of gaining access to and control over backup servers. The attackers consider this one of the most important targets to compromise during their long-winded attack phase.

Gaining access to NAS, SAN, backup-specific servers, etc. is basically hitting the jackpot or, for lack of a better phrase, getting the “crown jewels”.

In order to compromise and gain access to your Online Backup system, the attacker adds a few extra steps in their attack process.

  1. Attackers SCAN and locate the IP of the backup device. They already do this for other systems so not much added work here. They are just being more specific and strategic in their search.
  2. Attackers CAPTURE credentials to the NAS / SAN or backup clients and / or APIs.
  3. Attackers EVADE backup and storage server protections which in many cases are not configured correctly. Always REMEMBER… Evasion is what they do for a living!

You have to understand that gaining access to storage systems and backup systems is a crucial and necessary step for the Attackers to succeed in their efforts to hold your data and company hostage. So Online Network Backups cannot be part of your ransomware prevention tool chain!

In Conclusion

Local and Network Online Backups are an essential part of your business and are vital for normal recovery operations, whether that is routine file retrieval after user error or disaster recovery after hardware and software failures.

But you cannot rely on them when staring down the barrel of a Ransomware attack. Remember that many attacks take months of planning, during which the attackers sow the seeds of the Ransomware end game while exfiltrating data to be used for extortion and social engineering.

So, it is imperative that the Attackers are STOPPED before backups are even considered. As we stated above… they will most likely not even be there to save you at this point.

What’s next?

In our next article we will discuss Local and Remote offline backups and shed some light on why these also cannot be considered viable for preventing Ransomware or recovering from an attack once the Attackers drop the hammer.

Ransomware Rewind Elevator Pitch

Ransomware Rewind stops Ransomware COLD so you aren’t left mopping up the mess of partial recovery and expensive missed SLAs!

Ransomware Rewind allows you to keep working with NO data loss and NO extortion worthy data exfiltration.

We do this through innovative technology that we have created after fighting the malware and Ransomware threats for many years.

Ransomware Rewind was specifically designed to combat malware and stop Ransomware from happening. We can detect modern and ancient malware alike and prevent it from taking hold of the system before exfiltration is possible.

Our benchmarks have shown we can mitigate a Ransomware encrypt attack in less than 100 milliseconds!

About the author
Dennis Underwood

Dennis Underwood is a veteran, cybersecurity leader, inventor, and entrepreneur with over 20 years of experience. He is an expert at cryptography, intrusion discovery and analysis, having discovered multiple previously unreported intrusions to clients throughout his career. Currently, he is leading a team of like-minded experts delivering next generation intrusion discovery and ransomware response automation tools to consumers.
