Welcome back to part 2 of our two part series on Backups vs Ransomware. We can’t this stress enough so will repeat this again from the first article:
Backups are for “Normal” Disaster Recovery and NOT designed to defend against Malware
Backups typically fall under 4 types:
- Local Online (Shadow Copy, etc.) (See Article 1)
- Network Online (NAS, SAN, Cloud Service, etc.) (See Article 1)
- Local Offline (USB Drives, etc)
- Remote Offline (Enterprise, Possibly Cloud-based, etc.)
In part 2 of this two part series we will discuss the risks associated with Local Offline (3) and Remote Offline (4) and why you cannot rely on them as a defense strategy when dealing with Cyber attacks resulting in Ransomware
Remember… Attacker’s Have Goals!
We must first understand the goals and steps an attacker uses before we get into specific challenges for each backup type.
- Attackers assert persistence after gaining entry to the network
- Attackers elevate their access across the network. They may need an account of one of your IT Team, for example.
- Attackers hunt for prevention and recovery services and disable them
- Attackers install device monitors that “watch” for point 3 and act
- Attackers finally encrypt the files on all devices under their control when your ability to recover on your own is compromised
Steps 1-5 may take months to complete. All the while the Attacker is stealing your data for future extortion and social engineering
Local Offline Backups
So what is an Offline Local Backup?
Well, in a nutshell it is a storage device you plugin to your computer which is then used to store copies of your data to keep it safe in case of disaster or for simple retention and recovery of files.
The most common devices used are USB devices such as thumb / flash drives or external HDD or SSD connected by USB.
1. The data stored on them is not always encrypted.
2. The device must be connected to work and cyber criminals leave processes behind looking for the moment they become available... and... attack them!
3. They require manual user action... Plug in... Unplug... we know the human scheduling element introduces risk... people forget!
4. The backup tool (if one is even used) must be continually reviewed and new data locations added to the backup
5. People frankly forget to unplug it... so it isn't offline at all.
6. IT overhead of sending these out to users and trying to monitor if they are even doing the backups. WFH and Remote workers make this quite difficult.
Offline Local Backups cannot prevent Ransomware. They are rudimentary at best.
Remote Offline Backups
What are Remote Offline Backups?
These typically are defined as a backup to a disk or tape medium that is then taken offline and preferably off-site for managing risks such as fire, theft and other catastrophic use cases. It is often part of a larger backup strategy, such as the 3-2-1.
You should definitely have these in a well conceived backup strategy, BUT...
One major Issue with relying on these backups as part of a Ransomware prevention strategy is... attackers know you use these, know how you manage them, and they have the patience and means to attack and exploit them...
Once the cyber criminals get into your system and network, they quickly look for the right permissions and places to attack the management console, and will even install scripts that wait for the backup systems to go live and then pounce all over them.
They will corrupt the files on the backup device(s) directly or intercept the data on the way to the device(s) (Attack and Corrupt In Transit).
SO, it is CRITICAL that you prevent the malware BEFORE it ends in Downtime and an aggressively worded Ransom demand!
Remote Offline Backups are GREAT! And the attackers know it! And they work really hard to rid you of them!
Offline Backups are an essential part of your business and are vital for normal recovery operations; whether it is regular file retrieval operations from user error or disaster recovery due to hardware and software failures.
But, you cannot rely on them entirely when planning your Ransomware defence and recovery strategy. As we mentioned in Part 1, many attacks take months of planning and careful stealth execution while the attackers lay the seeds of their Ransomware End Game... all the while exfiltrating data to be used for extortion, double extortion and further social engineering of you, your clients and their customers… and so on.
So, it is imperative that the attack is prevented before you have to consider enumerating your backups as a recovery option. As we stated above… they will most likely not even be there to save you at this point. And if they are… they could be laced with malware allowing for further attacks. So please make sure that when you do recover from backups that you thoroughly scan them for infection and corruption.