Before Clay Heuckendorf and members of his team could even hazard a guess as to why some of a client’s backup data was missing, bad actors launched a ransomware attack right before their eyes.
“The ransomware attack started while we were sitting there, observing,” says Heuckendorf, senior architect at Insight Enterprises, which bills itself as modernizing and securing critical platforms and transforming IT for its customers.
The timing was coincidental – and fortuitous. Heuckendorf’s team was onsite to discuss a separate solution they were building for the company when the client brought up anomalies with its backup data. It was the first time Heuckendorf had seen an attack on data protection systems – but it would not be the last. In short order, another client reported missing and corrupted backup data followed by a ransomware attack.
In both cases, the organizations hit “said the backups were the first one to go,” said Heuckendorf. “We looked at each other and said, ‘tell us more.’”
The attackers, as he discovered, had deleted their clients’ backup images and activated ransomware in servers, playing a very thorough long game. In at least one case, “malicious software had been sitting out there for six months and they put a key logger in place,” he said. “They targeted arrays first and then went in and attacked.”
Backup attacks typically wipe out an organization’s backup infrastructure and storage snapshots before locking and encrypting file systems. With recovery from backup no longer possible, bad actors gain the leverage to coerce a company into paying ransom.
“If you can’t access backup, you aren’t going to be able to restore files and you’re more likely to pay the ransom,” said Diana Kelley, chief technology officer and founding partner at Security Curve.
Backup data, of course, has long been the (fairly reliable) fallback for companies looking to mitigate damage from ransomware attacks without being at the mercy of bad actors. The data can be used to restore quickly and more completely without giving in to attackers’ demands. But backup attacks are becoming more prevalent because they give bad actors “much more leverage on the victim,” said Eddy Bobritsky, CEO at Minerva Labs, putting the efficacy of that mitigation strategy at risk.
“Sophisticated ransomware attacks that target system backups are effective, because they take away the victim organization’s perceived insurance policy,” said Kacey Clark, threat researcher at Digital Shadows. “Without the ability to successfully restore systems and maintain business continuity, organizations’ options become severely limited, leading to increased pressure to pay ransom demands.”
But in a world where ransomware is a recognized and growing menace – Bitdefender’s Mid-Year Threat Landscape Report 2020 noted a “seven-fold year-on-year increase in ransomware reports” – backup ransomware attacks in particular haven’t gotten the attention they deserve.
“There’s always been this idea with ransomware, that as long as we protect the edge, we don’t have to worry about backup,” said Heuckendorf. “You do what the client wants – bigger, faster, better.”
The effects of ransomware attacks aimed at backup, though, can be devastating, and not just because they could coax ransom payment from an organization that typically wouldn’t be inclined to do so.
“In the case of ransomware, the damage to an organization goes far beyond the necessity to pay the ransom if an available backup is not a possibility,” said Caroline Thompson, head of underwriting at Cowbell Cyber. “Loss of revenue, business disruption and damage to the reputation of the organization are all financial burdens.”
Backup attacks, too, can offer attackers broad access and the opportunity to spread their malign activities throughout an organization. For instance, if different backup systems are connected, Kelley pointed out, attackers can reach across business systems.
Organizations also stand to lose valuable data that they can’t necessarily replicate. Insight Enterprises points to one backup attack that “caused an expected 30 percent data loss at an organization that refused to meet payment demands.”
Help is on the way in 3-2-1…
Seeing first-hand the damage that ransomware attacks on backup systems can do prompted Insight Enterprises to rethink backup protections. Architects were tasked with reexamining the threat with data protection in mind, said Heuckendorf, including “what we need to be cognizant of when building backup.”
Kelley still favors the 3-2-1 backup strategy, which traditionally called for three copies of data (production data and two backup copies) on two different backup media, such as disk and tape, with one copy stored off-site. As companies have embraced the cloud, 3-2-1 has been updated to include backup – preferably two copies – stored in two geographically separated areas of the cloud.
“The 3-2-1 method is an improved and more reliable approach to storing backups, which [now] involves keeping three or more copies of your data across two storage mediums or locations and one cloud storage provider,” said Clark.
While Kelley is a fan of cloud storage, there’s a benefit to keeping backups at a cold site, where they’re segregated from an organization’s production systems and out of the reach of hackers. “The core approach is to make sure some backup is offline,” she said.
The downside? Depending on how frequently a company backs up to the cold site, the data stored might not be as fresh, which can be an issue during restoration. “Even if your backup is one hour old, it’s still going to be work getting [data] back up,” said Kelley.
Of course, for nearly any backup strategy, the data is only as fresh as the last backup. And every organization must weigh a variety of factors to determine how frequently to back up, or whether to add segmentation or microsegmentation to the mix, including the cost of downtime and the resources needed to bring business back online. All of those factors vary from company to company, depending on size, the nature of the business, budget and critical operations. A bank, for instance, could lose business – and money – if backup data is even just a few hours old, while a small doctor’s practice could get by with weekly backups. If there’s an attack on the latter, “someone may have to come in on the weekend to do the restoration,” Kelley explained, a pain but not a hit to the business.
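The 3-2-1 rule, the off-site and offline copies, the freshness trade-off and the "can you actually restore it" question discussed above can be turned into a mechanical check that runs against a backup inventory. The script below is an added example written for this article; it is not tooling from Insight Enterprises, Security Curve, Digital Shadows or any backup vendor. The copy labels, media types, site names and the one-hour recovery point objective (RPO) are constructed values, and production data is treated as the first of the three copies, following the traditional definition quoted above.

```python
"""Check a set of backup copies against the 3-2-1 rule, a freshness target
and restore verification. Added illustration; inventory values are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupCopy:
    label: str
    medium: str             # "disk", "tape", "object-storage", ...
    site: str               # constructed site name
    offsite: bool           # stored away from the production site
    offline: bool           # air-gapped / not reachable from production
    completed_at: datetime  # when this copy last completed
    verified: bool          # a test restore or checksum check succeeded


def check_3_2_1(copies, now, rpo, min_backup_copies=2, min_media=2):
    """Return a list of findings; an empty list means the policy is met.

    Production data is the third copy in the traditional 3-2-1 count, so
    only the backup copies are passed in here.
    """
    findings = []
    if len(copies) < min_backup_copies:
        findings.append(f"only {len(copies)} backup copies, need {min_backup_copies}")
    media = {c.medium for c in copies}
    if len(media) < min_media:
        findings.append(f"only {len(media)} media type(s), need {min_media}")
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy")
    if not any(c.offline for c in copies):
        findings.append("no offline copy out of reach of production systems")
    # Freshness: at least one copy must be newer than the RPO.
    if not any(now - c.completed_at <= rpo for c in copies):
        findings.append(f"no copy newer than RPO of {rpo}")
    # A backup that has never been restored from is an assumption, not a backup.
    unverified = [c.label for c in copies if not c.verified]
    if unverified:
        findings.append("unverified copies: " + ", ".join(unverified))
    return findings


def good_inventory(now):
    """Constructed inventory that satisfies the rule: disk + tape + cloud."""
    return [
        BackupCopy("nightly-disk", "disk", "dc-east", False, False,
                   now - timedelta(minutes=30), True),
        BackupCopy("tape-vault", "tape", "offsite-vault", True, True,
                   now - timedelta(hours=20), True),
        BackupCopy("cloud-west", "object-storage", "cloud-region-west", True, False,
                   now - timedelta(minutes=45), True),
    ]


def weak_inventory(now):
    """Constructed inventory: two disk replicas in the same data centre."""
    return [
        BackupCopy("nightly-disk", "disk", "dc-east", False, False,
                   now - timedelta(hours=26), False),
        BackupCopy("disk-replica", "disk", "dc-east", False, False,
                   now - timedelta(hours=26), True),
    ]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, inv in (("good", good_inventory(now)), ("weak", weak_inventory(now))):
        findings = check_3_2_1(inv, now, timedelta(hours=1))
        print(name, "->", findings or "policy met")
```

The RPO argument is where the bank-versus-doctor's-practice trade-off from the text lives: the same inventory passes with a weekly target and fails with an hourly one.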
Regardless of strategy, companies can’t just park their data in backup and hope for the best.
“When you get backup in place, you need to make sure it’s backing up as expected and you can access it,” said Kelley.
Likewise, while the 3-2-1 method is dependable, “organizations should also ensure that they can effectively restore from backups by practicing their respective disaster recovery plans,” said Clark.
Companies, too, should monitor their backup carefully, setting alerts to warn IT security that attackers are trying to get at backed up data, Kelley said, and be flexible enough to change backup frequency and methods to suit their evolving businesses.
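Kelley's point about alerting on attempts to get at backed-up data is the detection side of the cases described at the top of the article, where backup images were deleted before the ransomware ran. The detector below is an added example for this article, not a feature of any backup product quoted here. The audit-log line format, the account names, the action names and the thresholds are all constructed; a real deployment would map the product's own log fields onto the same two signals: a burst of destructive actions by one account, and any change that weakens retention or immutability.

```python
"""Flag suspicious activity against a backup catalogue from its audit log.
Added illustration; the log format and sample lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log format: ISO timestamp, actor, action, target.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+) target=(?P<target>\S+)$"
)
# Actions that remove recovery points (names are constructed).
DESTRUCTIVE = {"DELETE_IMAGE", "DELETE_SNAPSHOT", "EXPIRE_NOW"}
# Changes that silently shorten how long backups survive get an alert on their own.
POLICY_CHANGES = {"RETENTION_CHANGE", "IMMUTABILITY_DISABLE"}

# Constructed sample: routine nightly expiry by the service account, then a
# retention change and a burst of image deletions from an admin account.
SAMPLE_LOG = [
    "2024-03-01T01:00:02Z actor=svc-backup action=EXPIRE_NOW target=img-0901",
    "2024-03-01T01:00:09Z actor=svc-backup action=WRITE_IMAGE target=img-1001",
    "2024-03-01T02:00:02Z actor=svc-backup action=EXPIRE_NOW target=img-0902",
    "this line is malformed and must be skipped",
    "2024-03-01T03:12:40Z actor=ops-admin action=RETENTION_CHANGE target=policy-daily",
    "2024-03-01T03:13:01Z actor=ops-admin action=DELETE_IMAGE target=img-0990",
    "2024-03-01T03:13:05Z actor=ops-admin action=DELETE_IMAGE target=img-0991",
    "2024-03-01T03:13:09Z actor=ops-admin action=DELETE_IMAGE target=img-0992",
    "2024-03-01T03:13:14Z actor=ops-admin action=DELETE_IMAGE target=img-0993",
    "2024-03-01T03:13:20Z actor=ops-admin action=DELETE_IMAGE target=img-0994",
    "2024-03-01T03:13:27Z actor=ops-admin action=DELETE_IMAGE target=img-0995",
    "2024-03-01T03:13:33Z actor=ops-admin action=DELETE_IMAGE target=img-0996",
]


def parse(line):
    """Return (timestamp, actor, action, target) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["actor"], m["action"], m["target"]


def detect(lines, window=timedelta(minutes=10), max_deletes=5):
    """Return alerts as (timestamp, actor, reason) tuples.

    A policy change alerts immediately. Destructive actions are counted per
    actor in a sliding window and alert once when the count exceeds max_deletes,
    so routine one-at-a-time expiry does not fire.
    """
    alerts = []
    recent = defaultdict(deque)  # actor -> timestamps of destructive actions
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, actor, action, target = parsed
        if action in POLICY_CHANGES:
            alerts.append((ts, actor, f"{action} on {target}"))
        elif action in DESTRUCTIVE:
            q = recent[actor]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) == max_deletes + 1:  # fire once as the threshold is crossed
                alerts.append((ts, actor, f"{len(q)} destructive actions in {window}"))
    return alerts


if __name__ == "__main__":
    for ts, actor, reason in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} ALERT {actor}: {reason}")
```

The service account's two expiries an hour apart never reach the threshold, while the admin account trips it on its sixth deletion inside the window; the retention change fires on its own because shortening retention is how an attacker makes backups disappear without an obvious mass delete.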
Other basic hygiene can also help fend off ransomware attacks on backup. “The success of ransomware is reliant on whether or not the target organization has patched its devices properly. Therefore, having all systems patched and current is a minimum for security,” said Daniel Norman, senior solutions analyst at the Information Security Forum. “Also, a strong antivirus and antispam solution should be able to frequently scan devices for malware.”
“An organization ought to have an incident response or crisis management plan for ransomware events, knowing who to contact and what to do,” Norman added. “This should be regularly rehearsed so that if ransomware hits, the organization can recover quickly.”