Preparing for Ransomware: Are Backups Enough?
In a year where ransomware has raised the alert levels everywhere, the go-to answer from many is redundancy through offline, remote backups – but are they enough?
Backups are a critical component of any enterprise cybersecurity posture, but they are not an airtight strategy. Like any other digital machine, backup systems are vulnerable to data loss and compromise. From the rooftops, industry analysts shout, “Move your backups offline and away from production environments!” But access to and confidence in backups alone aren’t enough.
As ransomware threats loom, we look at where backups fall short, and what to keep in mind to optimize network and data security.
Why Are Backups Critical?
Backups are the specialized physical or virtual machines built to restore an organization’s data or systems to a previous state. Whether it’s a ransomware attack, natural disaster, machine or human error, backups are critical to restoring lost, damaged, and inaccessible resources.
Though this article looks at the shortcomings of relying on backups, the truth remains that backups are one of the best defensive solutions against ransomware if done right.
The Argument For Backups
In today’s digital ecosystem, an organization’s success depends on the operational continuity of its digital records and systems. For vendors, downtime caused by disasters can be resource-intensive, costly, and the source of long-term reputational damage.
For ransomware attacks where network data gets encrypted, backups are the definitive method for restoring network infrastructure. Administrators can start the restoration process and return to the pre-attack state with an offline backup isolated from the impacted network.
Where Backups Fall Short Against Ransomware
Backups aren’t solely to blame for ransomware recovery failures, but they can be compromised by ransomware attacks if not done right. The following sections speak to how ransomware can affect organizations with backup strategies in place, the implications of advanced malware, and why the type of backup solution matters.
Backups Don’t Preclude Expensive Recovery
Even if an organization has an offline backup ready to go, ransomware attacks and the recovery process can still carry quite a cost. The technical approach for restoration, digital forensics and incident response, and restoring client services all take time and resources.
The Restoration Process Takes Time
After a ransomware attack, IT personnel attempt to identify the state of network segments and recovery options. With a remote backup available and uncorrupted, the restoration process begins. In addition to restoring data and systems from the backup, network technicians may also have to reimage computers, install new software, set configuration policies, or reapply patches. Tasks like rebuilding the Active Directory and configuration management database capabilities can take multiple weeks.
The technical process of restoring the network takes time, and the larger and more complex the backup or network, the longer it will take to recover.
Extended Downtime Can Be Deadly
In the event of a ransomware attack, an organization could lose access to part or all of its network data and systems, blocking further work. For service providers, this could mean downtime where client resources are inaccessible for an extended period.
Coveware reported earlier this year the average downtime for ransomware victims jumped from 15 days in 2019 to 21 days in 2020. The longer the downtime, the higher the chances are of lost revenues, reputational damage, and more. Other direct costs attached to ransomware attacks with a backup or not include:
Decreased productivity without network resources and systems
Loss of proprietary secrets or customers, directly affecting organization bottom line
Disaster recovery specialists to assist in digital forensics and incident response (DFIR)
Higher cybersecurity insurance premiums to meet the organization’s risk level
Retraining personnel to meet new challenges and avoid aftershock attacks
The ransom amount paid to avoid the public disclosure of data
Considering these costs, the Sophos State of Ransomware white paper reported the average cost to recover from a ransomware attack had doubled to $1.85 million within the last year. Relative to the average ransom paid for a mid-sized organization ($170,404), the costs add up.
Successful ransomware attacks additionally constitute a data breach that can push organizations into violating their governance, risk, and compliance (GRC) obligations. Victim organizations remain liable for regulatory fines and civil penalties for breaching sensitive user data.
Ransomware Grows More Dangerous
Whereas before, ransomware gangs would only encrypt a network’s data and (maybe) release the decryption key upon payment, today’s attackers are taking their network access a step further.
Like any malware, ransomware enters the network through attack vectors like phishing emails, social engineering, software and remote desktop protocol (RDP) vulnerabilities, and malicious websites. Ransomware’s success in the last two years has been exacerbated by COVID-19, with a 600% increase in malicious emails during the pandemic.
Once inside the network, sophisticated threat actors can use their access to escalate permissions, move laterally, and encrypt the entire network infrastructure. From on-premises systems to the cloud, they are at risk if network segments are connected and accessible to a compromised privileged user.
Alongside these more sophisticated tactics, ransomware attacks now go beyond just encrypting network data. Most current backups don’t extend far enough to meet the added threats posed by advanced ransomware attacks.
Beyond Encryption: Exfiltration And Extortion
Malware constantly evolves to match advancing cybersecurity standards and solutions, and ransomware is no exception. Two additional angles added to the ransomware attack tactics include data exfiltration and double extortion.
After malware gains access to a network and before encrypting organization systems, threat actors can take steps to exfiltrate data. A secure backup can allow leadership to say “no thanks” to the offer of a decryption key. Still, the prospect of exposed proprietary systems or sensitive data pressures the organization to pay the ransom anyway, backup or no backup, so preventing ransomware attacks in the first place remains critical.
Despite making the payment, there is no guarantee attackers act in good faith and respect data in their possession. Several instances show ransomware hackers going against their word and disclosing sensitive data to the public. The prospect of stolen data getting reused for a second ransom is known as double extortion.
Sophisticated tactics, like those used against Colonial Pipeline, JBS Foods, and Kaseya, enable attackers to linger for periods before using their access to inflict damage. Today’s ransomware gangs deploy advanced malware capable of exposing any number of network vulnerabilities.
Hackers Target Backups
Another development in recent ransomware strains has been the automatic detection of backups connected to or within an organization’s infrastructure.
Because holding offline backups isn’t a universal practice or publicly mandated, hackers know there’s the potential to encrypt an organization’s only viable backup. With knowledge of the most popular backup data files, today’s ransomware specifically targets backups for encryption.
Network administrators who haven’t heeded the call for offline backups could easily begin restoration only to realize the attackers encrypted the backup as well. Multiple airtight copies of data are necessary to protect against the corruption of any one copy. This also means organizations must be careful to restore data only from a clean, uncorrupted copy.
Not All Backups Are Created Equally
So far we’ve focused on why backups by themselves aren’t enough in the fight against ransomware, but that’s not to say there aren’t plenty of excellent solutions. Like other IT products and services, backups are a part of a growing and competitive marketplace, with many options for different organization requirements and price points.
Inadequate Or Excessive Redundancy
While digital systems become more critical to public and private ecosystems, there remain stragglers in adopting an effective backup strategy. Considerations like whether the existing solution covers part or all of the network and syncs on an hourly, daily or real-time basis determine what changes in coverage might be necessary. For a fast-moving startup, losing up to a month of network data would be a nightmare scenario.
On the other hand, excessive redundancy that throws the kitchen sink at backup solutions but fails to consider their vulnerabilities or cost also causes unnecessary strain. A more practical approach would identify sensitive network segments and deploy priority backups for those segments with a robust syncing schedule. In either case, too little coverage presents added risk, and too much coverage can be challenging to manage and expensive.
Storage Space And Sync Periods
When system backups are infrequent, it’s less likely the network can effectively return to a pre-ransomware attack state. Two considerations for every network when shopping for backup solutions are storage space and the frequency of backup syncs. Between full, differential, and incremental backup solutions, organizations have options that each have their benefits.
Of course, the more an organization duplicates network data, the more storage space is required to hold that backup data. Incremental backups remain a popular enterprise choice because each run stores only what changed since the previous backup, keeping the data load small; a restore then replays the last full backup followed by the chain of increments taken since.
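The trade-off between full, differential, and incremental backups is easier to see on a concrete timeline. The following simulation is an added example, not code from the article or from any backup vendor: it applies each scheme to a constructed set of three files that change over four days, then reports how much each run stores and how many snapshots a restore to the last day must read. File names, sizes, and the change pattern are all constructed inputs; deletions are deliberately not modelled.

```python
from dataclasses import dataclass


@dataclass
class Snapshot:
    day: int
    kind: str          # "full", "differential" or "incremental"
    files: dict        # file name -> content version captured in this run
    bytes_stored: int  # size of the captured files, in MB here


class BackupChain:
    """One backup scheme applied to a file set that changes over time."""

    def __init__(self, scheme):
        if scheme not in ("full", "differential", "incremental"):
            raise ValueError(f"unknown scheme {scheme!r}")
        self.scheme = scheme
        self.snapshots = []

    def run(self, day, state, size_of):
        """Record a backup of `state` (file -> version) taken on `day`."""
        if not self.snapshots or self.scheme == "full":
            kind, captured = "full", dict(state)
        else:
            # A differential compares against the last full backup; an
            # incremental compares against the previous backup of any kind.
            if self.scheme == "differential":
                base = [s for s in self.snapshots if s.kind == "full"][-1].files
            else:
                base = self.reconstruct(self.snapshots[-1].day)
            kind = self.scheme
            captured = {f: v for f, v in state.items() if base.get(f) != v}
        stored = sum(size_of[f] for f in captured)
        self.snapshots.append(Snapshot(day, kind, captured, stored))
        return stored

    def chain_for(self, day):
        """Snapshots a restore to `day` must read, oldest first."""
        upto = [s for s in self.snapshots if s.day <= day]
        i = max(i for i, s in enumerate(upto) if s.kind == "full")
        if self.scheme == "differential":
            # Last full plus only the newest differential taken after it.
            return upto[i:i + 1] + ([upto[-1]] if len(upto) > i + 1 else [])
        return upto[i:]   # full: just that full; incremental: the whole chain

    def reconstruct(self, day):
        """File state (file -> version) a restore to `day` would produce."""
        state = {}
        for s in self.chain_for(day):
            state.update(s.files)
        return state


# Constructed sample data: sizes in MB and the version of each file per day.
SIZE_MB = {"db.sql": 200, "ledger.csv": 100, "config.yml": 50}
TIMELINE = [
    (0, {"db.sql": 1, "ledger.csv": 1, "config.yml": 1}),
    (1, {"db.sql": 1, "ledger.csv": 2, "config.yml": 1}),
    (2, {"db.sql": 1, "ledger.csv": 2, "config.yml": 2}),
    (3, {"db.sql": 1, "ledger.csv": 3, "config.yml": 2}),
]


def simulate(scheme):
    """Storage cost per run and restore cost for the last day of TIMELINE."""
    chain = BackupChain(scheme)
    per_run = [chain.run(day, state, SIZE_MB) for day, state in TIMELINE]
    last_day = TIMELINE[-1][0]
    reads = chain.chain_for(last_day)
    return {
        "per_run_mb": per_run,
        "total_stored_mb": sum(per_run),
        "restore_snapshots": len(reads),
        "restore_read_mb": sum(s.bytes_stored for s in reads),
        "restored_state": chain.reconstruct(last_day),
    }


if __name__ == "__main__":
    for scheme in ("full", "differential", "incremental"):
        r = simulate(scheme)
        print(f"{scheme:12} stored={r['total_stored_mb']:5} MB  "
              f"restore reads {r['restore_snapshots']} snapshot(s), "
              f"{r['restore_read_mb']} MB")
```

Running it shows the pattern the article describes: the full scheme stores the most but restores from a single snapshot, the incremental scheme stores the least but must replay every snapshot since the last full (so losing any one link breaks the restore), and the differential scheme sits in between. All three reconstruct the same final file state.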
Configuration Management And Malfunction
Backup systems aren’t immune to malfunctioning, failing to restore pertinent data, or only partially restoring intended data. Though consistent bugs are less likely with a top backup solution vendor, organizations can fall victim to poor configuration management. Like most software tools, backups work best when configured to meet the network’s needs, and controls and log activity are visible to administrators.
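Making backup activity visible to administrators means someone, or something, actually reads the job logs. The following audit is an added example, not code from the article or any backup product: it parses a constructed, simplified job log (the `job=... status=... bytes=...` format and the job names are invented for the example) and flags three conditions that a misconfigured or malfunctioning backup typically produces: a job with no recent successful run, a partial run, and a "successful" run whose size collapsed relative to earlier runs, which often means an exclusion rule or a detached volume silently shrank the backup.

```python
import re
from statistics import median

# Constructed log format; real products have their own, so adapt the regex.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) job=(?P<job>\S+) status=(?P<status>\w+)'
    r'(?: bytes=(?P<bytes>\d+))?(?: detail="(?P<detail>[^"]*)")?$'
)

# Constructed sample log lines.
SAMPLE_LOG = """\
2021-09-01T02:00:11Z job=fileserver-nightly status=SUCCESS bytes=104857600
2021-09-02T02:00:09Z job=fileserver-nightly status=SUCCESS bytes=105906176
2021-09-03T02:00:14Z job=fileserver-nightly status=PARTIAL bytes=2097152 detail="3 files skipped: access denied"
2021-09-04T02:00:10Z job=fileserver-nightly status=SUCCESS bytes=1048576
2021-09-02T03:00:00Z job=erp-db status=FAILED detail="target unreachable"
2021-09-03T03:00:00Z job=erp-db status=FAILED detail="target unreachable"
""".splitlines()


def parse(lines):
    """Return one dict per parseable log line; unparseable lines are skipped."""
    runs = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["bytes"] = int(d["bytes"]) if d["bytes"] else 0
        runs.append(d)
    return runs


def audit(lines, shrink_ratio=0.2, max_consecutive_failures=2):
    """Return (job, finding, detail) tuples for conditions worth a ticket."""
    by_job = {}
    for r in parse(lines):
        by_job.setdefault(r["job"], []).append(r)
    findings = []
    for job, runs in by_job.items():
        runs.sort(key=lambda r: r["ts"])  # ISO-8601 UTC timestamps sort lexically
        # 1. Trailing streak of non-successful runs.
        tail = 0
        for r in reversed(runs):
            if r["status"] == "SUCCESS":
                break
            tail += 1
        if tail >= max_consecutive_failures:
            findings.append((job, "no_recent_success", f"last {tail} runs not SUCCESS"))
        # 2. Partial runs: the backup exists but does not cover what it should.
        for r in runs:
            if r["status"] == "PARTIAL":
                findings.append((job, "partial_run", f"{r['ts']}: {r['detail']}"))
        # 3. A successful run far smaller than the median of earlier successes.
        prior = []
        for r in runs:
            if r["status"] != "SUCCESS":
                continue
            if len(prior) >= 2 and r["bytes"] < shrink_ratio * median(prior):
                findings.append((job, "size_drop",
                                 f"{r['ts']}: {r['bytes']} bytes vs median {int(median(prior))}"))
            prior.append(r["bytes"])
    return findings


if __name__ == "__main__":
    for job, finding, detail in audit(SAMPLE_LOG):
        print(f"{job}: {finding} ({detail})")
```

The thresholds are arbitrary starting points; the point is that "job ran" and "job produced a usable backup" are different facts, and only the log, read critically, tells them apart.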
Implementing the Optimal Backup Strategy
A successful backup strategy optimizes syncing periods to reflect real-time business data and uses adequate backup tools to ensure administrators can bring back systems promptly.
Practice the 3-2-1 principle prescribing that organizations keep three copies of the select data, two types of storage (on-premises and cloud-based), and one off-site copy. And in the age of ransomware, multiple air-gapped copies of your data are desirable.
Deploy multiple backup systems that segment the network and combine full, differential, and incremental backup strategies.
Prioritize the protection of backup catalogs, which contain all the metadata for backups (index, bar codes of tapes, full paths to data content on disk).
Inventory critical data and systems to enhance visibility into the network infrastructure.
Back up data and business processes, including software, components, dependencies, configurations, monitoring, and more, for business continuity.
Though restoring or rebuilding can be complex, cloud and virtualization technology offer secure, accessible, and cost-effective hot-swap architectures.
If staying online is critical and downtime could be damaging to continuity, consider the pricier and complete hot backup site for the fastest recovery.
Conduct regular penetration testing and breach and attack simulation to ensure backups work as planned and remain secure and accessible during a ransomware attack.
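The 3-2-1 rule and the earlier warning to restore only from a clean copy fit together in one check: count copies, media, and off-site locations, but count them only after verifying each copy against the catalog's recorded digest. The script below is an added example, not the article's or any vendor's code. It models a constructed inventory in which the on-premises disk copy has been overwritten by an attacker (stand-in bytes, not real ransomware output), and shows that a policy that passed "on paper" fails once integrity is checked. The `BackupCopy` fields and the inventory are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class BackupCopy:
    name: str
    medium: str        # e.g. "disk", "object-storage", "tape"
    offsite: bool
    air_gapped: bool   # not reachable from the production network at all
    payload: bytes     # constructed stand-in for the archive's bytes


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_copies(copies, catalog_digest):
    """Split copies into (intact names, corrupted names) by digest."""
    intact, corrupted = [], []
    for c in copies:
        (intact if sha256_hex(c.payload) == catalog_digest else corrupted).append(c.name)
    return intact, corrupted


def meets_3_2_1(copies):
    """Three copies, two media, one off-site, counting the given copies."""
    media = {c.medium for c in copies}
    return len(copies) >= 3 and len(media) >= 2 and any(c.offsite for c in copies)


def assess(copies, catalog_digest):
    """Policy result before and after integrity verification."""
    intact, corrupted = verify_copies(copies, catalog_digest)
    good = [c for c in copies if c.name in intact]
    return {
        "copies_total": len(copies),
        "copies_intact": len(good),
        "corrupted": corrupted,
        "media_intact": sorted({c.medium for c in good}),
        "offsite_intact": any(c.offsite for c in good),
        "air_gapped_intact": any(c.air_gapped for c in good),
        "meets_3_2_1_on_paper": meets_3_2_1(copies),
        "meets_3_2_1_verified": meets_3_2_1(good),
        # What the article asks for in the ransomware era: a verified,
        # air-gapped copy on top of the basic rule.
        "ransomware_ready": meets_3_2_1(good) and any(c.air_gapped for c in good),
    }


# Constructed sample: the archive content and its catalog record.
ARCHIVE = b"backup-set 2021-09-09 :: fileserver + erp-db (constructed content)"
CATALOG_DIGEST = sha256_hex(ARCHIVE)

# Constructed inventory; the on-prem disk copy has been overwritten.
INVENTORY = [
    BackupCopy("onprem-disk", "disk", offsite=False, air_gapped=False,
               payload=b"<overwritten by attacker - constructed placeholder>"),
    BackupCopy("cloud-bucket", "object-storage", offsite=True, air_gapped=False,
               payload=ARCHIVE),
    BackupCopy("vault-tape", "tape", offsite=True, air_gapped=True,
               payload=ARCHIVE),
]


if __name__ == "__main__":
    for key, value in assess(INVENTORY, CATALOG_DIGEST).items():
        print(f"{key:24} {value}")
```

The "on paper" and "verified" results diverge exactly as the article warns: three copies across three media looked fine until the primary copy was checked. A real catalog stores a digest per archive segment and the verification runs on a schedule, not only at restore time, so that a corrupted copy is discovered while there is still time to recreate it.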
Going Beyond Backups
There’s little guarantee an organization can fend off a determined attacker. For network security administrators, the prospect of a ransomware attack should be considered as a “when,” not “if.”
Because ransomware is the most dangerous malware threat today, much of the traditional wisdom for defending the network at large also applies to guarding against it.
Network cybersecurity solutions do stellar work identifying and proactively defending the network against malware. Administrators must properly configure these tools, keep software up to date, avoid suspicious executables, and limit risky web content to solidify their impact. But as networks grow larger and more complex, the mindset of protecting the perimeter is shifting toward protecting specific network data.
The Optimal Defense
Zero trust continues to be the most sought-after cybersecurity framework on the block, and it’s easy to see why. When network administrators have a more robust understanding of their protect surfaces (i.e., the most valuable or sensitive network data and systems), they have the agency to prioritize the defenses of those segments.
The network perimeter is growing too large and complex for most organization security operations to manage. Though network firewalls and EDR remain trusty defense layers, they fail to guard against the advanced insider threat. In addition to walling off your most critical data with zero trust and microsegmentation, advanced security tools like UEBA and machine learning-based detection can help you spot more insidious threats.
Building a Network Ready for Ransomware
With sufficient offline backup, organizations can restore their data and operations without paying a ransom to cybercriminals. Unfortunately, backups alone don’t ease the restoration process or mitigate ransomware extortion tactics.
At this time, the best solution to ransomware is avoiding the initial breach. To prepare, administrators must continue to build a holistic cybersecurity posture that’s ready for any intruding malware. An intelligent backup strategy can mitigate the effects of ransomware, but it’s not a cure.
Sam Ingalls – September 10, 2021