Despite a recent decline in attacks, ransomware still poses significant threats to enterprises, as the attacks against healthcare organizations demonstrated this month. It is also becoming more capable. In particular, ransomware writers are aware that backups are an effective defense and are modifying their malware to track down and eliminate the backups.
Ransomware targeting backups
Ransomware will now delete any backups it happens to come across along the way, says Adam Kujawa, head of malware intelligence at Malwarebytes. For example, a common tactic for ransomware is to delete automatic copies of files that Windows creates. “So, if you go to system restore, you can’t revert back,” he said. “We’ve also seen them reach out to shared network drives.”
Two well-known examples of ransomware that has backups in its sights are SamSam and Ryuk. In November, the US Department of Justice indicted two Iranians for using the SamSam malware to extort more than $30 million from over 200 victims, including hospitals. Attackers maximized the damage, by launching attacks outside regular business hours and by “by encrypting backups of the victims’ computers,” said the indictment.
Ryuk hit several high-profile targets, including the Los Angeles Times and cloud hosting provider Data Resolution. According to security researchers at Check Point, Ryuk includes a script that deletes shadow volumes and backup files. “While this particular variant of malware does not specifically target backups it does put more simplistic backup solutions – ones that result in data residing on file shares – at risk,” says Brian Downey, senior director of product management at Continuum, a Boston-based technology company that offers backup and recovery services.
The most common way of doing this is through a Microsoft Windows feature called Previous Versions, says Mounir Hahad, head of threat research at Juniper Networks. It allows users to restore earlier versions of files. “Most ransomware variants delete shadow copy snapshots,” he says, adding that most ransomware attacks will also attack backups on mapped network drivers.
Ransomware attacks on backups opportunistic, not targeted
When ransomware goes after backups, it’s usually opportunistic, not deliberate, says David Lavinder, chief technologist at Booz Allen Hamilton. Depending on the ransomware, it typically operates by crawling a system looking for particular filetypes. “If it encounters a backup file extension, it will most certainly encrypt it,” he says.
Ransomware also tries to spread, to infect as many other systems as possible, he says. This kind of worming capability, as with WannaCry, is where he expects to see more activity in the future. “We do not expect to see any deliberate targeting of backups, but we do expect to see a more focused effort on lateral movement,” he says.
You can protect your backups and systems from these new ransomware tactics by taking a few basic precautions.
Supplement Windows backups with additional copies and third-party tools
To defend against ransomware that deletes or encrypts local backups of files, Kujawa suggests using additional backups or third-party utilities or other tools that aren’t part of the default Windows configuration. “If it doesn’t do things the same way, the malware won’t know where to delete the backups,” he says. “If your employees get infected with something, they can wipe it and [restore from that backup].”
Isolate the backups
The more barriers there are between an infected system and its backups, the harder it will be for the ransomware to get to it. One common mistake is when users have the same authentication method for their backups as they use elsewhere, says Landon Lewis, CEO at Pondurance, an Indianapolis-based cybersecurity services firm. “If your user’s account is compromised, the first thing the attacker wants to do is escalate their privileges,” he said. “If the backup system uses the same authentication, they can just take over everything.”
A separate authentication system, with different passwords, makes this step much more difficult.
Keep multiple backup copies at multiple locations
Lewis recommends that companies keep three different copies of their important files, using at least two different backup methods, and at least one of them needs to be at a different location. Cloud-based backups provide an easy-to-use, off-site backup option, he says. “Block storage on the internet is very inexpensive. It’s hard to argue why someone would not use it as an additional backup method. If you use a different authentication system, it’s even better.”
Many backup vendors also offer the option of rollbacks, or multiple versions of the same file. If a ransomware attacks and encrypts files, then the backup utility automatically makes backups of the encrypted versions and overwrites the good ones, then the ransomware doesn’t even have to go out of its way to get to the backups. As a result, rollbacks are becoming a standard feature, and companies should check before settling on a backup strategy. “I would add that to my criteria for sure,” says Lewis.
Test, test, test your backups
Many companies only find out that their backups didn’t take, or are too cumbersome to get back, after they’ve fallen victim to an attack. “If you haven’t done some type of restoration exercise and it’s not documented and nobody is familiar with it, we still see a lot of clients consider paying, and in some cases actually doing so, because paying the attacker is actually operationally cheaper,” Lewis says.
Bob Antia, CSO at Kaseya, a technology company that provides backup solutions as part of its offerings, also recommends checking whether backup vendors can detect a ransomware attack, especially the newer, stealthier varieties. Some ransomware deliberately moves slowly, or lies dormant before encrypting, he says. “These two techniques mean that it’s difficult to know what point in time to recover to from your backups,” he says. “I expect that ransomware will continue to find trickier ways to hide themselves to make recovery more difficult.”
“We haven’t seen many major global attacks like WannaCry and Petya recently,” says Antia. But when it does happen, it can be extremely damaging, he says. “We’ve seen individual organizations hit with millions of dollars in losses as a result of recent attacks.”
Editor’s note: This article, originally published on January 14, 2019, has been updated to more accurately reflect recent trends.
More on ransomware:
Copyright © 2020 IDG Communications, Inc.