Ransomware is today’s fastest-growing cyber crime threat. According to security supplier Trustwave, ransomware attacks outstripped payment card information theft last year.
Meanwhile, research by Sophos has found that half of organisations were attacked by ransomware in 2019, and in almost 75% of cases the attackers were able to encrypt data. Most organisations did retrieve their data, but twice as many did so from backup than by paying the ransom, and the cost to them was less than half what it was to those who paid up.
So, the key to being able to avoid ransomware demands is to have robust and well-tested backups. That means ensuring that good, clean backups are made regularly and that they are thorough and comprehensive, quite possibly “air gapped” too. It also means backup policies and practice should be regularly reviewed and tested.
In this article, we run through the top five key things to get right with backup so that your organisation is best protected from ransomware.
Over the last few years, ransomware attacks have become more focused and potentially more damaging. Cyber security organisations are seeing slightly fewer attacks but, according to Sophos, what they do see is a shift from “mass market ‘spray and pray’ desktop ransomware” to targeted attacks aimed at businesses.
Whatever the target, ransomware has three main parts: the initial attack, or delivery of the malware payload; encryption of the victim’s data; and communications back to the attacker.
Malware uses different routes to attack organisations, and social engineering plays a key part: about one-third of ransomware attacks come from users downloading malicious files or opening emails with malicious links. But ransomware also spreads via direct attacks on servers, malware attachments to email, and via cloud resources.
Security tools, including mail filtering, malware scanning, firewalls and network monitoring, can help, as will patching and limiting network users’ access privileges.
But the most effective protection is a robust backup regime to protect data.
Using backup to protect against ransomware: Top five steps
1. Review and update backup policies
The best defence against malware is being able to restore data from clean backups. Even when an organisation pays a ransom, there is no guarantee that the attackers will hand over the decryption key. Restoring from backups is more reliable, cheaper, and does not involve handing money to criminals.
However, backups will only work if they are robust and comprehensive. CIOs should order a thorough audit of all business data locations. It is all too easy to leave critical data out of a backup plan, whether it is held on local systems or in the cloud.
This is especially important now, given the move towards remote working during the Covid-19 pandemic.
Questions to ask include:
- Are end-user systems being backed up?
- Does the backup plan cover temporary or consumer-focused cloud data stores? Cloud storage should be resilient against physical failure, but this will not protect against ransomware that infects files.
Best practice for backup remains the 3-2-1 rule: make three copies of data, store across two different forms of media and keep one copy off-site. To protect against ransomware, the offsite backup should be isolated from the business network.
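As an added illustration (not code from the original article), the following script audits a backup inventory against the 3-2-1 rule just described, and additionally checks that at least one off-site copy is isolated from the business network. The inventory format, the dataset names and the media labels are constructed for the example.

```python
# Added example (not from the original article): audit a backup inventory
# against the 3-2-1 rule plus an isolated off-site copy. Inventory format,
# dataset names and media labels are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str               # constructed labels: "disk", "tape", "cloud-object"
    offsite: bool            # stored away from the primary site
    network_isolated: bool   # not reachable from the business network (air gap)


def audit_321(dataset: str, copies: list) -> list:
    """Return a list of findings for one dataset; an empty list means it passes."""
    findings = []
    if len(copies) < 3:
        findings.append(f"{dataset}: only {len(copies)} copies, need at least 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        names = ", ".join(sorted(media)) or "none"
        findings.append(f"{dataset}: all copies on one media type ({names}), need 2")
    offsite = [c for c in copies if c.offsite]
    if not offsite:
        findings.append(f"{dataset}: no off-site copy")
    elif not any(c.network_isolated for c in offsite):
        findings.append(f"{dataset}: off-site copy is reachable from the business "
                        "network, so ransomware could encrypt or delete it")
    return findings


def audit_inventory(inventory: dict) -> dict:
    """Map each dataset name to its list of findings."""
    return {dataset: audit_321(dataset, copies) for dataset, copies in inventory.items()}


# Constructed inventory: one compliant dataset and one that falls short.
INVENTORY = {
    "finance-db": [
        BackupCopy("primary", "disk", offsite=False, network_isolated=False),
        BackupCopy("nas-snapshot", "disk", offsite=False, network_isolated=False),
        BackupCopy("cloud-replica", "cloud-object", offsite=True, network_isolated=False),
        BackupCopy("tape-vault", "tape", offsite=True, network_isolated=True),
    ],
    "laptop-home-dirs": [
        BackupCopy("primary", "disk", offsite=False, network_isolated=False),
        BackupCopy("cloud-sync", "cloud-object", offsite=True, network_isolated=False),
    ],
}

if __name__ == "__main__":
    for dataset, findings in audit_inventory(INVENTORY).items():
        print(dataset, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run as-is, the finance database passes while the laptop home directories produce two findings: too few copies, and an off-site copy (cloud sync) that the business network can still reach, which is exactly the copy a ransomware infection on the network can damage.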
2. Air gap business data
Cloud storage is an attractive technology to store long-term data backups, and in some quarters it has replaced physical backup media such as optical disks, portable hard drives and tape.
Cloud storage protects data from physical disruption, such as hardware or power failures, or fire and flood, but it will not automatically protect against ransomware. Cloud storage is vulnerable on two fronts: through connections to customer networks, and because it is shared infrastructure.
Cloud providers themselves are at risk of ransomware attacks, warns analyst Fred Moore of Horison Information Strategies.
“Attackers now specifically target cloud services as they no longer need a password to get access to cloud data,” he says. “They simply steal the credentials and delete or encrypt an organisation’s cloud backups using a man-in-the-middle attack.”
The solution is for CISOs to supplement cloud backups with tape or other mechanical backup media. Cloud can be the offsite copy, but keeping another dataset on tape, and keeping those tapes strictly offline, is the most reliable way to “air gap” data from a ransomware attack.
3. Make regular backups and review retention policies
It should go without saying that organisations should back up their data regularly.
Again, CIOs should review policies for frequency of backups, especially how often data is backed up to off-site locations (including the cloud) and mechanically separated media, such as tape. It might be that more frequent backups are needed.
IT teams should also review how long they keep backups, especially their air-gapped media. Ransomware often uses time delays to avoid detection, or “attack loops” to target apparently clean systems.
Organisations might need to go back through several generations of backups to find clean copies, requiring longer retention and, possibly, more copies. Keeping separate backups for critical business systems should also make recovery easier.
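The retention question above can be worked through concretely. The following added example (not from the original article) takes a constructed backup schedule with per-tier retention periods, and, given the date the malware is believed to have landed, finds the newest generation that predates it and which tiers keep data long enough to still hold such a copy. The tier names, retention periods and dates are all constructed.

```python
# Added example (not from the original article): find the newest safe recovery
# point once the date the ransomware first landed is known, and check which
# retention tiers outlast a given dwell time. Tiers, retention periods and
# dates are constructed.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Generation:
    taken: date
    tier: str            # constructed tier names: "disk", "cloud", "tape"
    air_gapped: bool


# Constructed retention policy: how many days each tier keeps a generation.
RETENTION_DAYS = {"disk": 14, "cloud": 30, "tape": 180}


def generations_available(generations, today):
    """Generations the retention policy has not yet expired."""
    return [g for g in generations
            if (today - g.taken).days <= RETENTION_DAYS[g.tier]]


def newest_clean_generation(generations, suspected_compromise):
    """Newest generation taken strictly before the malware is believed to have
    landed. Anything taken after that may carry the dormant payload, even if
    encryption did not fire until much later."""
    clean = [g for g in generations if g.taken < suspected_compromise]
    return max(clean, key=lambda g: g.taken) if clean else None


def recovery_point(generations, today, suspected_compromise):
    """The recovery point actually usable today: unexpired and pre-compromise."""
    return newest_clean_generation(
        generations_available(generations, today), suspected_compromise)


def tiers_covering_dwell(dwell_days):
    """Tiers whose retention outlasts a dwell time (days between the malware
    landing and encryption firing), i.e. tiers that can still hold a clean copy."""
    return sorted(t for t, days in RETENTION_DAYS.items() if days > dwell_days)


# Constructed schedule as of 1 September 2020: daily to disk, weekly to cloud,
# monthly to air-gapped tape (March through September).
TODAY = date(2020, 9, 1)
GENERATIONS = (
    [Generation(TODAY - timedelta(days=d), "disk", False) for d in range(14)]
    + [Generation(TODAY - timedelta(weeks=w), "cloud", False) for w in range(5)]
    + [Generation(date(2020, m, 1), "tape", True) for m in range(3, 10)]
)

if __name__ == "__main__":
    # Encryption fired today; forensics suggests the payload landed on 20 July.
    landed = date(2020, 7, 20)
    dwell = (TODAY - landed).days
    print(f"dwell time {dwell} days; tiers that can still hold a clean copy: "
          f"{tiers_covering_dwell(dwell)}")
    print("recovery point:", recovery_point(GENERATIONS, TODAY, landed))
```

With a 43-day dwell time, every disk and cloud generation still on hand postdates the infection; only the monthly tape from 1 July is clean. Push the suspected landing date back to mid-March and no usable copy remains at all, because the March tape has already aged out of the 180-day retention, which is the gap the paragraph above warns about.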
4. Ensure backups are clean and robust
Ensuring backups are free of malware is hard, but organisations should do as much as they can to make sure their backups are not infected.
As well as strict air-gap policies – such as taking media offline as quickly as possible – up-to-date malware detection tools are essential, as is system patching.
For extra protection, companies should consider write once read many (WORM) media such as optical disks, or tape configured as WORM. Some suppliers now market WORM-format cloud storage.
Data access controls are a further safeguard. Using tools such as Windows 10 Controlled Folder Access and limiting user access to critical data stores can stop the spread of ransomware in the first place, and add security to backups.
5. Test and plan
All backup and recovery plans need to be tested. This is critical to calculating recovery times – and to establishing whether data can be recovered at all.
Using air-gapped, off-site media is best practice, but how long will it take to restore systems? Which systems are the priority for recovery? And will firms need separated, clean networks for recovery purposes?
CIOs should test all phases of the recovery plan, ideally using duplicate media. The worst scenario would be for a recovery exercise to contaminate existing, clean backups.
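As an added example (not code from the original article), the script below rehearses the two points made in sections 4 and 5: it checks that a backup still matches a hash manifest recorded when the backup was made, and it performs a restore into a separate location, never writing back over the backup media, while timing the exercise. The directory layout, file contents and the manifest file name are constructed.

```python
# Added example (not from the original article): a timed restore drill that
# copies a backup set to a separate location and verifies every restored file
# against a hash manifest made at backup time. Layout, contents and the
# manifest name are constructed.
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST = "MANIFEST.json"   # constructed name for the hash manifest


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_root: Path) -> dict:
    """Hash every file at backup time. Keep a copy of the manifest with the
    air-gapped media so that tampering with an online copy cannot also rewrite
    the hashes it is checked against."""
    manifest = {p.relative_to(backup_root).as_posix(): sha256_file(p)
                for p in sorted(backup_root.rglob("*"))
                if p.is_file() and p.name != MANIFEST}
    (backup_root / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return manifest


def restore_drill(backup_root: Path, restore_root: Path) -> dict:
    """Restore into restore_root (never back over the backup media), then check
    every restored file against the manifest and report the elapsed time."""
    start = time.monotonic()
    manifest = json.loads((backup_root / MANIFEST).read_text())
    shutil.copytree(backup_root, restore_root, dirs_exist_ok=True)
    missing, mismatched = [], []
    for rel, digest in manifest.items():
        restored = restore_root / rel
        if not restored.is_file():
            missing.append(rel)
        elif sha256_file(restored) != digest:
            mismatched.append(rel)
    return {
        "files": len(manifest),
        "missing": missing,
        "mismatched": mismatched,
        "ok": not missing and not mismatched,
        "seconds": time.monotonic() - start,
    }


def run_demo() -> dict:
    """Build a constructed backup set, run a clean drill, then run it again after
    one file on the backup media has been overwritten with random bytes (how an
    encrypted file looks) to show the drill catches the change."""
    work = Path(tempfile.mkdtemp(prefix="restore-drill-"))
    try:
        backup = work / "backup-media"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "ledger.sql").write_bytes(
            b"INSERT INTO ledger VALUES (1, 100);\n" * 200)
        (backup / "notes.txt").write_bytes(b"quarterly figures\n" * 50)
        write_manifest(backup)
        clean = restore_drill(backup, work / "restore-1")

        (backup / "db" / "ledger.sql").write_bytes(os.urandom(4096))
        tampered = restore_drill(backup, work / "restore-2")
        return {"clean": clean, "tampered": tampered}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The recorded elapsed time is the figure a recovery plan needs for each system; the mismatched and missing lists are what turn "we have backups" into "we have verified backups". Because the drill only ever writes into a fresh restore directory, it cannot contaminate the media it is reading from, which is the failure mode the paragraph above warns against.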