The prevailing wisdom is that if you back up your data you can recover from a ransomware attack. While this premise generally holds true, simply backing up your data no longer provides an absolute guarantee that you can recover from a ransomware attack. Here are three techniques that ransomware may use to circumvent existing backups and make your “good” backups bad.
Ransomware hackers attack corporate data by infiltrating and/or bypassing corporate firewalls with viruses that encrypt corporate data. Once encrypted, they then charge a fee for the key or keys to decrypt it. Fail to pay and corporate data may become unrecoverable.
To recover from ransomware attacks, organizations have one of two choices. Pay the fee (or ransom) or take steps to recover from an existing backup. In circumstances where an organization does not have a reliable backup and needs to recover, it has little choice but to pay the ransom and hope that the key supplied by the attacker enables them to recover. The best case scenario is that the organization has a good backup and can recover without having to pay any ransom.
However, ransomware criminals have little desire to let a little thing like good backups stand between them and receiving a sizable ransom. They also recognize that potentially their biggest opportunities lie with organizations that have good backups of their production data. As such, they are going after backups themselves to prevent companies from recovering their data to force these companies to pay ransoms to get their data back. Here are three ways in which they may do so:
- Finding and encrypting backups on network file shares. Many backup products backup data to file shares accessible over corporate networks. Further, many organizations use the default directory name created by these backup products to store these backups. The default names of these directories are readily accessible in the documentation published by backup providers. Some creators of ransomware have figured this out. As part of their viruses that find and encrypt data on production servers, they also probe corporate networks for these default backup directories and encrypt the backups in these directories. In so doing, they increase the possibility that companies cannot recover from backups.
- Hacking the backup software’s APIs. A number of enterprise backup software products offer their own application programming interface (API). Using these APIs, organizations can write to them to centralize backup and recovery under their broader data center management platform. However, ransomware creators can also access these published APIs for nefarious purposes and used them to corrupt and/or encrypt existing backup.
- Plant a ransomware “time bomb.” To date, when ransomware encrypts a company’s data, the encryption generally occurs as soon as or shortly after it gets onto the corporate network. However, ransomware continues to evolve and mature and, as it does so, it grows both more patient and more insidious. Rather than encrypting data as soon as it breaches the corporate firewall, it begins to infect the data but does not immediate encrypt it. Then, only after days, weeks, or months go by and this infected data has been backed up for months does it initiate the encryption of the corporate data. In many respects, this is the worst type of ransomware attack. Not only is all of a company’s production data encrypted, the company thinks it has “good” backups and when it goes to restore the data, the restored data encrypts as well because it was infected when it was backed up. This may make it almost impossible for an organization to determine when it was initially infected and which of their backed up data they can reliably and confidently restore.
Ransomware arguably represents one of the most insidious and dangerous threats that organizations currently face to the health of their data. The inability to access and recover from a ransomware attack may put the very survival of a company at risk. To counter this risk, many look to backup software as their primary means to recover from these attacks. But as ransomware takes aim at backup software, organizations need to take a fresh look at their backup software to make sure that it has the right set of features to counter these newest forms of ransomware attacks to ensure they have a verifiable path to recovery.