Encrypted Data: How to Reduce the Damage Caused by a Ransomware Attack
Table of contents
The latest data protection platforms have functionality for backup protection. This is the response by manufacturers to the growing number of ransomware attacks and the new methods used by cybercriminals.
Backup under special supervision
Americans had barely got over the SolarWinds incident when they suffered another blow in the form of a ransomware attack targeted at Colonial Pipeline. This oil pipeline, the biggest in the United States at over 9000 kilometres long, was shut down for several days. As a result, some states had serious problems with supplies of fuel, with North Carolina declaring a state of emergency.
The attack on Colonial Pipeline sparked a huge national debate on cyber security, which even Joe Biden joined. The US president signed an executive order that supported the government’s efforts in terms of IT protection and encouraged the private sector to improve digital security standards. Meanwhile, IT systems manufacturers began putting forward better and worse ideas for combatting the ransomware gangs. One of these is the ‘zero trust’ concept, but all indications are that suppliers of backup tools play a key role in the struggle against this group of cyber criminals.
Where does this idea come from? It’s worth paying attention to two issues that somehow have recently remained ignored by the majority of the media. It is widely known that Colonial Pipeline recently became a victim of blackmailers and paid a ransom of 4.4 million dollars. The incident was all the more interesting in that the tool provided by the ransomware gang worked very slowly, and the company had to use its own backup. This was reported by Bloomberg, but somewhat predictably Colonial Pipeline refused to comment on it. Not long afterwards, an interesting article on the topic of ransomware attacks was posted on the ‘Wired’ internet service. Learn more about how to protect your business from ransomware.
The article ‘Ransomware’s Dangerous New Trick Is Double-Encrypting Your Data’ describes the perfidious strategy of the new attacks that has severe consequences for the victims. The attacker makes use of two types of malicious software, so the company attacked in theory unencrypts its data, only to discover that in fact they still cannot access the data. The introduction of double encryption and the Colonial Pipeline case described earlier both show that the possibility to restore data from backup is more important than ever before.
Restoring a system from backup is a long, complex process, but the use of double encryption by attackers does not complicate it further. If you decide to rebuild using backup, you are starting afresh, so it is unimportant how many times the old data was encrypted – explains Brett Callow, an analyst from Emsisoft.
Even better and more effective backup
For ransomware victims who do not have sufficient backup or who do not want to dedicate time to rebuilding their systems from zero, attacks using double encryption are an additional threat. However, if the fear of a double encryption attack makes victims less likely to pay, attackers may abandon this new strategy. It is not without reason that experts encourage organisations to take preventive action such as implementing solutions that make it hard to locate specific types of backup data. Analysts from Gartner are of the opinion that backup system providers should support organisations by implementing additional functionality in three areas:
- attack detection, including identifying ransomware
- backup protection
- data recovery after an attack
This time we’ll take a closer look at issues related to backup protection.
Backup protection according to Gartner
For some time now, ransomware gangs have shown interest in data backup. This is for two reasons. Firstly, compromising backup means that the victim will not recover their data, and will become more desperate and willing to pay the ransom. Secondly, the backup system itself indicates the place where critical data is stored in the network. Acquiring such information allows attackers to direct their attacks more effectively. Without this knowledge, the attackers must comb through the network looking for applications and data storage. For this reason, manufacturers of data protection solutions are introducing additional functionality designed to protect backups.
Storware backup solutions serve three main areas that contribute to maintaining business continuity in the event of a disaster or attack. Advanced integration capabilities with various types of backup destinations and reporting systems can play a key role in building a bulletproof IT infrastructure. Storware Backup and Recovery protects:
– virtual machines, containers, applications running on-prem and in the cloud, storage providers
– Microsoft 365 applications and services.
– Windows-based desktops and laptops.
Analysts from Gartner indicate several key solutions that limit the risk of backup encryption by attackers to a minimum. These are:
- integration of backup storage matrices and backup software
- unchanging file storage
- elimination of network sharing protocols
- multi-factor authentication (MFA) for administrator accounts
- division of administrative roles
- multiple authorisation workflows
- creation of multiple data backup copies
Integration of mass storage and backup software
Building a safe backup system using a separate mass storage subsystem is not a mistake. However, it is important to understand that the wrong selection of components opens the door to hackers. Experts therefore recommend integrating the mass storage system containing backups with the devices or clusters of devices that support the backup software. Thanks to this solution, the data backup storage is hidden and can only be attacked by compromising the administrative console or by acquiring access to the base operating system at the level of administrator.
Unchanging file storage
Standard file systems such as Microsoft Windows NTFS or LINUX EFS work well for general use. However, data stored in them can be removed or overwritten using any account with access rights. This is a serious drawback from the point of view of people responsible for backup security. For this reason, manufacturers are looking for alternative solutions such as unchanging file storage.
Unchanging file storage can be implemented in several ways, but the key issue is that data is impossible to remove, apart from in exceptional circumstances. Unchangeability usually goes hand in hand with the period of storage. For example, every set of backups can be stored for 30 days. During this time, the backup sets cannot be removed, modified or overwritten, even by an administrator with the most privileged account.
Elimination of network sharing protocols
Protocols such as Network File System (NFS) and Common Internet File System (CIFS) are designed for sharing general use files. However, fully protecting them can be fraught with certain difficulties. Slight errors in read / write permissions can lead to data being revealed. What’s more, using such protocols for general file sharing means that almost every server or computer in the network can detect the place where backup is stored using tools and protocols built in to the operating system. Eliminating the use of network sharing protocols requires the use of object storage API interfaces compatible with either Amazon S3 or a data storage platform with its own interfaces for moving data, such as Data Domain.
MFA for administrator accounts
If backup console security is compromised, the attacker can change the rules and tasks for making backup, or remove backup data from the system. The first line of defence should be MFA authentication for everyone logging on to the console, which makes phishing attacks to try to obtain administrator passwords less effective.
Separate administrative roles
Some systems provide accounts with full access rights to all parts of the backup systems. This is not the best solution because if one account is compromised, it can trigger a whole avalanche. This is why some providers separate up users, and encourage use of account based on roles. How does this work in practice? Users can view backup logs, but they are unable to make any modifications. If they notice any irregularities, they should report these to the appropriate people rather than fixing the bugs themselves.
The user should understand how roles can be modified and what types of security are used. One key issue is that backup software must support the division of roles so that if one administrative account is compromised, the attacker is unable to change backup creation tasks, storage rules and other critical attributes.
The four-eyes principle
Some backup platforms have security features which, even if an attacker compromises one administrator account, make it impossible for them to change backup creation task and storage definitions. Let’s imagine that an attacker gains access to accounts with which they can modify backup creation task definitions. If these changes require logging out of another account, it will be more difficult for the attacker to damage the backup system after compromising just one administrator account.
Multiple backup copies
For many years, organisations have applied the 3-2-1 principle for protecting backup (three backup copies on two different types of mass storage, with one copy kept in isolation outside the company offices). In the past, this would have meant manually copying tapes or other methods for creating additional isolated copies. Currently, the majority of backup applications have the option of creating additional data copies at the restore point after an outage, or in public cloud provider infrastructure.
Conclusion
The above examples show that suppliers of backup tools have a relatively wide range of solutions that can disrupt ransomware gangs’ plans. That’s why it’s worth asking not only about RTO or RPO indicators when choosing a backup platform, but also about its capabilities in terms of backup protection.
In the next article, we will explore backup platform properties with regard to their capabilities for system start-up after a ransomware attack.