Ransomware Attackers Don’t Just Want your Data, Now They are After the Backups Too
January 2023 by Rick Vanover, Senior Director of Product Strategy, Veeam
Ransomware remains a significant cybersecurity threat for government agencies as ransomware attackers evolve methods to escape detection. The ultimate goal for attackers is not simply to exfiltrate and encrypt data to force victims to pay their ransom, but to totally remove an organization’s ability to recover from such an attack.
Attackers are now taking new approaches to achieve this objective, both in making their intrusions more difficult to detect or by adding new targets, such as data backups, to completely hobble an organization.
To help guard against some of these tactics, organizations must develop robust data backup strategies that allow for fast and complete data recovery and immutable contingency plans to ensure potential ransomware attacks can be mitigated.
Encrypting smaller portions
Ransomware groups looking to infiltrate systems have a few challenges. Once they locate and exploit a vulnerability, they have to obtain and encrypt as much data as they can before either launching a ransomware attack or being detected by the system’s safeguards.
Encrypting data takes time, and the longer an attacker is in a network, the higher the chances they will be detected. A new technique, intermittent encryption, mitigates this challenge. By encrypting portions of the data small enough to evade detection, attackers can still render a file unusable by an organization without the decryption key. They do this by encrypting every 12 or 18 bytes of data, varying the times of day in which they do it and how much they encrypt, so attackers can evade automated detection tools and stay in the network longer.
Stealing the backup
Once bad actors have encrypted enough data to launch a ransomware attack, some are now looking to improve their odds of payment by also claiming an organization’s backup repositories as well.
Backups kept on an open network or one with weak password credentials and no multi-factor authentication are likely targets. For example, if backups are authorized by a primary Active Directory domain, then attackers will try to compromise that domain to gain access to both the backup and the production data. Such attacks often target financial services, health care and public sectors where a ransomware attack can impact critical infrastructure.
Securing data as ransomware evolves
Even as ransomware tactics evolve, the best cybersecurity methods continue to be some of the most traditional ones—solid software patch management and cyber hygiene education. Both strategies will help reduce an organization’s risk of ransomware exposure, especially in a remote work environment.
A strong software patch management strategy limits the software vulnerabilities attackers can exploit to launch a ransomware attack, challenging attackers before they can even get into the system. Quickly deployed software patches and updates lower the odds that attackers will be able to access a network’s data. Though the tactic seems simple, it’s often an area organizations can improve.
Additionally, cyber education needs to improve. Employees are often the weakest link that allows the attack to get started. Everyone within an organization should be able to recognize common infiltration approaches, such as phishing emails or social engineering tactics. Even with improvements in these areas, the reality is that ransomware attacks will continue to happen. As ransomware evolves, backup strategy becomes particularly crucial. A short cut approach to data backup isn’t sufficient when the backups themselves are the targets.
Organizations need to thoroughly develop and plan their backup and data protection strategies. This means putting in place a strategy that takes into account evolving tactics and practicing planned steps to take in the event of a ransomware or other cybersecurity incidents. Practice is the only way to identify potential wrinkles in the plan, familiarize stakeholders with their roles and the technology they may need to use, and ensure a high-stress cyber response scenario isn’t the first time the plan is read.
Strong data management strategies can be summarized with the numbers 3-2-1-1-0. This means maintaining three copies of important data; on at least two different types of media; with at least one of these copies being off site; including one data backup that is air-gapped, offline or immutable—hackers can’t compromise what they can’t touch. Zero errors should be present following automated backup testing and recoverability verification, organizations deploy a multi-contingency plan to ensure their data can be recovered, regardless of a ransomware attack.
As long as bad actors can find ways to profit from ransomware and other cybersecurity exploits, there’s no doubt their tactics will continue to evolve. While ransomware groups remain innovative and resilient, organizations must do the same. The combination of strong basic cyber hygiene, employee education and a well-thought-out data management and backup strategy serves as the strongest defense against dynamic cyber attacks.