How to lock down backup infrastructure

Ransomware has come a long way since the days of simplistic “encrypt and pay me” attacks. As much as I wish we could go back to fighting those unsophisticated criminals, ransomware has unfortunately matured in recent years. Attackers have realized that while encryption can be an annoyance, extortion is where the real money is made.

Modern ransomware combines data encryption with brazen data theft and threats to expose your organization’s crown jewels. This “extortionware 2.0,” as I’ve taken to calling it, is ransomware, plus a heaping helping of outright extortion. Just restoring encrypted data is no longer enough when your sensitive trade secrets or reputation-ruining data is already in the hands of cyber criminals.

The sad truth is that for many victims, paying the ransom is the less damaging option compared to having confidential data see the light of day. But make no mistake: giving in to extortion only fuels further crime while giving you no guarantee your data is safe. And it’s also possibly a violation of federal laws to send money to overseas criminals. It’s a losing game either way. Let’s take a look at one of the biggest ransomware trends that impacts backup and recovery operations, and what you can do to stop it.

Ransonware targets backup infrastructure

Extortionware gangs have wised up to the fact that robust backups take away their leverage. That’s why in a disturbing trend, we’re seeing ransomware directly target backup infrastructure to either delete backup repositories or steal data copies en masse.

It’s the worst nightmare for those of us advocating backups as a ransomware recovery tool. If the last line of defense is taken out of the game, it defeats the whole reason we built the system in the first place. If hackers are able to delete or encrypt backups, or the backup server operating system itself, you will find yourself in an unenviable position.

Modern day hackers understand ROI, and they’re essentially turning your defense into a weakness.

Extorting sensitive data brings far bigger rewards than randomly encrypting desktops, and they’ve figured out that the backup server is a gold mine of data. Your organization’s confidential business plans, intellectual property, personnel files, customer data and emails contain immense value in the wrong hands. The potential damage from exposure can surpass even exorbitant ransom demands. And all of this data is (hopefully) stored inside your backup system. Like I said: a gold mine.

That’s why any security strategy is wholly inadequate if it doesn’t include extra precautions around safeguarding these crown jewels stored in your backup system, because trying to find the right path after an extortionware attack makes choosing between pestilence and cholera seem nice. There are no good options once your data is stolen. That’s why getting back to basics with preventing threats in the first place is so crucial.

Batten down the hatches

The security measures I’m about to advocate may require investments in technologies, added staff and cost. I get that. But let me ask you this – how much is your organization’s future viability, relevancy and reputation worth? How much of a setback is having your new billion-dollar product design leaked to competitors? And I promise you that no court will accept encryption or data theft as a valid excuse for violating disclosure laws.

Block attacks via privileged accounts

The first thing to do is to protect the privileged accounts in your backup system. First, separate these accounts from any centralized login system you use, such as Active Directory, because these systems are sometimes compromised. Create as much of a firewall between that production system and the backup system as possible. And, of course, use a safe password, and do not use any passwords for these accounts that are used anywhere else. (Personally I would use a password manager to support having a different password everywhere.) Finally, make sure that any such logins are protected by multi-factor authentication, and use the best option available. Avoid the use of email or SMS-based MFA, as it is easily foiled by an experienced hacker. Try to use an OTP-based system of some kind, such as Google Authenticator, Symantec VIP, or Yubikey.

Also investigate if your backup system has enhanced authentication for dangerous actions, such as deletion of backups before their scheduled expiration, or restoration of any data to anywhere other than where it was originally created. The first is used to easy delete backups from your backup system, without setting off any alarms, and the second is used to exfiltrate data by restoring it to a system the hacker controls. A common control here is to use multi-person authentication, which requires multiple people to authenticate such actions. While this may slow down some normal operations, it’s a really good protection against a hacker using your backup system against you. Similar to MFA, please do not use SMS or email as the vehicle for such things, as the hacker may have compromised both systems. (A hacker of a former client did just that. They took control of the email system, and used that control to intercept MFA requests and authenticate themselves as many times as they needed to.)

Block attacks via the filesystem

Hopefully everyone knows to have at least one copy of their backups on storage that is immutable, and that is a good start. An offsite cloud copy is the best, as there is no way for the hacker to delete or encrypt these backups without compromising the entire (well vetted) infrastructure of the cloud vendor. This will ensure you will have the backups when you need them to restore after a ransomware attack.

However, you must also protect these backups from being stolen and used for exfiltration. Have you enabled encryption on all backups? If not, please do so immediately. This will protect them from being directly extracted and used for exfiltration. Another thing you should do is ask your backup vendor if there is a way to store your backups in such a way that they are not visible to the filesystem. If hackers cannot crawl these backups and copy them, they cannot use them for exfiltration.

Stay safe out there, folks. Guard your data like the precious commodity it is. And please, please lock down those backups before the bad guys get to them.