How to protect your company’s backups from ransomware - harlan4096 - 24 September 19
Quote:
Backups are an essential part of any ransomware disaster recovery plan. In the event that an organization is hit with ransomware, it can simply use its backups to recover the system without paying a cent to the bad guys.
There’s just one problem: backups are not immune to ransomware. Increasingly advanced ransomware strains contain mechanisms that are designed to seek out and encrypt backups that are stored both locally and in the cloud. And, if a company’s backups get encrypted, it may have no other choice but to pay the ransom.
In this article, we’ll show you how ransomware can affect a company’s backups and what you can do to keep your backups safe.
How does ransomware encrypt backups?
There are many ways ransomware can infect a system, including email attachments, malicious links, drive-by downloads, RDP attacks, MSP tools and other third-party software. Once it has infected an endpoint, it can potentially spread to any backups held on devices that are write-accessible via standard protocols, such as NAS devices, locally installed cloud services and USB-connected devices.
There are a few ways it can do this:
Spreading through the network
Many small business owners understand the value of backups, yet may not have the resources or expertise to create and maintain a fully-fledged continuity strategy. Instead, they may take an ad-hoc approach, which might involve manually copying critical files to an external hard drive, or automating regular backups to a network-connected file-server.
Local backups are important, but they are not an effective solution when used alone. Many ransomware variants are capable of spreading laterally to other computers on the network and mapped network drives. If the system gets infected, there’s a good chance the ransomware will propagate across the network and encrypt the drive that holds the organization’s backups.
Syncing to cloud storage
Cloud storage is a convenient way to store files, but it’s not an effective way of maintaining backups – particularly when it comes to ransomware.
Many cloud storage services such as Dropbox, OneDrive and Google Drive automatically synchronize local files with files stored in the cloud. If your business gets hit with ransomware and the files on your network are encrypted, the files will also be encrypted in the cloud.
Some cloud storage service providers offer file versioning, which means they keep multiple versions of files. If your company’s files are encrypted, you can simply roll back the files to a previous, unencrypted version. However, this feature is not supported by all cloud storage providers and may not be enabled by default.
Deleting System Restore points
System Restore, Windows’ built-in recovery tool, allows an administrator to reverse recent changes to the operating system, and can be useful for rolling back drivers and system files to previous versions. Unfortunately, System Restore does not save copies of personal files, including documents, photos and videos, which means it can’t be used to reverse encryption.
Even if System Restore could help restore personal files, many ransomware strains – including WannaCry, Cryptolocker and Locky – are designed to deliberately sniff out and delete volume shadow copies (the snapshots System Restore uses for recovery) using command-line commands.
Ransomware-proof your backups
A multilayered approach is the best way to protect backups against ransomware.
Local backups are fast, efficient and can be easily accessed whenever required. However, as mentioned above, local backups are vulnerable to ransomware, which can potentially spread across the network.
While offsite storage solutions are generally slower and less convenient, they are more isolated from the company network, and are therefore considered more reliable. Using a blend of local and offsite backups provides the best of both worlds.
...
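The quoted article notes that many strains delete volume shadow copies from the command line, which makes process-creation logs a practical place to catch it. The detector below is an added example, not part of the article or the post: the event field names and sample records are constructed, and the two rules assume the `vssadmin` and `wmic` shadow-copy deletion commands, which the article does not name.

```python
import json
import re

# Constructed process-creation events (not from the article). Field names are
# assumptions, loosely modelled on Windows process-creation audit data.
SAMPLE_EVENTS = """\
{"host": "FS01", "user": "svc_backup", "parent": "taskeng.exe", "cmd": "vssadmin.exe list shadows"}
{"host": "WS12", "user": "alice", "parent": "winword.exe", "cmd": "VSSADMIN.EXE  Delete   Shadows /All /Quiet"}
{"host": "WS12", "user": "alice", "parent": "cmd.exe", "cmd": "wmic shadowcopy delete"}
{"host": "WS07", "user": "bob", "parent": "explorer.exe", "cmd": "notepad.exe backup-plan.txt"}
"""

# Rule name -> pattern applied to the normalized command line.
RULES = {
    "vssadmin delete shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    "wmic shadowcopy delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
}


def normalize(cmd):
    """Lower-case, drop double quotes and collapse whitespace before matching."""
    return re.sub(r"\s+", " ", cmd.replace('"', "").lower()).strip()


def detect(lines):
    """Return one alert per event whose command line deletes shadow copies."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed records instead of crashing
        if not isinstance(event, dict):
            continue
        cmd = normalize(str(event.get("cmd", "")))
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                # Keep host, user and parent so an analyst can triage the alert.
                alerts.append({"rule": name, "host": event.get("host"),
                               "user": event.get("user"), "parent": event.get("parent")})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

The read-only `vssadmin list shadows` record is deliberately not flagged, so routine backup monitoring does not drown out the deletion alerts.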