Ransomware attacks will not only encrypt your data and documents, but the attackers will also attempt to locate your backups and encrypt them. If you can prevent this, you can recover from an attack without giving in to blackmail.
Ransomware has been a red-hot problem for some time now. Backing up your data is a key part of the defence against ransomware and other malware. However, if your backups are wiped out by ransomware, this defence is rendered useless.
Ransomware attackers often try to find and delete or encrypt backups, many of which are accessible through compromised accounts. The loss of backups, even just recent backups, makes an attack a much more costly event and limits your ability to resist the attacker. What are practical ways to ensure that this does not happen?
As with most security precautions, there is no 100% guaranteed way to protect your backups. But by following best practices, you can significantly increase your chances of being able to use backups for recovery from the attack with minimal losses of time and business.
Follow the 3-2-1 rule of backup
The 3-2-1 rule of backups:
- Three copies of the data being backed up are made
- Two different storage media are used for the backup
- One copy (at least) of the data is kept off site.
The goal of the 3-2-1 rule is to increase the chances that a backup will be available. Keeping a copy remote protects you even in case of a fire or natural disaster. Plus, a remote copy, properly done, can also be significantly harder for the attackers to access, and thus more likely to be preserved in the event of an attack.
One of the most effective ways to implement offline backups is to use removable media and physically “rotate” the backup media regularly. If this simple practice is done regularly and consistently, then at any point in time there will be a relatively up-to-date copy of the backup media that is not connected to the network. And if the backup media is not connected to the network, then it is safe in the event of an attack.
However, rotating backup media regularly has its own challenges, as it requires discipline to swap the media day after day, week after week, month after month. The media needs to be rotated all year round to be effective, with no exceptions. As a result, many organisations will instead look to rely on an automated process, where the computer does the work, using cloud backups.
One of the critical characteristics of the off-site backup in the 3-2-1 rule above is that it should be offline. This makes it inaccessible to the attacker. But the need to be offline means that “standard” cloud storage isn’t necessarily appropriate for the off-site copy. If the attacker, through stolen credentials, can obtain enough privileges to delete cloud storage, the whole point of off-site storage is lost.
The key with the off-site backup is that, even if the attacker completely compromises your local network, your cloud backups should remain protected.
One possible barrier you could place in the way of attackers attempting to reach your cloud-based backup is to use unique credentials, not from your company network, along with a separate second authentication factor to access and manage the backups. Even if the attacker completely compromises your network, the cloud backups should remain protected. Another approach is to use a “private” cloud storage solution where custom arrangements can be made to maintain an additional copy of the off-site backup which is not directly accessible via remote access.
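The criteria above can be checked against a backup inventory. The following is an added example, not part of the original article or any vendor's product: a small audit that tests an inventory against the 3-2-1 rule and the requirement that an off-site copy stays out of reach of company-network credentials. The field names, the seven-day freshness limit, counting the production data as one of the three copies, and the sample inventories are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Copy:
    name: str
    media: str              # e.g. "disk", "tape", "cloud"
    offsite: bool
    isolated: bool          # True if company-network credentials cannot reach it
    last_written: datetime

def audit(copies, now, max_age=timedelta(days=7)):
    """Return a list of findings; an empty list means the inventory passes."""
    findings = []
    if len(copies) < 3:
        findings.append("fewer than three copies")
    if len({c.media for c in copies}) < 2:
        findings.append("fewer than two storage media")
    offsite = [c for c in copies if c.offsite]
    if not offsite:
        findings.append("no off-site copy")
    # An off-site copy only helps if a compromised network account cannot delete it.
    protected = [c for c in offsite if c.isolated]
    if offsite and not protected:
        findings.append("off-site copy reachable with network credentials")
    # A protected copy that is never refreshed loses its recovery value.
    if protected and all(now - c.last_written > max_age for c in protected):
        findings.append("isolated off-site copy is stale")
    return findings

# Constructed sample inventories (assumed values, not real systems).
NOW = datetime(2024, 1, 15)
WEAK = [
    Copy("production", "disk", False, False, NOW),
    Copy("nas", "disk", False, False, NOW - timedelta(days=1)),
    Copy("cloud-bucket", "cloud", True, False, NOW - timedelta(days=1)),
]
STRONG = WEAK[:2] + [Copy("cloud-vault", "cloud", True, True, NOW - timedelta(days=1))]
STALE = WEAK[:2] + [Copy("tape-rotation", "tape", True, True, NOW - timedelta(days=30))]

if __name__ == "__main__":
    for label, inventory in [("weak", WEAK), ("strong", STRONG), ("stale", STALE)]:
        print(label, audit(inventory, NOW) or "OK")
```

The "weak" inventory satisfies the letter of 3-2-1 yet still fails, because its only off-site copy can be deleted with credentials from the compromised network.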
What to do next?
When evaluating a backup system, ask the vendor how their backup system protects your backups from encryption in the event that an attacker obtains admin access to your network. “Off-the-shelf” backup solutions are unlikely to apply the 3-2-1 rule of backups.
If implementing a backup solution that meets the above criteria sounds too difficult, rest assured that ZEN can provide a backup system that complies with the 3-2-1 rule automatically. Contact us for further details.