Attack the Backups

Ransomware, malware that holds data for ransom, has been a threat to organizations for years. Ransomware attacks are getting more sophisticated and are targeting a new class of data – backups! In this BlogBytes we will examine how cyber-criminals are attacking data backups, review an incident of a mass-scale ransomware attack and discuss how organizations can defend against malware with the help of LTO technology.

Ransomware Targets Data Backup Copies

A recent CSOonline.com article discusses how ransomware is getting smarter and is attacking backups to prevent recovery. Adam Kujawa, head of intelligence at Malwarebytes, says, “ransomware will now delete any backups it happens to come across along the way. For example, a common tactic for ransomware is to delete automatic copies of files that Windows creates.” The article also points out that the cyber-attacks can “reach out to shared network drives… [and can] launch attacks outside regular business hours.”

 

Ransomware Attackers Prosecuted

Case in point: as reported in a justice.gov article, ransomware attackers were “indicted for deploying SamSam ransomware to extort hospitals, municipalities, and public institutions, causing over $30 million [USD] in losses.” The 200 victims included municipalities and healthcare-related entities ranging from New Jersey to California and Canada. According to the prosecution, the attackers “would extort victim entities by demanding a ransom paid in the virtual currency Bitcoin in exchange for decryption keys for the encrypted data.” The attackers maximized the damage caused to their victims “by launching attacks outside regular business hours, when a victim would find it more difficult to mitigate the attack, and by encrypting backups of the victims’ computers. This was intended to, and often did, cripple the regular business operations of the victims.”

How to Defend Against Ransomware

Ransomware is a type of malware that is installed on a computer and encrypts the files, making them unusable until a ransom is paid. As described in an FBI public service announcement (PSA), “Ransomware is typically installed when a user clicks on a malicious link, opens a file in an e-mail that installs the malware or through drive-by downloads (which does not require user-initiation) from a compromised website.” The PSA recommends implementing a number of measures to help defend against ransomware attacks, including:

  • Focus on awareness and training. Because end-users are often targeted, employees should be made aware of the threat of ransomware and how it is delivered, and should be trained on information security principles and techniques.
  • Scrutinize links contained in e-mails and do not open attachments included in unsolicited e-mails.
  • Only download software – especially free software – from sites you know and trust. When possible, verify the integrity of the software through a digital signature prior to execution.
  • Ensure anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted.
  • Regularly back up data and verify the integrity of those backups. Backups are critical in ransomware incidents; if you are infected, backups may be the best way to recover your critical data.
  • Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might include securing backups in the cloud or physically storing them offline.

Offline Security

Securing backups by creating offline copies is an essential step in a data security plan to reduce the risk of a successful malware attack. LTO technology is inherently offline, which creates an air gap between the tape data and the system and helps prevent cyber-attackers from accessing backed-up data. Learn more about the benefits of LTO tape for protection against ransomware here.