Ransomware still poses significant threats to businesses and home pc users, as the attacks against healthcare organizations demonstrated this month. It is also becoming more capable. In particular, ransomware writers are aware that backups are an effective defense and are modifying their malware to track down and eliminate the backups.
Ransomware targeting backups
Ransomware will now delete any backups it happens to come across along the way, says Adam Kujawa, head of malware intelligence at Malwarebytes. For example, a common tactic for ransomware is to delete automatic copies of files that Windows creates. "So, if you go to system restore, you can't revert back," he said. "We've also seen them reach out to shared network drives."
Two well-known examples of ransomware that has backups in its sights are SamSam and Ryuk. In November, the US Department of Justice indicted two Iranians for using the SamSam malware to extort more than $30 million from over 200 victims, including hospitals. Attackers maximized the damage, by launching attacks outside regular business hours and by "by encrypting backups of the victims’ computers," said the indictment.
Ryuk hit several high-profile targets, including the Los Angeles Times and cloud hosting provider Data Resolution. According to security researchers at Check Point, Ryuk includes a script that deletes shadow volumes and backup files. “While this particular variant of malware does not specifically target backups it does put more simplistic backup solutions – ones that result in data residing on file shares – at risk," says Brian Downey, senior director of product management at Continuum, a Boston-based technology company that offers backup and recovery services.
The most common way of doing this is through a Microsoft Windows feature called Previous Versions, says Mounir Hahad, head of threat research at Juniper Networks. It allows users to restore earlier versions of files. "Most ransomware variants delete shadow copy snapshots," he says, adding that most ransomware attacks will also attack backups on mapped network drivers.
Ransomware attacks on backups opportunistic, not targeted
When ransomware goes after backups, it's usually opportunistic, not deliberate, says David Lavinder, chief technologist at Booz Allen Hamilton. Depending on the ransomware, it typically operates by crawling a system looking for particular filetypes. "If it encounters a backup file extension, it will most certainly encrypt it," he says.
Ransomware also tries to spread, to infect as many other systems as possible, he says. This kind of worming capability, as with WannaCry, is where he expects to see more activity in the future. "We do not expect to see any deliberate targeting of backups, but we do expect to see a more focused effort on lateral movement," he says.
Isolate the backups
The more barriers there are between an infected system and its backups, the harder it will be for the ransomware to get to it. One common mistake is when users have the same authentication method for their backups as they use elsewhere, says Landon Lewis, CEO at Pondurance, an Indianapolis-based cybersecurity services firm. "If your user’s account is compromised, the first thing the attacker wants to do is escalate their privileges," he said. "If the backup system uses the same authentication, they can just take over everything."
A separate authentication system, with different passwords, makes this step much more difficult.
Keep multiple backup copies at multiple locations
Lewis recommends that companies keep three different copies of their important files, using at least two different backup methods, and at least one of them needs to be at a different location. Cloud-based backups provide an easy-to-use, off-site backup option, he says. "Block storage on the internet is very inexpensive. It's hard to argue why someone would not use it as an additional backup method. If you use a different authentication system, it's even better."
Many backup vendors also offer the option of rollbacks or multiple versions of the same file. If ransomware attacks and encrypts files, then the backup utility automatically makes backups of the encrypted versions and overwrites the good ones, then the ransomware doesn't even have to go out of its way to get to the backups. As a result, rollbacks are becoming a standard feature, and companies should check before settling on a backup strategy. "I would add that to my criteria for sure," says Lewis.
Test your backups
Many companies only find out that their backups didn't take, or are too cumbersome to get back after they've fallen victim to an attack. "If you haven't done some type of restoration exercise and it's not documented and nobody is familiar with it, we still see a lot of clients consider paying, and in some cases actually doing so, because paying the attacker is actually operationally cheaper," Lewis says.
With Vortexshield you can rest assured that we will try to keep ransomware you from your computer as best as we can with our live protection and multiple shields that are monitored by our technicians and with a remote response if needed.
Learn more at https://vortexshield.com