How Not to Make Backups


The mantra about the crucial role of data backups in digital security has solid reasoning behind it. Backups not only limit the damage in a hardware failure scenario, they are also a fundamental element of mitigating the impact of a ransomware attack. The issue has become more pressing during the current global healthcare emergency, because cybercriminals are busier than ever running Coronavirus-themed phishing and spam campaigns that prey on people's fears to spread ransom Trojans on a large scale. 

Organizations are predictably the juiciest prey in ransomware raids. Moreover, attackers continue to target hospitals in these hard times, as if tackling the COVID-19 outbreak weren't arduous enough for these facilities. The dramatic increase in telework is an extra incentive for crooks to find and exploit weaknesses in the VPN tools and cloud services used to implement remote workplaces. 

With that said, maintaining backups of the most valuable data assets is increasingly important for individuals and businesses alike. However, it turns out that a poorly configured backup can do your company a disservice instead of strengthening its security posture. If you are curious how this could possibly be the case, keep reading to learn the whys and wherefores. 

The wakeup call 

According to recent findings by security researchers, an incorrectly implemented data backup gives an adversary an easy way to collect an organization's most valuable files in one place, counterintuitive as that may sound. Before I proceed, it's worth clarifying a few things about the current state of the ransomware ecosystem. 

A game-changing trend in this context is that some attackers now steal victims' data before encrypting it. Ransomware families that employ this tactic include Sodinokibi, Maze, DoppelPaymer, and Nemty. Once the criminals have the data, they use it as additional leverage to coerce the victim into paying the ransom. If a company refuses to cough up the specified amount of Bitcoin, the ransomware operators switch to plan B and publish the sensitive information for everyone to see. 

Essentially, the attack isn’t only about malicious encryption anymore – it’s also about the risk of data breaches and huge reputational damages. To top it off, some cybercriminal groups have launched special websites where they leak the data stolen from non-paying businesses. 

You might be wondering what this narrative has to do with backups – well, the ties are closer than you probably think. The threat actors behind the above-mentioned DoppelPaymer ransomware recently updated their leak site with an entry listing credentials for the Veeam backup solution used by one of the compromised organizations. 

Analysts at the security news outlet BleepingComputer who looked into the incident argue that the attackers' intention wasn't to punish the organization for rejecting the ransom demands. Instead, the entry was proof of unrestricted access to the victim's digital infrastructure, backups included. This was the attackers' way of pressuring the company into paying up. 

To dot the i's and cross the t's, the researchers contacted the operators of two very active ransomware strains, DoppelPaymer and Maze, and asked them about this facet of their activity. On a side note, the researchers had previously communicated with these groups, who didn't mind explaining some of their tactics, techniques, and procedures (TTPs). The perpetrators' response on this particular matter was very surprising. 

The new know-how of ransomware authors 

The cybercrooks described their usual attack chain and the role data backups play in it. First, they compromise a single machine on the network through phishing, auxiliary malware, or exposed Remote Desktop Protocol (RDP) services. Once that computer is under their control, they move laterally across the network, trying to obtain admin credentials and reach the domain controller. 

If the attackers succeed in gaining this foothold in the enterprise environment, they use a post-exploitation tool such as Mimikatz to dump the authentication data from the Active Directory database. The consequences can be hugely disruptive, because the stolen credentials may also grant access to the backup tools the organization uses. This is especially likely when network admins log in to Veeam or another mainstream backup product with Windows session authentication, i.e. with the same domain account they use everywhere else: whoever holds a domain admin credential then automatically holds the keys to the backup console as well. 

From there, the ransomware operators can easily reach the victimized company's cloud backups and download all the data to an attacker-controlled server. This is a shortcut for them: there is no need to traverse the whole corporate network in search of potentially valuable information, because cloud backups typically contain exactly the data that matters most. 

An extra benefit for attackers who take this route is that the data theft slips below the radar of the automated defenses deployed in the network. Restoring directly from the cloud doesn't give IT teams a heads-up: the production servers appear to be functioning normally and the backup software doesn't trigger any alerts either. The activity does leave traces, though. Logons to the backup console, restore or export sessions, and backup deletions are all recorded by the backup server, so a team that alerts on unusual volumes of those events, or on accounts that have no business performing them, can still catch this stage before encryption starts. 

Once the attackers have downloaded all the important files, they delete the backups so the victim cannot recover from the incursion easily. Then they use the Sysinternals PsExec command-line utility to push the ransomware to machines across the network, where it encrypts the organization's data. 
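The attack chain above (domain credential reused on the backup console, mass restore or export of backup sets, deletion of the backups) is precisely what a backup server's own audit trail can reveal. The following is an added detection example, not code from the article or from any backup vendor. It runs three simple rules over a constructed, generic audit-log format (timestamp, account, action, detail); the account names, console name and action names are hypothetical, and the real event format of Veeam or any other product has to be mapped onto the same three actions (LOGON, EXPORT, DELETE) before using it.

```python
"""Detect backup-console abuse from a simple audit log.

Constructed example: the log format below is a hypothetical generic
backup-server audit trail, not any vendor's real event format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts that are allowed to operate the backup console.  Anything else,
# e.g. a domain admin whose Windows session was reused, is suspect.
BACKUP_OPERATORS = {"CORP\\svc-backup"}          # hypothetical name

BULK_EXPORT_COUNT = 3                            # exports per account ...
BULK_EXPORT_WINDOW = timedelta(minutes=30)       # ... within this window
DELETE_AFTER_EXPORT = timedelta(hours=6)         # delete following an export

# Constructed sample: a domain admin logs on to the backup console, exports
# several restore points in a few minutes, then deletes the backup sets.
SAMPLE_LOG = """\
2020-04-10T01:02:11Z CORP\\svc-backup  LOGON   console=BKP01 src=10.0.5.12
2020-04-10T02:14:03Z CORP\\admin.jdoe  LOGON   console=BKP01 src=10.0.9.77
2020-04-10T02:15:40Z CORP\\admin.jdoe  EXPORT  job=FileServer-Daily rp=2020-04-09
2020-04-10T02:16:02Z CORP\\admin.jdoe  EXPORT  job=SQL-Prod rp=2020-04-09
2020-04-10T02:16:30Z CORP\\admin.jdoe  EXPORT  job=Exchange rp=2020-04-09
2020-04-10T02:17:11Z CORP\\admin.jdoe  EXPORT  job=HR-Share rp=2020-04-09
2020-04-10T02:40:55Z CORP\\admin.jdoe  DELETE  job=FileServer-Daily rp=*
2020-04-10T02:41:02Z CORP\\admin.jdoe  DELETE  job=SQL-Prod rp=*
2020-04-10T03:05:19Z CORP\\svc-backup  EXPORT  job=HR-Share rp=2020-04-09
"""


def parse_line(line):
    """Split one audit line into (timestamp, account, action, detail)."""
    ts, user, action, detail = line.split(None, 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, detail


def analyze(log_text):
    """Return alerts as (rule, account, detail) tuples, in log order.

    Rules:
      unexpected-account  - a non-operator account touched the console
      bulk-export         - BULK_EXPORT_COUNT exports within BULK_EXPORT_WINDOW
      export-then-delete  - a DELETE by an account that exported recently
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])

    alerts = []
    exports = defaultdict(list)   # account -> timestamps of its EXPORTs
    flagged_accounts = set()      # unexpected-account fires once per account
    flagged_bulk = set()          # bulk-export fires once per account

    for ts, user, action, detail in events:
        if user not in BACKUP_OPERATORS and user not in flagged_accounts:
            flagged_accounts.add(user)
            alerts.append(("unexpected-account", user, f"{action} {detail}"))

        if action == "EXPORT":
            exports[user].append(ts)
            recent = [t for t in exports[user] if ts - t <= BULK_EXPORT_WINDOW]
            if len(recent) >= BULK_EXPORT_COUNT and user not in flagged_bulk:
                flagged_bulk.add(user)
                alerts.append(("bulk-export", user,
                               f"{len(recent)} restore points exported "
                               f"within {BULK_EXPORT_WINDOW}"))
        elif action == "DELETE":
            if any(ts - t <= DELETE_AFTER_EXPORT for t in exports[user]):
                alerts.append(("export-then-delete", user, detail))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in analyze(SAMPLE_LOG):
        print(f"{rule:20} {user:20} {detail}")
```

On the sample the dedicated service account produces no alerts, while the domain admin account trips all three rules. The allowlist is the most valuable of the three checks in practice: if the backup console accepts only dedicated backup accounts (and not Windows session logons from domain admins), a dumped domain credential no longer opens the backups at all.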

At the end of the day, although backups are a critical element of incident response, they can be turned against a company unless they are set up properly. Ransomware operators piggyback on poor backup hygiene to steal data faster without raising any red flags along the way, and this negligence feeds their newer strategy of stealing data before encrypting it. Offline backups are far harder to abuse in this way, but they are often out of date. 

How to make backups correctly 

Luckily, there are methods that help businesses protect themselves against this exploitation vector and make the attackers' efforts futile. The fundamental countermeasure is the so-called 3-2-1 rule. It removes the single point of failure (SPOF) that would otherwise exist when hardware crashes or a strain of ransomware poisons the enterprise network. In a nutshell, the rule is: keep at least three copies of your valuable data, store them on at least two different types of storage media, and keep one copy offsite, ideally offline as well so that it cannot be reached from the production network at all. 

For individuals, the storage media for this diversified approach can range from external hard disks and USB thumb drives to SD cards or CDs/DVDs; organizations usually rely on tape or removable disks rotated to an offsite location. The choice depends on the amount of data to be kept safe. Prioritizing your information is a worthwhile part of the exercise, because it narrows the scope to the items that really matter. When it comes to offline backups, it's important to verify regularly that they hold recent versions of your files, since an offline copy that is months old is of little use. 

If you adhere to the 3-2-1 principle, the risk of losing your data to a ransomware incident, a hardware malfunction, or the vengeance of a disgruntled employee shrinks dramatically, and your organization is far more resilient to a disaster no matter where it comes from. Note, however, that the rule protects recoverability, not confidentiality: it does nothing on its own against the data theft described above. That part requires keeping the backup console off the domain credentials attackers go after first and watching for unusual restore or export activity. 

Experts additionally recommend that businesses use what's called "immutable storage" to further protect the integrity of their backups. Such write-once storage (on-premises WORM media or the object-lock features of cloud storage services) makes it impossible to erase or modify a backup for a specified retention period, even for an administrator account, which defeats the "delete the backups, then encrypt" step of the attack chain. 
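To turn the 3-2-1 rule, the offline-freshness requirement and the immutability recommendation above into something that can be checked rather than merely recited, here is an added example policy checker. It is not code from the article or from any backup product; the inventory format, dataset names, locations and thresholds are all constructed for illustration, and a real deployment would populate the inventory from the backup catalogue.

```python
"""Audit a backup inventory against 3-2-1, offline freshness and immutability.

Constructed example: the inventory format and all entries are hypothetical.
"""
from collections import defaultdict
from datetime import date, timedelta
from typing import List, NamedTuple, Optional

MAX_OFFLINE_AGE = timedelta(days=7)           # offline copy must be this fresh
MIN_IMMUTABLE_RETENTION = timedelta(days=14)  # remaining lock time required


class Copy(NamedTuple):
    dataset: str
    medium: str                    # disk / tape / cloud ...
    offsite: bool                  # stored away from the primary site?
    online: bool                   # reachable from the production network?
    last_written: date
    immutable_until: Optional[date]  # None if the copy can be deleted at will


# Constructed inventory: one entry per stored copy of each dataset.
INVENTORY = [
    Copy("finance", "disk",  False, True,  date(2020, 4, 10), None),
    Copy("finance", "cloud", True,  True,  date(2020, 4, 10), date(2020, 5, 10)),
    Copy("finance", "tape",  True,  False, date(2020, 4, 8),  None),
    Copy("hr",      "disk",  False, True,  date(2020, 4, 10), None),
    Copy("hr",      "disk",  False, True,  date(2020, 4, 10), None),
    Copy("hr",      "tape",  True,  False, date(2020, 1, 15), None),
]


def check_dataset(copies: List[Copy], today: date) -> List[str]:
    """Return the list of policy violations for one dataset's copies."""
    problems = []
    # 3: at least three copies
    if len(copies) < 3:
        problems.append("fewer-than-3-copies")
    # 2: on at least two different media types
    if len({c.medium for c in copies}) < 2:
        problems.append("single-media-type")
    # 1: at least one copy offsite
    if not any(c.offsite for c in copies):
        problems.append("no-offsite-copy")
    # an offline copy exists and is recent enough to be worth restoring
    offline = [c for c in copies if not c.online]
    if not offline:
        problems.append("no-offline-copy")
    elif today - max(c.last_written for c in offline) > MAX_OFFLINE_AGE:
        problems.append("stale-offline-copy")
    # at least one copy the attacker cannot delete for a meaningful period
    if not any(c.immutable_until is not None
               and c.immutable_until - today >= MIN_IMMUTABLE_RETENTION
               for c in copies):
        problems.append("no-immutable-copy")
    return problems


def audit(inventory: List[Copy], today: date) -> dict:
    """Group copies by dataset and check each; returns {dataset: [violations]}."""
    by_dataset = defaultdict(list)
    for c in inventory:
        by_dataset[c.dataset].append(c)
    return {ds: check_dataset(cs, today) for ds, cs in by_dataset.items()}


if __name__ == "__main__":
    for dataset, problems in audit(INVENTORY, date(2020, 4, 10)).items():
        print(f"{dataset:10} {'OK' if not problems else ', '.join(problems)}")
```

In the sample, "finance" passes every check, while "hr" technically satisfies 3-2-1 (three copies, two media types, an offsite tape) yet still fails: its only offline copy is almost three months old and nothing is immutable, which is exactly the combination the attackers described above would exploit.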

Furthermore, the saying "prevention is the best cure" has never been more relevant than it is today. To defend against ransomware attacks and data breaches proactively, organizations should deploy network monitoring tools, cloud access controls based on IP addresses and geolocation, and intrusion detection systems (IDS). Combined with properly isolated backups, these measures greatly improve the odds of stopping criminals early and spare companies the mind-boggling aftermath of a full compromise.