Backups are the most important defense against ransomware. However, ransomware attackers are using misconfigured backups to steal victims’ data. The UK’s National Cyber Security Centre (NCSC) updated its backup guidelines last week to help organizations mitigate ransomware attacks.
Attackers Use Backups to Steal Data
Usually as part of a ransomware attack, before malicious actors encrypt the victim’s systems, they steal business sensitive data. The stolen data is then used to blackmail the victim into paying the ransom or risk having the data exposed online.
In the past, ransomware attackers would trawl the victim’s network devices in search of sensitive data to steal. As this is time consuming and leaves attackers open to detection, they have now turned to using the victim’s own backups instead. Once a victim’s systems are breached, attackers locate the victim’s backups. If these are stored either in the cloud or on the victim’s network, attackers use the backups to restore victims’ data to servers under their control.
In an email sent to BleepingComputer, an attacker explains: “Yes, we download them. It is very useful. No need to search for sensitive information, it is definitely contained in backups. If backups in the cloud it is even easier, you just login to cloud and download it from your server, full invisibility to data breach detection software.” Since attackers are just restoring from the victim’s own backups, the backup software does not create any logs. Consequently, the victim remains unaware of the attack.
Backups Compromised as Part of Ransomware Attack
As part of a ransomware attack, malicious actors normally encrypt backups along with the rest of the victim’s network. For backups stored in the cloud, attackers use the victim’s own backup software to access the backup files and delete them.
Attackers either delete or encrypt backups so that victims cannot use them to restore their encrypted files. Intact backups would otherwise allow businesses to restore their systems without paying the attacker’s ransom for decryption.
How to Protect Backups from Ransomware Attacks?
Regardless of the backup software businesses use, once an attacker compromises a network, backups are at risk. Most at risk of ransomware attacks are backups stored on the network. Also at high risk are backups stored on devices still connected to the network when an attack takes place.
With these facts in mind, the UK’s National Cyber Security Centre (NCSC) last week updated its guidelines for mitigating ransomware attacks. The NCSC’s new guidelines now emphasise offline backups as the best defense against ransomware attacks. The NCSC also warns that cloud-syncing services like Dropbox or OneDrive should not be used as the sole backup source. This is because if synchronization occurs immediately after local files have been encrypted by ransomware, the files in the cloud become encrypted copies as well.
According to the NCSC, the best method for creating ransomware resilient backups is to follow the “3-2-1” rule. This rule advocates that organizations have at least 3 copies of a backup, copied onto 2 separate devices, with 1 of the devices being kept offsite.
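As an added illustration (not code from the article or from the NCSC guidance), the following Python checker scores a backup inventory against the “3-2-1” rule and the two caveats the article draws from the guidance: at least one copy must be offline, and cloud-sync folders do not count as a backup at all. The inventory fields, rule names and the sample inventories are this example’s own constructed assumptions.

```python
"""Score a backup inventory against the 3-2-1 rule plus the NCSC caveats.

The BackupCopy fields and the rule names are assumptions for this example;
real backup products expose this information in their own formats.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy in a backup inventory (field names are this example's own)."""
    name: str
    medium: str          # storage type, e.g. "nas", "tape", "object-storage"
    offsite: bool        # held at a different physical site
    online: bool         # currently reachable from the production network
    sync_service: bool   # continuous file sync (Dropbox/OneDrive-style)


def assess(copies):
    """Return {rule_name: passed} for each rule.

    Sync-service folders are excluded before counting: they mirror whatever
    is on the local disk, encrypted files included, so they are not backups.
    """
    backups = [c for c in copies if not c.sync_service]
    return {
        "three_copies": len(backups) >= 3,                        # 3 copies
        "two_media": len({c.medium for c in backups}) >= 2,       # on 2 media
        "one_offsite": any(c.offsite for c in backups),           # 1 offsite
        "one_offline": any(not c.online for c in backups),        # NCSC: offline copy
        "not_sync_only": len(backups) > 0,                        # NCSC: sync is not a backup
    }


def violations(copies):
    """List the rule names the inventory fails, in a stable order."""
    return [rule for rule, ok in assess(copies).items() if not ok]


# Constructed sample inventories (not real systems).
WEAK_INVENTORY = [
    BackupCopy("nightly-nas", "nas", offsite=False, online=True, sync_service=False),
    BackupCopy("onedrive-docs", "cloud-sync", offsite=True, online=True, sync_service=True),
]

HARDENED_INVENTORY = [
    BackupCopy("nightly-nas", "nas", offsite=False, online=True, sync_service=False),
    BackupCopy("weekly-tape", "tape", offsite=True, online=False, sync_service=False),
    BackupCopy("cloud-backup", "object-storage", offsite=True, online=True, sync_service=False),
]


if __name__ == "__main__":
    for label, inventory in (("weak", WEAK_INVENTORY), ("hardened", HARDENED_INVENTORY)):
        print(f"{label}: violations = {violations(inventory) or 'none'}")
```

The weak inventory is the situation the article describes: a single network-attached copy that ransomware can encrypt, plus a sync folder that would faithfully replicate the encrypted files. The hardened inventory passes only because the tape copy is both offsite and offline; the object-storage copy alone would still satisfy 3-2-1 on paper while remaining reachable by anyone who has compromised the network.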