Published on January 27, 2020 | By Infrascale

How Ransomware is Beating your Backup

Traditional approaches to backup and DR simply don’t work against ransomware

It’s been over 2 hours since ransomware hit your business and you still have no update from your techs and none of your employees can work.

After what seems like an eternity, your technician emerges with a not-so-confident look and sheepishly admits “the problem is that the ransomware has infected your backups. I’m doing what I can to see how far back we can recover, but it doesn’t look good. We should begin setting up a bitcoin account in case we can’t recover from the backups within the next 15 hours, which is the amount of time we’ve been given to pay or they’ll delete the encryption key for good.”

You’re overcome with mixed emotions. You’ve been violated. You’re mad as hell.  You’re unsure whether you’ll get your data back even if you pay the ransom. As you go through the phases of grief, you become engrossed in the effect beyond the business to your personal life. Your head clears enough for you to start asking yourself how this came to be.

You did everything you thought was going to keep you safe, didn’t you?

  • You paid for a business-grade backup system
  • Your backups were regularly tested to make sure that they’re working properly
  • Your backup drives were refreshed to protect against hardware failure

Why then? How did ransomware beat the system that was supposed to save you?

This is not uncommon. Global damages connected with Ransomware attack over $11 billion USD were paid in ransoms over the course of 2018 due to this very common scenario. 2019 is predicted to be worse. Much worse.

Here are four reasons why your backups didn’t save you:

One. These are criminal organizations and attacks are not random.

They have purposefully designed their viruses and exploit kits to increase the success rate of collecting ransom payments. They use social media and even your own website to figure out how to best penetrate your business. Who works there? What servers and services are your users and business using?

Two. Ransomware attacks are increasingly targeting your critical applications.

Previous viruses were largely covert, quietly stealing data for as long possible without being discovered. In 2015, ransomware targeted users by encrypting files on individual machines before presenting clear instructions for payment.

By 2016, ransomware firms began targeting businesses by using your employees as entry points before accessing and encrypting critical applications (e.g., your Exchange server, SQL servers, Oracle database, etc.) on your network, locking you and your users out via strong encryption algorithms.

Any application, service or network location with heavy traffic becomes a major target
because the impact of downtime is heightened, increasing the value of the data being held hostage and therefore, the likelihood that you’ll pay the ransom.

Three. Backup systems are their kryptonite, and are their top priority.

They know that a business’s ability to recover data and critical systems is directly related to the chance to collect a ransom payment. Therefore, these firms target backup files as a top priority before triggering their virus to encrypt files and display a ransom notice.

If backup and/or DR files are stored on a network-accessible drive, the ransomware viruses will be able to locate them.

Typical backup programs write files in a proprietary or common format. Known file-types are easy to search and discover once network access is gained.

In addition to file-type searches, ransomware kits will look at Volume Shadow Service (VSS) logs as an easy way to find where backups are being written since many backup services will use VSS to create backups for databases and other open files.

Once the location is discovered, only a short-time stands between the virus and your critical applications and files.

Four. Backup systems typically store files on administratively accessible drives/locations.

Gaining network administrative access is a primary objective because it allows ransomware variants to read/write data on the most critical locations on the network. With this access, they can encrypt the backup files themselves, meaning there’s not even an option to test recover to see if there are or are not infected files—the backup file itself is completely useless. This situation leaves a single option to recover the data—pay the ransom.

What can you do?

Get a cloud backup/DR system.

By moving backup/DR files to the cloud, you can at least recover a previous version before the infection took place, since the virus will not be able to access and infect files already stored in the cloud.

You still have to download and recover the files to a safe location and test recoveries for individual file infections before moving to a production environment. This can take time, but at least you haven’t lost valuable information.

Get an enterprise grade Disaster Recovery as a Service (DRaaS) solution.

A proper DRaaS solution will lock administrators and intruders out of the storage used for the backups and DR files while still being stored on the network. Management access to these files is only granted through the software/portal given to you by the solution provider and no level of network administrative access will allow viruses like ransomware to infect the actual backup files.

A cloud-DRaaS solution wherein all backups are replicated offsite will allow a much faster recovery via cloud-based recovery of entire machines from which your users can continue work while a production environment is prepared for final recovery.