Traditional approaches to backup and DR simply don’t work against ransomware

It’s been over 2 hours since ransomware hit your business, you still have no update from your techs, and none of your employees can work.

After what seems like an eternity, your technician emerges with a not-so-confident look and sheepishly admits: “The problem is that the ransomware has infected your backups. I’m doing what I can to see how far back we can recover, but it doesn’t look good. We should begin setting up a bitcoin account in case we can’t recover from the backups within the next 15 hours, which is the amount of time we’ve been given to pay or they’ll delete the encryption key for good.”

You’re overcome with mixed emotions. You’ve been violated. You’re mad as hell. You’re unsure whether you’ll get your data back even if you pay the ransom. As you go through the phases of grief, you become engrossed in the effect beyond the business on your personal life. Your head clears enough for you to start asking yourself how this came to be.

You did everything you thought was going to keep you safe, didn’t you?
- You paid for a business-grade backup system
- Your backups were regularly tested to make sure that they’re working properly
- Your backup drives were refreshed to protect against hardware failure
Why then? How did ransomware beat the system that was supposed to save you?

This is not uncommon. Global damages connected with ransomware attacks: over $11 billion USD were paid in ransoms over the course of 2018 because of this very common scenario. 2019 is predicted to be worse. Much worse.

Here are four reasons why your backups didn’t save you:

One. These are criminal organizations and attacks are not random.

They have purposefully designed their viruses and exploit kits to increase the success rate of collecting ransom payments. They use social media and even your own website to figure out how best to penetrate your business. Who works there? What servers and services are your users and business running?
Two. Ransomware attacks are increasingly targeting your critical applications.

Earlier viruses were largely covert, quietly stealing data for as long as possible without being discovered. In 2015, ransomware targeted users by encrypting files on individual machines before presenting clear instructions for payment.

By 2016, ransomware firms began targeting businesses by using your employees as entry points before accessing and encrypting critical applications (e.g., your Exchange server, SQL servers, Oracle database) on your network, locking you and your users out via strong encryption algorithms.

Any application, service or network location with heavy traffic becomes a major target because the impact of downtime is heightened, increasing the value of the data being held hostage and therefore the likelihood that you’ll pay the ransom.
Three. Backup systems are their kryptonite, and are their top priority.

They know that a business’s ability to recover data and critical systems directly affects the chance of collecting a ransom payment. Therefore, these firms target backup files as a top priority before triggering their virus to encrypt files and display a ransom notice.

If backup and/or DR files are stored on a network-accessible drive, the ransomware will be able to locate them.

Typical backup programs write files in a proprietary or common format. Known file types are easy to search for and discover once network access is gained.

In addition to file-type searches, ransomware kits will look at Volume Shadow Copy Service (VSS) logs as an easy way to find where backups are being written, since many backup services use VSS to create backups of databases and other open files.

Once the location is discovered, only a short time stands between the virus and your critical applications and files.
Four. Backup systems typically store files on administratively accessible drives/locations.

Gaining network administrative access is a primary objective because it allows ransomware variants to read/write data in the most critical locations on the network. With this access, they can encrypt the backup files themselves, meaning there’s not even an option to test a recovery to see whether individual files are infected: the backup file itself is completely useless. This situation leaves a single option to recover the data: pay the ransom.
What can you do?

Get a cloud backup/DR system.

By moving backup/DR files to the cloud, you can at least recover a previous version from before the infection took place, since the virus will not be able to access and infect files already stored in the cloud.

You still have to download and recover the files to a safe location and test recoveries for individual file infections before moving to a production environment. This can take time, but at least you haven’t lost valuable information.
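As an added illustration of "recover a previous version from before the infection" (example code written for this page, not code from the original post), the following Python audit walks versioned backup snapshots newest-first and picks the latest one whose files still match a SHA-256 manifest. It assumes the manifest was written at backup time to a separate, versioned cloud location that a compromised share account cannot rewrite; the snapshots, file names and contents are constructed sample data.

```python
"""Choose the newest backup snapshot whose files still match the SHA-256
manifest recorded at backup time. Constructed example, not the post's code;
assumes each run's manifest lives in a separate write-once (cloud) location."""
import hashlib
from dataclasses import dataclass

@dataclass
class Snapshot:
    label: str      # ISO date of the run; used for newest-first ordering
    files: dict     # file name -> bytes as found on the backup share today
    manifest: dict  # file name -> SHA-256 hex digest recorded at backup time

def make_manifest(files: dict) -> dict:
    """What the backup job writes out of band right after the set is written."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def verify_snapshot(snap: Snapshot) -> list:
    """Return problems found; an empty list means every file still verifies."""
    problems = []
    for name, expected in snap.manifest.items():
        if name not in snap.files:
            problems.append(f"{name}: missing")
        elif hashlib.sha256(snap.files[name]).hexdigest() != expected:
            problems.append(f"{name}: hash mismatch (modified or encrypted after backup)")
    for name in snap.files:
        if name not in snap.manifest:
            problems.append(f"{name}: not in manifest (unexpected file)")
    return problems

def newest_clean_snapshot(snapshots: list):
    """Check snapshots newest-first; return the first clean label and a report."""
    report, chosen = {}, None
    for snap in sorted(snapshots, key=lambda s: s.label, reverse=True):
        report[snap.label] = verify_snapshot(snap)
        if chosen is None and not report[snap.label]:
            chosen = snap.label
    return chosen, report

# Constructed sample: the two newest sets sat on a network share and were
# overwritten (simulated with altered bytes); the oldest is intact.
_clean = {"db.bak": b"SQL backup contents", "mail.edb": b"mailbox store"}
SAMPLE = [
    Snapshot("2019-03-01", dict(_clean), make_manifest(_clean)),
    Snapshot("2019-03-02", {"db.bak": b"\x8f\x11junk", "mail.edb": b"mailbox store"},
             make_manifest(_clean)),
    Snapshot("2019-03-03", {"db.bak": b"\x02\xa7junk", "ransom_note.txt": b"pay up"},
             make_manifest(_clean)),
]
```

Run `newest_clean_snapshot(SAMPLE)` to get the label to restore from plus a per-snapshot list of problems; a clean label of `None` means no retained version verifies and the retention window was too short.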