Know your enemy. In security, it is always best to know why people are attacking you and what they want to get out of the attack. In order to protect yourself, it is worth thinking about why ransomware behaves as it does. One way to defeat ransomware after an infection is to have good backups that are not reachable from your network. Cloud backup systems may be your best option for recovering from a ransomware attack.
The ransomware business
If you look at ransomware as a business, then the objective is to make paying the ransom more attractive than any other option. So what are the options, and what makes them unattractive?
- Go nuclear. Destroy the infected systems and all data, and start again from nothing. Nuclear is unattractive because it effectively throws away all your pre-existing data.
- Pay the ransom and get your files decrypted. Paying is undesirable because it funds the criminals and so encourages further ransomware. Worse, there is no guarantee that your data will be decrypted after you pay.
- Restore from your backups. Restoring is usually the most attractive option, unless your backups are out of date or the ransomware has also encrypted or deleted your backups.
Backups are the enemy of the ransomware business model. If victims can quickly restore from their backups, there is little chance that they will pay the ransom. Ransomware authors know this, so some families look for known backup file types and encrypt them first, before data files are encrypted and before the victim realizes they have been compromised. At the same time, the backup agents will probably be terminated, so no new backups are made.
Protect your backup files
To maximize your ability to recover from ransomware without paying the ransom, you need good backups, and you need to protect your backups from ransomware. The first step is to make sure that backups are not visible to the computer that gets infected, either as a drive letter or even as a network share. Many basic backup products write backups to files, storing those files on a USB drive or network share. These are exactly the types of backup that ransomware targets and encrypts, because anything the infected computer can write to, the ransomware can encrypt. For example, both Apple Time Machine and EaseUS Todo Backup store backups as files on a mounted volume, and ransomware running on that computer can encrypt those backup files.
Protect your backup server
Many backup products use a backup server, often a Windows machine running the central part of the backup application. Other computers send their backups to the backup server. The risk here is that the backup server itself gets infected and all of the backups get encrypted. Keeping your backup servers patched will help, but WannaCry spread between unpatched Windows machines over SMB without any user action, and a similar worm could encrypt all of your backups as well as your data. Using a dedicated, hardened backup appliance, with no general-purpose software and no file share exposed to the rest of the network, will help to protect your backups from ransomware.
Backup to the cloud
One of the best features of cloud backup systems is that the backups are not on your office network or inside your PCs. This makes it very hard for ransomware to encrypt your backups, provided the only path to them is the backup API rather than a file share. The backup client application on your PCs sends backups to a cloud application. The cloud application then stores the backup data outside of your network. The cloud application should only accept new backups. Once backups are stored, they should never change. Occasionally, they will be restored. Make sure that there isn't a drive letter or mapped share on your PC that makes the backup store writable from your PC; if there is, the backups are just files again, and ransomware will treat them as such.
Most cloud backup systems store backups in a deduplicated and compressed object store. Because the store is content-addressed and append-only, a changed file produces new chunks rather than replacing the old ones, so an existing backup is never overwritten in place. Once the backup is made, it should always be available to restore until its retention time expires and the backup is deleted. The backup client is not involved in deleting backups; deletion is controlled by a retention policy on the cloud server. Ransomware that infects your PCs runs with the client's credentials and cannot change the deletion policy, so your cloud backups are safe as long as those client credentials really are limited to writing new backups. Check that the client's API key cannot delete or shorten retention, because a key that can do either hands the ransomware the same power it has over a mapped drive.
Good cloud-based backup systems also let you choose a point in time for the restore, ideally just before the ransomware infection. Rather than keeping a single copy of the latest backup, cloud backups will usually keep a backup history and allow restores from any previous backup. To get the best value, you also need a granular restore. It's important to be able to say which files you want restored from which backup, since different files are usually encrypted at different times, and the backup agent may keep dutifully backing up the encrypted versions until it is stopped. Then you can restore each file from the last backup before it was encrypted, rather than restoring every file to an older backup and losing the work done on files the ransomware had not yet reached.
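The three properties described above, an append-only store that refuses client deletes, server-side retention, and per-file point-in-time restore, are easier to reason about in code than in prose. The following is an added example written for this article, not code from any backup product: a small in-memory model of such a store with a constructed scenario in which two files are encrypted on different days while the backup agent keeps running. Class and function names (`ImmutableBackupStore`, `restore_last_good`, the entropy heuristic) are this example's own assumptions; a real service would expose the same shape of API over HTTPS with authenticated clients and would typically implement immutability with object versioning and a retention lock.

```python
# Added example (not from the original article or any vendor): an append-only
# backup store with server-controlled retention and per-file restore.
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Version:
    stored_at: datetime
    data: bytes


class ImmutableBackupStore:
    """Clients may only append versions. No client-callable method modifies
    or removes stored data; only the server's retention job does."""

    def __init__(self, retention: timedelta):
        self.retention = retention
        self._versions: Dict[str, List[Version]] = {}

    # --- client-facing API (what a compromised PC can reach) ---------------
    def put(self, path: str, data: bytes, now: datetime) -> None:
        """Append a new version; earlier versions are never overwritten."""
        self._versions.setdefault(path, []).append(Version(now, data))

    def delete(self, path: str) -> None:
        """A client-issued delete is refused outright."""
        raise PermissionError("deletion is governed by server-side retention, not by clients")

    def versions(self, path: str) -> List[Version]:
        return list(self._versions.get(path, []))

    # --- server-side policy (not reachable through the client API) ---------
    def expire(self, now: datetime) -> int:
        """Drop versions older than the retention window, always keeping the newest."""
        removed = 0
        for path, vs in self._versions.items():
            keep = [v for v in vs if now - v.stored_at <= self.retention] or vs[-1:]
            removed += len(vs) - len(keep)
            self._versions[path] = keep
        return removed

    # --- restore -----------------------------------------------------------
    def restore_before(self, path: str, cutoff: datetime) -> Optional[Version]:
        """Latest version stored strictly before `cutoff` (one global point in time)."""
        older = [v for v in self._versions.get(path, []) if v.stored_at < cutoff]
        return older[-1] if older else None

    def restore_last_good(self, path: str, is_good: Callable[[bytes], bool]) -> Optional[Version]:
        """Walk back from the newest version to the last one passing `is_good`.
        This is the granular restore: each file comes back from the backup
        taken just before *it* was encrypted, not from one date for all files."""
        for v in reversed(self._versions.get(path, [])):
            if is_good(v.data):
                return v
        return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; output of a real cipher approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_plaintext(data: bytes) -> bool:
    # Crude heuristic for the demo; encrypted files sit near maximal entropy.
    return shannon_entropy(data) < 7.0


# --- constructed scenario (sample data made up for this example) -----------
T0 = datetime(2024, 1, 1)
PLAIN = {
    "finance/q3.xlsx": b"Q3 revenue figures, confidential\n" * 8,
    "hr/roster.csv": b"name,role,start\nalice,eng,2019\nbob,ops,2021\n" * 4,
}
CIPHERTEXT = bytes(range(256))  # stand-in for ransomware output (entropy 8.0)


def run_scenario() -> Dict[str, datetime]:
    """Returns, per file, the timestamp of the backup it was recovered from."""
    store = ImmutableBackupStore(retention=timedelta(days=30))
    for day in range(4):  # nightly backups of clean data, days 0..3
        for path, data in PLAIN.items():
            store.put(path, data, T0 + timedelta(days=day))
    # Infection: finance file encrypted on day 4, HR file on day 5. The agent
    # keeps running and backs up the ciphertext, so the newest versions are bad.
    store.put("finance/q3.xlsx", CIPHERTEXT, T0 + timedelta(days=4))
    store.put("hr/roster.csv", PLAIN["hr/roster.csv"], T0 + timedelta(days=4))
    for path in PLAIN:
        store.put(path, CIPHERTEXT, T0 + timedelta(days=5))
    try:  # the ransomware's attempt to wipe backups through the client API
        store.delete("finance/q3.xlsx")
    except PermissionError:
        pass
    restored = {}
    for path in PLAIN:
        v = store.restore_last_good(path, looks_plaintext)
        assert v is not None and v.data == PLAIN[path]
        restored[path] = v.stored_at
    return restored


if __name__ == "__main__":
    for path, when in run_scenario().items():
        print(f"{path}: restored from backup taken {when:%Y-%m-%d}")
```

Note that a single global restore point would have to be day 3 to get a clean finance file, which throws away the legitimate day 4 change to the HR file; the per-file walk keeps it. Entropy is only a demonstration heuristic for deciding which version is "good"; in practice you would combine it with file-type checks, the ransom-note timestamp and what users report.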
Making good backups and protecting them from ransomware is crucial to being able to recover from an infection. Cloud backup systems can be a great way to protect your backups from attacks that reach your network, as long as nothing on that network holds credentials that can delete or overwrite them. Whichever method you use to recover your systems, make sure that you also close whatever allowed the ransomware in, whether that is an unpatched vulnerability, an exposed remote-access service or a phishing e-mail, before restoring into production. The last thing you want is a reinfection that encrypts the freshly restored data.