Backups have been a recommended part of your organization's ransomware response strategy for a number of years now. The pivotal question of whether you pay the ransom or not has long been based on the presence of viable backups -- have the backup, skip the ransom.
In recent years, we've begun to see new tactics from ransomware developers, including the search for and destruction of backups, making it necessary for organizations to protect backup from ransomware. But there's an even more sinister tactic being used today -- one that makes recovery difficult.
It's referred to as a ransomware attack loop. The strategy behind the attack is to infect the environment with ransomware in a way that, should backups be used to recover, the ransomware is still present.
Here's an example of how the attack works:
- An endpoint or server is infected with ransomware through traditional methods.
- The ransomware does not detonate for three to six months.
- Backups of the infected system now include data and the ransomware.
- The ransomware detonates, asking for the ransom.
- You recover the system -- rather than paying the ransom -- to an earlier thought-to-be-clean backup, only to recover the system to a still-infected state.
- The ransomware redetonates. Herein lies the loop, as you are back to step four in the attack.
You can, in theory, repeat step six using earlier and earlier backups, but because you don't know exactly when the system was infected, this process may be more work than it's worth.
Strengthening your backup defense against ransomware
So, how do you protect backup from ransomware and put yourself in a situation where backups are still useful in this kind of attack model?
The answer lies in looking at your backup platform and how it addresses malware in backups. New backup products tend to do one of two things when it comes to malware on systems being backed up:
- They prevent. Some products protect backup from ransomware by filtering out malware from getting into backups, preventing it from being recovered back into the environment.
- They notify. Other products only tell you when they see abnormal data in the backup stream, and it's up to you to attempt to remove it and back up again.
The trick here is to use one of these two types of backup defense methodologies as part of your backup plan. The products preventing ransomware from being included in a backup are obviously the best choice, but you may not have that as an option. The notification is less automated in its response to finding ransomware -- in that you need to do the work of removing the malware yourself, as opposed to it simply not being included in the backup set -- but is still a viable option.
Should you have neither feature set in your current product, my recommendation for how to protect backup from ransomware involves two parts. First, focus on your layered defense strategy to keep as much malware from getting in as possible. This should include domain name system protection, email and web scanning, endpoint protection and antivirus. Second, for critical systems that absolutely need to be recoverable, I'd suggest identifying the file locations where malware attempts to install itself -- typically, temp and user-type folder locations -- and exclude those folders from your backup definitions. That way, your backups will provide recoverability of a working system but without the malware.
Ransomware attack loops are pretty dastardly. It's an evolutionary step that requires you to take an equally evolutionary step with your backup strategy to ensure you prevail.