How to Attack-Proof Backup Data Against Ransomware

By: Eran Farajun

Ransomware is one of the most significant malware variants impacting businesses globally—with attacks like WannaCry and NotPetya affecting more than 200,000 machines in 100 countries. The attacks by NotPetya alone resulted in a total loss of more than $1.2 billion with many other attacks driving up financial losses globally. To address this situation, individuals and organizations are investing in protective measures, including new data protection and security solutions, which have increased the ransomware protection market to new heights. In fact, forecasts show that this market will reach $33.21 billion by 2025, growing at a CAGR of 16.58 percent from 2017 to 2025, according to Trade Market Research.

Ransomware is a type of malware that encrypts all of the data on the system upon which it resides and demands a ransom for the decryption key, selling access to the data back to the system owners. The ransomware perpetrators threaten to destroy the key if they are not paid, commonly in stages based on set time limits. If the ransom is not paid, the ransomware destroys the key and, as a result, prevents access to all of the organization’s data.

The most widely used approach by businesses to recover from ransomware attacks has been to recover the criminally encrypted data from the backup set. This has provided a very successful workaround to paying the demanded ransom. Success in recovering ransomware-encrypted data from the backup has reduced the profits of hacker revenue streams and, as a result, ransomware designers have evolved these attacks to target not only primary but also secondary (backup) data. One of the most aggressive strategies by ransomware developers for targeting backup data has been the attack-loop.

Cyber-criminals produce attack-loops and stealthily insert the malicious executable code within an organization’s file system. Once in place in the primary storage environment, the ransomware does not detonate. The software is timed to hold off on executing until a predetermined day and time. In the meantime, this Trojan horse ransomware undergoes repeated backups over weeks and many months. When the execution date arrives, the encryption process begins, starting with the primary data. When IT administrators realize an attack has taken place, they will most commonly turn to their backup data and begin the restoration process. However, instead of restoring clean data, the backup solution instead recovers data infected with the hidden ransomware. Once recovered, the ransomware—which has been hiding in the backup data—begins to encrypt the files all over again, making it impossible to recover clean data because the company is now caught in a continuous encryption loop.

To contend with this increasingly sophisticated and disastrous situation, backup vendors are responding to ransomware in a variety of ways. There are still backup vendors in operation that are not implementing anti-malware technologies in order to keep development costs low. This gap, however, is leaving business customers exposed to attack. Some vendors are making attempts to deal with ransomware by implementing detection in order to discover ransomware detonations once they occur and are offering reactive strategies to recover data. The unfortunate consequence of this approach, though, is that there is little confirmation that encrypted data can be recovered once it has been impacted because of the fatal attack-loop. While a reactive solution will take action once the ransomware has detonated, a preventative approach is designed to stop backup deletions and encryptions from the outset. The question is, which is the better option for your organization?

A reactive approach leverages the backup software’s incremental or changed-block tracking mechanism. After the first backup, the amount of data being incrementally backed up is typically very small. When ransomware detonates and encrypts the data, the backup software sees the encrypted data as all-new and is forced to back up all the data. When this occurs, it becomes an issue for the backup solution, resulting in backups taking considerably longer periods to complete. This behaviour provides the backup software with an alerting mechanism: user-defined or software-determined policy-based triggering thresholds can detect a likely ransomware detonation, notify the administrator, and suggest recovery responses. Some can start the recovery process immediately.
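The policy-based threshold described above, as an added example that is not from the article or any vendor's product: each incremental job reports how many bytes it had to write, and a run whose change volume jumps far above the recent baseline and covers most of the data set is flagged as a likely detonation. The `BackupJob` and `Policy` types, the threshold values and the sample job records are all constructed assumptions for illustration.

```python
"""Policy-based detection of a likely ransomware detonation from incremental
backup job statistics (added example; thresholds and records are constructed)."""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class BackupJob:
    job_id: str
    total_bytes: int       # size of the protected data set
    changed_bytes: int     # bytes written by this incremental run
    duration_s: int        # wall-clock time of the run


@dataclass(frozen=True)
class Policy:
    baseline_window: int = 7            # prior jobs used to form the baseline
    spike_multiplier: float = 10.0      # changed_bytes must exceed this x baseline median
    min_changed_fraction: float = 0.25  # ...and at least this share of the data set


def changed_fraction(job: BackupJob) -> float:
    return job.changed_bytes / job.total_bytes if job.total_bytes else 0.0


def evaluate_job(history: list, job: BackupJob, policy: Policy) -> dict:
    """Return a verdict for `job` given the jobs that ran before it."""
    window = history[-policy.baseline_window:]
    if len(window) < 3:
        return {"job_id": job.job_id, "alert": False, "reason": "insufficient baseline"}
    # Median is used so that one earlier large run does not mask a later spike.
    base_changed = median(j.changed_bytes for j in window) or 1
    base_duration = median(j.duration_s for j in window) or 1
    spike = job.changed_bytes / base_changed
    frac = changed_fraction(job)
    # Both conditions must hold: a large relative jump AND most of the data set
    # rewritten, which is what mass encryption looks like to changed-block tracking.
    alert = spike >= policy.spike_multiplier and frac >= policy.min_changed_fraction
    return {
        "job_id": job.job_id,
        "alert": alert,
        "changed_vs_baseline": round(spike, 1),
        "changed_fraction": round(frac, 3),
        "duration_vs_baseline": round(job.duration_s / base_duration, 1),
        "reason": "incremental size spike consistent with mass encryption"
        if alert else "within policy",
    }


def scan_jobs(jobs, policy=Policy()):
    """Evaluate each job in order against the jobs that preceded it."""
    return [evaluate_job(jobs[:i], job, policy) for i, job in enumerate(jobs)]


def first_alert(jobs, policy=Policy()):
    """Return the first verdict that crosses the policy threshold, or None."""
    for verdict in scan_jobs(jobs, policy):
        if verdict["alert"]:
            return verdict
    return None


# Constructed sample: a 2 TB file server with ~0.5% daily churn for a week,
# then a run in which 90% of the data set comes back as changed and takes
# eight times longer than usual.
TB = 1024 ** 4
SAMPLE_JOBS = [
    BackupJob(f"job-{d:02d}", 2 * TB, int(2 * TB * 0.005), 1800) for d in range(1, 8)
] + [BackupJob("job-08", 2 * TB, int(2 * TB * 0.9), 14400)]

if __name__ == "__main__":
    for verdict in scan_jobs(SAMPLE_JOBS):
        print(verdict)
```

The two-part condition matters in practice: a relative spike alone fires on a quiet server after a routine patch cycle, while the absolute fraction alone misses small data sets. The duration ratio is reported as a secondary signal for the administrator rather than used as a trigger, because backup duration also moves with network and target load.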
