I just found a very interesting blog post by Jerome Wendt, President & Lead Analyst of DCIG, Inc., an independent storage analyst and consulting firm.
He started out with “The prevailing wisdom is that if you back up your data you can recover from a ransomware attack. While this premise generally holds true, simply backing up your data no longer provides an absolute guarantee that you can recover from a ransomware attack. Here are three techniques that ransomware may use to circumvent existing backups and make your “good” backups bad.” I have added number 4 at the end as a bonus.
And then he described three bad guy tactics to ruin your backups:
- Finding and encrypting backups on network file shares. Many backup products backup data to file shares accessible over corporate networks. Further, many organizations use the default directory name created by these backup products to store these backups. The default names of these directories are readily accessible in the documentation published by backup providers. Some creators of ransomware have figured this out. As part of their malware that find and encrypt data on production servers, they also probe corporate networks for these default backup directories and encrypt the backups in these directories. In so doing, they increase the possibility that companies cannot recover from backups.
- Hacking the backup software’s APIs. A number of enterprise backup software products offer their own application programming interface (API). Using these APIs, organizations can write to them to centralize backup and recovery under their broader data center management platform. However, ransomware creators can also access these published APIs for nefarious purposes and used them to corrupt and/or encrypt existing backup.
- Plant a ransomware “time bomb.” To date, when ransomware encrypts a company’s data, the encryption generally occurs as soon as or shortly after it gets onto the corporate network. However, ransomware continues to evolve and mature and, as it does so, it grows both more patient and more insidious. Rather than encrypting data as soon as it breaches the corporate firewall, it begins to infect the data but does not immediate encrypt it. Then, only after days, weeks, or months go by and this infected data has been backed up for months does it initiate the encryption of the corporate data. In many respects, this is the worst type of ransomware attack. Not only is all of a company’s production data encrypted, the company thinks it has “good” backups and when it goes to restore the data, the restored data encrypts as well because it was infected when it was backed up. This may make it almost impossible for an organization to determine when it was initially infected and which of their backed up data they can reliably and confidently restore.
- Delete your Shadow copies. You know about this one, several major strains have been doing this for a few years now, and are constantly improving this part of their malicious code.
Wendt concluded: “Ransomware arguably represents one of the most insidious and dangerous threats that organizations currently face to the health of their data. The inability to access and recover from a ransomware attack may put the very survival of a company at risk.
“To counter this risk, many look to backup software as their primary means to recover from these attacks. But as ransomware takes aim at backup software, organizations need to take a fresh look at their backup software to make sure that it has the right set of features to counter these newest forms of ransomware attacks to ensure they have a verifiable path to recovery.”
Sjouwerman.Stu. “Ransomware Can Destroy Backups in Four Ways” KnowBe4 CyberheistNews Vol7 #37 Sept 2017