Will your backups protect you against ransomware?

The headlines are full of reports about institutions such as hospitals and police departments, organizations that should have business continuity plans in place with solid backup strategies

 Will your backups protect you against ransomware?
Credit: Keith Hall

In theory, nobody should be paying any money to the ransomware extortionists. Doesn't everyone have backups these days? Even consumer has access to a wide variety of free or low-cost backup services.

But the headlines are full of reports about institutions such as hospitals and police departments, organizations that should have business continuity plans in place with solid backup strategies.

Still, according to the FBI, more than $209 million in ransomware payments have been paid in the United States in the first three months of 2016 -- up from just $25 million for all of 2015.

What's going on? Why aren't backups working?

To save money, some organizations don't include all their important files in their backups, or don't run their backups often enough. Others don't test their backups and find out that the systems don't work only when it's too late. Finally, some companies put their backups on network drives that ransomware can easily find and jump to and encrypt.

How many backups are enough?

There's always a trade-off between price and security, and most organizations have to prioritize their spending.

"Generally, what we've seen in the client market historically for backing up client data, when IT departments look at the cost of storage to store all the data, they're a little reluctant to put in the investment," said David Konetski, fellow and executive director in the client solutions office of the CTO at Dell. "But that's before the cost of storage has come down exponentially in the last five to 10 years. Now we're in a world with really inexpensive storage and cloud storage."

In addition, it might not be enough just to back up the important data and documents. Entire machines may need to be backed up, if they are critical to the business.

For example, at Hollywood Presbyterian Medical Center, which recently paid the equivalent of $17,000 to cybercriminals, the ransomware didn't just encrypt files but severely affected operations for about 10 days, forcing staff to go back to paper records and fax machines. Local news organizations reported that some emergency patients were diverted to other hospitals.

"The malware locked access to certain computer systems and prevented us from sharing communications electronically," said CEO Allen Stefanek in a letter to the public.

For the hospital, the quickest way to restore the systems was to pay the ransomware.

This doesn't always solve the problem. There have been reports of hospitals paying the ransom and not getting the keys, or being hit up for a larger amount.

If clean images of the infected machines were readily available, the hospital could have completely wiped the infected hardware and restored it to the last good version. And organizations don't have to store multiple complete copies of every system -- incremental backup systems save just the latest changes, making them very efficient.

"If the entire system has been compromised, you could roll back to the bare metal," said Stephen Spellicy, senior director, product management, enterprise data protection, mobile information management, at HPE.

Putting backups to the test

Creating a comprehensive backup strategy is an involved process, especially for large enterprises with multiple types of data, files, and systems to protect.

That complexity is one reason that backups aren't working, said Stephen Cobb, senior security researcher at ESET. Another reason is that the backups might not be taking, or the recovery process might be too difficult.

"The biggest gotcha that companies are encountering when they get hit with ransomware is that they haven't had a recent test of their recovery process," he said. "They've been doing backups, but they haven't been drilled in how to recover -- and there's anecdotal evidence that some administrators ask, 'How much pain would it be to restore from a backup versus pay the ransom?'"

Many companies are failing to properly test their backups, confirmed HP's Spellicy.

"One of the main reasons we find customers is because they've gone off and tried to do recovery from another vendor, and they're looking for a new solution because it failed on them," he said. "When you need it, it needs to work. That is very critical -- if you can't get back to it, then it's useless."

Hiding backups from the bad guys

Cyber extortionists know that backups are their number one enemy and are adapting their ransomware to look for them.

"Several ransomware families destroy all Shadow Copy and restore point data on Windows systems," said Noah Dunker, director of security labs at RiskAnalytics "Many ransomware families target all attached drives, and happen to encrypt the backups as well, though not likely by design."

Any file system that's attached to an infected machine is potentially vulnerable, as well as attached external hard drives and plugged-in USB sticks.

"To make your backups ransomware proof, you should use a drive not mounted to a particular workstation," said Sam McLane, head of security engineering at ArcticWolf Networks. "For example, stream the data over the network to another workstation or storage device using a backup application. Make sure to keep this storage device or drive protected and not accessible to user workstations, especially if they have Internet access."

Security controls need to be in place to segregate users from backups, said Todd Feinman, CEO at data classification firm Identity Finder. Off-site backups, well-secured and encrypted, are also a good practice.

"You don't need to have access on a daily basis -- those backups are there only for an emergency, when everything else falls apart," he said.

For day-to-day use, such as when employees accidentally delete important files and need to restore them, there are many file synching services available, he added.

These systems will constantly monitor for changes in files. But if malware gets into the computer and encrypts all the files, the encryption will be mirrored by the backup system as well.

Fortunately, the previous versions of the files will usually be kept.

"Once the current files are encrypted, the backups will be encrypted and the business will have to roll back to an earlier backup that was not encrypted," said Craig Astrich, director at Deloitte Cyber Risk Services.

However, the ransomware itself may hide in the encrypted files when they are backed up.

"If an encrypted file is backed up as part of the backup process it could re-encrypt the environment once the files are restored," said Scott Petry, co-founder and CEO at Authentic8. "This could get a user in a loop of continual backup-restore-encrypt. Any backup process should be implemented alongside malware scanning in order to identify these exploits before backing up or restoring."

It's not just about the data

If losing files and getting locked out of mission-critical systems wasn't bad enough, ransomware might be doing even more damage.

It might be covering up other attacks.

"Advanced hackers are using ransomware as a secondary infection or to counter incident response," said Tom Kellermann, CEO at Strategic Cyber Ventures.

And they may even hijack a company's communications or website to spread the ransomware further.

This story, "Will your backups protect you against ransomware?" was originally published by CSO.

To comment on this article and other CIO content, visit us on Facebook, LinkedIn or Twitter.
Download the CIO October 2016 Digital Magazine
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.