I just read an article that is full of great information on protecting your backups from a ransomware attack. The article states what I have long said: you must practice security in layers. No one tool or solution is going to protect you. You need multiple layers to thwart the bad actors at every step. Backups are essential for ransomware recovery, but they had better not be your only strategy. After reading this article you will want to protect your backups differently.
Here are some of the juiciest and most compact quotes from the article on BleepingComputer (by the way, that site is great, too):
- During ransomware attacks, attackers will compromise an individual host through phishing, malware, or exposed remote desktop services. Once they gain access to a machine, they spread laterally throughout the network until they gain access to administrator credentials and the domain controller. Using tools such as Mimikatz they proceed to dump credentials from Active Directory.
- The Maze Ransomware operators told BleepingComputer that cloud backups that have been configured are very useful to steal data once they gain access. When Maze finds backups stored in the cloud, they attempt to obtain the cloud storage credentials and then use them to restore the victim’s data to servers under the attacker’s control.
- As the attackers are restoring directly from the cloud to their servers, it won’t raise any red flags for the victim as their servers appear to be operating normally with no logs being created in their backup software.
- With a victim's data now stolen and their backups deleted, the attackers deploy their ransomware throughout the compromised network using PsExec or PowerShell Empire, typically during off-hours. This usually leads to a company opening the next day to an encrypted network.
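The deployment step in the last quote leaves a footprint you can hunt for. As an added example (my own code, not from the BleepingComputer article, the Maze operators or the Empire project), here is a small Python scan over Windows System event log records: PsExec installs a helper service named PSEXESVC on every target it touches, and Windows records each service installation as Event ID 7045, so those records are a cheap place to look for "spread with PsExec during off-hours". The log records are constructed for the demo, the JSON field names (EventID, Computer, TimeCreated, ServiceName, ImagePath) are assumed to match what your log forwarder emits, the business-hours window is an assumption, and the encoded-PowerShell check is a heuristic for Empire-style launchers rather than a signature for Empire itself.

```python
"""Hunt for the ransomware-deployment stage in Windows System event logs.

Added example for this post, not code from the BleepingComputer article, Maze or
Empire. PsExec installs a helper service named PSEXESVC on each target, and Windows
writes every service installation to the System log as Event ID 7045, so those
records are a cheap place to look for the "spread with PsExec during off-hours"
step. The records below are constructed; field names (EventID, Computer,
TimeCreated, ServiceName, ImagePath) are assumed to match what your forwarder
emits, and the business-hours window is an assumption.
"""
import json
import re
from datetime import datetime, time

# Assumption: service installs outside this window count as off-hours.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)

# Heuristic, not an Empire signature: a service whose binary is PowerShell with an
# encoded command (-e / -ec / -enc / -EncodedCommand) is the shape Empire-style
# launchers take and is almost never how legitimate services are installed.
ENCODED_PS = re.compile(r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\s", re.I)


def is_off_hours(ts):
    """True on weekends or outside BUSINESS_START..BUSINESS_END."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def classify(event):
    """Return an alert reason for a service-install event, or None."""
    if event.get("EventID") != 7045:
        return None
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "")
    if name.upper() == "PSEXESVC" or "psexesvc" in path.lower():
        return "psexec_service_install"
    if ENCODED_PS.search(path):
        return "encoded_powershell_service"
    return None


def scan(lines):
    """Parse JSON log lines and return alerts, rated higher when off-hours."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        reason = classify(event)
        if reason is None:
            continue
        ts = datetime.fromisoformat(event["TimeCreated"])
        off_hours = is_off_hours(ts)
        alerts.append({
            "host": event["Computer"],
            "time": event["TimeCreated"],
            "service": event.get("ServiceName"),
            "reason": reason,
            "off_hours": off_hours,
            "severity": "high" if off_hours else "medium",
        })
    return alerts


# Constructed sample: one normal install, two PsExec installs (one during the day,
# one on a Saturday night), one Empire-style launcher, one unrelated event.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS-017", "TimeCreated": "2020-03-12T10:15:00",
     "ServiceName": "gupdate",
     "ImagePath": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc"},
    {"EventID": 7045, "Computer": "FILESRV01", "TimeCreated": "2020-03-12T14:00:00",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7036, "Computer": "FILESRV01", "TimeCreated": "2020-03-12T14:00:01",
     "ServiceName": "PSEXESVC"},
    {"EventID": 7045, "Computer": "DC01", "TimeCreated": "2020-03-13T23:41:00",
     "ServiceName": "Updater",
     "ImagePath": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
                  r"-noP -sta -w 1 -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventID": 7045, "Computer": "WS-042", "TimeCreated": "2020-03-14T02:13:00",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The daytime PsExec install on FILESRV01 is only rated medium because administrators use PsExec legitimately; the same service appearing on a workstation at two in the morning on a Saturday, or a service whose binary is an encoded PowerShell one-liner on a domain controller, is what you want paged. Note that PsExec's service name can be changed by the operator, so treat the PSEXESVC check as the cheap catch, not the only one.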
The article's summary on protecting your backups from ransomware:
- In emails with Rick Vanover, Senior Director, Product Strategy at Veeam Software, we were told that it does not matter what software you use, once an attacker gains privileged access to the network, everything is at risk.
- “I recommend Veeam installations to use non-domain accounts for components as well as to add more account-based layers of resiliency. Additionally, Veeam has recommended that the Veeam deployment not have Internet access or otherwise be on an isolated management network,” Vanover told BleepingComputer.
- To prevent ransomware attackers from gaining complete leverage over a victim, Veeam recommends that companies follow a 3-2-1 Rule when configuring backups.
- As for protecting a network from data exfiltration, the best solution is to prevent the attackers from gaining access to your network in the first place and to monitor for suspicious activity. This would include utilizing network monitoring software, intrusion detection systems, and geographic and IP access control for cloud storage providers if available.
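The last two points deserve a concrete shape, because the scary part of the Maze quote is that the restore-to-the-attacker never touches your backup software's logs. The storage provider still records every request, though. As an added example (my own code, not from the BleepingComputer article, Veeam or any cloud provider), here is a Python scan over a cloud storage access log that applies the two controls the article recommends: an IP allowlist for who is permitted to read or delete backup objects, and monitoring for bulk reads. The record format, the address ranges and the byte threshold are constructed assumptions for the demo; the allowlist is the same list you would put into the provider's IP-condition policy where the provider supports one.

```python
"""Spot a cloud-backup restore to the wrong place in the provider's access log.

Added example for this post, not code from the BleepingComputer article, Veeam or
any cloud provider. When backups are pulled from the cloud copy straight to the
attacker's own servers, the backup software writes nothing, but the storage
provider still records every request. This scan applies the two controls the
article recommends to that log: an IP allowlist for who may read or delete backup
objects, and monitoring for bulk reads. The record format, the address ranges
and the byte threshold are constructed assumptions for the demo.
"""
import ipaddress
import json
from collections import defaultdict

# Assumption: only the backup server's egress addresses may read or delete backup
# objects. This is the same list you would enforce in the provider's IP-condition
# policy; scanning the log catches reads that happened before the policy existed.
ALLOWED_SOURCES = [ipaddress.ip_network(c) for c in ("203.0.113.0/28", "198.51.100.40/32")]

# Assumption: more than this much data read by one principal from one address in
# the scanned window is a bulk restore and deserves a phone call.
BULK_RESTORE_BYTES = 5 * 1024 ** 3


def source_allowed(ip):
    """True when the request came from an approved backup-server address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def scan(lines):
    """Return alerts for reads/deletes from unapproved IPs and for bulk reads."""
    alerts = []
    read_bytes = defaultdict(int)
    for line in lines:
        rec = json.loads(line)
        op, ip, who = rec["operation"], rec["source_ip"], rec["principal"]
        if op in ("GET", "DELETE") and not source_allowed(ip):
            alerts.append({"time": rec["time"], "principal": who, "source_ip": ip,
                           "object": rec["object"],
                           "reason": f"{op.lower()}_from_unapproved_ip"})
        if op == "GET":
            read_bytes[(who, ip)] += rec.get("bytes", 0)
    for (who, ip), total in read_bytes.items():
        if total > BULK_RESTORE_BYTES:
            alerts.append({"principal": who, "source_ip": ip, "bytes": total,
                           "reason": "bulk_restore"})
    return alerts


GIB = 1024 ** 3
# Constructed sample: the backup server writes a full backup and test-restores a
# small one; a stolen backup credential is then used from an outside address to
# pull the whole set and delete it, exactly the Maze sequence quoted above.
SAMPLE_RECORDS = [
    {"time": "2020-03-11T22:05:00Z", "principal": "backup-svc", "source_ip": "203.0.113.5",
     "operation": "PUT", "object": "backups/2020-03-11/full.vbk", "bytes": 40 * GIB},
    {"time": "2020-03-12T09:30:00Z", "principal": "backup-svc", "source_ip": "203.0.113.5",
     "operation": "GET", "object": "backups/2020-03-10/sql.vbk", "bytes": 2 * GIB},
    {"time": "2020-03-13T01:10:00Z", "principal": "backup-svc", "source_ip": "192.0.2.77",
     "operation": "GET", "object": "backups/2020-03-11/full.vbk", "bytes": 40 * GIB},
    {"time": "2020-03-13T01:55:00Z", "principal": "backup-svc", "source_ip": "192.0.2.77",
     "operation": "GET", "object": "backups/2020-03-11/sql.vbk", "bytes": 3 * GIB},
    {"time": "2020-03-13T02:40:00Z", "principal": "backup-svc", "source_ip": "192.0.2.77",
     "operation": "DELETE", "object": "backups/2020-03-11/full.vbk", "bytes": 0},
    {"time": "2020-03-13T02:41:00Z", "principal": "backup-svc", "source_ip": "203.0.113.5",
     "operation": "LIST", "object": "backups/", "bytes": 0},
]
SAMPLE_LOG = [json.dumps(r) for r in SAMPLE_RECORDS]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Two things to notice. The stolen credential is the legitimate backup principal, so a rule keyed on "who" alone sees nothing wrong; it is the source address and the volume that give the theft away, which is why the article's suggestion of IP access control at the provider matters. And the detection is only as good as the log delivery: if the provider's access log lands in the same account the attacker already controls, ship it somewhere they cannot delete it, the same way the backups themselves should be.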