An evolving threat
Ransomware now comes with a frightening new element: attackers deliberately destroying your ability to recover from backups. At Alvaka Networks, we are currently involved in some of the largest ransomware recovery projects, both insured and uninsured. The most sinister trend we have seen in the last 18 months is the deletion of system backups. It does not matter whether the backups are in the cloud, on tape, or on spinning disk; the attackers have become quite adept at locating and destroying backups wherever they reside. Ransomware protection is layered. First, you want to keep the attackers out. If that fails, you want to detect their activity and stop them before they can do much damage. And if that fails too, your fail-safe is recovery from backups, which is exactly the layer they are now targeting.
Changes in cybercriminals’ goals
The goal of ransomware gangs is to inflict the maximum pain and suffering on you, because that is how they maximize their payout. The rapid growth in ransoms paid is testament to the pain they are creating; each quarter, we see attackers get bolder and ask for more money. Six years ago, a ransom would have been a few hundred dollars, even for a large firm. The attacker of the past had no insight into whom they had hit; the price was the same whether it was your grandmother's single PC full of photos or the servers of a billion-dollar company. Then, about two years ago, ransom gangs started researching whom they had hit and began asking for thousands to tens of thousands of dollars. Now we see ransoms typically starting above $100,000, and some above $5,000,000. Without their IT systems and historical data, companies risk going out of business, which is why some decide to pay the ransom.
How it has changed
To get paid, ransomware attackers must be patient. First, they compromise your environment quietly and remain undetected. Next, they carefully explore it, learn how it works, and document it in detail, including where the backups live. Often they are inside for months before they strike, and when they do strike, they likely know your environment better than you do. They most often hit after hours, at the start of a weekend or a long holiday, so that they have maximum time to encrypt and destroy before anyone notices something is wrong. As part of the attack, they delete or encrypt the backups onsite and/or in the cloud, thwarting your ability to recover.
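The backup-destruction step is also where detection has a real chance, because the attacker has to run specific commands on the victim's own machines to remove local recovery points. The following Python detector is an added example, not Alvaka's code and not part of DRworx. It runs a small set of rules for the well-known Windows recovery-inhibition commands (vssadmin, wmic shadowcopy, wbadmin, bcdedit, and the PowerShell equivalent) over constructed process-creation records, and then flags hosts where several different rules fire, which is a much stronger ransomware-staging signal than a single hit. The record field names (Computer, User, CommandLine) and the sample events are assumptions made for the example.

```python
"""Flag Windows command lines that delete or disable local recovery points.

Added example (not Alvaka Networks' code and not part of DRworx). The event
records are constructed to look like parsed process-creation events
(Sysmon Event ID 1 / Security 4688); the field names are an assumption.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Well-known recovery-inhibition commands run by ransomware before encryption
# (MITRE ATT&CK T1490). Patterns are case-insensitive and tolerate the
# spacing, quoting and ".exe" variations seen in real command lines.
RULES = [
    ("vss_shadow_delete",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vss_shadowstorage_resize",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_backup_delete",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:catalog|systemstatebackup|backup)\b", re.I)),
    ("bcdedit_recovery_off",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("powershell_shadowcopy_delete",
     re.compile(r"\b(?:Get-WmiObject|gwmi|Get-CimInstance)\b.*Win32_ShadowCopy.*"
                r"(?:Remove-WmiObject|Remove-CimInstance|\.Delete\(\))", re.I)),
]


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one hit per event whose CommandLine matches a rule.

    A benign 'vssadmin create shadow' or 'vssadmin list shadows' does not
    match: every rule requires the destructive verb, not just the tool name.
    """
    hits = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append({"rule": name,
                             "host": ev.get("Computer", ""),
                             "user": ev.get("User", ""),
                             "cmd": cmd})
                break  # one hit per event is enough
    return hits


def staging_hosts(hits: List[Dict[str, str]], min_rules: int = 2) -> List[str]:
    """Hosts where at least `min_rules` *different* rules fired.

    A lone shadow-copy deletion can be an administrator freeing disk space;
    several distinct recovery-inhibition commands on one host are the
    fingerprint of an encryption run about to start.
    """
    rules_per_host = defaultdict(set)
    for h in hits:
        rules_per_host[h["host"]].add(h["rule"])
    return sorted(host for host, rules in rules_per_host.items()
                  if len(rules) >= min_rules)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "FS01", "User": "CORP\\svc_backup",
     "CommandLine": "C:\\Windows\\System32\\vssadmin.exe create shadow /for=D:"},
    {"Computer": "FS01", "User": "CORP\\admin2",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Computer": "FS01", "User": "CORP\\admin2",
     "CommandLine": "wbadmin DELETE CATALOG -quiet"},
    {"Computer": "FS01", "User": "CORP\\admin2",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"Computer": "WS22", "User": "CORP\\jdoe",
     "CommandLine": 'powershell.exe -nop -w hidden "Get-WmiObject Win32_ShadowCopy '
                    '| ForEach-Object { $_.Delete() }"'},
    {"Computer": "WS07", "User": "CORP\\asmith",
     "CommandLine": "notepad.exe C:\\Users\\asmith\\notes.txt"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['host']:5} {h['user']:16} {h['rule']:30} {h['cmd']}")
    print("likely ransomware staging on:", staging_hosts(found))
```

In the sample, FS01 trips three different rules in a short burst and is reported as a staging host, while WS22's single PowerShell shadow-copy deletion is recorded but left for an analyst to triage; in production the same rules belong in the EDR or SIEM, with the burst logic scoped to a time window and the alert wired to a response that cuts the host off before the encryption run starts.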
Unfortunately, not even tape backups are necessarily safe. One recent victim had their systems encrypted but, fortunately, had off-site backups on tape. The victim brought the tapes in and started the restore process; however, the attackers were still inside and monitoring system activity. Once the tape restore was under way, the client's IT staff took a few hours off to get some sorely needed rest. Three hours later, they discovered that the attackers had intercepted the restore process and deleted the backups. The next good set of off-site backups the victim had was too old to be of any value, and the victim was forced to pay the ransom. The lesson is that recovery must not begin while the attacker still has access: contain and evict first, reset the credentials the attacker could have captured, and restore into an environment the attacker cannot reach.
Options to stay safe
So what options do you have for safe backups? If you are using tapes, an off-site tape archiving process like the following is crucial: tapes are write-protected before shipment to a secure off-site, out-of-region facility, giving you peace of mind that attackers cannot digitally reach your historical data. Write-protecting the tapes and transporting them off-site together satisfy what is needed to air-gap the archive data from the rest of the IT systems. Note that the write-protect tab is a physical setting on the cartridge; what truly protects the data is that the tape is out of the library and out of the attacker's reach, so the tapes must not be loaded back into an environment the attacker still controls. So what about disk-to-disk backups? A replicated off-site copy on spinning disk can be made immutable at the storage level (e.g., NetApp SnapLock) or at the backup-software level (e.g., Veeam Insider Protection), so that even a compromised administrator account cannot delete or overwrite it before the retention period expires. Alvaka's DRworx Backup as a Service to the cloud, with a bona fide air gap, is one of your best options to make sure you can recover from a ransomware tragedy should protection and detection fail to keep you safe. DRworx has the added benefit of business continuity: the ability to spin up servers in the cloud should your on-premises or cloud-based servers fail for some reason. A Q&A with more specific information on the unique security benefits of DRworx backups is available on our site.