Our lead security architect, Dominic Bland, was recently asked by MTI and Dell to speak at a joint event on ‘How to avoid common pitfalls when recovering from a Cyber Attack’. Focussing on the ‘recovery’ phase of the NIST Cyber Security Framework. That event is available to view on the MTI website here.
In this article we detail some further considerations around ransomware and backup recovery.
Ransomware and Backup Recovery
Backups are often misunderstood, especially with ransomware attacks. It is often assumed that if you have backups, you can recover from a ransomware attack. However, there’s some key points to focus on with backups, and in particular the ‘offline’ in offline backups.
Through incident response engagements we’ve discovered that this is often misunderstood. Even sometimes by professionals in the industry.
The idea of an offline backup is simple in its essence, and that is that if an attacker compromises your infrastructure and they have gained control over your administration accounts, that compromise should not give them access to your offline backup.
This is important because ransomware attackers will look for and target your backup systems. If they compromise your infrastructure, and they’ve got access to your backups, then your backup system will be at risk.
The idea of offline backups is that you have a copy of your data. Virtual machines, all of it, somewhere that those attackers cannot get to.
Traditionally that meant that the data must be offline, and that means something like tapes in a room, in a different building. Or you’ve copied everything to a hard drive, and you’ve taken that hard drive out of the system. It’s not connected to the network anymore.
But, there’s a little bit more complexity to that now and consideration should be taken with your ransomware and backup recovery strategy.
Types of Backup Systems
Cloud Backups
There are a couple of different ways you can engender what are effectively offline backups, even though they are actually online, i.e. network connected. The first mechanism and the obvious mechanism for a true offline backup is you take the data and you disconnect it from the network, either a tape or a hard drive, but it is physically not connected to the network anymore. An airgap.
The second version of an offline backup that we are starting to see, is a cloud system with its own administration, its own authority that reaches into your infrastructure and pulls data out of it.
Now, the reason the direction is so important is because if your infrastructure is pushing the data up to the cloud system, then someone who controls your infrastructure has access direct access to that cloud system – and your backups. So, it doesn’t work in that direction. It must be that a completely isolated system is reaching into your network and pulling that data out, so you can use a cloud service to create a cloud backup, but only if it’s directional in this way.
Immutable Backups
There is a new piece of technology which is just starting to come out for storage devices from a lot of the major vendors. And that is an idea that is baked into the system, there is a switch you can flick, and it is a one-way switch that says write this data into the data store, but that data cannot be overwritten and the system on this device will enforce it, even to the administrators of the system.
Once an administrator says this is a read only copy, an immutable copy. The system will not allow anything, even the administrator, to change that choice for a particular amount of time.
This means that you must have a much larger storage system because in your core backup system, your core data store, you need enough space for that immutable copy of your data. But what it does mean is you do not have to go through all the additional set up and cost and management of having a cloud service reach in.
You do not have to have a human take the tape out of the tape machine and put it in another room. You can have the data backed up to your device, then have the device create an immutable copy of it.
Importance of Testing Recovery
It is not uncommon for organisations that fall victim to ransomware attacks end up paying the ransom, because after starting the data recovery process, they have realised it would take them weeks or months to recover their data. With ransomware and backup recovery, there are some common issues that you may find when going through the recovery process:
- If you can only restore from a single point in time, how do you restore hundreds of files and directories that were modified over many weeks?
- Is your backup, disaster recovery and incident response documentation available when your primary systems are not online?
- Have you tested recovering from a newly implemented backup system?
- Is the data that you require available in the backup system, or is it older data?
- How long will it take you to download the backups?
- Do you try to recover all the data or only the files that were encrypted?
Backups as a Defence for Ransomware
In 2021 we saw a new tactic being implemented by ransomware gangs in their attacks, double extortion.
Double extortion is where the ransomware gang will steal copies of your sensitive information (company accounts, customer and employee personal information, customer credit card information, design blueprints, manufacturing process information, HR records, merger & acquisition details, legal agreements, etc…)
This is now a common tactic used by all ransomware gangs and a tactic we expect to continue.
Once they have stolen that data they will then threaten to sell or publish that data (on the internet or the darkweb). Knowing what data you have and where it resides is critical in understanding what your regulatory obligations are and how sensitive the information is that has been stolen.
Therefore it is important to implement a defence in depth strategy and not to rely solely on backup systems. It is also we why strongly advocate cyber incident response preparations and frameworks. So that systems such as centralised logging can be implemented ahead of time, so that organisations can easily identify what data has been stolen and what systems have been compromised, and so that an adequate response process can be implemented.
Ransomware groups are regularly updating and improving their malware (malicious software), and most recently we have seen the use of multithreaded processing to accelerate the encryption process. Because of the speed and scope of the encryption process, problems can occur, meaning it can compromise the data and mean that it cannot be successfully decrypted (if you decide to pay the ransom). So backups are still important, but they should be used as part of a comprehensive defence strategy.
Ransomware and Backup Recovery
Where there is a disaster recovery and incident response plan, they should be followed. For ransomware attacks, part of this process should include a forensic analysis to:
- Determine the scope of the incident
- Determine how the attackers got into the environment
- Determine what systems, services and data has been affected
Once the compromised systems have been identified the response team can then start eradicating the ransomware, remediating the vulnerabilities, and restoring the systems.
This is to ensure that the attackers cannot take the same path into your environment, and to ensure that when you start recovering from backups, you are not re-introducing the threat into your environment.
Internal Systems, Services and Processes
Another overlooked factor is the wider systems, services, processes, and functions that support an organisation. Ransomware attackers will try to cause as much damage as possible, and that means taking as many critical services and systems offline as possible.
This could include:
- Telephony/VOIP
- Cloud applications and cloud services
- File servers and file shares
- Line of Business applications
- ERP and CRM systems
- Other core IT infrastructure such as Domain Controllers and Active Directory
So, infrastructure services, software, configurations, network settings, security tools all need to be factored into the recovery process.
How We Can Help
If you have a cybersecurity incident, believe you are under attack or have been compromised, then call us immediately for assistance on 020 7193 4905 or email us as incident [at] first-response.co.uk
Other Articles of Interest