Ransomware is becoming the number one threat to data, which makes it essential to ensure that bad actors don’t encrypt back-up data along with primary data when they execute ransomware attacks. If they succeed at that, businesses will have no choice but to pay the ransom, and that will encourage them to try it again.
The key to not having to pay ransom is having the back-ups to restore systems that ransomware has encrypted. And the key to protecting those back-ups from ransomware is to put as many barriers as possible between production systems and back-up systems.
Whatever CIOs do, make sure that the only copy of back-ups is not simply sitting in a directory on a Windows server in the same data centre the business is trying to protect. Let’s take a closer look at a few key elements of that sentence: “Windows”, “same data centre”, and “sitting in a directory”.
The majority of ransomware attacks are against Windows hosts, and they spread to other Windows hosts in a computing environment once a single host is infected. Once the ransomware has spread to enough hosts, the attacker activates the encryption program and suddenly the entire world is shut down. Therefore, the most obvious thing to do would be to use something other than Windows as a back-up server.
Unfortunately, many popular back-up products run primarily on Windows. The good news is that many of them also offer a Linux alternative. Even if the main back-up software must run on Windows, it might also have a Linux media-server option.
The media servers are the key because that is where the data is that businesses are trying to protect. If back-ups are only accessible via Linux-based media servers, ransomware attacks against Windows-based servers will not be able to attack them.
In addition to storing regular back-ups behind a Linux-based media server, make sure the back-ups of the main back-up server are stored there as well. It doesn’t do any good to have back-ups unencrypted if the database needed to access those back-ups is encrypted by the ransomware.
CIOs should also harden Windows-based back-up servers as much as possible. Learn the services ransomware uses to attack servers (such as RDP) and turn off as many of them as possible. Remember this server is the last line of defence, so think security, not convenience.
Get back-ups out of the data centre
Whatever back-up solution CIOs choose, copies of back-ups should be stored in a different location. This means more than simply putting a back-up server in a virtual machine in the cloud. If the VM is just as accessible from an electronic perspective as it would be if it were in the data centre, it’s just as easy to attack.
CIOs need to configure things in such a way that attacks on systems in the data centre cannot propagate to back-up systems in the cloud. This can be done in a variety of ways, including firewall rules, changing operating systems and storage protocols.
For example, most cloud vendors offer object storage and most back-up software products and services are capable of writing to it. Ransomware attackers may be sophisticated, but so far have not figured out how to attack back-ups stored on object-based storage. In addition, such providers often offer a write-once, read-many option, meaning that users can specify a period during which back-ups cannot be modified or deleted, even by authorised personnel.
There are also back-up services that can write data to their storage that isn’t accessible except via their user interface. If users can’t directly see back-ups, then neither can the ransomware.
The idea is to get back-ups—or at least one copy of the back-ups—as many hops away from an infected Windows system as they can be. Put them in a provider’s cloud protected by firewall rules, use a different operating system for back-up servers, and write back-ups to a different kind of storage.
Remove file-system access to back-ups
If the back-up system is writing back-ups to disk, make sure they are not accessible via a standard file-system directory. For example, the worst possible place to put back-up data is E:\backups. Ransomware products specifically target directories with names like that and will encrypt back-ups.
This means that CIOs need to figure out a way to store those back-ups on disk in such a way that the operating system doesn’t see those back-ups as files. For example, one of the most common back-up configurations is a back-up server writing its back-up data to a target deduplication array that is mounted to the back-up server via server message block (SMB) or network file system (NFS).
If a ransomware product infects that server, it will be able to encrypt those back-ups on that target deduplication system because those back-ups are accessible via a directory. Users need to investigate ways to allow back-up products to write to the target deduplication array without using SMB or NFS. All popular back-up products have such options.
What about tape?
Of course, there is always our old friend tape. One thing tape is really good at is copying last night’s or last week’s back-up to another medium that can then be sent off-site for safekeeping against ransomware attacks.
Even the best ransomware product would be completely unable to infect back-ups if CIOs take them out of the tape library and hand them to an Iron Mountain driver. Sometimes the old ways are the best ways.
Put in some roadblocks
Don’t make it easy for ransomware to see and encrypt back-ups. Don’t store them on a Windows server if possible and have at least one copy stored somewhere that is not electronically accessible from the data centre. Finally, configure the back-up system in such a way that back-ups can’t be seen as files on the back-up server.