Ransomware is coming for corporate back-up servers

Compromised back-up servers can thwart efforts to restore damage done by ransomware and give attackers the chance to extort payments in exchange for keeping sensitive stolen data secret.

Back-up and recovery systems are at risk for two types of ransomware attacks: encryption and exfiltration – and most on-premises back-up servers are wide open to both. This makes back-up systems themselves the primary target of some ransomware groups, and warrants special attention.

Hackers understand that back-up servers are often under-protected and administered by junior personnel who are less well versed in information security.

And it seems no one wants to do anything about it, lest they become the new back-up expert responsible for the server. This is an age-old problem that can allow back-up systems to pass under the radar of the sound processes that protect most servers.

It should be just the opposite. Back-up servers should be the most up-to-date and secure systems in the data centre. They should be the hardest to log in to as Administrator or root, and they should require jumping through the most hoops to log in remotely.

An important role back-up servers play is providing the means to recover from a ransomware attack without paying the ransom.

They contain the data needed to rebuild the machines that have been encrypted by the ransomware, so ransomware groups try to encrypt the back-ups, too. The saddest line in any ransomware story is, “and the back-ups were also encrypted.” They are your last line of defence, and you must hold the line.

That’s the traditional ransomware attack, but data exfiltration is fast becoming a primary motivation for ransomware attackers who target back-up servers. If bad actors can exfiltrate and decrypt your company’s secrets via the back-up server, they can extort you in a way that you cannot defend against: “Pay up or your company’s most important (or worst) secrets will become public knowledge.”

Then they give you access to a web page where you can see the data they have, and your organisation has little choice but to pay the ransom and hope they keep their promise.

This strategy makes sense for ransomware groups. It’s easier to go after the one server that definitely holds all of an organisation’s sensitive data than to successfully attack many servers that may hold some sensitive data.

Following this logic, once a piece of malware gets into your data centre, it immediately contacts its command-and-control server to find out what it should do next. Increasingly, the next step is to identify what type of back-up system is being used and, once that is known, to begin directly attacking that system.

The attackers might try to directly access your back-up data over the network via NFS or SMB, and if they can — and it's unencrypted — their job is done. If they can’t, they go directly at the operating system of the back-up server using a system exploit or compromised credentials to gain Administrator/root access.

Gaining access to the machine key used for basic encryption gives them the keys to the back-up kingdom, and all bets are off. 

The best way to defend against this scenario is to keep ransomware organisations from compromising your back-up servers. Here’s how:

  • Keep OS and application patches up to date
  • Shut off all inbound ports except those required by back-up software
  • Enable necessary management ports (e.g. SSH, RDP) via a private VPN
  • Use a local host file to prevent malware from contacting command-and-control servers
  • Maintain a separate password-management system for back-up and application servers (i.e. no LDAP)
  • Enforce the use of multi-factor authentication
  • Limit the use of root/Administrator; set off alarms when you do
  • Use SaaS back-up as an alternative to managing your own back-up server
  • Use least privilege wherever possible, giving each person the privileges they need to do their job and nothing more
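The "inbound ports", "management via VPN only" and "limit root" items above are the easiest to verify mechanically. The following is an added example, not code from the article: a small Python audit that reads socket-listener output in the shape of `ss -tlnH` and an `sshd_config` fragment and reports violations. The sample inputs are constructed, and the back-up software port (9392) and VPN address range (10.0.5.0/24) are assumptions, not any vendor's real values.

```python
import re

# Constructed sample, shaped like `ss -tlnH` output on a back-up server.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22     0.0.0.0:*
LISTEN 0 128 10.0.5.10:9392 0.0.0.0:*
LISTEN 0 128 0.0.0.0:445    0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::]:3389      [::]:*
"""
# Constructed sample sshd_config fragment.
SAMPLE_SSHD = "PermitRootLogin yes\nPasswordAuthentication yes\n"

BACKUP_PORTS = {9392}        # assumed: the only inbound port the back-up software needs
MGMT_PORTS = {22, 3389}      # SSH/RDP: allowed only on the VPN-facing address
VPN_PREFIX = "10.0.5."       # assumed: address range of the management VPN

def audit_ports(ss_output):
    """Flag listeners that violate the 'inbound ports' and 'VPN-only management' rules."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")   # works for IPv4, [IPv6] and '*'
        addr, port = addr.strip("[]"), int(port)
        if addr in ("127.0.0.1", "::1") or port in BACKUP_PORTS:
            continue                                # loopback-only or required by back-up software
        wide_open = addr in ("0.0.0.0", "::", "*")
        if port in MGMT_PORTS:
            if wide_open or not addr.startswith(VPN_PREFIX):
                findings.append(f"management port {port} reachable outside VPN ({addr})")
        else:
            findings.append(f"unexpected inbound port {port} bound on {addr}")
    return findings

def audit_sshd(config_text):
    """Flag direct root login and password-only auth (the 'limit root' and MFA items)."""
    settings = dict(re.findall(r"^\s*(\w+)\s+(\S+)", config_text, re.M))
    findings = []
    # A missing directive is treated as unsafe so the audit errs on the side of reporting.
    if settings.get("PermitRootLogin", "yes").lower() != "no":
        findings.append("sshd permits direct root login")
    if settings.get("PasswordAuthentication", "yes").lower() != "no":
        findings.append("sshd accepts passwords; require keys plus a second factor")
    return findings
```

On a real host, feed it the live output of `ss -tlnH` and the contents of `/etc/ssh/sshd_config` instead of the constructed samples, and extend the allowlists to match your back-up product.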

To protect the back-up data itself from extortion or encryption, you should configure your back-up system like this:

  • Encrypt all back-up data wherever it is stored
  • Use third parties to manage encryption keys
  • Do not store back-ups as files via DAS or NAS. Ask your vendor for more secure methods.
  • Store back-ups on a different operating system than your back-up server.
  • Use on-premises storage with immutable features (e.g. Linux)
  • Create a copy on tape/RDX and send it offsite
  • Create a copy on immutable cloud storage.

This will be a lot of work for most environments but worth it if you recognise how much danger your back-up server is in.
