When ransomware first appeared in data centers, it had a simple attack pattern. Once it landed inside the data center, the malware tried to encrypt every file as fast as possible. If IT didn’t have good backups, the organization was forced to pay the ransom to gain access to their data. Ransomware forced the organization to improve their data protection capability but the ransomware “business model” proved profitable. The bad actors are continuously improving their capabilities, and IT needs to make sure their backup solution is ready.
All backup software creates data, which is a copy of the data that it is protecting. Most backup software solutions store this data in a directory with a name that is universal across that vendor’s customers. The next generation of ransomware looks for these universal directories and deletes the data within the directory before triggering and encrypting the organization’s data. As a result, IT finds that it has no backup data from which to recover from the ransomware attack.
Backup software solutions need to randomize the directory names of the places it stores backup data, or at least allow the user to create their own directories. Ideally, the backup software should move the directory location on occasion to make sure that data is harder for the ransomware attack to find.
The 3-2-1 Rule Fails
The 3-2-1 Rule states that an organization should have three copies of data on two different types of media with one of the copies placed off-site and off-line. The off-line copy is “air-gapped.” The 3-2-1 rule, in theory, protects the organization from an attack on its backup data. Even if the malware deletes the primary backup repository, the organization can recover from one of the other copies.
To circumvent the 3-2-1 rule malware developers implement a timed release strategy. Instead of automatically triggering when the malware gains access inside the organization, the software sits idle. This results in multiple backups of the malware by the backup software. The malware may also copy itself throughout the network.
At some pre-determined point in the future, the malware activates, encrypting all the data in the organization. IT resorts to its backup, maybe even one of its disconnected copies, and starts restoring data. Along with restoring the data, it also restores the malware, which reactivates and starts encrypting data again, placing the organization in an endless attack loop.
Breaking the attack loop requires a time consuming and arduous process of finding the offending malware file and manually removing it from all backups. In most cases, the organization gives in and pays the ransom.
Backup software applications need to implement malware scanning both as the backup is in progress and as a restore occurs. Scanning inbound data removes the file before it ever becomes a problem and allows IT to remove it from the environment before it ever triggers. Scanning data during restoration ensures that if a malware file was unknown at the time of backup, it is removable during the recovery.
Ransomware is a profitable business for the bad actors. They are taking steps to make sure their attacks are more successful against IT’s increased attention to the backup process. Since backup software is the primary defense mechanism, IT needs to look for data protection solutions ready to defend against new ransomware capabilities. Today, key capabilities include randomizing backup data directory names and moving that data as well as scanning for malware as part of the backup process.
To learn more about the evolution of Ransomware and what IT should look for in its backup solution, watch our Lightboard Video, “Ransomware Attacks Backup.”