In case of attack - encryption! How safe is your backup from ransomware attacks?
by Svenja Koch
Backing up necessary data is a central component of any IT security strategy. A company without a backup concept is acting grossly negligently and is at risk of data loss at any time. However, even if a data backup is in place, this does not automatically mean complete security. Time and again, a ransomware attack results in the encryption of the backup files themselves. This article discusses why data backup plays a central role in cyber attacks and how data security can be improved.
Why is backup the focus of hackers during a cyberattack?
For organizations under attack, backup is the last line of defense. If the hackers succeed in encrypting files, organizations have only the latest backup available to prevent information loss.
Hackers are aware of this as well. In the event of a ransomware attack, they often look for the backup servers in advance and try to compromise them. If they also succeed in encrypting the backup copies, the company faces a digital worst-case scenario.
In a ransomware attack, the hackers' goal is to blackmail the victim. This only works if the encryption of the files, including the backup copy, succeeds. Then the chances increase that the company will give in to the extortion demand. For this reason, data backup is one of the critical targets of hackers during a cyber attack.
How do hackers get hold of the data backup?
In ransomware attacks, hackers proceed carefully and with a plan. The standard method attackers use to penetrate networks is phishing. The attackers gain access via infected file attachments that they send to employees of the company. If the recipient opens such an attachment, often a Word document, the computer is infected.
The attackers then have access to the first computer in the company's network. The dangerous thing about this attack pattern is that traditional defense mechanisms are largely powerless against it. Neither the firewall nor a virus scanner can detect such access. The same applies to zero-day attacks. These exploit vulnerabilities in software that have not yet been closed and for which no patch exists. If hackers find such vulnerabilities in the Microsoft Windows operating system, it is even easier for skilled attackers to penetrate a network.
Once initial access to the network has been established, the attackers spy on the network structures as inconspicuously as possible. This can be done, for example, by analyzing the access rights of the hijacked user. From this, a topography of the network can be created. This reveals servers for data storage, application servers, and the infrastructure for backups. In many cases, the attackers also try to gain further access by increasing the account's access permissions. In this way, the attackers penetrate even deeper into the network. Due to the complex and sophisticated approach, these ransomware attacks belong to the dangerous advanced persistent threats (APT).
The hackers launch the actual ransomware attack only after they have identified all the desired targets. Then, the encryption of the files and, if possible, the backup copies begin. At this moment, the attack becomes apparent, but the damage can usually no longer be prevented; at most, containment is possible.
Which data backup methods offer protection against ransomware attacks?
In practice, different methods are used to back up data. Smaller companies often run their own solutions on site. Here, a NAS (Network Attached Storage) or removable media based on RDX technology are used. Dedicated servers with regular hardware are also widely used, with software creating and managing the backups. Recently, backups in the cloud have also become established, as faster Internet connections allow the transfer of large amounts of data in a short time. Another solution, whose technical zenith has long since passed, is becoming popular again: tape drives, which back up data on magnetic tapes. In the 1990s and early 2000s, these drives were the standard for backups.
Individual backup solutions are very different in terms of security in the face of cyberattacks. Backup systems that are permanently connected to the network are particularly vulnerable. These include backup servers and likewise network-attached storage such as NAS or NDAS. In some cases, the solutions promise greater network security because proprietary protocols are used for data exchange, as with NDAS, for example.
Automatically more secure, on the other hand, are backup solutions that are not permanently connected to the network. These include RDX and tape backups. With these, each backup is written to a separate storage medium, which is removed from the system after the operation. Cloud storage solutions also have the potential to deliver this level of security. However, this requires physical separation between the networks and data centers. Data backup in the company's private cloud is, therefore, less protected than a third-party solution as a service.
What measures can be taken to prevent ransomware attacks on the backup?
When defending backups against ransomware attacks, it comes down to a well-thought-out strategy. The primary goal is to prevent the encryption of the backup files. There are various methods available for this purpose. As a rule, it makes sense to use a combination of the different techniques. Relying on one solution often turns out to be a failed strategy in an emergency.
First of all, it is crucial to ensure that as few people as possible have access rights, above all write rights, to the backup system. With Linux operating systems, permissions can be set so that the backup solution runs under a specific user or program. Write access, and accordingly encryption of the files, is then only possible via this one path. It is also important not to rely on a single backup copy. Here, implementing the 3-2-1 rule is an excellent way to establish a high security standard. This rule states that there are three backup copies on two media at any given time. One copy is stored offsite and one offline. Offsite means that the backup copy is physically separated from the company. Offline, on the other hand, means separation from the network, so that the copy is outside the hackers' reach. A practical solution, for example, is to combine cloud backup with a service provider and local RDX backup controlled by the company's own IT department.
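The two measures described above, restricting write access on the backup system to a single account and checking a set of backups against the 3-2-1 rule, can both be verified with a short script. The following is an added example written for this article, not code from the original author or from any backup product; the function names, the sample inventory and the constructed backup files are the example's own assumptions.

```python
"""Added example (not part of the original article): two checks a backup
administrator can run on Linux.

1. audit_write_access(): walk a backup directory and report every file or
   directory that is writable by group or others, or not owned by the
   dedicated backup account. This is the "only one path to write access"
   idea: the backup user owns everything and nobody else may write.
2. check_3_2_1(): given an inventory of backup copies, report which parts of
   the 3-2-1 rule (three copies, two media, one offsite, one offline) are
   not met.
"""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    label: str
    medium: str      # e.g. "disk", "rdx", "tape", "cloud"
    offsite: bool    # physically separated from the company site
    offline: bool    # disconnected from the network after the backup run


def check_3_2_1(copies):
    """Return a list of rule violations; an empty list means the rule is met."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    if len({c.medium for c in copies}) < 2:
        problems.append("all copies are on the same kind of medium, need 2")
    if not any(c.offsite for c in copies):
        problems.append("no offsite copy")
    if not any(c.offline for c in copies):
        problems.append("no offline copy: every copy is reachable over the network")
    return problems


def audit_write_access(root, backup_uid):
    """Return (path, reason) pairs for entries under root that someone other
    than the backup account could write to."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # os.walk yields every directory as dirpath, so checking dirpath here
        # covers the directories and the inner loop covers the files.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are meaningless on Linux
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, f"writable by group/others (mode {mode:04o})"))
            if st.st_uid != backup_uid:
                findings.append((path, f"owned by uid {st.st_uid}, not backup uid {backup_uid}"))
    return findings


# Constructed sample inventory (hypothetical): local disk, RDX cartridge, cloud copy.
SAMPLE_INVENTORY = [
    BackupCopy("local-disk", "disk", offsite=False, offline=False),
    BackupCopy("rdx-cartridge", "rdx", offsite=False, offline=True),
    BackupCopy("cloud-provider", "cloud", offsite=True, offline=False),
]


def build_demo_tree():
    """Create a throwaway directory with one correctly protected backup file and
    one over-permissive file. Constructed sample data, not a real backup."""
    root = tempfile.mkdtemp(prefix="backup-audit-")
    os.chmod(root, 0o700)
    good = os.path.join(root, "db-2024-01-01.tar.gz")
    bad = os.path.join(root, "db-2024-01-02.tar.gz")
    for path in (good, bad):
        with open(path, "wb") as fh:
            fh.write(b"constructed backup payload")
    os.chmod(good, 0o600)  # only the owner may read or write
    os.chmod(bad, 0o666)   # any account on the host could overwrite (or encrypt) this
    return root


def demo_audit():
    """Run the audit on the constructed tree; returns the flagged file names."""
    root = build_demo_tree()
    return sorted({os.path.basename(p) for p, _ in audit_write_access(root, os.getuid())})


if __name__ == "__main__":
    print("3-2-1 violations:", check_3_2_1(SAMPLE_INVENTORY) or "none")
    print("over-permissive backup files:", demo_audit())
```

In production the audit would be pointed at the real backup root with the uid of the dedicated backup account, and run from a cron job so that a permission change on the backup tree is noticed before an attacker can use it.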
Other general measures can be used to increase security for the backup system and the corporate network simultaneously. One of these methods is the use of virtual desktops. Virtual desktops are workspaces that run through a virtual machine in a protected, enclosed area. Suppose a hacker takes control of a virtual desktop, for example, through a phishing attack. In that case, he cannot reach other machines from there because he has no access to the underlying network layer outside the virtual desktop.
Sandbox environments are an additional precaution. Similar to virtual machines, these are areas on a virtual private server (VPS) that are separated from the corporate network. Here, file attachments can be safely opened and their behavior observed. If such files contain malicious code, the compromise does not pose a threat.
Preventing attacks on the data backup, and cyber attacks in general
Your IT security must immediately detect and ward off abnormal processes to protect the data backup from a cyber attack. As described, during a ransomware attack, hackers first spy on the network before the actual encryption of files occurs. From the analysis of cyberattacks, it is evident that in most cases, the criminals are active in the target's network undetected for many days, sometimes even weeks.
Once the attackers have overcome passive security mechanisms such as the firewall and virus software, many networks have no defenses left to detect them. However, proactive techniques exist specifically for this purpose. These scan all activities in the network and evaluate them. Intelligent algorithms are used in this process. These detect unusual activity, such as an unknown IP address logging into an employee's account. The system then sends a warning message to IT security so that the action can be checked as quickly as possible. In this way, it is possible to identify individual accesses by unauthorized persons even in complex networks. IT security then has the opportunity to nip cyberattacks in the bud, preventing files from being encrypted.
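The detection described above, flagging a successful login to an employee's account from an IP address that account has never used before, comes down to a per-user baseline and a comparison against it. The following is an added example written for this article, not code from the original author or from any monitoring product; the log line format, the user names and the addresses are constructed for the example.

```python
"""Added example (not part of the original article): detect logins from
IP addresses never seen before for that account.

Constructed log format (hypothetical, one event per line):
    <timestamp> user=<name> src=<ip> result=success|failure
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Constructed learning period: the addresses each account normally logs in from.
BASELINE_LOG = [
    "2024-03-01T08:02:11Z user=alice src=10.0.1.15 result=success",
    "2024-03-01T08:05:40Z user=bob src=10.0.1.22 result=success",
    "2024-03-02T08:01:03Z user=alice src=10.0.1.15 result=success",
    "2024-03-02T08:04:58Z user=bob src=10.0.1.22 result=success",
]

# Constructed monitoring period: one normal login, one failed attempt from
# outside, one successful login from an unknown address, one unknown account.
NEW_LOG = [
    "2024-03-04T08:03:27Z user=alice src=10.0.1.15 result=success",
    "2024-03-04T02:17:09Z user=bob src=203.0.113.7 result=failure",
    "2024-03-04T02:17:31Z user=bob src=203.0.113.7 result=success",
    "2024-03-04T02:20:02Z user=carol src=10.0.1.40 result=success",
]


def parse(line):
    """Return the event fields as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def build_baseline(lines):
    """Map each user to the set of source addresses it successfully logged in from."""
    baseline = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev and ev["result"] == "success":
            baseline[ev["user"]].add(ev["src"])
    return baseline


def detect_unknown_ip_logins(lines, baseline):
    """Return one alert per successful login whose source address is not in the
    user's baseline. Failed attempts are not alerted here; an account that has
    no baseline at all is also flagged, since any address is unknown for it."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "success":
            continue
        known = baseline.get(ev["user"], set())
        if ev["src"] not in known:
            alerts.append({
                "ts": ev["ts"],
                "user": ev["user"],
                "src": ev["src"],
                "known_sources": sorted(known),
            })
    return alerts


def run_demo():
    """Build the baseline from the learning log and evaluate the new log."""
    return detect_unknown_ip_logins(NEW_LOG, build_baseline(BASELINE_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(f"ALERT {alert['ts']}: {alert['user']} logged in from {alert['src']}, "
              f"known sources: {alert['known_sources'] or 'none'}")
```

A new address is added to an account's baseline only after IT security has confirmed the login as legitimate; updating the baseline automatically from every success would let an attacker's first login teach the system to ignore the rest.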
In particular, small and medium-sized enterprises often have not implemented such proactive defenses because they lack the resources for a Security Operations Center (SOC). However, with an external service provider taking over this service, real-time monitoring around the clock is possible. This saves the expensive and time-consuming establishment of an in-house SOC. The German Federal Office for Information Security (BSI) will require companies in the CRITIS (critical infrastructure) sector to use such a system for the active detection of cyberattacks from May 2023. With an external service provider for the active detection of unusual events in the network, the data backup can also be protected against a cyber attack.
Backups are an absolute must for any business these days, regardless of size or activity. However, many decision-makers rely on a backup system with only one backup copy. In the event of a ransomware attack, this is playing with fire. If the hackers find the backup during the cyber attack, then file encryption will also occur. For this reason, it is essential to diversify backup routines. Storage on a medium that can be disconnected from the network increases security in an emergency. Active systems to detect unauthorized activity on the network are also helpful.
It is essential to implement these concepts consistently. Combining various security techniques makes recovery from a successful ransomware attack possible with your own resources and comparatively little damage. However, decision-makers must implement the necessary defensive measures in good time and also be aware that there is no such thing as one hundred percent security against cyberattacks.