
Ransomware Requires the Right Backup and Recovery Strategy

This guest post was first published in Informatik-Aktuell on January 19, 2022 in German. The following article is a translation with some editorial changes.

Companies face a constant threat from cyber attacks. Undiscovered security vulnerabilities and new types of attacks constantly open up new attack vectors that chip away at an organization's IT security. A successful breach is only a matter of time and can hardly be prevented in the long run. Ransomware attacks stand out in particular because of their damage potential: they can paralyze entire supply chains as well as individual organizations. Companies must anticipate this and put strategies and procedures in place in advance so that IT operations can be restored promptly. Forward-looking backup and disaster recovery strategies provide the tools needed to minimize the damage.

The constant threat of cyber attacks is already causing considerable damage to the German economy. In a survey conducted by Bitkom, 9 out of 10 companies stated that they had already been victims of cyber attacks. Bitkom estimates the damage to the German economy at over 220 billion euros for 2021, more than twice the figure for the previous years 2018/2019.

Ransomware attacks have proven to be particularly lucrative for criminals. In its federal situation report on cybercrime, the German Federal Criminal Police Office (BKA) states that this type of attack has the greatest potential for damage. The attack pattern has established itself as a business area in its own right: criminals can rent ransomware-as-a-service on dark net marketplaces much like a cloud service.

Ransomware attacks are on the rise and constantly evolving. In its report on the state of IT security in Germany, the German Federal Office for Information Security (BSI) expresses concern about this trend and observes a significant increase in extortion. In surveys conducted independently by Bitkom and Hornetsecurity, one in five companies stated that they had already been the victim of a ransomware attack, and this proportion can be expected to rise significantly. The damage caused by ransomware is diverse: from reputational damage and loss of revenue to a complete operational standstill, and it can extend beyond the boundaries of the affected organization. Attackers use this leverage to put themselves in a strong position for extorting ransom. Being well prepared for such attacks is therefore essential to minimize exposure to blackmail.

Why a backup alone does not protect against ransomware

Regular backups are certainly one of the basic building blocks for restoring compromised IT. However, they are not enough if attackers are able to steal sensitive data or even compromise the backup itself. In connection with ransomware, the European Union Agency for Cybersecurity (ENISA) has observed a clear trend towards double and even multiple extortion: hush-money demands made in combination with the ransom demand for decryption.

In double extortion, criminals aim to obtain hush-money payments by threatening to publish stolen data, generating income on top of the ransom for decrypting the data. Mediamarkt-Saturn recently fell victim to a ransomware attack in which the attackers were able to exfiltrate potentially sensitive data despite detection and the initiation of containment and recovery measures. According to media reports, the attackers threatened to publish this data and demanded 240 million US dollars in hush money.

Check Point has observed a further extension of extortion to the victim's customers and partners as the next evolutionary stage (triple extortion). Attacks on a company's business partners can therefore have a direct impact on that company even if it was not the original target. For example, the supermarket chain Coop and other customers were indirect victims of a ransomware attack because Kaseya, a shared supplier of remote maintenance software, was paralyzed by attackers. Similar incidents are also known in other sectors such as healthcare.

These examples make clear that recovering from backups alone does not protect against ransomware, with potentially fatal consequences. Companies therefore need to adjust their strategies for restoring their infrastructure in the event of a ransomware disaster.

The right backup strategy for recovery

There is no need to reinvent the wheel when it comes to protecting against ransomware attacks: several well-known concepts and procedures have proven helpful.

The tried and tested 3-2-1 rule

The 3-2-1 rule is considered best practice in data backup: keep at least three copies of the data, on at least two different types of media, with at least one copy at another location. The three copies should be held independently of each other on different systems such as NAS, SAN, tape or cloud storage. To prevent corruption from propagating, the copies should not be continuously synchronized; each should be written and read independently.
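As an added example (not code from the original article), the following Python script audits a backup inventory against the rule as stated above and checks that the independently written copies still agree with each other. The inventory format, the `BackupCopy` fields, the system and location names and the sample contents are all constructed for illustration; the divergence check assumes at least three copies so that a majority hash exists.

```python
"""Audit a backup inventory against the 3-2-1 rule (added example, constructed data)."""
from __future__ import annotations

import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    system: str        # system holding the copy (NAS, tape library, bucket ...)
    media_type: str    # "disk", "tape", "object-storage", ...
    location: str      # site or region where the copy physically lives
    offline: bool      # True if the copy is unreachable over the network once written
    data: bytes        # copy content; only its SHA-256 digest is compared


def audit_321(copies: list[BackupCopy]) -> list[str]:
    """Return findings against the 3-2-1 rule; an empty list means the set complies."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need at least 3")
    if len({c.system for c in copies}) < len(copies):
        findings.append("copies share a system; one compromised system hits several copies")
    if len({c.media_type for c in copies}) < 2:
        findings.append("all copies on one media type, need at least 2")
    if len({c.location for c in copies}) < 2:
        findings.append("all copies at one location, need an off-site copy")
    if not any(c.offline for c in copies):
        findings.append("no offline copy; an attacker with network access can reach every copy")
    return findings


def divergent_copies(copies: list[BackupCopy]) -> list[str]:
    """Return the systems whose copy digest differs from the majority digest.

    Because the copies are written independently (no constant synchronization),
    a copy that was overwritten or encrypted by ransomware does not drag the
    others along, and the digest comparison singles it out.  With fewer than
    three copies there is no majority, so the caller should require >= 3.
    """
    digests = {c.system: hashlib.sha256(c.data).hexdigest() for c in copies}
    majority, _ = Counter(digests.values()).most_common(1)[0]
    return sorted(system for system, digest in digests.items() if digest != majority)


# Constructed sample inventories (names and contents are made up for this example).
PAYLOAD = b"payroll-2022-01.dump"
COMPLIANT = [
    BackupCopy("nas-01", "disk", "berlin", False, PAYLOAD),
    BackupCopy("tape-lib-01", "tape", "berlin", True, PAYLOAD),
    BackupCopy("s3-eu-central", "object-storage", "frankfurt", False, PAYLOAD),
]
# Two NAS replicas at the same site plus a third copy on the same NAS: looks like
# three copies, but fails on media type, location, offline copy and shared system.
NON_COMPLIANT = [
    BackupCopy("nas-01", "disk", "berlin", False, PAYLOAD),
    BackupCopy("nas-02", "disk", "berlin", False, PAYLOAD),
    BackupCopy("nas-02", "disk", "berlin", False, PAYLOAD),
]
# The compliant set after ransomware overwrote the online NAS copy.
AFTER_ATTACK = [
    BackupCopy("nas-01", "disk", "berlin", False, b"\x8f\x1c encrypted garbage \x00\xff"),
    COMPLIANT[1],
    COMPLIANT[2],
]


if __name__ == "__main__":
    print("compliant:", audit_321(COMPLIANT) or "ok")
    print("non-compliant:", audit_321(NON_COMPLIANT))
    print("divergent after attack:", divergent_copies(AFTER_ATTACK))
```

The audit is deliberately strict about shared systems: a copy that is merely a replica of another copy on the same box counts once, because a single compromised credential or host would take both out at the same time.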

Using different media types creates additional hurdles for ransomware. WORM media such as tape libraries that write backups to tape and then store the cartridges offline offer real protection, because an attacker with network access cannot modify what has already been written. Audit-proof (immutable) storage systems, virtual tape libraries (VTL) and object storage in the cloud can also be integrated easily into modern backup solutions nowadays.

Storing data at an additional location is also an important measure. The fire at the French cloud service provider OVH illustrates this: several data centers at a single site burned down, and customers who had kept all their data there lost it. The BSI recommends a distance of at least 200 kilometers between geo-redundant data centers to limit the impact of local incidents.

When implemented correctly, this rule proves extremely effective, including for recovery from ransomware attacks, and various leading backup software vendors promote it. In practice, however, the rule is often dismissed as an ideal and its full implementation as a Rolls-Royce solution. This assessment can have fatal consequences, so a differentiated view is definitely necessary.

Targeted separation of responsibilities

User accounts with extensive authorizations have enormous potential for damage if they are compromised. Concepts for separating and limiting authorizations, i.e. restricting what a rogue user can do, have proven their worth in practice.

Responsibility for backups should be separated from production as far as possible. Different media should be managed by different groups of people, or at least with different credentials, so that a single user ID cannot compromise several or all media at once. One example is individual CHAP credentials for each exported iSCSI volume on a storage system.

Effective authorization management

In principle, personalized accounts should be used for individuals, and the assignment of authorizations should be logged so that it is always possible to trace who holds and exercises which authorizations. Directory services such as Active Directory can manage accounts, groups and policies centrally and deactivate them in an emergency, which makes it harder for attackers to obtain critical authorizations. Bear in mind, however, that the directory itself is a prime target in ransomware attacks, so the backup infrastructure should not depend solely on the production directory for authentication.

Critical authorizations that go beyond regular activities should be protected with additional procedures, such as separate administrator accounts or dedicated systems for managing privileged access that require additional authentication factors.

When using dedicated backup software, individuals should only be able to access the backed-up file systems indirectly. Modern solutions use their own technical service accounts to read and write backups in the background while users operate the front end.

Securing root accounts

Non-personalized root accounts should only be used in exceptional cases and should be specially secured: every use should be tied to a documented reason, and logins should be monitored. In cloud environments it has long been best practice not to use the root account operationally after the initial creation of the organization's account, and to secure it with MFA, alerting and other precautions. This makes unauthorized access harder from the outset and easier to detect.

Passwords should be known only to selected groups of people and rotated regularly, especially when responsibilities change. For this purpose, passwords can be stored in encrypted form and managed for teams in a centralized password management system. Offline copies on paper or USB media can also be useful: they remain available even if the digital originals are lost, and they can be stored securely in a safe.

Encapsulation of the backup infrastructure

To avoid uncontrolled access, companies can use common concepts to encapsulate the backup infrastructure. A first starting point is dedicated physical systems for backup: servers, storage, switches or cabling. Cloud services managed via separate accounts can also be considered.

Another starting point is the logical separation of the backup infrastructure through separate network segments, for example separate V(x)LANs, IP subnets and DNS zones. Access to these segments can be secured with MFA, and firewalls can filter the network traffic. Modern firewalls offer a wide range of options for this, from identity-based or group-based filters to classic rules specifying sources, destinations, ports and protocols. Appropriate encapsulation should also be used to isolate the different storage media from each other.
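As an added example (not from the original article or any firewall product), the following Python script models a first-match filter policy for a dedicated backup segment and evaluates candidate flows against it. The subnets, the host addresses, the agent port 10000 and the pull-based design (the backup server connects to production agents, never the reverse) are constructed assumptions for this illustration; a real firewall would additionally track connection state so that replies to allowed connections pass.

```python
"""First-match packet-filter model for a backup network segment (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: Net
    dst: Net
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port
    comment: str = ""


# Constructed address plan for the example.
ANY = ipaddress.ip_network("0.0.0.0/0")
PROD = ipaddress.ip_network("10.10.0.0/16")            # production servers
BACKUP = ipaddress.ip_network("10.200.0.0/24")         # dedicated backup VLAN
ADMIN = ipaddress.ip_network("10.250.0.0/24")          # admin jump hosts
BACKUP_SERVER = ipaddress.ip_network("10.200.0.10/32")
AGENT_PORT = 10000                                     # assumed backup agent port

# Order matters: the first matching rule wins, and the last two rules deny
# everything into and out of the backup segment that was not explicitly allowed.
POLICY = [
    Rule("allow", BACKUP_SERVER, PROD, "tcp", AGENT_PORT, "backup server pulls from prod agents"),
    Rule("allow", ADMIN, BACKUP, "tcp", 22, "admin jump hosts manage the backup segment"),
    Rule("deny", PROD, BACKUP, "any", None, "production never initiates toward backup"),
    Rule("deny", ANY, BACKUP, "any", None, "default deny into backup segment"),
    Rule("deny", BACKUP, ANY, "any", None, "default deny out of backup segment"),
]


def evaluate(policy: list[Rule], src: str, dst: str, proto: str, dport: int) -> Optional[Rule]:
    """Return the first rule matching the initiating packet, or None if no rule matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if s in rule.src and d in rule.dst and rule.proto in ("any", proto) and rule.dport in (None, dport):
            return rule
    return None


def is_allowed(policy: list[Rule], src: str, dst: str, proto: str, dport: int) -> bool:
    """A flow is allowed only by an explicit allow rule; no match is treated as deny."""
    rule = evaluate(policy, src, dst, proto, dport)
    return rule is not None and rule.action == "allow"


if __name__ == "__main__":
    # Constructed flows: a compromised production host probing the backup server.
    for flow in [("10.10.5.20", "10.200.0.10", "tcp", 22),
                 ("10.10.5.20", "10.200.0.10", "tcp", 445),
                 ("10.200.0.10", "10.10.5.20", "tcp", AGENT_PORT),
                 ("10.250.0.5", "10.200.0.10", "tcp", 22)]:
        rule = evaluate(POLICY, *flow)
        print(flow, "->", rule.action if rule else "no match", "|", rule.comment if rule else "")
```

Running the expected flows through the model as a regression test each time the ruleset changes catches the classic mistake of adding a broad "temporary" allow rule above the default denies; the test for production-to-backup SSH would fail immediately.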

The right disaster recovery plan

The backup strategy alone is not enough to effectively and efficiently counter and recover from a widespread ransomware attack. Given the potential damage and its scope, identifying attacks and initiating measures in an organized manner is an overarching organizational task. It is therefore advisable to include ransomware attacks as an additional damage scenario in overarching business continuity management and to provide specific disaster recovery plans for them.

Defining a disaster recovery plan is a proven approach to improving a company's ability to respond to emergencies. The aim is to restore the company's IT as quickly as possible after an emergency such as a ransomware attack. To this end, targets are specified, schedules defined and disaster scenarios rehearsed.

Specification of targets

By specifying key figures such as the recovery time objective (RTO) and recovery point objective (RPO), binding targets can be established and the performance of a plan made measurable. The recovery targets should be based on the business requirements of an organization in order to minimize potential damage to business operations.

The RTO specifies the time frame within which data and systems must be restored. Critical systems are often given short RTOs, ranging from minutes to a few hours; for test and development systems, RTOs usually range from several hours to days.

The RPO indicates the data loss the organization can accept, i.e. the maximum period between the last usable backup and the loss event. For critical transactional databases with frequently changing data, RPOs can be just a few minutes; for data that rarely changes, RPOs often range from several hours to months.

Alongside the RPO, it is common to specify how many backups are retained so that multiple points in time are available for recovery. If damage is detected late, older backups that are not yet affected by the malware become essential, so the retention period must cover the expected time between compromise and detection. Ambitious RTOs and RPOs have a direct impact on the required backup and recovery infrastructure and can be very costly; costs and benefits must be weighed accordingly.
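The following Python script is an added example (not from the original article) of the retention arithmetic behind the RPO discussion above: it picks the newest verified restore point that predates the estimated compromise, measures the data that must be reconstructed from other sources, and checks whether a retention period covers the attacker's dwell time. The daily catalog, the timestamps and the dwell time are constructed for illustration.

```python
"""Restore-point selection and retention check against dwell time (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class RestorePoint:
    taken_at: datetime
    verified: bool   # integrity check (checksum or test restore) passed


def clean_restore_point(catalog: list[RestorePoint], compromise_at: datetime) -> Optional[RestorePoint]:
    """Newest verified restore point taken strictly before the estimated compromise.

    Anything taken after that moment may already contain the attacker's tooling
    or partially encrypted files and must not be trusted for recovery.
    """
    candidates = [rp for rp in catalog if rp.verified and rp.taken_at < compromise_at]
    return max(candidates, key=lambda rp: rp.taken_at, default=None)


def effective_data_loss(restore_point: RestorePoint, detected_at: datetime) -> timedelta:
    """Window of data that cannot be taken from backup after a late-detected attack.

    Unlike the nominal RPO (one backup interval), the real loss runs from the
    last clean restore point to the moment the attack was detected.
    """
    return detected_at - restore_point.taken_at


def retention_covers_dwell(retention: timedelta, dwell: timedelta, backup_interval: timedelta) -> bool:
    """Retention must exceed dwell time plus one interval so a pre-compromise copy still exists."""
    return retention >= dwell + backup_interval


# Constructed scenario: daily backups at 02:00, attack detected on 2022-01-19 08:00,
# forensics estimate the initial compromise at 2022-01-02 10:00 (17 days of dwell).
DETECTED_AT = datetime(2022, 1, 19, 8, 0)
COMPROMISE_AT = datetime(2022, 1, 2, 10, 0)
BACKUP_INTERVAL = timedelta(days=1)


def build_catalog(retention_days: int, last_run: datetime = DETECTED_AT) -> list[RestorePoint]:
    """Constructed catalog: one verified backup at 02:00 per day for retention_days days."""
    first = last_run.replace(hour=2, minute=0, second=0, microsecond=0)
    return [RestorePoint(first - timedelta(days=i), True) for i in range(retention_days)]


if __name__ == "__main__":
    for days in (30, 14):
        rp = clean_restore_point(build_catalog(days), COMPROMISE_AT)
        if rp is None:
            print(f"{days}-day retention: no clean restore point left, recovery from backup impossible")
        else:
            print(f"{days}-day retention: restore {rp.taken_at}, loss window {effective_data_loss(rp, DETECTED_AT)}")
```

With 30 days of retention the last clean copy is the 2 January backup and 17 days and 6 hours of data have to be reconstructed; with 14 days the oldest copy was taken after the compromise and the catalog is useless, which is the situation the text warns about.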

Definition of process plans

In the event of a disaster such as a ransomware attack, it is crucial to initiate countermeasures as effectively and efficiently as possible, with every action carried out correctly and in the right order. Delays can increase the damage caused by the attack itself or add effort to the recovery process.

This can be achieved with process plans that show who carries out which action and when, in the form of tables, flow charts or even posted notices. It is crucial that a potential delegate can clearly understand and execute the instructions. Especially for ransomware attacks, it makes sense to have such plans literally ready in the drawer, in printed form, because the systems that hold the documentation may themselves be encrypted.

Automating these processes can be particularly useful: there is no need to interpret written or pictorial instructions, which reduces the susceptibility to errors, and the processes run faster and consistently, even across multiple runs. Corresponding recovery products are available for on-premises deployments as well as cloud environments.

Regular training sessions

Exercises should be held to ensure that the specified RTOs and RPOs can be achieved and that the process plans actually work. The employees responsible in an emergency should be trained repeatedly at regular intervals so that they know the current plans and where they are stored.

In addition, regular disaster recovery simulations should take place in which realistic disasters are simulated and handled. This allows the quality of the defined plans to be checked against the targets and, if necessary, readjusted. At the same time, routines are rehearsed and trust is built among the executing employees, managers and other stakeholders.

Having all the tools at hand

Cyber attacks, especially ransomware, are on the rise. The next attack is only a matter of time, and companies need the necessary tools in place today to avoid jumping from the frying pan into the fire in an emergency. Known concepts and approaches can help to minimize the damage after an attack. Companies must not hope that the cup will pass them by; they must set the right course for their future security now.
