There's been some buzz about various strains of ransomware evolving to selectively target backup data as well as the primary source, in an effort to improve the success rate of the attack. Of course, backups are the number one reactive control that keeps you from having to pay the ransom, so if they have been destroyed, you are left with little option.
With more and more organizations moving to an online disk-to-disk backup (no tapes involved), the opportunity is there in abundance for cybercriminals to encrypt the data on the server and either delete or encrypt the backup(s) as well.
Charles Carmakal, Vice President with FireEye's Mandiant forensics unit, in an interview with BankInfoSecurity.com, noted that most organizations have backups, but it's the lack of segmentation that keeps most of their clients down for extended periods of time in a ransomware attack.
I've seen this first-hand with some of my clients as well, and here are some ideas to reduce this risk:
- Place your backup storage devices in a separate network segment with access only to the servers that are being backed up
- Use separate username and password for backup operations to prevent credential re-use
- Implement solutions that withhold overwrite and delete permissions from the backup account. I've seen a couple of backup solutions at my clients that only allow write (create) permissions to the backup destination; this means that existing backup files are protected from deletion and encryption even if the backup credentials are compromised
- Keep your offline backups - I know tapes and tape rotations are a pain, but they are totally inaccessible to a remote attacker when not in the tape drive. I'm not saying you have to go back to tapes if you've weaned yourself from them, but they should be considered if the other controls mentioned above are not feasible in your environment
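To make the write-only destination idea from the third bullet concrete, here is an added example (my own illustration, not code from any backup product): a small file-based backup store that accepts new backup sets but refuses to overwrite or delete existing ones, and records a SHA-256 digest at write time so a later verification pass can flag any set whose content changed out of band (which is what an encrypted or tampered backup looks like). The class name, the directory layout and the sample backup sets are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile


class WriteOnceBackupStore:
    """Backup destination that accepts new backup sets but refuses
    overwrite and delete, mirroring a write-only permission model.
    A digest recorded at write time lets verify() detect later changes."""

    def __init__(self, root):
        self.root = root
        os.makedirs(root, exist_ok=True)
        self._index = {}  # backup set name -> sha256 recorded at write time

    def put(self, name, data):
        """Create a new backup set; an existing name is never overwritten."""
        path = os.path.join(self.root, name)
        if name in self._index or os.path.exists(path):
            raise PermissionError(f"refusing to overwrite existing backup set {name!r}")
        # O_EXCL makes the create-only rule explicit at the OS level: the open
        # fails if the file already exists. The file is left read-only on disk.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o440)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        self._index[name] = hashlib.sha256(data).hexdigest()
        return self._index[name]

    def delete(self, name):
        """Deletion is not part of this destination's permission set."""
        raise PermissionError(f"delete is not permitted on this destination ({name!r})")

    def verify(self):
        """Re-hash every set on disk; return the names that are missing or whose
        content no longer matches the digest recorded when they were written."""
        bad = []
        for name, digest in self._index.items():
            path = os.path.join(self.root, name)
            if not os.path.exists(path):
                bad.append(name)
                continue
            with open(path, "rb") as f:
                if hashlib.sha256(f.read()).hexdigest() != digest:
                    bad.append(name)
        return bad


def demo():
    """Exercise the store with constructed backup sets and return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        store = WriteOnceBackupStore(tmp)
        # constructed sample backup sets (not real data)
        store.put("db-day1.dump", b"full backup day 1")
        store.put("db-day2.dump", b"full backup day 2")

        # a second write to an existing name is refused
        try:
            store.put("db-day1.dump", b"replacement content")
            results["overwrite_refused"] = False
        except PermissionError:
            results["overwrite_refused"] = True

        # deletion is refused outright
        try:
            store.delete("db-day2.dump")
            results["delete_refused"] = False
        except PermissionError:
            results["delete_refused"] = True

        # simulate an out-of-band change to one set, as would be possible on a
        # destination that grants full write rights, and show verify() flags it
        victim = os.path.join(tmp, "db-day2.dump")
        os.chmod(victim, 0o640)
        with open(victim, "wb") as f:
            f.write(b"content changed after the backup was written")
        results["tampered"] = store.verify()
    return results


if __name__ == "__main__":
    print(demo())
```

The two halves address different parts of the problem: the create-only `put` and the refused `delete` are the preventive control, while `verify` is the detective control that tells you a backup set is no longer what was written, so you find out before a restore is needed rather than during one. A real deployment would keep the digest index on a separate, equally protected system rather than alongside the backups.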
As always, feel free to contact me if you'd like to discuss this topic further, or if you'd like some assistance in evaluating the security of your backup strategy.