Categories
Computer & Network Security

Ransomware Resilient Backups

Every day we see evidence of bad actors attacking various sized companies with ransomware. A commonly agreed upon defense mechanism that offers a good chance to recover your data without paying the ransom is a robust backup strategy. With federal entities considering the idea that victims paying the attackers ransom a crime, now is a great chance to get ahead of any possible criminal action to getting your firm back online. The strategy we outline here will help your organization build a resilient backup strategy for protection from ransomware or any other incident.

Attackers Are Going After Your Backups

We know without a doubt that attackers are going after primary datastores and servers to encrypt companies’ data, and as the business of ransomware evolves, these attack strategies continue to become more successful. According to Revil, targeting backups has become a key element in an attacker’s strategy, and they are focusing efforts on encrypting or neutralizing backups. If a company has tested backups that are resilient to attacks, there is a lower chance they will be forced to make ransomware payments.

Snapshots Are Not Backups

Snapshots are great, no way around it, for IT services and operations this may be one of the greatest tools since sliced bread. However, snapshots should not be considered a replacement of a solid backup strategy. Now, that is not to say that snapshots don’t have a place in a solid backup strategy. Snapshots are great if you need to restore from the past few hours; however, in some cases, we need to know our backups are safe and clean from previous days or even weeks. While snapshots can do this, it is not the most effect mechanism. Especially as we consider replication to multiple locations and offline, air-gapped backups.

It’s not just me saying this checkout what VMWare has to say on why snapshots are not backups.

3-2-1- Strategy

Backups are as simple as 3-2-1, right? This sounds very simplistic, and in reality, it is a simple plan; however, it can be hard to execute. The idea is simple. Create 3 copies of your backups, across 2 different media types, and at least one offsite backup. Let’s break this down to a real-world example to contextual this for practicality.

3 Backups might look like this at a high level. With backups to Disk, which could be a SAN, you have backups that are quickly accessible for most recovery needs. Backups to cloud gets the data offsite to another location. Backups to tape satisfies our two media types strategy. Of course, you can mix and match other medias, locations and methods but the idea to have a diverse strategy so you have options when you lose confidence or access to other backups.

Backup to Disk > Backup to Cloud > Backup to Tape

Test, Test, and Retest

Backups are only great when they work and are ready. Develop a strategy to regularly test your backups AND your process! Restoring a file, application, or server for a ticket or service issue, while technically is a test, for those of us with compliance requirements this generally does not satisfy our requirements. Testing regularly has a few advantages to help you when you need them.

1. You know your backups are available.

2. Your team knows how to restore from backups.

3. Your team knows where to find your backups.

4. You know how long it takes to recover.

If you have a large environment consider a sample testing method where you test your high risk systems every time, with a set of lower risk systems to go along.

Separately, you should test your disaster recovery plan either with a table top or actual execution of the plan including failover to recovery location or backups.

Feel free to contact us if you’d like to review and reinforce your backup strategy.

Sources:
https://blog.cyble.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/
https://www.vmwareblog.org/snapshots-checkpoints-alone-arent-backups/
https://www.veeam.com/blog/321-backup-rule.html