As IT professionals look to shore up their defenses against ransomware, they must understand ransomware’s backdoor. Ransomware’s frontal attack is well known. A compromised system, or a user clicking the wrong email link, can deposit a ransomware trigger file. That trigger file replicates itself and then, as quickly as possible, starts encrypting production data. At that point, most IT professionals turn to their backup software and start recovering data. The problem is that while this attack is going on, or increasingly before the frontal assault begins, ransomware is using the back door that your backup storage vendors have left open, making recovery much more difficult. Ransomware uses the backdoor to:
• Encrypt Backup Data
• Encrypt Backup Metadata
• Slow down attempts to recover data
If the Ransomware attack is successful at any of these three backdoor entry points, you may be forced to pay the ransom even though you have a solid backup strategy. It is time to close the back door! In our upcoming webinar, “Three NEW Ransomware Exploits – How to Close the Backdoor,” we will detail these new exploits and provide ways that you can prepare for them and beat them.
Ransomware Backdoor #1: Encrypting Backup Data
The first ransomware backdoor exploit is backup data, the copy of production data that the backup architecture is storing. Even unsophisticated ransomware attacks may see success in this effort by accidentally stumbling upon the backup mount point. However, ransomware is increasingly targeting the backup storage repositories first, then moving on to encrypt production data. If the attacker can encrypt your backups and production data, you will likely have to pay the ransom.
The answer is to make sure that all your backups are stored immutably. Most immutable solutions can’t perform well enough to be the first backup ingest point, and they can’t be deemed suitable for recovery. Organizations are forced to implement yet another storage system and learn another protocol. And as we discussed in our blog, “Does Immutability Beat Ransomware,” you need more than immutability to beat ransomware.
Ransomware Backdoor #2: Encrypting Backup Metadata
Another ransomware backdoor is encrypting the data that the backup server software needs to operate: its indexes and configuration files. Without access to these files, you can’t recover data, regardless of where you store it or which media format you choose. The good news is that you may be able to rebuild this information; the problem is that rebuilding an index requires manually rescanning every single backup job (assuming the jobs themselves are not corrupted), which can take hours, if not days.
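One way to catch backdoors #1 and #2 early is to treat the backup repository as write-once and verify it: record a hash of every backup job and catalog file when it is written, then re-check on a schedule and flag any file that has changed, especially one whose new content is near-random, which is what encrypted data looks like. The following is an added illustration, not StorONE code or any backup product’s API; the repository layout (a `jobs/` directory plus a `catalog.idx`), the 7.5 bits-per-byte threshold and the sample files are assumptions constructed for the demo.

```python
import hashlib
import math
import random
import tempfile
from collections import Counter
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def entropy_of(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted content sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def build_manifest(repo: Path) -> dict:
    """Baseline: the hash of every file in the repository, taken right after a job completes."""
    return {str(p.relative_to(repo)): sha256_of(p)
            for p in sorted(repo.rglob("*")) if p.is_file()}


def verify_repository(repo: Path, manifest: dict, threshold: float = 7.5) -> dict:
    """Backup jobs and catalog files must never change after they are written, so any
    hash mismatch is a finding; near-random new content is reported as likely encrypted."""
    findings = {"modified": [], "encrypted": [], "missing": [], "new": []}
    seen = set()
    for p in (q for q in repo.rglob("*") if q.is_file()):
        rel = str(p.relative_to(repo))
        seen.add(rel)
        if rel not in manifest:
            findings["new"].append(rel)  # a file the backup software did not write
        elif sha256_of(p) != manifest[rel]:
            findings["modified"].append(rel)
            if entropy_of(p.read_bytes()[:65536]) >= threshold:  # sample first 64 KiB
                findings["encrypted"].append(rel)
    findings["missing"] = sorted(set(manifest) - seen)
    return findings


def demo() -> dict:
    """Constructed sample repository: one backup job plus the catalog it depends on."""
    root = Path(tempfile.mkdtemp())
    (root / "jobs").mkdir()
    (root / "jobs" / "job-0001.bak").write_bytes(b"backup payload " * 4096)
    (root / "catalog.idx").write_text('{"jobs": ["job-0001.bak"]}')
    manifest = build_manifest(root)
    # Simulated backdoor #2 inside the temp dir: the catalog is replaced by high-entropy bytes.
    (root / "catalog.idx").write_bytes(random.Random(7).randbytes(65536))
    return verify_repository(root, manifest)
```

Running `demo()` reports `catalog.idx` as both modified and likely encrypted while the job file is untouched; in practice the manifest itself must live on immutable storage, or it becomes one more thing the backdoor can overwrite.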
Ransomware Backdoor #3: Slowing Down the Recovery Process
The final ransomware backdoor is for the malware to slow down your recovery efforts. If it takes you days or weeks to recover, you may be tempted to pay the ransom. Encrypting backup metadata is one example of slowing down the recovery effort. Ransomware also tries to replicate itself repeatedly, changing its file name to make it hard to detect. As a result, even after you have identified the attack and the source file, there may be dozens of copies of that file scattered throughout your data center’s storage environment. When you restore data into this infected environment, the ransomware rapidly encrypts the restored data a second time.
Close The Backdoor with 360° Ransomware Protection
Closing the backdoor that bad actors are using to exploit your environment is critical to surviving the attack and not paying the ransom. You need to build a wall of protection around your data to make sure that your recovery efforts are not only successful but happen quickly. StorONE’s S1:Backup provides 360° Ransomware Protection that closes the back door and reinforces the “front door.” S1:Backup’s 360° Ransomware Protection provides:
• The full value of block-level backup technologies, enabling you to back up more frequently and lower the recovery point objective.
• The complete immutability of every backup job across any storage protocol, protecting data from a ransomware attack.
• The performance that backup software vendors need to host backup metadata on storage. Once actively used on S1:Backup, all backup metadata is also stored immutably. Most customers also see improved backup application operations, such as searching for file versions.
• A Sterile Recovery Target that delivers production-class performance and features at backup storage prices. S1:Backup will dynamically reallocate its flash tier during recovery to deliver needed performance for these applications or data sets. IT can run S1:Backup as production for weeks while they take the time to complete the necessary forensic work to root out the ransomware trigger files.