Ask any casual computer user about their biggest security concern, and they’ll probably tell you they’re worried about ransomware attacks. These attacks occur when a cybercriminal takes your data or files and demands a ransom.
Ransomware is a pervasive threat to anyone who uses a computer or mobile device. Worse still, attacks seem to be growing more sophisticated and dangerous each year.
However, one of the worst things about modern ransomware is its ability to attack backups. Now isn’t that a terrifying thought?
In this article, I’ll discuss how and why some ransomware target backups and what you can do about it.
Why Does Ransomware Attack Backups?
Ransomware attacks backups for a really simple reason: money.
Consider the nature of even the most basic ransomware. The ransomware covertly installs itself onto a target device and begins encrypting the victim’s files. Once the encryption process ends, the ransomware displays a notification telling the victim that their files have been encrypted and that paying for a decryption key is the only way to get the data back.
With that in mind, imagine you’ve just lost all your data to a ransomware attack. At this point, you have two options to retrieve your data. One option is to pay the ransom and hope you receive a decryption key.
Of course, you have no guarantees since you’re dealing with a criminal. You might never receive the decryption key, or the ransomware author might try to extort additional funds from you.
Your other option is to restore a backup (assuming you have one). This is the best option since the process doesn’t cost you anything (as opposed to paying the ransom). In addition, you don’t depend on a criminal to give you access to your data.
The problem with this is that cybercriminals want to get paid and know your backup is the only thing standing between them and a hefty payment. As such, it’s clearly in the ransomware author’s best interest to disable or destroy your backup. At that point, you may have no option but to pay the ransom.
So how exactly do these attacks target your backups? Let’s explore this further.
How Do Ransomware Attacks Target Backups?
Before answering how ransomware attacks against backups work, I need to explain that ransomware falls into 2 general categories: automated and human-operated attacks. Let’s discuss each one in more detail.
1. Automated Ransomware
Automated ransomware is purely opportunistic. It occurs when you click on a bad link. This ransomware type has certain built-in capabilities, and it can’t do anything that exceeds those capabilities.
Most automated ransomware isn’t designed to attack backups. The reason for this is that every company backs up differently (different products, storage targets, and configurations), so a technique that succeeds against one company’s backups might not work against another’s.
Even so, automated ransomware attacks that target backups exist. Even ransomware that doesn’t specifically target a backup might take other steps, such as disabling the Windows File History.
2. Human-Operated Ransomware
Human-operated ransomware, on the other hand, tends to be much more focused. Usually, an attacker will break into a network and research the victim’s business while exfiltrating their data. The attacker will plant and execute ransomware on the compromised network when the time is right. A human controls this attack, meaning the attacker’s skills are the only limitations.
Human-operated ransomware is far more dangerous for backups because the attack isn’t limited to pre-programmed logic. A human can physically disable or destroy backups at will.
One noteworthy example includes the attacks by the Black Basta gang. In addition to deleting virtual machines and other destructive activities, these attacks target backup agents.
With these attacks becoming increasingly destructive, ensuring that you’re defending your backups against attack has become even more important.
How to Protect Your Backups against Ransomware Attacks
A ransomware attack can happen anytime, and you should prepare yourself and your backups. You have several things you can do to make your backups less prone to attack.
Adhere to Backup Best Practices
The most important thing you can do to protect your backups is to adhere to established backup best practices. More specifically, this means keeping your backup software and agents updated. You should also use dedicated service accounts when possible.
Use Immutable Backup Targets
Another best practice is to store your backups on immutable storage. Immutable storage can’t be modified or deleted for the duration of its retention period. In other words, if your backups are stored on immutable storage, an attacker can’t delete or encrypt them.
However, the caveat is that access to such backups is often protected with a digital certificate or encryption key. If the attacker deletes those certificates or keys, you could lose access to your backups even though the backup data itself is intact. As such, it’s important to keep copies of any keys or certificates in a secure location that is separate from the backup target.
Use Air-Gapped Backups
Air-gapped backups are backups that are completely disconnected from the system once created (think tape backups or backups written to removable hard drives).
An attacker can’t compromise a backup that isn’t mounted. Of course, such backups have a longer recovery point objective (RPO) than standard backups. This means they’re usually used as secondary protection rather than serving as your firm’s primary backup.
Those are some best practices you can implement to protect yourself against a cybercriminal looking to infiltrate your backups. Let’s wrap up!
The Bottom Line
Ransomware can and sometimes does attack backups. As such, it’s super important to ensure you’re taking steps to harden your backups so that they won’t get compromised or disabled during an attack.
Remember not to underestimate a cybercriminal’s skills. It’s easy to think that your systems, networks, and backups are safe. This is a mistake. Take the necessary steps and precautions to ensure you’re in the clear. Solutions such as keeping your backup software up to date and using air-gapped backups are important enough for you to consider implementing.
Do you have more questions about ransomware attacks? Check out the FAQ and Resources sections below!
What is Windows File History?
Windows File History is a Windows operating system feature that retains previous document file versions. Even though the File History feature isn’t a true backup, it allows you to revert to an earlier file version.
Why do some ransomware attacks target Windows File History?
When ransomware encrypts a file, the File History feature interprets that activity as a file modification; essentially, a new file version. Because File History retains the earlier version, the file can be rolled back to its previous non-encrypted state. Ransomware authors want to prevent victims from using File History or other means to get their data back, so they disable it first.
Do all ransomware attacks target backups?
No, you have many ransomware variants that don’t attempt to harm backups. Even so, the practice is becoming increasingly common. It’s important to assume your backups are subject to attack and plan accordingly.
Are there any dangers associated with air-gapped backups?
If you need to restore an air-gapped backup, you must ensure that the system is clean before you begin the restoration. Otherwise, your air-gapped backup could get infected when you mount it.
Are there any other important best practices to consider?
Make sure that whatever backup solution you’re using gives you the ability to restore only those items affected by ransomware. Backups are usually slightly older than your company’s live data, so you never want to restore anything you don’t have to. Otherwise, you might lose some of your data.
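The following is an added example, not code from the original article or any backup product. It shows a content-hash manifest that serves two of the practices above: verifying that a backup copy on a supposedly immutable target has not been altered (the keys-and-certificates point in the immutable storage section applies equally to the manifest, which is kept off the backup target), and listing only the live files that changed since the backup so a restore is limited to what was actually affected. All directory names and file contents are constructed for the demonstration.

```python
# Added example (not from the original article): a SHA-256 manifest that
# (1) detects tampering with backup files on a target that should be immutable
# and (2) lists only the live files that changed since the backup, so a restore
# can be limited to the files ransomware actually touched.
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_manifests(expected: dict, actual: dict) -> dict:
    """Files that are modified, missing or unexpected relative to the manifest."""
    return {
        "modified": sorted(k for k in expected if k in actual and actual[k] != expected[k]),
        "missing": sorted(k for k in expected if k not in actual),
        "unexpected": sorted(k for k in actual if k not in expected),
    }

def verify_backup(backup_root: Path, manifest_path: Path) -> dict:
    """Check a backup copy against the manifest stored off the backup target."""
    expected = json.loads(manifest_path.read_text())
    return diff_manifests(expected, build_manifest(backup_root))

def files_to_restore(live_root: Path, manifest_path: Path) -> list:
    """Live files whose content no longer matches the backup (modified or missing)."""
    d = diff_manifests(json.loads(manifest_path.read_text()), build_manifest(live_root))
    return sorted(d["modified"] + d["missing"])

def demo(workdir: Path = None) -> tuple:
    """Constructed scenario: back up two files, keep the manifest in a separate
    'vault' directory, then damage one live file and one backup file."""
    workdir = workdir or Path(tempfile.mkdtemp())
    live, backup, vault = workdir / "live", workdir / "backup", workdir / "vault"
    for d in (live, backup, vault):
        d.mkdir(parents=True, exist_ok=True)
    (live / "report.docx").write_bytes(b"quarterly report")   # constructed sample data
    (live / "notes.txt").write_bytes(b"meeting notes")
    for p in live.iterdir():                                  # take the backup
        (backup / p.name).write_bytes(p.read_bytes())
    manifest = vault / "manifest.json"                        # kept off the backup target
    manifest.write_text(json.dumps(build_manifest(backup)))
    (live / "report.docx").write_bytes(b"\x00garbage\x00")    # live file damaged after backup
    (backup / "notes.txt").write_bytes(b"tampered")           # backup copy altered on the target
    return verify_backup(backup, manifest), files_to_restore(live, manifest)
```

In the constructed scenario, verifying the backup reports notes.txt as modified on the target (the immutability control failed or was bypassed), while the selective-restore list contains only report.docx, so notes.txt on the live system is left untouched.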
TechGenix: Article on Ransomware as a Service
Learn how ransomware as a service works.
TechGenix: Article on Ransomware and Microsoft 365
Read more on how ransomware could attack data stored in Microsoft 365.
TechGenix: Article on Ransomware
Find tips for negotiating with ransomware gangs.
CISA: Resources on Ransomware Prevention
Discover CISA’s ransomware prevention resources.
Check Point Software: Article on Ransomware Attacks
Read more on how ransomware attacks work.
FBI: Guide on Avoiding Ransomware
Discover the FBI’s tips for avoiding ransomware.