Recent ransomware victims thought their data stored in cloud applications such as Dropbox, OneDrive, SharePoint and Google Drive was secure – but unfortunately they were wrong.
After a series of recent attacks in which several firms were hit by ransomware, the UK National Cyber Security Centre (NCSC) has been forced to update its guidance for businesses on how to deal with the fallout from an attack and backup data effectively.
In this article, we look at the nature of the attacks, the role of the cloud and networks, the pros and cons of relying only on cloud applications for backups, and how your business can secure its critical data.
What happened?
In the recent wave of ransomware attacks, the affected organisations were not only hit by the ransomware itself: because their backups had been left exposed on the same networks, the attackers were able to encrypt those backups too. This created a double whammy in which even the backup data was encrypted and therefore unusable – and all because it was still connected to the network when the attack happened.
Learning from this mistake
Backups of critical data are an essential ingredient for mitigating the potential damage of a ransomware attack, and they need to be in place before it happens.
The NCSC’s updated guidance places increased emphasis on the importance of offline backups. As the latest ransomware attacks have proven, even when essential data is fully backed up in the cloud or on a network, it can still be vulnerable, and as a result it can still be held to ransom in exactly the same way as if it hadn’t been backed up at all.
Don’t forget offline
While offline backups have always formed an important part of a backup strategy, the recent round of ransomware incidents, such as those involving the Trickbot banking trojan, have served as a harsh reminder that they must not be overlooked and deserve a higher emphasis.
Hacks are becoming more and more sophisticated
The best way of securing business data against ransomware attacks is clearly to prevent the attack from happening in the first place. But with cyber criminals and attack methods becoming more and more sophisticated, it’s also crucial to have regular and fit-for-purpose backups of important data and files.
As evidenced by the recent attacks, businesses should ensure that offline backups are kept separate from online networks, or in a cloud designed specifically for these backups.
Don’t have your head in the cloud(s)
Well, not all of it. Cloud clearly has many benefits, and with more and more data being added every second, it’s the present and the future.
But in its latest guidance, the NCSC urged caution in relying on cloud-syncing platforms such as Dropbox, OneDrive, SharePoint and Google Drive as the only home of backed-up data. The main risk with this backup strategy is that the data synchronises straight after a ransomware attack, so the encrypted files overwrite the synchronised copies as well, rendering the backup useless.
What’s the solution?
Building resilient and robust backups is the key to avoiding significant damage to your business during and in the aftermath of a ransomware attack. The NCSC recommends the 3-2-1 rule of at least three copies, on two devices, and one offsite.
One of the key offerings of ORIIUM’s data protection services is the protection of data against such attacks. Being a cloud-based solution, our service offers protection against both ransomware and malware. In relation to the recent attacks, an on-premise infestation of this type of software cannot affect our cloud-based data or systems as there is no way for it to be transmitted regardless of whether an onsite cache (appliance) is used or not.
How secure is it?
Our system uses a proprietary port to communicate with onsite backup agents and appliances. The software communicating over this port uses proprietary Commvault code, meaning that there is no way for a malicious file to be transmitted via this port and for it to infect our cloud-based systems.
For the communication of data itself, we use industry standard SSL encryption and outward port initiation (one-way firewall rules to a proxy in our DMZ), and as such all communication is completely secure. This then provides our customers with the reassurance that if their business data is infected by ransomware or malware, their cloud-based recovery points cannot be infected. The same cannot be said for production data in cloud based applications using native data protection capabilities, which are typically stored within the same cloud platform. Using an ORIIUM data protection service provides secure recovery points for both your on-premise and cloud based data.
Rapidly diagnose the extent of the problem
Alerts as to which data may have been infected by ransomware or malware are provided by a data integrity check performed as the data is being processed. This provides real-time detection of potentially infected files and is intended to complement traditional server-based anti-virus protection tools.
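The article does not describe how the integrity check works. As an added illustration, not ORIIUM’s or Commvault’s code, the following shows one way a backup agent could flag probable ransomware-encrypted files while processing them: a Shannon entropy test (ciphertext sits close to 8 bits per byte, ordinary documents well below) combined with a check that a file’s header still matches what its extension promises. The signature table, the 7.5 bits/byte threshold and the sample files are constructed for the demonstration.

```python
"""Added example: per-file integrity check for a backup stream.

Not ORIIUM's or Commvault's code. Two heuristics are combined, both
assumptions for this demo rather than anything the article describes:
  1. Shannon entropy of the contents: encrypted data is near 8 bits/byte.
  2. Magic bytes: a file whose extension promises a known format but whose
     header no longer matches has probably been overwritten in place.
"""
import math
import os
import random
from collections import Counter
from dataclasses import dataclass

# Constructed subset of file signatures; real software would use a fuller table.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}
# Formats that are legitimately high-entropy (already compressed or encrypted).
HIGH_ENTROPY_OK = {".zip", ".docx", ".png", ".gpg", ".7z"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed value for this demo


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Verdict:
    path: str
    entropy: float
    magic_ok: bool
    suspicious: bool
    reason: str


def check_file(path: str, data: bytes) -> Verdict:
    """Classify one file as it passes through the backup job."""
    ext = os.path.splitext(path)[1].lower()
    ent = shannon_entropy(data)
    expected = MAGIC.get(ext)
    magic_ok = expected is None or data.startswith(expected)
    reasons = []
    if not magic_ok:
        reasons.append("header does not match extension")
    if ent > ENTROPY_THRESHOLD and ext not in HIGH_ENTROPY_OK:
        reasons.append(f"entropy {ent:.2f} bits/byte for a normally low-entropy type")
    return Verdict(path, ent, magic_ok, bool(reasons), "; ".join(reasons) or "ok")


def scan_backup_stream(files):
    """Run the check over (path, bytes) pairs; return only the flagged verdicts."""
    return [v for v in (check_file(p, d) for p, d in files) if v.suspicious]


# Constructed sample data. Deterministic pseudo-random bytes stand in for
# ciphertext so the demo behaves the same on every run.
_rng = random.Random(1)
_ciphertext = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_FILES = [
    ("notes.txt", b"Quarterly planning notes. Action items follow.\n" * 40),
    ("invoice.pdf", b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n" * 50),  # intact
    ("archive.zip", b"PK\x03\x04" + _ciphertext),  # intact; high entropy is normal here
    ("report.pdf", _ciphertext),                   # contents encrypted in place
    ("photos.zip", _ciphertext),                   # header destroyed by encryption
    ("budget.xlsx.locked", _ciphertext),           # renamed with an unknown extension
]


def flagged_paths(files=SAMPLE_FILES):
    """Paths that would raise an alert for the given backup stream."""
    return sorted(v.path for v in scan_backup_stream(files))


if __name__ == "__main__":
    for v in scan_backup_stream(SAMPLE_FILES):
        print(f"ALERT {v.path}: {v.reason}")
```

Note that the zip whose header was destroyed is caught by the magic-byte check alone, since its entropy is expected to be high anyway; the renamed file is caught only by entropy, because no signature is known for its new extension. Either heuristic on its own would miss one of the two cases, which is why a backup-time check benefits from combining them.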
For on-premise elements, we take steps to minimise the risk exposure. These steps include:
- Locking the appliance system down to ORIIUM-held credentials only.
- Not joining the appliance to the customer’s domain, which is not a requirement for our backup system to function effectively.
Access from other systems on the network is thus restricted.
What’s the fallback plan?
We do not advertise shares from the appliance, and all backup activity is performed over proprietary protocols, meaning that there is minimal chance of a virus being able to move to the appliance.
If for any reason the appliance were compromised, having a cloud-based copy of the data means that there is always a reliable backup to restore from. When the copy takes place, the data undergoes an additional integrity check, and ORIIUM would be notified if the data had been infected. Even if infected data were transmitted, there would be no way for it to infect other cloud-based data as the backup data is saved in a proprietary format and there is no way for it to be ‘run’ within an operating system.
From a user access perspective, both of our consoles are secured with SSL and are audited. We do not allow standard users to delete backup data and so if compromised, a user’s session cannot be used to perform a malicious attack.
References
https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/
https://www.bbc.com/news/uk-england-tees-51651405
https://www.ncsc.gov.uk/blog-post/updating-malware-ransomware-guidance
https://www.ncsc.gov.uk/blog-post/offline-backups-in-an-online-world