Ransomware and the Importance of Immutable Backups

The rise of ransomware attacks is one of the biggest concerns that organisations face today. With the exceptional growth in ransomware over recent years, organisations are forced to consider whether they could recover if they were breached. Unfortunately, organisations tend to realise their unpreparedness only once an attack has already hit, when it is too late.

First, let us look at ransomware from the attacker's perspective. The attacker's goal is to eliminate an organisation's access to every copy of its data, so that the only remaining option is to pay the ransom. In a ransomware attack, the aim is not to control the primary data but to remove every route the organisation has to recovery.

This is what makes standard backups vulnerable to ransomware: attacked organisations routinely find that their primary data stores and their backup files have both been encrypted, leaving every copy of their data unusable.

More often than not, backup systems are not segregated from production systems. In many cases, attackers can easily reach a company's on-premises backup system, and the ransomware encrypts the backups along with everything else on the network. There is also the added threat of "sleeper attacks", in which ransomware has been deployed but goes undetected for some time, lying seemingly dormant while it encrypts files in the background. While a sleeper attack goes undetected, the already-encrypted files are backed up repeatedly along with the company's other data; by the time the encryption is triggered and everything is locked, the backups have been compromised as well.

Therefore, organisations need a way to ensure that, no matter what, they can recover sufficiently to continue operating after an attack. The only way to guarantee that your organisation holds an uncompromised copy of its data is to keep a backup that cannot be altered in any way, known as an immutable backup.

What is an Immutable Backup?

An immutable backup is a backup object, a file or a data set, that is fixed and cannot be altered or tampered with, meaning that it cannot be encrypted or deleted during a ransomware attack. Any attempt to change the data after the backup was created is rejected, so the stored copy stands as a barrier against the attack. Having an immutable backup supports direct recovery from ransomware, because you always have a clean copy to restore from. Immutable backups are also safe from non-malicious data-loss events such as accidental overwriting or deletion, and they help you meet regulatory data-compliance requirements by ensuring that accurate copies of your data are retained.

Immutable backups, both on site and in the cloud, must be frozen as read-only. Different storage systems achieve this with different features, but in general the mechanism is based on snapshots.

What is a Snapshot and How Does it Work?

Snapshots give customers the ability to roll back to uncorrupted copies of their data taken before the attacker's code was executed. The customer can then ignore the ransom demand, purge the effects of the intrusion from their systems and continue business as normal.

Snapshots are not backups, and they are not simply copies of data. They are a record of the state and location of files, and of the blocks that make up those files, at a specific point in time to which a customer can roll back. Such a record may comprise more than the state alone, including metadata, deleted data, parent copies and so on, all of which need to be retained.

Snapshots are inherently immutable, because they are write-once-read-many (WORM). Storage and backup suppliers have added features such as encryption and snapshot-locking mechanisms, which prevent the snapshot data from being moved or mounted externally, with multi-factor authentication (MFA) required to manage them.

With no one, not even administrators and certainly not ransomware, able to access, move or delete the snapshots, customers should always have clean copies of their data available following a breach.

What is Required for Reliable Restoration from Backups?

The minimum requirements extend the familiar backup and restore principles:

  • Keep the management of your backup IT infrastructure segregated from your production environment:
      • network segmentation
      • a separate management domain
      • strictly controlled access via a jump host and MFA
  • Keep data backups on three different media, in two different locations, with one offline (3-2-1). Nowadays, the offline medium can be substituted by immutable storage; however, we recommend implementing immutability in all locations
  • Strict and regular monitoring, via at least two independent mechanisms
  • Regular test restores, preferably automated
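The two controls above that are easiest to automate are the regular test restore and the detection of a "sleeper" attack that has been quietly feeding ciphertext into successive backup runs. The following added example (not Vivid Adapt's code, and not part of the original article) uses constructed sample data with hypothetical file paths: it records a SHA-256 manifest alongside a backup, checks that a test restore returns every file bit-for-bit, and flags files whose byte entropy has jumped between two consecutive runs, which is what plaintext silently replaced by ciphertext looks like.

```python
import hashlib
import math
import random
from collections import Counter

# Constructed sample backup set (hypothetical paths) as captured by the previous backup run.
PREVIOUS_RUN = {
    "finance/ledger.csv": b"date,amount\n2024-01-01,100\n2024-01-02,250\n" * 20,
    "hr/policy.txt": b"Employees must report incidents within 24 hours.\n" * 20,
}
# Constructed "sleeper" scenario: the ledger was encrypted in the background on the
# production host before the next run, so the new backup copied ciphertext (random bytes here).
_rng = random.Random(7)
CURRENT_RUN = dict(PREVIOUS_RUN)
CURRENT_RUN["finance/ledger.csv"] = bytes(_rng.getrandbits(8) for _ in range(2000))

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> dict:
    """Path -> SHA-256 recorded at backup time; store it with the immutable copy."""
    return {path: sha256_hex(data) for path, data in files.items()}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text and CSV sit well below 6, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def verify_restore(manifest: dict, restored: dict) -> list:
    """Automated test restore: every file in the manifest must come back bit-for-bit."""
    problems = []
    for path, expected in manifest.items():
        if path not in restored:
            problems.append(f"missing: {path}")
        elif sha256_hex(restored[path]) != expected:
            problems.append(f"hash mismatch: {path}")
    return problems

def flag_sleeper_encryption(previous: dict, current: dict, jump: float = 2.0) -> list:
    """Flag files whose entropy rose by at least `jump` bits/byte since the previous run."""
    # A sharp rise in entropy on a file that is normally text is the signature of ciphertext.
    return [
        path for path, data in current.items()
        if path in previous and shannon_entropy(data) - shannon_entropy(previous[path]) >= jump
    ]
```

Run `verify_restore(build_manifest(PREVIOUS_RUN), restored)` against every test restore, and run `flag_sleeper_encryption(PREVIOUS_RUN, CURRENT_RUN)` before a new run is accepted into the immutable store so that a compromised run is quarantined rather than retained.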

Vivid Adapt works with a wide range of business organisations to assess and improve their ability to recover from attacks and to protect themselves fully against ransom demands by designing and managing immutable backups, allowing fast recovery if your organisation experiences a cyber-attack.

Vivid Adapt

Vivid Adapt's team of industry-experienced professionals supports a range of backup solutions and assessment services that help you understand your current state of vulnerability, identify gaps and strengthen your overall backup strategy. Services include:

  • Current state
  • GAP analysis
  • Risk register
  • Project Pipeline

Vivid Adapt is a European Managed Security Services provider with offices across Europe. If you are interested in improving your security systems, please contact us using the form found at the bottom of the page or email us at info@vividadapt.com.
