Continuity Centers

Protect Your Backups from Ransomware



Hackers have taken advantage of the disruption caused by COVID-19 to sow chaos and extract ransom from unwitting companies and municipalities. A study by security software company Check Point found that ransomware attacks increased by 50 percent worldwide and doubled in the United States since the beginning of the pandemic. Ransomware is claiming a new victim every 10 seconds. It has targeted schools, municipalities, and healthcare concerns where data is currency. But even non-essential businesses, a watch-maker and a potato chip factory, for example, have been targeted successfully by hackers this year.

While nothing is foolproof, enlisting a workplace recovery partner with proper protocols and best practices can tilt the odds heavily in your favor in the ongoing battle against ransomware.

First, though, let’s look at the attackers. Bored college kids aren’t unleashing ransomware. Ransomware is increasingly carried out by organized criminals driven by one thing: money. Data is secondary. Cash is the top goal, and that has caused tactics to shift recently. Consider this report by Cybercube:

Organized criminals and hackers are moving away from high volume, low-value methods of attack against private individuals. Instead, they target senior managers with access to bank accounts and who can authorize payments.

Ransomware attacks are not generally launched by teenagers with too much time on their hands; this is a battle against seasoned criminals.

Anatomy of an attack


The “professional hackers” are different from the more amateurish ones of yesteryear, who relied on someone to click a link. The software would run and do as much damage as possible, but it wouldn’t get everything. Today’s hackers will get onto your network by brute force or phishing, stay logged in, and monitor it for weeks before launching the attack.

This phase is known as the “Reconnaissance Phase.” This is where the criminals analyze your network, learn about your backups and as much about your network as required to customize the attack, and then pick a launch day. The criminals will log into the backup device, delete your backups, do everything to ensure you can’t get data back, and then launch the attack. These are human hackers, not just software, carrying out sophisticated, focused attacks on your company specifically. They pick their targets based on revenue. They want companies that can pay the ransom.

Finding a Disaster Recovery as a Service (DRaaS) partner that is well-versed in the world of ransomware is your best defense. A ransomware attack isn’t just costly from paying the ransom; the resulting poor publicity and potential legal jeopardy can be downright crippling.

Insider Threat Protection: Your DRaaS partner should offer this because it protects against both hackers and disgruntled employees. If an employee or a hacker gained access to the server, they could delete the backups, which would be a nightmare. Insider threat protection keeps your data in a recycle bin even after the malicious actor “deletes” all your backups. Customers should then be able to call their DRaaS partner and undelete the backups instead of the data just being gone. Think of it as a recycle bin for backups.

This is something you should demand in DRaaS and is only available on S3-compatible storage. This will make your data non-deletable for whatever period is selected, whether six months or six years. Not every DRaaS provider invests in building out S3-compatible storage, but the price is worth the peace of mind.
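As an added illustration (not from the original article or any provider's tooling), here is a check you could run against the settings of a backup bucket, assuming the non-deletable feature described above is S3 Object Lock. The input dictionaries mirror the responses of the S3 GetObjectLockConfiguration and GetBucketVersioning calls; the sample values and the 180-day minimum are constructed assumptions.

```python
# Added example: audit a backup bucket's S3 Object Lock settings.
# The dicts mirror GetObjectLockConfiguration / GetBucketVersioning responses.
# All sample values and the 180-day policy floor are constructed assumptions.

MIN_RETENTION_DAYS = 180  # assumed policy floor ("six months")


def retention_days(default_retention):
    """Convert a DefaultRetention block (Days or Years) to days."""
    if "Days" in default_retention:
        return int(default_retention["Days"])
    return int(default_retention.get("Years", 0)) * 365


def audit_backup_bucket(lock_response, versioning_response,
                        min_days=MIN_RETENTION_DAYS):
    """Return a list of findings; an empty list means the bucket passes."""
    findings = []
    if versioning_response.get("Status") != "Enabled":
        findings.append("versioning is not enabled (Object Lock requires it)")
    cfg = lock_response.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is off: backups can be deleted")
        return findings
    default = cfg.get("Rule", {}).get("DefaultRetention")
    if not default:
        findings.append("no default retention: uploads are unlocked "
                        "unless each one sets its own retain-until date")
        return findings
    if default.get("Mode") != "COMPLIANCE":
        # GOVERNANCE can be lifted by anyone holding
        # s3:BypassGovernanceRetention, e.g. a stolen admin credential.
        findings.append("mode is %s, which privileged users can bypass"
                        % default.get("Mode"))
    days = retention_days(default)
    if days < min_days:
        findings.append("retention is %d days, below the %d-day minimum"
                        % (days, min_days))
    return findings


HARDENED = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 6}}}}
WEAK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
VERSIONED = {"Status": "Enabled"}

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_backup_bucket(cfg, VERSIONED) or "OK")
```

A bucket that passes has versioning on, Object Lock enabled, a compliance-mode default retention, and a retention period at or above the minimum you set.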

A DRaaS partner that uses an air gap as a protective measure makes your data physically impenetrable. After the customer sends the data, it is written to tape, and the tape is taken out of the drive and stored securely, disconnected from the Ethernet.

Proper Tools: A good DRaaS partner will use the best anti-ransomware weapons available. Veeam is one of the most powerful backup and recovery tools on the market. For instance, here is a review on Gartner: “Veeam was brought in to replace a backup solution that was plagued with issues and has met or exceeded our expectations. The setup was relatively straightforward and it has worked without major issues for the past year.” A high-end DRaaS provider will employ best-in-breed tools like Veeam to protect your business.

Separation: You want your data stored on a network that is logically and physically separate from your production network, and a DRaaS provider who takes security seriously can provide that. This ensures that when a hacker launches an attack on your network, they cannot get into the MSP that provides the DRaaS; the two are physically separate. Many businesses do their own backups and don’t use a service provider, which can cause problems.

To adequately protect your data, you need your data in a completely separate entity so that the same credentials used to hack you will not give them access to where you store offsite backups.

Many MSPs and DRaaS providers sell only the backup hardware/software and leave you to manage its effectiveness throughout the year. But human error or malicious intent can enter in, and if there is a setting error or some other glitch, your backups are useless. And when disaster strikes, you will be completely on your own, as their services usually do not offer you help with the recovery process. The best partner will provide a service that ensures that backup mistakes will never happen because they monitor backups 24/7 and resolve any issues as they occur.

Another thing to look for in a vendor or partner: if there is a disaster, you want to be able to pick up the phone and call a familiar hand that knows your environment. Your DRaaS partner will know your business model, rebuild your operations at either your data center or theirs, and give your employees remote access. Look for a provider who bundles that into their service and offers the ability to run through regular business continuity exercises of getting you back in business.
