Introduction
Ransomware is everywhere. It causes huge disruption by encrypting data on computer storage, so that it cannot be read, with a ransom to pay to decrypt/recover it. This criminal activity is very common, causing enormous damage to both small and large organizations, with victims paying millions of dollars (usually in Bitcoin) to undo the damage. Often, crucial data is permanently lost. Criminal organizations profit and this activity is on the rise.
Before we look at ways to protect against a ransomware infection with good backups, the main focus of this article, here’s a checklist of actions to take to ensure you avoid malware infection in the first place.
- Use Anti-Malware/Virus protection products and keep them up to date
- Use complex keywords and/or password management software
- Never open attachments and links in suspicious email
- Avoid downloading software from untrusted sources
- Update OS, browser, plugins and apps regularly
- Leave websites that use popups aggressively and force you to click to accept content
- Use a non-administrator account on your computer
- Use the tools of your OS to protect your machine (firewall, safety scanner etc.)
In the remainder of this article, we will explain how to create backups and archives of your data that are, as far as possible, impervious to attack. A combination of strategies to avoid attack and a ransomware-proof backup strategy is the best policy, in our opinion.
Remember 3-2-1
It’s worth reiterating the well-known 3-2-1 backup technique to begin with. The 3-2-1 backup rule is an industry-standard approach to ensuring your data is protected during a disaster. The rule suggests keeping at least 3 copies of your important data, on 2 different storage types, with at least one backup being stored outside of your usual production environment. It’s a simple rule, and if your current backup strategy needs expanding to comply, make that a priority.
Unreachable backups
Ransomware finds files and encrypts them. If a computer becomes infected, it likely will be successful with this encryption, because local filesystems are ‘reachable’. You can read and write files on your disks, and so can ransomware running on your computer. Not just internal drives, but attached USB drives and network drives.
If you make backups to storage that is also ‘reachable’ by the ransomware, then your backups will also become encrypted. Whether the backups consist of individual files/folders copied to another location, or you use backup software that writes ‘containers’, either backup can be attacked.
Containers are files written by backup software that store multiple source files in a single larger container file. Rather than making discrete copies of individual files, backup software will often write it’s own container files, with your files buried inside. These backup containers often have a proprietary internal structure and might be large in size. They can still be encrypted by ransomware however, they don’t provide protection.
For backups to be safe from ransomware, they have to be ‘unreachable’.
Storage attack vectors (how does ransomware cause damage)
Once a computer becomes infected by ransomware, the malicious software will attempt to access files available to it, and replace the originals with encrypted versions that you can no longer read. This is important, it’s not enough for the malicious software to simply delete your data, it has to be able to read files, encrypt them by writing new files, and then delete the originals. The business-model for ransomware requires this, it’s your money they’re after!
The malware will prioritise files deemed to be most valuable to the owner, to cause maximum harm and increase the chances of the ransom being paid. Files that comprise the operating system will likely be ignored, while documents and media files (photos/video) will be targeted. Ransomware will be able to perform this encryption across all disks connected to the computer. These disks might be physically connected (either internal or via USB or other connections) or externally ‘mounted’ using a network. In both cases, ransomware could encrypt files and therefore cause damage across all these disks. Malware will also propagate through a network, attacking other computers and the disks attached to them.
Any filesystem that malware can write to is at risk of attack. Therefore backups and archives created by copying files/folder to a filesystem are not safe, because the copies might be encrypted as well as the originals.
Ransomware-proof (unreachable) storage alternatives
Let’s look at two types of storage that are unreachable to malware.
LTO Tape – The combination of a tape drive or library/jukebox and the tapes themselves allows data to be written by software specifically designed to talk to this type of hardware, including Archiware P5 Backup and P5 Archive. The great characteristic of tape is, any file stored cannot be overwritten. Tapes, by their nature, can only be appended to (data added to the end of the tape) or erased entirely and rewritten from the start. This behaviour is baked into the physical design and cannot be circumvented. Therefore, malware cannot encrypt data on tape because:
- Original file versions cannot be replaced by encrypted versions and removed from tape
- If an entire tape is erased, no ransom is possible, the data is simply lost.
In addition to this fundamentally useful feature of tape, add that:
- Tapes removed from the drive or library cannot be modified at all in any way. They are ‘air gapped’ on a shelf or in a safe.
- Special drivers are required by an operating system to use tape hardware at all and are not included (as they are for most disk devices) by default. Unlike the standard software drivers to access hard disks and SSDs, there are many different ways to address tapes and tape drives.
- Backup software, including P5 Backup, often writes tapes in a proprietary format that will not be understood by ransomware.
Cloud Storage – This category of storage consists of servers hosted in data centers, with attached disks storage, available to rent. Vendors like Google, Amazon, BackBlaze and MicroSoft all provide such storage, sometimes referred to as ‘object storage’, on a ‘pay for what you use’ basis. Such storage is a popular choice for backups, as it’s inherently off-site (see 3-2-1 above) and has no upfront capital purchase cost to get started.
In order for ransomware running on a customers computer to gain access to this cloud storage, various access authentication credentials are required. Backup software will generally store these credentials internally. So our cloud storage isn’t open to attack in the same way that local disk storage is.
Many cloud vendors include an ‘immutable’ for stored data. Once written, such data cannot be modified or deleted.
Recovering from a ransomware attack
If backups are taken regularly and stored on tape or cloud and are therefore unreachable to ransomware, you’ll be in a position to restore data back to affected computers.
While a compromised machine may have a bootable operating system with encrypted data, do not assume that you’ve been successfully able to remove the ransomware from the OS. Re-install the operating system, or recover from a known clean OS image before proceeding to recover data from the backup. There’s really no way of being 100% sure that you’ve removed ransomware from a computer. The only safe way to proceed is to reinstall the OS and application stack from a source known to be safe.
Conclusions
Take sensible precautions to avoid infection by ransomware. Within an organisation, this should cover all servers and workstations. Employ the 3-2-1 technique to have redundancy across your backups. Ensure that one of your backups resides on storage that is effectively unreachable to ransomware running on an infected machine. This way, in the unfortunate event of an infection, you’ll have at least one backup that can be recovered.
Finally, do not assume that any infected machine can be ‘cleaned’ effectively. Assume the worst and rebuild operating systems from trusted sources.