By David Fox
In this article, we’ll explore the risks posed by ransomware and how to mitigate them by planning and implementing a thorough backup strategy that is resistant to the threats posed by malicious software. Large-scale ransomware attacks are frequently in the news, and organizations are reportedly investing in insurance policies that pay criminals the ransom in order to recover data.
We’ll show that, with a carefully planned backup strategy, using tried and trusted techniques, it’s possible to mitigate the risk posed by many of the types of ransomware currently in use.
Nature of a Ransomware attack
The US ‘Cybersecurity and Infrastructure Security Agency’ (CISA) defines ransomware as follows:
“…a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website. Ransomware can be devastating to an individual or an organization.”
A ransomware attack typically begins by identifying ‘valuable’ files on all disks and network shares attached to the compromised host computer. These ‘valuable’ files are usually identified by known file types, e.g. .DOC, .JPEG. The files are then encrypted using an encryption key known only to the attacker and unique to the computer. The ransomware leaves behind instructions for the victim, providing a bitcoin wallet address or similar and a ransom amount. Payment results in the key needed to decrypt the files being made available.
It is not usually the intention of ransomware to modify files comprising the system software / operating system / application stack. The criminals behind the attack need the computer to remain operational and bootable so that the incentive to pay and have everything decrypted is effective.
Disaster recovery (DR) strategies and their effectiveness
Broadly speaking, there are two types of DR techniques in use:
- Cloning/Replication – individual files/folders are copied to another location/disk on a repeating schedule; cloud storage could also be used as the target. Previous versions of files might also be retained to provide the possibility of accessing previously deleted/overwritten files.
- Backups – files/folders are written into ‘containers’ on disk/tape/cloud storage. A database or index of what is stored within the containers is used to identify files/folders and make selections for restoring. This index also needs to be protected from ransomware, ideally by being included in the backup itself. See bare-metal-restore.
The litmus test for determining if a DR strategy will protect against ransomware is to look at the target storage where your backed up data resides, and determine if ransomware could also encrypt the precious backup copy.
The term ‘air gap’ below refers to target storage that can be physically disconnected from the host computer – surrounded by air, rather than attached to the computer and accessible. (An alternate use of the same term describes a computer that has no internet connection.)
- Cloning/Replication to disk – typically a network share or an additional hard disk drive/array is used. Since this technique creates duplicates of the original data, it is entirely possible that the backup copies can also be encrypted by the ransomware. In addition, previous versions of files and folders containing point-in-time snapshots might also be in the scope of the ransomware and be encrypted as well.
- Cloning/Replication to cloud storage – depending upon the software used to write the backups, the files residing on cloud storage may or may not be mounted as a filesystem on the host computer. While mounted, the backup data is potentially at risk from ransomware.
- Backups to disk – storage containers on disk are also at risk of attack. As noted previously, ransomware typically avoids encrypting file types that it doesn’t understand, and container files might fall into this category, but the risk is large and there is no guarantee that such data will not also fall foul of the attack. Cartridge-style disk systems, like RDX, can be physically detached from a computer, introducing an ‘air gap’ that the ransomware cannot pass. WORM (write once, read many) disk products are available where data can be added but not removed – such devices should be immune to attack.
- Backups to tape – using physical tapes as storage containers is a far safer technique, since tapes are not typically mounted as filesystems that the ransomware can see and make changes to. With the exception of LTFS (more on that below), tapes require special software to be written to, and thus are impervious to ransomware attack. Tapes that are on a shelf rather than inserted into hardware have the benefit of an ‘air gap’ and cannot be attacked.
- Backups to cloud – where containers are written within cloud storage, there is some risk of attack because it’s difficult to introduce a real ‘air gap’ without having physical access to the storage.
There are nuances in the various scenarios outlined above that might cause confusion regarding what is safe and what is not. Therefore, it’s important to reduce the list of possible strategies to those that can genuinely be considered safe.
Cloning/replication should not be considered safe from ransomware attacks. That isn’t to say that such a method doesn’t have many advantages; it just should never be the only form of backup that an organization employs. Many companies use a clone to keep an on-site (and quickly accessible) backup, but then also use a tape backup in addition. As a rule of thumb, a single backup is never enough to truly protect data anyway – have at least 3 copies, on 2 separate types of media, for each 1 file you want to protect. 3-2-1. For example: cloning disk to disk + tape backup + cloud backup.
Backups to storage containers are safe from ransomware attack providing the containers cannot be written to by the ransomware. In the case of disk storage, it should not be left permanently attached to the host computer. If the container is left attached, there is some risk.
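As an added example (not part of the original article or any Archiware product), here is a Python check a defender can run against a clone/replication target after each cycle. It applies the litmus test above by looking for files of the ‘valuable’ types whose contents no longer match their extension and look like ciphertext, which is what an encrypted backup copy would look like. The signature table and the entropy threshold are assumptions chosen for this example.

```python
import math
import os
from pathlib import Path

# Header signatures for common 'valuable' file types (constructed for this example;
# extend with the formats that matter in your environment).
SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
    ".doc": (b"\xd0\xcf\x11\xe0",),                         # legacy OLE compound document
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",),  # OOXML is a zip container
}
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits close to the 8.0 maximum (assumed cut-off)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify(name: str, head: bytes) -> str:
    """'ok' if the header matches the extension; 'suspicious' if it does not and the bytes
    look like ciphertext; 'unknown' if the type is not in the table or the mismatch is
    low-entropy (e.g. a mislabelled text file)."""
    sigs = SIGNATURES.get(Path(name).suffix.lower())
    if sigs is None:
        return "unknown"
    if any(head.startswith(s) for s in sigs):
        return "ok"
    return "suspicious" if shannon_entropy(head) > ENTROPY_THRESHOLD else "unknown"

def scan_target(root: str, head_bytes: int = 4096) -> dict:
    """Walk a clone/replication target, tally file states and list suspicious paths.
    A compressed format stored under the wrong extension (a PNG named .jpg) also reads
    as suspicious, so treat hits as a signal to verify the copy, not as proof."""
    report = {"ok": 0, "suspicious": 0, "unknown": 0, "files": []}
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                state = classify(f, fh.read(head_bytes))
            report[state] += 1
            if state == "suspicious":
                report["files"].append(path)
    return report
```

A non-zero "suspicious" count on a target that was clean after the previous cycle is the moment to stop the replication schedule and restore from the tape or other air-gapped copy instead of overwriting it.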
LTO LTFS: Generally, LTO tape storage, because it is not mounted as a filesystem, is safe from ransomware attack. A possible exception is LTFS (Linear Tape File System), which partially replicates the functionality of a hard disk using LTO tape. Because LTFS tapes can be mounted into a computer’s operating system like a hard disk, there is a risk that ransomware might gain access to backup data replicated to LTFS and begin writing an encrypted version of the original contents. In reality, however, this is more of a cosmetic problem, since the original ‘good’ versions of the files on the tape would still exist and could be recovered.
Our recommendations here are simple. Make at least one of your backups to LTO tape, ideally using Archiware P5 Backup. P5 Backup writes backup data to tape and indexes the contents on disk; the index is also saved back to the tape. So even if the disk-based index files are attacked, they can always be recovered from the tape.
Use other techniques, perhaps P5 Synchronize, to perform disk-based replication, but don’t rely on a single backup technique. Remember 3-2-1. Have at least 3 copies, on 2 separate types of media, for each 1 file you want to protect.