How Backup can be an Effective Defense Against Ransomware
Security tools, including mail filtering, malware scanning, firewalls, and network monitoring, can help, as can timely patching and restricting the access rights of network users. But the most effective defense is a robust data-protection backup regime.
Fremont, CA: Ransomware is the fastest-growing cyber-crime problem today. The key to avoiding ransomware demands is to keep robust and well-tested backups. This means ensuring that good, clean backups are made regularly, that they are detailed and comprehensive, and probably that they are "air gapped" too. It also means that backup procedures and activities should be checked and evaluated on a regular basis.
Ransomware has three essential parts: the initial attack or distribution of the malware payload, the encryption of the victim's data, and communications back to the attacker. Malware uses various routes to target organizations, and social engineering plays a key role: about one-third of ransomware attacks come from users uploading malicious files or opening emails with malicious links. But ransomware also spreads through direct server attacks, email malware attachments, and cloud resources.
Review and Update Backup Policies
The strongest defense against ransomware is the ability to recover data from clean backups. If a company pays a ransom, there is no assurance that the perpetrators will hand over the decryption key. Restoring from backups is more effective, cheaper, and does not require handing money to offenders.
Backups, however, only work if they are complete and detailed. CIOs should order a comprehensive audit of all locations where business data is held. It is all too easy for vital data to be left out of a backup plan, whether it is stored on local systems or in the cloud.
Air Gap Business Data
The solution is for CISOs to complement cloud backups with tape or other mechanical backup media. The cloud may serve as an off-site copy, but keeping another dataset on tape, and keeping those tapes strictly offline, is the most secure way to "air gap" data from ransomware attacks.
Make Regular Backups, and Review Retention Policies
CIOs should review policies on the extent of backups, mainly how much data is backed up to off-site locations (including the cloud) and to mechanically different media, such as tape. It may be that more frequent backups are required. IT teams should also evaluate how long they retain backups, particularly on their air-gapped media. Ransomware also uses time delays to avoid detection, or "attack loops" to threaten seemingly clean systems.
Organizations may need to go back through multiple generations of backups to locate clean copies, which calls for longer retention and probably more copies. Maintaining separate backups for sensitive business systems can also make recovery easier.
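The two retention questions raised above, how many generations to keep and which generation is still clean once a compromise date is known, can be made concrete with a small scheduler. The following is an added example, not code from the article or from any backup product; the snapshot dates, the grandfather-father-son (daily/weekly/monthly) policy and the margin for attacker dwell time are constructed assumptions for illustration.

```python
from datetime import date, timedelta


def sample_snapshots(last_day, days):
    """Constructed sample: one backup snapshot per calendar day, ending on last_day."""
    return [last_day - timedelta(days=i) for i in range(days)]


def gfs_keep_set(snapshots, daily=7, weekly=4, monthly=12):
    """Grandfather-father-son retention.

    Keeps the most recent `daily` snapshots, the latest snapshot of each of the
    most recent `weekly` ISO weeks, and the latest snapshot of each of the most
    recent `monthly` calendar months. Everything else may be pruned.
    """
    snaps = sorted(set(snapshots), reverse=True)  # newest first
    keep = set(snaps[:daily])

    # Latest snapshot per ISO week; dict insertion order preserves "newest first".
    by_week = {}
    for d in snaps:
        iso = d.isocalendar()
        by_week.setdefault((iso[0], iso[1]), d)
    keep.update(list(by_week.values())[:weekly])

    # Latest snapshot per calendar month.
    by_month = {}
    for d in snaps:
        by_month.setdefault((d.year, d.month), d)
    keep.update(list(by_month.values())[:monthly])
    return keep


def latest_clean_snapshot(snapshots, first_compromise, margin_days=0):
    """Newest snapshot taken before the attacker is believed to have been present.

    first_compromise comes from incident response; margin_days widens the window
    because ransomware often sits dormant before encrypting. Returns None when no
    retained snapshot predates the cutoff, i.e. retention was too short.
    """
    cutoff = first_compromise - timedelta(days=margin_days)
    clean = [d for d in snapshots if d < cutoff]
    return max(clean) if clean else None


if __name__ == "__main__":
    everything = sample_snapshots(date(2024, 6, 30), 120)   # 2024-03-03 .. 2024-06-30
    kept = gfs_keep_set(everything)
    print("retained generations:", sorted(kept))
    # Compromise first seen 2024-06-20; allow 30 days of undetected dwell time.
    print("clean restore point:", latest_clean_snapshot(kept, date(2024, 6, 20), 30))
```

With a 30-day dwell margin the retained set still offers a clean restore point (the April month-end copy), whereas a policy keeping only the last seven days would return None and leave nothing to restore from.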
Ensure Backups are Clean and Robust
Organizations can only do their best to ensure that their backups are not infected. Companies should consider writing backups to write-once, read-many (WORM) media for extra security, such as optical disks or tape configured as WORM. Some suppliers are now selling cloud-based WORM storage.
Controls on data access are a further protection. Using tools such as Windows 10 Managed Folder Access and restricting user access to sensitive data stores will help prevent ransomware from spreading in the first place and add protection to backups.
Test and Plan
Both backup and recovery plans must be reviewed. This is important for estimating recovery times, and for deciding whether data can be retrieved at all. CIOs should test all stages of the recovery plan, preferably using duplicate media. The worst case would be a recovery exercise that contaminates the current clean backups.
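A recovery test that only checks "the restore job finished" tells you little about whether the data is intact; it should compare the restored files against a record made at backup time. The following is an added example, not code from the article or from any backup product: it builds a SHA-256 manifest of a backup tree, then verifies a restore against it, flagging files that are missing, altered (as an encrypted file would be) or unexpected. The directory layout and file contents are constructed for the demonstration; in practice the manifest would be stored with the offline copy, not alongside the live data.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 16  # read files in 64 KiB pieces so large backups do not load into memory


def file_sha256(path):
    """SHA-256 of one file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Walk a backup tree and map each relative path to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_sha256(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest. Returns (ok, sorted problem list)."""
    restored = build_manifest(restored_root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append("missing: " + rel)
        elif restored[rel] != digest:
            problems.append("modified: " + rel)
    problems += ["unexpected: " + rel for rel in restored if rel not in manifest]
    return not problems, sorted(problems)


def demo():
    """Constructed scenario: a good restore and a damaged restore of the same backup."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "source")
        os.makedirs(os.path.join(src, "finance"))
        with open(os.path.join(src, "finance", "ledger.csv"), "w") as f:
            f.write("2024-06-01,invoice,1200\n")
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("quarterly planning\n")
        manifest = build_manifest(src)  # recorded at backup time

        # Restore 1: faithful copy, verification should pass.
        good = os.path.join(tmp, "restore_good")
        shutil.copytree(src, good)
        good_ok, good_problems = verify_restore(manifest, good)

        # Restore 2: one file gone, one file overwritten with constructed junk
        # bytes standing in for encrypted content, one stray file added.
        bad = os.path.join(tmp, "restore_bad")
        shutil.copytree(src, bad)
        os.remove(os.path.join(bad, "finance", "ledger.csv"))
        with open(os.path.join(bad, "notes.txt"), "wb") as f:
            f.write(b"\x8f\x1a\x00\xd3\x7c\x21\x9e")
        with open(os.path.join(bad, "stray.tmp"), "w") as f:
            f.write("not part of the backup\n")
        bad_ok, bad_problems = verify_restore(manifest, bad)

        return good_ok, good_problems, bad_ok, bad_problems


if __name__ == "__main__":
    g_ok, g_prob, b_ok, b_prob = demo()
    print("good restore:", g_ok, g_prob)
    print("bad restore: ", b_ok, b_prob)
```

Running the verification against a restore into a separate, isolated location (rather than over the production tree) also addresses the worst case mentioned above: a failed exercise then damages only the scratch copy, never the clean backups.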