Despite a recent decline in attacks, ransomware still poses significant threats to enterprises, as the attacks against healthcare organisations demonstrated this month. It is also becoming more capable.
In particular, ransomware writers are aware that back-ups are an effective defence and are modifying their malware to track down and eliminate the back-ups.
Ransomware targeting back-ups
Ransomware will now delete any back-ups it happens to come across along the way, says Adam Kujawa, head of malware intelligence at Malwarebytes. For example, a common tactic for ransomware is to delete automatic copies of files that Windows creates.
"So, if you go to system restore, you can't revert back," he said. "We've also seen them reach out to shared network drives."
Two well-known examples of ransomware that has back-ups in its sights are SamSam and Ryuk. In November, the US Department of Justice indicted two Iranians for using the SamSam malware to extort more than $30 million from over 200 victims, including hospitals. Attackers maximised the damage, by launching attacks outside regular business hours and by "by encrypting back-ups of the victims’ computers," said the indictment.
Ryuk hit several high-profile targets, including the Los Angeles Times and cloud hosting provider Data Resolution. According to security researchers at Check Point, Ryuk includes a script that deletes shadow volumes and back-up files.
“While this particular variant of malware does not specifically target back-ups it does put more simplistic back-up solutions – ones that result in data residing on file shares – at risk," says Brian Downey, senior director of product management at Continuum, a Boston-based technology company that offers back-up and recovery services.
The most common way of doing this is through a Microsoft Windows feature called Previous Versions, says Mounir Hahad, head of threat research at Juniper Networks. It allows users to restore earlier versions of files. "Most ransomware variants delete shadow copy snapshots," he says, adding that most ransomware attacks will also attack back-ups on mapped network drivers.
Ransomware attacks on back-ups opportunistic, not targeted
When ransomware goes after back-ups, it's usually opportunistic, not deliberate, says David Lavinder, chief technologist at Booz Allen Hamilton. Depending on the ransomware, it typically operates by crawling a system looking for particular filetypes. "If it encounters a back-up file extension, it will most certainly encrypt it," he says.
Ransomware also tries to spread, to infect as many other systems as possible, he says. This kind of worming capability, as with WannaCry, is where he expects to see more activity in the future. "We do not expect to see any deliberate targeting of back-ups, but we do expect to see a more focused effort on lateral movement," he says.
You can protect your back-ups and systems from these new ransomware tactics by taking a few basic precautions.
Supplement Windows back-ups with additional copies and third-party tools
To defend against ransomware that deletes or encrypts local back-ups of files, Kujawa suggests using additional back-ups or third-party utilities or other tools that aren't part of the default Windows configuration. "If it doesn't do things the same way, the malware won't know where to delete the back-ups," he says. "If your employees get infected with something, they can wipe it and [restore from that back-up]."
Isolate the back-ups
The more barriers there are between an infected system and its back-ups, the harder it will be for the ransomware to get to it. One common mistake is when users have the same authentication method for their back-ups as they use elsewhere, says Landon Lewis, CEO at Pondurance, an Indianapolis-based cyber security services firm.
"If your user’s account is compromised, the first thing the attacker wants to do is escalate their privileges," he said. "If the back-up system uses the same authentication, they can just take over everything."
A separate authentication system, with different passwords, makes this step much more difficult.
Keep multiple back-up copies at multiple locations
Lewis recommends that companies keep three different copies of their important files, using at least two different back-up methods, and at least one of them needs to be at a different location. Cloud-based back-ups provide an easy-to-use, off-site back-up option, he says.
"Block storage on the internet is very inexpensive. It's hard to argue why someone would not use it as an additional back-up method. If you use a different authentication system, it's even better."
Many back-up vendors also offer the option of rollbacks, or multiple versions of the same file. If a ransomware attacks and encrypts files, then the back-up utility automatically makes back-ups of the encrypted versions and overwrites the good ones, then the ransomware doesn't even have to go out of its way to get to the back-ups. As a result, rollbacks are becoming a standard feature, and companies should check before settling on a back-up strategy. "I would add that to my criteria for sure," says Lewis.
Test, test, test back-ups
Many companies only find out that their back-ups didn't take, or are too cumbersome to get back, after they've fallen victim to an attack.
"If you haven't done some type of restoration exercise and it's not documented and nobody is familiar with it, we still see a lot of clients consider paying, and in some cases actually doing so, because paying the attacker is actually operationally cheaper," Lewis says.
Bob Antia, CSO at Kaseya, a technology company that provides back-up solutions as part of its offerings, also recommends checking whether back-up vendors can detect a ransomware attack, especially the newer, stealthier varieties. Some ransomware deliberately moves slowly, or lies dormant before encrypting, he says.
"These two techniques mean that it's difficult to know what point in time to recover to from your back-ups," he says. "I expect that ransomware will continue to find trickier ways to hide themselves to make recovery more difficult."
"We haven't seen many major global attacks like WannaCry and Petya recently," says Antia. But when it does happen, it can be extremely damaging, he says. "We've seen individual organisations hit with millions of dollars in losses as a result of recent attacks."
Editor's note: This article, originally published on January 14, 2019, has been updated to more accurately reflect recent trends.