Ransomware And Your Backups: Protect The Protectors

By Matt Tyrer

Ransomware is a trending topic these days. One need only peruse a tech vendor's site to find several articles, whitepapers or webinars about how they can help you defend against or recover from an attack. However, as the fine line between primary and secondary storage copies continues to fade, many are ignoring the fact that backups are just another target (and a juicy one too!) for ransomware. If your backup data is compromised, then what?

Looking at a recent Twitter poll, we can see that a healthy portion of the populace is starting to think about that problem. Yes, as you may have noticed, there is still a viable argument that tape is not quite dead yet, and it’s refreshing to see cloud storage being embraced as well, but…

It’s the 29 percent of folks going on vacation who are updating their resumes or hitting the road somewhere with no cell reception that frightens me. In speaking with IT staff and CISOs across a spectrum of industries, I’ve come across more than a couple of instances where ransomware made the jump to their backup infrastructure and left them scrambling to recover.

So, how can you protect your backup (back up your backup)? Regardless of your solution, there are a number of basic strategies you could and should employ:

  1. Keep your systems up to date: Seriously, people! An outdated OS or application is an open invitation for malware.
  2. Secure access: Another obvious one! Make sure you have layered (2-factor) levels of security to ensure that a compromise of one does not expose your entire environment. Many of the more advanced ransomware variants track and capture account information and passwords so they can leapfrog to more elevated privileges and do more damage.
  3. Have a separate copy of the backup offsite: Replication does not count! Replicating compromised data just means you now have multiple copies of the bad data. This is also a topic of debate among many appliance-centric backup vendors who promote (boast?) that their storage is immutable and thus you don’t need that second, isolated/separated copy. Well, that’s all fine and dandy until the malware gains access to the appliance admin account and changes the password or deletes the backup set. Congratulations, now you have an immutable, inaccessible backup set!
  4. Have a means of detection: So, you can recover, but how do you even know you have been hit? Few, if any, other backup vendors have turned the security lens on themselves to see what they can do to help uncover and warn administrators about possible compromises. I know that Commvault has a number of built-in mechanisms to help detect and alert on potential ransomware incidents, not only on our own systems, but on any client system we touch. We’re not just protecting ourselves, we’re working hard to help you know if there’s a problem so you can recover fast and mitigate the damage. I can’t say I know of any of our competitors who have gone to these lengths with their solutions.

If you feel your organization is in that 29 percent, you need to start having these discussions about backup and how to ensure its security. Malware and ransomware are coming for your backups.

Will you be prepared?