Why Backups Alone Don’t Protect Against Ransomware Attacks
Data backups are often believed to be a key component of a successful ransomware mitigation plan, but they do not always protect against an attack. Even if a bad actor infects a PC or a corporate network with a file-encrypting strain, the victim can quickly retrieve files provided an up-to-date backup is available. There’s no need to pay the attacker a fortune to get those documents back, and the entire recovery process boils down to removing the malicious application – it’s that easy.
This strategy makes great sense, but there’s a catch. It used to work, and still works in most situations, but the consequences of an attack can now be more serious than illicit data encryption alone. The latest ransomware trick is to steal the victim’s data before encrypting it and making it unusable. The cybercriminals can then demand a ransom from a position of strength, threatening to expose the files if the target refuses to cooperate.
The Value of Backups is Diminishing
If the following situation occurs, backups are essentially useless for recovering from a ransomware attack. Worse, they may actually cause harm to the victim — here’s how. After infiltrating a computer network via phishing or a poorly secured Remote Desktop Protocol (RDP) deployment, malicious actors employ a post-exploitation tool (e.g., Mimikatz) to discover and exfiltrate access credentials from a compromised database.
If this foul play succeeds, malefactors can obtain access to the backup solution the company uses, or gain a foothold in the cloud storage hosting its backups. This is a quick way to reach the victim’s most essential data, which is generally prioritized and backed up first.
Worse, after transferring these backups to their own server, attackers can delete them. Downloading data from a victim’s cloud backup does not look anomalous to traditional network security tools, which is an added benefit for ransomware operators. This disguises the breach and lets it go unnoticed until things get out of hand.
In light of these facts, companies should reconsider their incident response strategies to match the current threat environment. These days they should not only store their data properly but also encrypt it, so that it cannot be used against them.
A Ransomware Attack Now Equals Data Theft Plus Encryption
As of late 2020, at least a dozen popular ransomware lineages steal their victims’ files in addition to encrypting them. Ako, Cl0p, Conti, CryLock, DoppelPaymer, Nemty, Nephilim, Netwalker, ProLock, Pysa, Ragnar Locker, Maze, Sodinokibi (REvil), Sekhmet, Snake, and Snatch are known to use this method. Some hacking groups have created “public shaming” web pages where they post data obtained from uncooperative companies.
In November 2019, the Maze ransomware, one of the most well-known threats on the threat map, made headlines for being the first to use a two-layered extortion scheme. Allied Universal, a US facility services organization; Southwire, a cable maker located in Georgia; the city of Pensacola, Florida; Andrew Agencies, an insurance company based in Manitoba, Canada; and most recently Canon USA have all been victims of this damaging menace.
Maze ransomware perpetrators have been developing a cartel-style network of connected extortion schemes since June 2020. They have already partnered with the cybercriminal gangs behind the Ragnar Locker, LockBit, and SunCrypt ransomware attacks. The gangs now share a data leak site and exchange knowledge in order to push their joint operations to the next level.
The DoppelPaymer ransomware follows in the footsteps of Maze in this respect. To top things off, its distributors abuse backups as part of their strategy. In one of their latest data dumps, published on their leak site dubbed “Dopple Leaks”, the felons included a targeted organization’s login and password for Veeam, a well-known backup tool. This indicates that the attackers had complete access to a non-paying company’s reserve copies of files.
Sodinokibi, commonly known as REvil, is another ransomware family that steals data from businesses before encrypting it. Among its high-profile victims are the New Jersey-based staffing and technology firm Artech Information Systems and the fashion business Kenneth Cole Productions, to mention a few. Sodinokibi operators have apparently also been selling stolen data on hacker forums, in addition to leaking it to pressure their most obstinate targets.
Encryption of Data as a Game-Changing Defense
With ransomware attacks increasingly targeting backups, encrypting this information can be an effective way to frustrate attackers. Without the secret decryption key or the corresponding public-private key pair, stolen files are useless to the hackers. It’s crucial to distinguish between data at rest and data in transit when choosing this path.
Data at rest. This phrase refers to static data saved or archived on physical media such as a hard disk or flash drive. It isn’t actively being transmitted across devices or networks.
Data in transit. This term, also known as data in motion, covers files that are actively “traveling” across the Internet or within a private network. It includes records in real-time databases, emails, and items being modified by an application, to name a few examples.
At first glance, it appears that data at rest is the only type that needs to be protected from ransomware attacks. In today’s hybrid cybercrime environment, however, attackers may also attempt to intercept data in transit as it is synchronized to the cloud or transmitted over email and instant messaging apps. In a typical ransomware outbreak, though, the latter is considerably less likely.
That being said, encrypting data at rest is every company’s first responsibility. The following are the most popular techniques for safeguarding sensitive data:
- Transparent Data Encryption (TDE). This method encrypts data stored in Microsoft’s major managed database systems, such as SQL Server, Azure SQL Database, and Azure Synapse Analytics (formerly known as SQL Data Warehouse). TDE protects the database encryption key with a certificate, making it difficult for malicious actors to decrypt illegally obtained data files.
- Symmetric and Asymmetric Encryption Combo. When a symmetric cipher such as the Advanced Encryption Standard (AES) is used at the database column level, a single key both encrypts and decrypts the data. To make life harder for black hats, encrypt this data key with an asymmetric key, which is much larger by definition. This key-wrapping step means that an attacker who steals the encrypted data also needs the private key before anything can be decrypted.
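The combo above, applied to a backup blob rather than a database column, as an added Go example (not code from the original article or from CompuOne): a fresh AES-256-GCM data key encrypts the backup, and RSA-OAEP wraps that key under the organisation’s public key, so a copy stolen from backup storage is useless without the private key. It assumes the organisation holds an RSA key pair whose private half lives outside the backup system; the sample payload used in testing is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// EncryptedBackup is what lands in backup storage: the RSA-OAEP-wrapped AES data
// key, the GCM nonce and the ciphertext. A stolen copy is useless without the private key.
type EncryptedBackup struct{ WrappedKey, Nonce, Ciphertext []byte }

// gcmFor builds an AES-256-GCM AEAD; callers guarantee a 32-byte key, so an
// error here would be a programming bug rather than a runtime condition.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// EncryptBackup draws a fresh 256-bit data key per backup, encrypts the bulk
// data with AES-GCM and wraps the data key under the organisation's RSA public key.
func EncryptBackup(pub *rsa.PublicKey, plaintext []byte) (*EncryptedBackup, error) {
	buf := make([]byte, 32+12) // 256-bit data key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dataKey, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedBackup{wrapped, nonce, gcmFor(dataKey).Seal(nil, nonce, plaintext, nil)}, nil
}

// DecryptBackup unwraps the data key with the private key and decrypts; a wrong
// key, a swapped wrapped key or a tampered blob fails the OAEP or GCM check.
func DecryptBackup(priv *rsa.PrivateKey, b *EncryptedBackup) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, b.WrappedKey, nil)
	if err != nil || len(dataKey) != 32 || len(b.Nonce) != 12 {
		return nil, errors.New("backup envelope is invalid")
	}
	return gcmFor(dataKey).Open(nil, b.Nonce, b.Ciphertext, nil)
}
```

Because every backup gets its own data key, compromising one blob’s key never exposes another, and rotating the RSA pair only requires re-wrapping the small data keys rather than re-encrypting every backup.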
Data in transit should be protected with end-to-end encryption, which renders information unreadable during transmission and reveals it only to the intended receiving party. In most situations, symmetric encryption with a pre-established session key or a certificate should be sufficient to protect sensitive communications against man-in-the-middle (MITM) attacks and other forms of unauthorized manipulation.
Furthermore, the Transport Layer Security (TLS) cryptographic protocol secures critical interactions between a client and a server. It derives a unique session key for each connection, stopping eavesdroppers in their tracks.
Need assistance with encrypting your business and its files? Contact CompuOne today to learn how we can help.