Ransomware has become one of the most feared cyber threats out there—and for a good reason.
According to Cybersecurity Ventures, global ransomware damage costs reached $20 billion in 2021, up from only $325 million in 2015. In response to prominent ransomware attacks like the one on the Colonial Pipeline or the one that paralyzed IT solutions provider Kaseya, organizations are strengthening their defenses by reviewing and improving the implementation of cybersecurity best practices.
In particular, data backups receive a lot of attention because they function as the ultimate failsafe mechanism in the event of a ransomware attack, allowing organizations to wipe infected devices clean and restore them to a working state. What some organizations don’t realize is that backups themselves are not always safe from ransomware.
Can Ransomware Infect Backups?
Ransomware is a type of malware that’s designed to encrypt the content of a device in order to extort money from the owner. The recent explosion of ransomware attacks goes hand in hand with the proliferation of cryptocurrencies like Monero and Bitcoin, which enable cybercriminals to anonymously or pseudonymously collect ransom from victims located on the other side of the world.
Just like other forms of malware, ransomware can be distributed via email as malicious EXE, PDF, DOC, ZIP, RAR, and other files, but more and more ransomware creators are embracing the so-called fileless techniques.
These techniques make it possible for them to distribute ransomware without relying on malicious files, often by including links to infected websites in phishing emails.
Once a device is infected with ransomware, a clock starts ticking. Some strains are designed to lie dormant for a while (sometimes a long while) before they start causing serious damage by encrypting important files. They do this because it increases the likelihood of a backup process being triggered, and the ransomware being backed up along with legitimate files, infecting and corrupting the newly created backups.
The most sophisticated strains of ransomware can even identify network-attached storage devices (commonly used as local backup servers in small organizations) and infect them directly. Even cloud backups are not as secure as they may seem. For example, one recent proof-of-concept exploit showed that ransomware could target OneDrive and SharePoint files by abusing versioning configurations.
So, yes, ransomware can certainly infect backups, and that’s why all organizations need to implement a multi-layered backup strategy to ensure recoverability even when the worst-case scenario becomes reality.
How Do I Protect Backups from Ransomware Attacks?
Knowing that backups are the only thing that can save your organization after a ransomware attack has already occurred, you need to take extra steps to ensure they won’t become infected along with your other data.
1. Keep At Least One Air-Gapped Backup
Even the most sophisticated strains of ransomware can infect only backups that can be reached from the same network. That’s one reason why popular backup strategies like the 3-2-1 backup rule stress the importance of keeping one backup copy offsite. Another reason is that an offsite backup copy that’s totally air-gapped—both logically and physically—can prevent the possibility of data loss due to a site-specific incident, such as fire.
2. Take Advantage of Immutable Storage
Immutable storage is designed to prevent stored data from ever being tampered with, modified, or removed by storing it in a WORM (Write Once, Read Many) state, making it perfect for storing long-term backups. Microsoft has been offering immutable storage for Azure Storage Blobs since 2018 through configurable policies, and many other cloud storage providers offer similar data integrity protection mechanisms.
3. Optimize Your Backup Cycles
There’s no such thing as the ideal backup cycle. Instead, each organization needs a custom backup strategy that reflects the data it processes and stores, as well as its size and pace of activity. Generally, you want to back up data as often as possible while taking up as little storage space as you can. To achieve this goal, you can mix full weekly backups with daily incremental backups, stored both in the cloud and offline.
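The weekly-full plus daily-incremental cycle has a consequence for restores, shown in this added example (not from the original article): rebuilding a given day needs the last full backup plus every incremental since it, so one lost incremental limits which days can be recovered. The catalogue format, the function names and the assumption that each incremental holds one day's changes are illustrative.

```python
from datetime import date, timedelta

def restore_chain(backups, recover_to):
    """Return the backups to apply, in order, to rebuild the state at recover_to.

    backups: list of (date, kind), kind being "full" or "incremental".
    Assumption: each incremental holds the changes since the previous day's backup.
    """
    usable = sorted(b for b in backups if b[0] <= recover_to)
    fulls = [b for b in usable if b[1] == "full"]
    if not fulls:
        raise ValueError("no full backup on or before the recovery point")
    base = fulls[-1]
    have = {d for d, kind in usable if kind == "incremental"}
    chain = [base]
    day = base[0] + timedelta(days=1)
    while day <= recover_to:
        if day not in have:
            raise ValueError(f"chain broken: no incremental for {day}")
        chain.append((day, "incremental"))
        day += timedelta(days=1)
    return chain

def latest_recoverable(backups, before):
    """Latest day strictly before `before` whose restore chain is complete."""
    earliest = min(d for d, _kind in backups)
    day = before - timedelta(days=1)
    while day >= earliest:
        try:
            return day, restore_chain(backups, day)
        except ValueError:
            day -= timedelta(days=1)
    raise ValueError("no complete restore chain before the given date")

# Constructed sample catalogue: full backups on Sundays, incrementals on the
# other days, with the incremental for 2024-03-12 lost.
SAMPLE = [(date(2024, 3, 3), "full"), (date(2024, 3, 10), "full")] + [
    (date(2024, 3, d), "incremental") for d in (4, 5, 6, 7, 8, 9, 11, 13, 14)
]

if __name__ == "__main__":
    # Files are known to be encrypted on 2024-03-14: find the newest clean point.
    print(latest_recoverable(SAMPLE, date(2024, 3, 14)))
```

With the sample catalogue, the newest recoverable day before 14 March is 11 March, because the missing 12 March incremental also makes the 13 March backup unusable.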
4. Test the Recoverability of Your Backups
Just like a fire extinguisher with no pressure is useless regardless of how large it is, your backups are nothing but a waste of storage space unless they are recoverable. To ensure they are, you need to test them, as well as your entire recovery process, on a regular basis. You might be surprised to discover that the backup process that’s been running automatically on your network for years isn’t nearly as comprehensive as you would like it to be.
5. Invest in Proactive Threat Detection and Mitigation
For ransomware to infect your backups, it must first get into your network, and your employees’ devices are the most likely entry points. By investing in proactive threat detection and mitigation capabilities, you can stop ransomware attacks before they have a chance to spread across your network and infect your backups. The same capabilities can, of course, keep other threats at bay as well, making them well worth the cost.
Conclusion on Backups for Ransomware
Ransomware has emerged as the number one threat to data, and even backups are not safe from it unless they’re created and stored in adherence with the ransomware protection best practices described in this article.
If your backup strategy leaves something to be desired—or if you don’t have any comprehensive strategy at all—contact us at OSIbeyond, and we’ll ensure that you can always get back on your feet.