While there has been an increase in ransomware attacks as of late, one thing is essential to know: ransomware is getting smarter. What exactly does that mean? Essentially, ransomware developers are attacking computer backups to prevent recovery in the event of a ransomware attack.
How does ransomware target backups?
When ransomware comes in contact with backups, it either automatically deletes or encrypts the data. One such example is the “Previous Versions” feature in Microsoft Windows: ransomware will automatically delete this data. Please note, if you’re relying on Previous Versions as your only backup solution, you are doing it wrong.
There are two popular strains of ransomware: SamSam and Ryuk. Ryuk does not explicitly target backups, but it puts more simplistic backup solutions at risk (i.e., ones that back up to file shares). SamSam deliberately seeks out backups and either deletes or encrypts them.
Through this method, Ryuk has recently hit two heavy targets: the Los Angeles Times and Data Resolution, a cloud hosting provider.
Where and why is ransomware targeting backups?
In general, ransomware attacks are opportunistic, not deliberate. When ransomware targets backups, it is merely scanning a system looking for specific file types and encrypting them. When it comes across data it can edit, it encrypts it. It’s essentially a random process that takes advantage of lazy IT people who store backups in a discoverable location with read & write access.
Here’s what you can do to prevent ransomware on your backups:
- Keep multiple backup copies at various locations SAFELY.
Since these attacks are random in a sense, keeping multiple backup copies at different locations will diversify your backups and lower your chance of being unable to recover from a ransomware event. Work with a competent IT Company to coordinate this; don’t copy and paste your entire company’s shared drive to your computer. You’re likely creating more security problems and data sprawl issues. Also, do not copy and paste your company’s data to Dropbox or Google Drive without your IT Company involved.
- Use third-party tools to create additional backup copies to supplement traditional Windows backups.
Using third-party tools that aren’t associated with Windows will again diversify your backup vulnerability. Third-party tools will operate differently than Windows backups and will make it much harder for the ransomware to locate these additional copies since this type of ransomware most often targets Windows backups.
- Isolate your backups.
Ensure your backups are protected by unique authentication and passwords (i.e. don’t use the same authentication for backups as you do for other systems on your computer). Remember: this type of ransomware is always looking to expand into other systems once it’s on your computer. Isolating your backups with unique authentication protects the rest of your data if your backups are compromised.
- Test and confirm your backups regularly.
Don’t wait until you’re the victim of a ransomware attack to confirm that your backups have been operating adequately. It’s essential to regularly verify that your backups are working and that you know where they’re going. We recommend manually verifying backups weekly.
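As an added example (not from the original article or PK Tech's own tooling), the Python script below automates the weekly check described above: it compares a backup folder against a SHA-256 manifest recorded when the backup was taken, flags a copy that has gone stale, and tests whether the account running it can write to the backup location. The function names, the manifest format, the sample files and the 7-day threshold are assumptions chosen for illustration.

```python
import hashlib, os, tempfile, time
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(backup_dir):
    """Record {relative path: SHA-256} right after a backup job finishes."""
    root = Path(backup_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_backup(backup_dir, manifest, max_age_days=7, now=None):
    """Return sorted (finding, detail) pairs describing problems with this copy."""
    root, now = Path(backup_dir), now or time.time()
    current = build_manifest(root)
    findings = [("missing", rel) for rel in manifest if rel not in current]
    findings += [("modified", rel) for rel in manifest
                 if rel in current and current[rel] != manifest[rel]]
    findings += [("unexpected", rel) for rel in current if rel not in manifest]
    newest = max((p.stat().st_mtime for p in root.rglob("*") if p.is_file()), default=0)
    if now - newest > max_age_days * 86400:
        findings.append(("stale", f"newest file older than {max_age_days} days"))
    try:  # if this account can create a file here, so can malware running as it
        with tempfile.NamedTemporaryFile(dir=root):
            pass
        findings.append(("writable", str(root)))
    except OSError:
        pass
    return sorted(findings)

def demo():
    """Constructed sample: a two-file backup, then one file altered and one deleted."""
    root = Path(tempfile.mkdtemp(prefix="backup_demo_"))
    (root / "db").mkdir()
    (root / "db" / "customers.bak").write_bytes(b"constructed sample data" * 100)
    (root / "shares.zip").write_bytes(b"constructed archive bytes" * 100)
    manifest = build_manifest(root)  # in practice, kept off the backed-up machine
    clean = check_backup(root, manifest)
    (root / "db" / "customers.bak").write_bytes(os.urandom(2300))  # contents replaced
    (root / "shares.zip").unlink()                                  # copy deleted
    return clean, check_backup(root, manifest), root

if __name__ == "__main__":
    print(demo()[:2])
```

Run the check from an ordinary workstation account rather than the backup service account: a "writable" finding there means the backup location is not isolated in the sense of the third recommendation.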
If you have questions about your organization’s strategy for system backups, or if you are concerned your backups may have been encrypted, don’t hesitate to reach out to PK Tech.