Traditional backup strategies no longer work
Historically, backup infrastructures were designed to address one or more of the following scenarios:
- Restoration of a file, server or database in response to an isolated incident (corruption, hardware failure, accidental destruction of a document).
- Recovery after a disaster that affects a site or server room (fire, natural disaster).
- Long-term data archiving according to regulatory requirements (financial or quality management information).
Backups for these purposes are usually based on the 3-2-1 rule: three copies of the data (production + two backups), stored on two different types of media and one copy at another location.
The problem is that this approach assumes that any data destruction or corruption event will be geographically limited. With ransomware attacks, this assumption no longer holds. It’s time to modernize your backup strategies in the face of new threats.
The problems of backups in the face of modern threats
1. Your backups are not properly protected
Ransomware can infect workstations and servers in any geographical area as long as they are connected to the same network. Cybercriminals primarily target backup systems to destroy them before deploying encryption routines. They use your administration tools and management consoles to conduct their attack. In an unprepared organization, it is easy for attackers to delete backups before launching a ransomware attack. Victims then find themselves without a solution to recover their data and are more likely to pay the ransom.
Example: After an initial intrusion into the network of an accounting firm, attackers made significant efforts to destroy backups. They know that if they succeed, the leverage of a ransomware attack is very high: they can be confident that the company will pay the ransom to restore its data.
2. You are not prepared to perform a massive systems and data restore
Until recently, it was unthinkable that an organization could lose all of its data across all sites all at once. Today, even if the backups are intact, companies do not know how to restore their systems in the correct order, without causing major operational impacts.
Example: A hospital suffers a cyber attack and is unable to restore its radiology systems. The radiology servers do not function properly without the patient record database, but restoring the patient records in turn requires that some medical imaging databases be functional first, a circular dependency nobody had mapped before the incident.
3. Your backups don’t cover all of your systems
Your critical systems are successfully backed up, but the secondary systems on which they depend have been neglected. In many cases, access to the backup system relies on the availability of the Active Directory domain. Unfortunately, domain controllers can only be restored from (you guessed it!) the backup systems in question.
Example: A manufacturing company backs up and rigorously tests the recovery of the production planning system (ERP). However, the Active Directory server, which is essential to the infrastructure, has never been subjected to a full-scale restoration test. When the day comes, the IT team is unable to restore this essential system. They must then go through a long and complex reconstruction stage.
4. You are unable to access or restore your backups
Many organizations discover that the passwords and encryption keys needed to access the backups were themselves destroyed by the ransomware. In other cases, the catalog or index of the backup media is not included in the backups themselves, so intact media cannot be read back.
Example: A medical practice protects its tape backups with encryption keys. However, following a ransomware attack, the encryption keys that are saved by the backup solution were destroyed by the attacker. Although the backups are intact, the company can no longer access them.
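Points 2, 3 and 4 above are all failures that can be caught on paper before an incident: a restore order that respects dependencies, dependencies that were never backed up, and catalogs or keys that exist only inside the backups they are supposed to unlock. The following Python script is an added example, not part of the original article or of any backup product; the system names, the dependency graph and the "where is this prerequisite stored" table are constructed for illustration and would be replaced by an organization's own inventory.

```python
"""Pre-incident restore-plan check (hypothetical example, not from the article).

Given an inventory of systems, the systems each one needs running before it
can be restored, and which of them actually have a tested backup, this script:
  - lists systems (including neglected dependencies) with no backup,
  - computes a restore order in which every dependency comes first,
  - raises on circular dependencies that would block a restore,
  - flags prerequisites (backup catalog, encryption keys) whose only copies
    live on systems that are themselves restored from backup.
"""
import heapq

# Constructed sample inventory: system -> systems that must be up before it
# can be restored. Names are illustrative, not a real environment.
DEPENDENCIES = {
    "active-directory": set(),
    "backup-server": {"active-directory"},
    "patient-db": {"active-directory"},
    "radiology": {"active-directory", "patient-db"},
    "erp-db": set(),
    "erp": {"active-directory", "erp-db"},
}

# Constructed: everything has a tested backup except the domain controller.
BACKED_UP = {"backup-server", "patient-db", "radiology", "erp-db", "erp"}

# Constructed: the hospital case from the article as a dependency graph.
HOSPITAL_CYCLE = {
    "radiology": {"patient-db"},
    "patient-db": {"imaging-db"},
    "imaging-db": {"patient-db"},
}

# Constructed: where each restore prerequisite is stored. A location that is
# not a system in the inventory (e.g. "offline-safe") is assumed out-of-band.
PREREQUISITE_LOCATIONS = {
    "backup-catalog": {"backup-server"},
    "tape-encryption-keys": {"backup-server"},
    "break-glass-admin-password": {"backup-server", "offline-safe"},
}


class CircularDependency(Exception):
    """Raised when some systems can never reach 'all dependencies restored'."""

    def __init__(self, unresolved):
        self.unresolved = set(unresolved)
        super().__init__(f"restore blocked by circular dependency among {sorted(self.unresolved)}")


def all_systems(deps):
    """Every system mentioned either as a key or as a dependency."""
    systems = set(deps)
    for needed in deps.values():
        systems |= set(needed)
    return systems


def missing_backups(deps, backed_up):
    """Systems (including implicit dependencies) that have no tested backup."""
    return sorted(all_systems(deps) - set(backed_up))


def restore_order(deps):
    """Kahn's topological sort: a sequence in which each system is restored
    only after everything it depends on. Ties are broken alphabetically so
    the plan is reproducible from one run to the next."""
    systems = all_systems(deps)
    pending = {s: len(deps.get(s, ())) for s in systems}
    dependents = {s: set() for s in systems}
    for system, needed in deps.items():
        for dep in needed:
            dependents[dep].add(system)
    ready = [s for s in systems if pending[s] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        current = heapq.heappop(ready)
        order.append(current)
        for dependent in dependents[current]:
            pending[dependent] -= 1
            if pending[dependent] == 0:
                heapq.heappush(ready, dependent)
    if len(order) != len(systems):
        raise CircularDependency(s for s in systems if pending[s] > 0)
    return order


def prerequisites_at_risk(prereq_locations, deps):
    """Prerequisites whose every copy sits on a system that is itself restored
    from backup: in a total-loss scenario they are unreachable."""
    systems = all_systems(deps)
    return sorted(name for name, locations in prereq_locations.items()
                  if set(locations) <= systems)


if __name__ == "__main__":
    print("no tested backup:", missing_backups(DEPENDENCIES, BACKED_UP))
    print("restore order:", restore_order(DEPENDENCIES))
    print("prerequisites only inside backups:",
          prerequisites_at_risk(PREREQUISITE_LOCATIONS, DEPENDENCIES))
    try:
        restore_order(HOSPITAL_CYCLE)
    except CircularDependency as err:
        print("hospital plan:", err)
```

Run against the sample inventory, the script reports that Active Directory has no backup although four systems depend on it, that the catalog and tape keys exist only on the backup server, and that the hospital graph cannot be restored without a manual step to break the loop between the patient and imaging databases. Those are exactly the findings a tabletop exercise should surface while there is still time to add an out-of-band copy or an isolated domain controller backup.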
5. Your systems restored from backups are compromised or vulnerable
Attackers exploit vulnerabilities and sometimes persist in your environment for months. It is then possible that systems restored from recent backups may be compromised. By restoring these systems, you also restore the persistent vulnerabilities and malicious elements that were used by the attacker. Any system restoration should go through a decontamination and threat eradication step in a quarantine network zone.
Example: Following a ransomware attack, a university quickly restored all of its systems and data from the latest backups. As the operation was successful, the school refused to pay the ransom. A few weeks later, the cybercriminals managed to re-enter the IT environment using a backdoor that had been placed during the first attack: it had been captured in the backed-up systems and then restored to production along with them.