There is no sign that ransomware attacks are declining. Indeed, Omdia believes the number of attacks will continue to rise through 2023 and 2024. Omdia’s Cybersecurity Decision-Maker Survey, 2022, asked what the most challenging issues were for security functions within organizations, and ransomware came joint second, with 47% of survey respondents citing ransomware attacks as a significant challenge.
Organizations everywhere, even those that think they are protected or have a plan in place to respond to an attack, need to think seriously about the security of their defenses against this ever-evolving threat.
Backup Is Defense
Undeniably, a robust backup strategy is a vital defense against ransomware, and good discipline around data backups can reduce the effectiveness of an attack. The ability to restore stolen or encrypted files certainly reduces the need to pay to reclaim data, but avoiding the pointed end of a ransomware attack may not be as straightforward as it seems.
Conventional wisdom suggests the 3-2-1 rule as best practice:
All versions should be subject to regular backups (for business-critical data, this might even be as frequent as once per hour). However, many backup strategies are simply not that robust: data is backed up on-site to a connected or networked device, replicated infrequently, access to a remote backup site is left open, and so on.
This, then, is the crucial question about backing up data: can a business be 100% confident that the backup data is safe and clean?
An organization may feel confident that it can spurn a ransom demand, secure in the knowledge that a good set of data is accessible from a backup location. But who has the last laugh if the attacker has managed to infiltrate that data as well? For this very reason, part of a ransomware attack can be focused on seeking out and disabling backup data, removing the organization’s ability to combat the attack.
Backup data, therefore, needs the same focus and protection as operational data. It is very dangerous to assume otherwise, and failing to extend the cybersecurity strategy in this way leaves a vital defense exposed.
But how does a hacker find the backed-up files in the first place? Surely a robust backup process should at least see the files duplicated to an entirely safe, entirely disconnected, anonymous location, well removed from the operational processes? Organizations can easily view locating backup data remotely as a step too far, and an alternative strategy will seem cheaper, more practical, and less cumbersome to manage. Often what emerges is a backup process that is not fit for purpose: if it is easy for the business to manage, it will be easy for the hacker too.
It is therefore somewhat dangerous to assume that, just because data is held off-site, it is clean and, if some form of disaster recovery is required, that it will in any way be suitable to help restore business operations or nullify the ransom demands.
Practice Holistic Protection
Cybersecurity strategy needs to ensure that protection is applied holistically. Strategies and processes need to ensure all versions of the backup data are clean and that a 100% reliable import process exists as and when it is required. Naturally, the restore process should only begin once a thorough screening and cleaning process has been carried out and there is total confidence that neither the backup nor the devices connecting to it are compromised. Even then, it is debatable whether complete removal can be achieved, given that decryptors do not yet exist for every known ransomware family.
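The checks described above (regular, current copies; copies that an intruder on the production network cannot reach; and screening a backup before restoring from it) can be expressed as a restore gate. The following is an added example, not code from the original article or from Omdia; the BackupCopy record, the field names and the sample backup sets are hypothetical constructions, and the 3-2-1 rule is taken as three copies, on two media types, one of them off-site.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2023, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock

@dataclass
class BackupCopy:  # hypothetical record describing one backup copy
    name: str
    location: str             # "onsite" or "offsite"
    media: str                # "disk", "tape", "object"
    online: bool              # reachable from the production network
    open_remote_access: bool  # remote backup site left open
    taken_at: datetime
    sha256: str               # digest recorded when the copy was written
    data: bytes               # constructed stand-in for the backup payload

def audit_backups(copies, now=NOW, max_age=timedelta(hours=1)):
    """Return findings; an empty list means the set is fit to restore from."""
    findings = []
    if len(copies) < 3:                                   # 3-2-1: three copies
        findings.append("fewer than 3 copies")
    if len({c.media for c in copies}) < 2:                # ... on two media
        findings.append("fewer than 2 media types")
    if not any(c.location == "offsite" for c in copies):  # ... one off-site
        findings.append("no off-site copy")
    # at least one copy that an intruder on the production network cannot reach
    if not any(not c.online and not c.open_remote_access for c in copies):
        findings.append("no isolated copy")
    for c in copies:
        if now - c.taken_at > max_age:
            findings.append(f"{c.name}: older than {max_age}")
        if c.open_remote_access:
            findings.append(f"{c.name}: open remote access")
        if hashlib.sha256(c.data).hexdigest() != c.sha256:
            findings.append(f"{c.name}: digest mismatch, copy altered")
    return findings

PAYLOAD = b"constructed backup payload"
GOOD_SUM = hashlib.sha256(PAYLOAD).hexdigest()
def weak_set():  # constructed: on-site disks only, one stale, open and altered
    old = NOW - timedelta(hours=6)
    return [BackupCopy("nas-a", "onsite", "disk", True, False, NOW, GOOD_SUM, PAYLOAD),
            BackupCopy("nas-b", "onsite", "disk", True, True, old, GOOD_SUM, b"enc!")]

def good_set():  # constructed: 3-2-1 met, with an isolated off-site tape copy
    return [BackupCopy("nas-a", "onsite", "disk", True, False, NOW, GOOD_SUM, PAYLOAD),
            BackupCopy("obj-1", "offsite", "object", True, False, NOW, GOOD_SUM, PAYLOAD),
            BackupCopy("tape-1", "offsite", "tape", False, False, NOW, GOOD_SUM, PAYLOAD)]
```

The digest comparison catches a copy whose contents changed after it was written, which is how an encrypted or otherwise tampered backup shows up before anyone tries to restore from it.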
Ransomware is ultimately no different from other forms of fraud and cybercrime, in that security awareness and good overall cybersecurity hygiene are essential parts of the necessary defense-in-depth strategy. Thoroughly protecting operational data to avoid a ransomware attack in the first place should always remain the first priority, but a close second is the need to protect backup files. The fact that backups should, to a large degree, be off-site does not mean they are any less important or can be ignored.