RST: Backup Methodologies

At Tetra Defense, the ransomware cases we respond to and investigate daily share a recurring theme: there are simple, and oftentimes inexpensive preventative measures that can be taken before disaster strikes. As part of our series on our Ransomware Stress Test™, learn how your unique cybersecurity environment can benefit from a secure backup methodology.

It’s happened countless times: a slip of the finger leads to an important document disappearing. Hours’ worth of work was recorded on an external drive, but then dropped, never to be accessed again. Just when all hope seems lost, system and data backups are there. If there is a hardware failure or someone accidentally deletes something important, backups are what can recover important function or data. For these everyday uses, backups are important. In the case of ransomware, backups are vital. When all data is compromised, they are the first possible remedy, which is why they are also a prime target of attackers.

Are You Sure You Want to Save?

The incident response cases that we tackle daily shed light on typical threat actor behavior. We’ve noticed a significant amount of cases where a threat actor infiltrates an organization in some way (vulnerable service, phishing email, malicious website, etc.) and will spend some time searching for important data — usually starting with the backups. Backups are the way that an organization can quickly recover from malicious encryption by ransomware, leaving far less incentive to reward the threat actor with a payday. Without the backups, an organization faces significant downtime, inconvenience, and enough potential business loss that they cannot continue operations without paying the ransom.

Backups are a huge obstacle for threat actors, and when they are securely configured, they can provide protection and ongoing leverage to organizations in the fight against ransomware.

How To Create Effective Backups

After a ransomware attack, restoring from backups is going to be the best and surest way to recover data. When backups are taken consistently, stored in secure locations, and have redundancy, they ensure that data can be safely and quickly restored, regardless of the type of disaster. Here’s what we recommend:

  1. Take regularly scheduled backups that are appropriately self-cleaning to avoid running out of space while keeping a robust history of restore points.
  2. Store backups in multiple locations, with at least one of these being offsite.
  3. All access to all backup locations should be password-protected with each location having its own unique credentials, and all locations using multi-factor authentication (MFA) if possible.

It is best practice to have your initial backups going to an on-site location. While it is best for this initial backup to go to a Backup and Disaster Recovery appliance (BDR, a device dedicated to hosting backups and acting as a failover appliance in a disaster) other options like a Network Attached Storage (NAS) or direct attached storage can work. When possible, these locations should all be off the domain and using unique credentials with MFA. By having a local copy of the backups, you are able to restore from disaster as quickly as possible.

Where to Store Backups

All backups should be going to a remote, offsite location. Depending on the backup provider, this may be an MSP’s (Managed Service Provider’s) datacenter, a cloud offering native to the backup product, or a replication method to a third-party cloud. It is critical that the replication and management credentials to these offsite locations are also protected with unique usernames and passwords, with MFA when possible.

Our final consideration is to have data replicated to a tertiary location — something that is truly third-party. For organizations that rely on MSPs, this means also having data in a separate cloud as well (provided by Amazon, Google, Azure, etc.), all while following the above guidelines. This will best protect against loss of any kind — either from an internal threat, a localized natural disaster, or even ransomware attacks.

It is important to have more in place than drive or tape rotation. While these solutions are cheap and offer an easy way to get offsite copies of your data (simply move the tape/rotation drive to another location), they are prone to failure because of their lack of automation. For example, if this responsibility is given to one employee, that employee taking time off or leaving the company can mean this duty goes forgotten, and your data is now extremely vulnerable.

Tale from the Trenches

Any time Tetra receives a case for a ransomware attack, and the ransom doesn’t need to be paid, it’s cause for a small celebration. While many factors influence whether or not a client has this option (the ransomer failed to remove shadows, the encryption software failed to encrypt critical data, etc.), we often see a ransom payment made unnecessary thanks to proper backup procedures.

Tetra Defense had a case where a client had a very nasty, recurring infection of Emotet and Trickbot, bringing in the Ryuk ransomware, and encrypting all production data. Luckily, the client regularly restored data from protected, offsite backups each time, and returned to business within a day. After the Ryuk ransomware hit them for the fourth time, they contacted Tetra Defense and asked for assistance. Had proper procedures been ignored, it’s very likely that in one of these attacks the ransomer would have also encrypted or destroyed all backups, resulting in a required ransom payment as high as $400,000 for their industry.

Services to Consider

Our team crosses paths with numerous tools and services through our work. When it comes to backup methodology, here are some of our fan favorites: 

Veeam
Backup & Intelligent Recovery, DR Orchestration, Cloud Mobility, Copy Data Management, Monitoring & Analytics

Datto

Acronis
Safeguards your data from recent ransomware like Petya, WannaCry and Osiris

Synology
Protect Yourself against Encryption-Based Ransomware

Check out some related content on our blog: