Unfortunately, ransomware is impacting businesses of all sizes across the globe. This means that critical systems and applications are encrypted by malicious actors and will only be decrypted if a ransom is paid. This will effect all but the most prepared enterprises, and as recent reports show, even prepared businesses can suffer. Offline backups of business critical information can be make or break when it comes to mitigating a ransomware attack. However unfortunately, some backups are still vulnerable to encryption. In order to provide an education for companies, the UK‘s National Cyber Security Centre (NCSC) has issued updated guidelines on how to deal with ransomware.
With this in mind, several cybersecurity experts have used their experience in order to help businesses and consumers protect their most precious information:
Chris Clements, Vice President, Solutions Architecture, Cerberus Sentinel
While offline backups are certainly an important part of any business continuity strategy, they provide limited protection to sophisticated ransomware attacks, as many actors delay activation until their code has been deployed in an environment for an extended period of time (often months), allowing for their code to infect even offline backups. Restoring from an offline copy simply re-installs that software into the environment, only to be re-activated.
Martin Jartelius, CSO, Outpost24
This has been something stressed for a long time by security organizations, a backup should be protected against getting overwritten, and offline- offsite backups are a strong recommendation, both to ensure a capability to restore and the integrity of the information.
Similarly, ensuring that the backup system is not granted write-rights to the systems it backs up is equally critical, as otherwise we are back to all eggs in one basket, just having shifted the role from this being the production system to this being the backup system.
Baan Alsinawi, Managing Director, Cerberus Sentinel
Adding one suggested point: Encryption! use encryption for your data backups. use a separate key for your backup data than the primary storage data. especially when using cloud backup solutions. less likely that two passwords/encryption methods be compromised at the same time,reduces your risk for recovery of your data after a ransomware incident. this is a best practice recommendation.
Dave Jemmett, CEO, Cerberus Sentinel
While offline backups are certainly an important part of any business continuity strategy, they provide limited protection to sophisticated ransomware attacks, as many actors delay activation until their code has been deployed in an environment for an extended period of time (often months), allowing for their code to infect even offline backups. Restoring from an offline copy simply re-installs that software into the environment, only to be re-activated.
Good business practice dictates having several backups. Keeping one from 6 months prior, 3 months prior and the monthly. The monthly backup should be daily snapshots.
The scanning of the servers for threats daily, then back up to multiple locations. Today’s cloud back up storage is a inexpensive and can be done in several offsite locations. These backups should be verified and restored periodically for validation. Encrypted backups are also a way to prevent the malware from infecting it if it’s connected to the network.
Javvad Malik, Security Awareness Advocate, KnowBe4
Offsite backups are important to prepare for any sort of incident, but are even more important in the case of ransomware. However, even backups alone may not be sufficient. We’re seeing ransomware evolve to the point that the criminals steal critical information from organisations when they infect them with ransomware. They then try to extort the company, its customers, and partners for money in order to not release the stolen information. Therefore, it’s essential that organisation do all they can to prevent ransomware to begin with. This requires a layered approach to make it difficult for criminals to get in such as patching external-facing systems, implementing MFA, encrypting data, and providing security awareness and training to all users.
