Ransomware by the Numbers and 7 Practical Tips to Prevent Attacks on Backup Storage

Guest Written By: Rick Vanover, Director of Technical Product Marketing at Veeam Software

If one thing has the attention of IT decision makers worldwide, it is the risk of ransomware. We frequently see headlines on outages caused by ransomware and the reality is that this is a big problem for organizations of all shapes and sizes.

Ransomware is not just a PC problem. It can be a data center problem as well. To get some insight into the scope of ransomware today, we commissioned a survey of nearly 1,000 organizations (approximately 84% of them Veeam customers) about their ransomware experiences. Here are some of the findings from the survey:

• Nearly 46% of the respondents have had some form of ransomware incident in the last two years.
• Of those who had a ransomware incident, 91% had data encrypted.
• Only 2% of the respondents admitted to paying the ransom for recovering their data.
• Of that small sample who paid the ransom, all but one of them paid less than USD $10,000.
• 84% of the respondents were able to recover their data without paying the ransom.

These are just a few of the numbers, but the sheer volume of incidents is striking. Two clarifications are needed. First, the incidents took place on a variety of platforms, including PCs, data center workloads and more. Second, many other factors went into these responses.

One important part of being resilient to ransomware is being able to recover from backups. That is the Availability you want when things do not go as planned, should ransomware become an issue in your data center. Here are a number of tips I have prepared to incorporate into your designs for backup storage:

1. Use different credentials for backup storage
This is a generic best practice, and in the ransomware era it is more important than ever. The account used to access the backup storage should be tightly controlled and used exclusively for that purpose. Additionally, no other security context should be able to reach the backup storage beyond the account(s) needed for the actual backup operations. Ransomware runs with the privileges of whatever account it has compromised, so if the everyday administrative account can also write to the backup repository, an infected system can encrypt the backups along with everything else. Whatever you do, please do not use DOMAIN\Administrator for everything!

2. Have offline storage as part of the Availability strategy
One of the best defenses against propagation of ransomware encryption to the backup storage is to have offline storage: a copy that cannot be reached over the network from the systems the ransomware is running on cannot be encrypted by it.

3. Leverage different file systems for backup storage
Having different protocols involved can be another way to prevent ransomware propagation. Put some backups on storage that uses an authentication mechanism independent of the systems you are protecting. The clearest case is a backup of something critical like a domain controller. In the unlikely event that a domain controller needs to be fully restored, there is a problem if the storage holding that backup is itself an Active Directory authenticated resource: with the domain down, you cannot authenticate to retrieve the very backup you need to rebuild it.

4. Take storage snapshots on backup storage if possible
Storage snapshots were mentioned above as what I call a “semi-offline” technique for primary storage, but if the storage device holding the backups supports this capability it is worth using here as well. A snapshot held by the array is not writable through the file share that a compromised account uses, so it preserves a restore point even if the live backup files on that share are encrypted.

5. Start using the 3-2-1-1 Rule
The 3-2-1 rule states that you should have three copies of your data, on two different media, one of which is off-site. This is great because it can address nearly any failure scenario and does not require any specific technology. In the ransomware era, it is a good idea to add another “1” to the rule: one of the copies is offline. The offline storage options listed above highlighted a number of ways to implement an offline or semi-offline copy of the data. You may not need to completely reconfigure an installation to add an offline element; consider these options as additional steps to existing designs.

6. Have visibility into suspicious behaviour
One of the biggest fears with ransomware is that it may propagate to other systems, so having visibility into potential ransomware activity is a big deal. It is good to have an availability solution that provides a pre-defined ‘Ransomware activity alarm’ that triggers when a system shows an unusually high rate of disk writes together with high CPU utilization, which is the signature of data being encrypted in bulk.
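As an added illustration of the kind of alarm described above, here is a small detector written for this page (it is example code, not Veeam's alarm implementation). The host names, telemetry samples and thresholds are all constructed assumptions; the point is the shape of the logic: compare each host's write rate to its own quiet-period baseline, require high CPU at the same time, and only alarm when the condition is sustained, so that a short backup-window spike or a bulk file copy does not fire it.

```python
"""Added example (not Veeam's alarm logic): a 'ransomware activity' detector over
constructed host telemetry. Alarm = disk-write rate far above the host's own
baseline AND high CPU, sustained over several consecutive samples."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Sample:
    ts: int            # seconds; constructed, not a real clock
    host: str
    write_mb_s: float  # disk write throughput in MB/s
    cpu_pct: float     # CPU utilisation, 0-100


# Constructed telemetry (not real data), one sample per minute per host:
#  fs01 - idle, then from ts=600 a sustained burst of writes + CPU (mass-encryption pattern)
#  fs02 - a two-sample spike when a backup job starts, then idle again (must NOT alarm)
#  fs03 - a long bulk copy: high writes but low CPU (must NOT alarm)
_RAW = [
    # ts, host, write_mb_s, cpu_pct
    (0, "fs01", 2.0, 12.0), (60, "fs01", 3.0, 15.0), (120, "fs01", 4.0, 18.0),
    (180, "fs01", 3.0, 14.0), (240, "fs01", 2.0, 11.0), (300, "fs01", 3.0, 13.0),
    (600, "fs01", 180.0, 92.0), (660, "fs01", 210.0, 95.0), (720, "fs01", 195.0, 97.0),
    (780, "fs01", 205.0, 96.0),
    (0, "fs02", 5.0, 20.0), (60, "fs02", 4.0, 22.0), (120, "fs02", 6.0, 19.0),
    (180, "fs02", 5.0, 21.0), (240, "fs02", 5.0, 20.0),
    (300, "fs02", 150.0, 85.0), (360, "fs02", 140.0, 88.0), (420, "fs02", 6.0, 20.0),
    (0, "fs03", 3.0, 10.0), (60, "fs03", 3.0, 12.0), (120, "fs03", 2.0, 11.0),
    (180, "fs03", 4.0, 13.0), (240, "fs03", 3.0, 10.0),
    (300, "fs03", 300.0, 30.0), (360, "fs03", 310.0, 32.0), (420, "fs03", 295.0, 31.0),
    (480, "fs03", 305.0, 29.0), (540, "fs03", 300.0, 30.0),
]
SAMPLES = [Sample(*r) for r in _RAW]


def detect(samples, baseline_n=5, write_factor=5.0, write_floor_mb_s=20.0,
           cpu_min_pct=80.0, sustain=3):
    """Return [(host, ts), ...], one alarm per burst, raised at the sample that
    completes `sustain` consecutive 'hot' samples. A sample is hot when its write
    rate exceeds max(write_factor * baseline, write_floor_mb_s) AND its CPU is at
    least cpu_min_pct; baseline is the median write rate of the host's first
    `baseline_n` samples. All threshold defaults are illustrative assumptions."""
    per_host = defaultdict(list)
    for s in samples:
        per_host[s.host].append(s)

    alarms = []
    for host, series in per_host.items():
        series.sort(key=lambda s: s.ts)
        learn = [s.write_mb_s for s in series[:baseline_n]]
        # The floor stops a near-zero baseline from turning any write into an alarm.
        threshold = max(write_factor * median(learn), write_floor_mb_s)
        streak, fired = 0, False
        for s in series[baseline_n:]:
            hot = s.write_mb_s > threshold and s.cpu_pct >= cpu_min_pct
            if not hot:
                streak, fired = 0, False   # burst ended; re-arm for the next one
                continue
            streak += 1
            if streak >= sustain and not fired:
                alarms.append((host, s.ts))
                fired = True
    return sorted(alarms)


if __name__ == "__main__":
    for host, ts in detect(SAMPLES):
        print(f"ALARM host={host} ts={ts}: sustained high write rate with high CPU")
```

With the defaults, only fs01 alarms (at ts=720, the third consecutive hot sample). Lowering `cpu_min_pct` makes the bulk copy on fs03 fire too, and lowering `sustain` to 2 makes the backup-job spike on fs02 fire, which is exactly the tuning trade-off such an alarm has in practice.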

7. Let the Backup Copy do the work for you
Backup Copy is a great mechanism for creating restore points on different storage and with different retention rules than the regular backup job. When the previous points are incorporated, the backup copy job becomes a valuable mechanism in a ransomware situation, because its restore points are separate from those the regular backup job writes.

Design for resiliency and plan for vigilance
There are many ways to prevent ransomware from encrypting your backups as well, and hopefully one or more of the tips listed above can be applied in your environment.