I’ve heard a few people in different organisations mention that they weren’t worried about ransomware because they could just restore from backup. If only it were that easy!
CERT NZ and the US Cybersecurity & Infrastructure Security Agency have recently warned about increases in cases of the RYUK ransomware (specifically affecting the healthcare industry). This got me wondering about how useful backups are as a protection against ransomware. In theory it should work, right? Ransomware works by encrypting your data on disk and then ransoming it back: the attackers offer to sell you the keys so you can decrypt your data and get it back. So if you can just restore the backup from before you got ransomed, you should be fine. Well, if it were that easy, why did Garmin pay USD 10 million to that ransomware crew? Why have so many other companies paid ransoms? And why do ransomware gangs appear to be so successful?
If you want to understand why, this DFIR write-up of a RYUK attack has some great detail. It describes a real big-game ransomware attack and what it involved. You can read the full report (if you are really interested), but here’s my brief summary. First they successfully gained initial entry via a phishing email that infected someone’s desktop with malware. Then they investigated the network and got privileged access through a server vulnerability (called Zerologon). They then moved through the network (a technique called “lateral movement”) to gain control of more important things. Once they had sufficient knowledge of the network, the attacker was ready to start encrypting the victim’s data, and the first thing they went after was the backups! That’s right: even before encrypting the important data in production, they encrypted the backed-up data. There are two reasons for this:
- Backups are less visible. In general they are not monitored, and an attacker has longer before anyone notices that something untoward has happened.
- The first thing the attacker disables is the organisation’s primary defence against the ransomware attack that follows.
When you add to this the uncertainty that many organisations have about their restore procedures, backups don’t look like a sure bet for protecting you against ransomware. If you follow CERT NZ’s advice and keep three backups, one of them offline, then you will have some protection, but I don’t know of many organisations that implement that rigorous a regime – it’s expensive and hard to maintain – good on you if you are!
Now this doesn’t mean that backups are a waste of time – they are definitely important. They offer some protection from a host of threats, and even from simple ransomware attacks, but they aren’t foolproof, and they don’t offer good protection against sophisticated gangs.
So what else can you do to defend your organisation from ransomware? Well, firstly, update your software, and specifically apply security patches immediately. If the organisation in the report had applied the available security patch from Microsoft, this attack would not have succeeded. Most ransomware attacks take quite a bit longer than 5 hours from start to finish, so robust monitoring and alerting would usually help, and good control of privileged accounts is also key (as most of these attacks rely on moving from compromising a normal user account to compromising more powerful accounts such as system administrators, a technique we call privilege escalation). Putting in place these measures will usually help prevent or contain all except the most determined and skilful attackers.
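One concrete way to address the point above that backups are rarely monitored, and to give the monitoring and alerting a specific signal to look for, is to compare each backup set against a manifest taken when the backup was made and kept on the offline copy, where the backup host cannot rewrite it. The following is an added example, not code from the post or from CERT NZ; the file names, contents and entropy thresholds are constructed for the demonstration.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext is typically 4-6, encrypted data is close to 8."""
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return 0.0 - sum(c / n * math.log2(c / n) for c in counts if c)

def scan(backup_dir: Path) -> dict:
    """Map each file (relative POSIX path) to (sha256 hex, entropy)."""
    out = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            rel = p.relative_to(backup_dir).as_posix()
            out[rel] = (hashlib.sha256(data).hexdigest(), shannon_entropy(data))
    return out

def compare(manifest: dict, current: dict, high: float = 7.0, jump: float = 1.0) -> list:
    """Return (path, reason) findings; an empty list means the backup set is intact."""
    findings = []
    for rel, (digest, base_ent) in manifest.items():
        if rel not in current:
            findings.append((rel, "missing"))
        elif current[rel][0] != digest:
            # Entropy jumping towards 8 bits/byte is the signature of a file encrypted
            # in place; any other change is still reported, a finished backup never changes.
            ent = current[rel][1]
            reason = "encrypted?" if ent >= high and ent - base_ent >= jump else "modified"
            findings.append((rel, reason))
    for rel in current:
        if rel not in manifest:
            findings.append((rel, "unexpected file"))  # e.g. a dropped ransom note
    return findings

def demo() -> list:
    """Constructed scenario: manifest taken, then one file encrypted, one deleted, a note dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "db.sql").write_bytes(b"INSERT INTO users VALUES (1, 'alice');\n" * 200)
        (d / "config.yml").write_bytes(b"retention: 30\nencrypt: false\n")
        manifest = scan(d)  # in practice: stored on the offline copy, not beside the backup
        (d / "db.sql").write_bytes(os.urandom(8000))  # stands in for ciphertext
        (d / "config.yml").unlink()
        (d / "README_TO_RESTORE.txt").write_bytes(b"pay us")
        return compare(manifest, scan(d))
```

Compressed or already-encrypted backup archives have high entropy to begin with, which is why the check requires a jump relative to the manifest's baseline rather than an absolute threshold alone.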