Ransomware (& the importance of backups)

By Chris Williams

“A backup is worth a thousand bitcoin.”
While not a literal exchange rate, the above quip does contain some truth with regard to ransomware attacks: if you still have access to your (unencrypted) data, then you don’t have to pay the ransom.

Backup methods (and pitfalls)

Many IT professionals advise scheduling a nightly backup as well as a periodic offsite backup, using multiple drives in rotation, a regularly scheduled cloud backup service, or both. The goal is to maintain multiple versions of the backup so that a “clean” backup isn’t mistakenly overwritten by an infected one; versioning is easy in concept, but poor management of physical media can result in errors that undermine the protection backups are supposed to offer.

Example: the Acme Company uses a tape drive for its weekly full backups; there are six tapes that are rotated sequentially, which means six versions of the backup data should exist at all times. One week, an administrator is supposed to rotate from tape #2 to tape #3, but by mistake he replaces tape #2 with tape #1, and the backup on that tape is subsequently overwritten. If a problem emerges that requires restoring from backup tape #1, the company is now in serious trouble because that data is gone—instead they’ll be forced to use the backup from tape #6 and lose an additional week of data unnecessarily. (Full disclosure: both tape drives and weekly backups are considered archaic, but this scenario illustrates the point well.)
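The mistake in the Acme scenario is preventable if the backup job itself refuses to write to anything but the oldest medium in the pool. The following is an added example (not code from the article) that models a fixed rotation in memory; the tape labels, the `RotationPool` class and the generation counter are assumptions for illustration, standing in for the machine-readable label a real tape or removable drive would carry.

```python
"""Guard against overwriting the wrong medium in a fixed backup rotation.

Added example, not from the original article. Each medium records the
generation (sequence number) of the backup it holds; a write is accepted
only if the inserted medium is the oldest one in the pool.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Medium:
    label: str
    generation: Optional[int] = None  # None = never written
    payload: bytes = b""


class RotationError(Exception):
    """Raised when a write would overwrite a medium that is not the oldest."""


class RotationPool:
    def __init__(self, labels):
        self.media = {label: Medium(label) for label in labels}
        self.generation = 0

    def oldest(self) -> Medium:
        # Never-used media come first, then the lowest generation number.
        return min(
            self.media.values(),
            key=lambda m: (m.generation is not None, m.generation or 0),
        )

    def write_backup(self, label: str, payload: bytes) -> int:
        """Write a new generation to the inserted medium, or refuse."""
        inserted = self.media[label]
        expected = self.oldest()
        if inserted is not expected:
            raise RotationError(
                f"{label} holds generation {inserted.generation}; "
                f"expected {expected.label} (oldest) in the drive"
            )
        self.generation += 1
        inserted.generation = self.generation
        inserted.payload = payload
        return self.generation

    def versions_available(self) -> int:
        """How many distinct backup generations the pool currently holds."""
        return sum(1 for m in self.media.values() if m.generation is not None)


def acme_mistake() -> tuple:
    """Replay the article's scenario: tape #1 inserted when tape #3 was due."""
    pool = RotationPool([f"tape{i}" for i in range(1, 7)])  # constructed labels
    pool.write_backup("tape1", b"week 1 full backup")
    pool.write_backup("tape2", b"week 2 full backup")
    try:
        pool.write_backup("tape1", b"week 3 full backup")  # the mistake
        refused = False
    except RotationError:
        refused = True
    # The correct medium is still accepted afterwards.
    third = pool.write_backup("tape3", b"week 3 full backup")
    return refused, third, pool.versions_available(), pool.oldest().label
```

In a real job the check would read the label from the inserted tape or drive and compare it with the rotation log before the backup software is allowed to start; the point is that the guard fails closed rather than silently destroying the most recent generation.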

Many cloud backup solutions automate versioning, which removes this source of error. Once the solution is configured, each subsequent backup sent to the cloud is tracked separately so that administrators can restore from virtually any point in time (provided the backups go back that far). As far as commercially available products go, Carbonite seems to be reasonably popular with SOHO users and some medium-sized businesses as well.

Test restore procedures

Test backup and restore procedures periodically. Even if your scheduled backups execute as planned with no errors, there’s plenty of storage left on the media (or in the cloud), and all looks well, do yourself a favor and test the integrity of the data as frequently as is reasonable. Few things are worse than a false sense of security, and corrupted or unusable backup data is exactly that.

Scenario: Acme Company is infected with ransomware first thing Monday morning. Management decides to restore from Friday’s “known-good” offsite backup—however, due to physical damage to the backup media, the data is corrupt and incomplete (or worse, can’t be restored at all). Once again, the company is forced to rewind an additional week by using the previous backup. This could have been prevented by regular testing, which would have detected the physical media issues.
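A test restore is only meaningful if the restored data is compared against something recorded when the backup was taken. The following added example (not code from the article) records a SHA-256 manifest at backup time, then restores the archive to a scratch directory and checks every file against that manifest, so the corrupt or incomplete data in the scenario above is found on a scheduled test rather than on Monday morning. The directory layout, the `manifest.json` name and the sample files are constructed for illustration.

```python
"""Test-restore check for a file backup.

Added example, not from the original article: backup() records a SHA-256
per file, verify_restore() restores to a scratch directory and reports each
file as ok, corrupt or missing, and simulate_media_damage() is a
constructed fault that stands in for damaged media.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"  # assumed name for the digest manifest


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(src: Path, archive: Path) -> dict:
    """Copy src into archive/data and write a manifest of per-file digests."""
    data = archive / "data"
    manifest = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src).as_posix()
        dest = data / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
        manifest[rel] = sha256_file(dest)  # hash the stored copy, not the source
    (archive / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path, scratch: Path) -> dict:
    """Restore every manifest entry to scratch and classify the result."""
    manifest = json.loads((archive / MANIFEST).read_text())
    report = {"ok": [], "corrupt": [], "missing": []}
    for rel, expected in manifest.items():
        stored = archive / "data" / rel
        dest = scratch / rel
        if not stored.exists():
            report["missing"].append(rel)
            continue
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(stored, dest)
        bucket = "ok" if sha256_file(dest) == expected else "corrupt"
        report[bucket].append(rel)
    return report


def simulate_media_damage(archive: Path, rel: str) -> None:
    """Constructed fault: flip one byte of the archived copy of rel."""
    path = archive / "data" / rel
    raw = bytearray(path.read_bytes())
    raw[0] ^= 0xFF
    path.write_bytes(bytes(raw))


def demo() -> tuple:
    """Clean test restore, then one after damage, then one after file loss."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, archive = root / "src", root / "archive"
        (src / "finance").mkdir(parents=True)
        # Constructed sample data standing in for the company's files.
        (src / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (src / "notes.txt").write_text("constructed sample data\n")
        backup(src, archive)
        clean = verify_restore(archive, root / "restore1")
        simulate_media_damage(archive, "finance/ledger.csv")
        damaged = verify_restore(archive, root / "restore2")
        (archive / "data" / "notes.txt").unlink()
        lost = verify_restore(archive, root / "restore3")
    return clean, damaged, lost
```

Run `demo()` to see the three reports; in practice the verify step would run against each rotation slot or cloud snapshot on a schedule, and any entry in `corrupt` or `missing` should page someone before the backup is ever needed.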

The takeaway

Ransomware is one of the most pervasive threats facing individuals and organizations today. The best medicine is, of course, prevention. However, the next best defense is to take away the hacker’s leverage—being able to recover your data without paying bitcoin for the decryption key saves money, reduces downtime, and perhaps most importantly doesn’t reward criminals for their behavior. If every user and every business maintained backup data properly, ransomware simply wouldn’t be profitable enough to continue.
