Compromised backup servers can thwart efforts to restore damage done by ransomware and give attackers the chance to extort payments in exchange for keeping sensitive stolen data secret.
Backup and recovery systems are at risk for two types of ransomware attacks: encryption and exfiltration – and most on-premises backup servers are wide open to both. This makes backup systems themselves the primary target of some ransomware groups, and warrants special attention.
Hackers understand that backup servers are often under-protected and administered by junior personnel that are less well versed in information security. And it seems no one wants to do something about it lest they become the new backup expert responsible for the server. This is an age-old problem that can allow backup systems to pass under the radar of sound processes that protect most servers.
It should be just the opposite. Backup server should be the most updated and secure systems in the data center. They should be the hardest to login to as Administrator or root. And they should require jumping through the most hoops to login remotely.
An important role backup servers play is providing the means to recover from a ransomware attack without paying the ransom. They contain the data needed to rebuild the machines that have been encrypted by the ransomware, so ransomware groups try to encrypt the backups, too. The saddest line in any ransomware story is, “and the backups were also encrypted.” They are your last line of defense, and you must hold the line.
That’s the traditional ransomware attack, but data exfiltration is fast becoming a primary motivation for ransomware attackers who target backup servers. If bad actors can exfiltrate and decrypt your company’s secrets via the backup server, they can extort you in a way that you cannot defend against: “Pay up or your company’s most important (or worst) secrets will become public knowledge.” Then they give you access to a web page where you can see the data they have, and your organization has little choice but to pay the ransom and hope they keep their promise.
This strategy makes sense for ransomware groups. It’s easier to go after the one server that definitely holds all of an organization’s sensitive data than to successfully attack many servers that may hold some sensitive data.
Following this logic, once a piece of malware gets into your data center, it immediately contacts its command-and-control server to find out what it should do next. Increasingly, the next step is to identify what type of backup system is being used and once they figure that out, to begin directly attacking that system.
The attackers might try to directly access your backup data over the network via NFS or SMB, and if they can—and it’s unencrypted—their job is done. If they can’t, they go directly at the operating system of the backup server using a system exploit or compromised credentials to gain Administrator/root access. Gaining access to the machine key used for basic encryption gives them the keys to the backup kingdom, and all bets are off.
The best way to defend against this scenario is to keep ransomware organizations from compromising your backup servers. Here’s how:
- Keep OS and application patches up to date
- Shut off all inbound ports except those required by backup software
- Enable necessary management ports (e.g. SSH, RDP) via a private VPN
- Use a local host file to prevent malware from contacting command-and-control servers
- Maintain a separate password-management system for backup and application servers (i.e. no LDAP)
- Enforce the use of multi-factor authentication
- Limit the use of root/Administrator; set off alarms when you do
- Use SaaS backup as an alternative to managing your own backup server
- Use least privilege wherever possible, giving each person privileges they need to do their job and nothing more
To protect the backup data itself from extortion or encryption, you should configure your backup system like this:
- Encrypt all backup data wherever it is stored
- Use third parties to manage encryption keys
- Do not store backups as files via DAS or NAS. Ask your vendor for more secure methods.
- Store backups on a different operating system than your backup server.
- Use on-premises storage with immutable features (e.g. Linux)
- Create a copy on tape/RDX and send it offsite
- Create a copy on immutable cloud storage.
This will be a lot of work for most environments but worth it if you recognize how much danger your backup server is in.