
The limits and risks of backup as ransomware protection

Backups can provide a sound means of recovery from ransomware infection, but they are not 100% certain to foil attackers. We look at the limits and risks of depending on backups

Ransomware has pushed backup and recovery firmly back onto the corporate agenda. Without a sound backup and recovery strategy, firms have little chance of surviving a ransomware attack, even if they pay the ransom.

IBM, for example, named ransomware as the leading cyber security threat in 2021, accounting for 23% of all cyber attacks.

This has forced CIOs to revisit their backup and recovery strategies, says Barnaby Mote, managing director at online backup provider Databarracks. “The paradox is that ransomware has brought backup and recovery back into focus,” he says. “If you go back five years, it was a hygiene issue, and not on the CIO or CEO agenda. Now it is again.”

High-profile attacks against organisations including shipping company Maersk and US oil network Colonial Pipeline have focused attention on the risks posed by this type of cyber attack and prompted organisations to invest in cyber defences.

But ransomware is becoming smarter, with double- and triple-extortion attacks, and techniques that allow the malware to remain undetected for longer. This puts pressure on that other essential defence against ransomware – good data backups.

“The other factor that has changed dramatically is that when you get a ransomware infection, it doesn’t always trigger immediately,” says Tony Lock, analyst at Freeform Dynamics. “You might find that the ransomware has been in your system a long time before you noticed it, but it’s only now they’ve triggered it and everything’s encrypted.”

As a result, organisations have to go back further in time to find clean backups, pushing the actual recovery point far beyond the recovery point objective (RPO) the business planned for, to the point where the business is put at risk, or its leaders might even feel they must pay the ransom. “How far do you need to go,” says Lock, “so that when you’re doing a recovery from your copies, you make sure you’re not bringing the infection back with you?”

Backups at risk

As Lock suggests, when organisations deal with a ransomware attack, one of the greatest risks is reinfecting systems from a compromised backup. Some of the industry’s tried-and-tested backup and recovery and business continuity tools offer little protection against ransomware.

Snapshots and replicas record the live state of a system, whether the copy sits on the same array, on-premise elsewhere or in the cloud. So, if ransomware hits the production system, there is every chance the encrypted data will be replicated faithfully onto the copy, and any snapshot taken after the attack simply captures the encrypted state.

Conventional data backup systems face the same risk, copying compromised files to the backup library. And malware authors are adapting ransomware so that it actively targets backups, blocks data recovery, or encrypts restored files as soon as they are brought back.

Some ransomware families, Locky and Crypto, for example, now go for backups and shadow copies directly, deleting or encrypting them before the production data, knowing that this puts the victim at a real disadvantage. This has forced organisations to look again at their backup strategies.

Immutable backups

One option is to use so-called “immutable” backups. These are backups that, once written, cannot be changed. Backup and recovery suppliers are building immutable backups into their technology, often targeting it specifically as a way to counter ransomware.

The most common method for creating immutable backups is through snapshots. A snapshot is read-only by design, which makes it immutable in one sense. What it does not protect against is an attacker with storage-administrator rights deleting or expiring the snapshot itself, so suppliers are taking additional measures to prevent these backups being targeted by ransomware.

Typically, this is by ensuring the snapshot or backup copy can only be mounted, expired or erased by the backup software that created it, rather than through the file system or an ordinary storage-admin session, and not before a defined retention period has passed. Some suppliers go further, such as requiring two people to each enter a PIN to authorise overwriting or deleting a backup.
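The rules described above, write-once objects, no deletion before retention expires, and dual-person approval for deletion, as an added example in Python. This is illustration code written for this page, not any supplier's implementation; the repository class, the approver names, the PINs and the retention period are all assumed.

```python
"""Added example: the access rules an immutable backup repository enforces.
Not a vendor's code. Users, PINs, retention and object names are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Sequence, Tuple


class ImmutabilityError(PermissionError):
    """Raised when an operation would violate the repository's write-once rules."""


@dataclass(frozen=True)
class BackupObject:
    data: bytes
    sha256: str
    written_at: datetime
    retain_until: datetime


def _pin_hash(pin: str) -> str:
    # Illustration only: a real deployment keeps approver PINs behind a slow KDF or an HSM.
    return hashlib.sha256(pin.encode()).hexdigest()


@dataclass
class ImmutableRepository:
    """Write-once store: no overwrite, no delete before retention expires,
    and deletion only with two distinct approvers presenting valid PINs."""
    retention: timedelta
    approver_pins: Dict[str, str]                       # user -> hashed PIN (assumed setup)
    _objects: Dict[str, BackupObject] = field(default_factory=dict)

    def put(self, name: str, data: bytes, now: datetime) -> str:
        if name in self._objects:
            raise ImmutabilityError(f"{name} already exists; objects are write-once")
        digest = hashlib.sha256(data).hexdigest()
        self._objects[name] = BackupObject(data, digest, now, now + self.retention)
        return digest

    def exists(self, name: str) -> bool:
        return name in self._objects

    def verify(self, name: str) -> bool:
        """Recompute the hash recorded at write time to detect tampering."""
        obj = self._objects[name]
        return hmac.compare_digest(hashlib.sha256(obj.data).hexdigest(), obj.sha256)

    def _pin_ok(self, user: str, pin: str) -> bool:
        expected = self.approver_pins.get(user)
        return expected is not None and hmac.compare_digest(_pin_hash(pin), expected)

    def delete(self, name: str, now: datetime, approvals: Sequence[Tuple[str, str]]) -> None:
        obj = self._objects[name]
        if now < obj.retain_until:
            raise ImmutabilityError(f"{name} is retained until {obj.retain_until.isoformat()}")
        approved = {user for user, pin in approvals if self._pin_ok(user, pin)}
        if len(approved) < 2:
            raise ImmutabilityError("deletion requires two distinct approvers with valid PINs")
        del self._objects[name]


def _refused(action: Callable[[], object]) -> bool:
    try:
        action()
    except ImmutabilityError:
        return True
    return False


def demo() -> Dict[str, bool]:
    """Walk through the cases a ransomware operator with admin access would try."""
    t0 = datetime(2021, 6, 1, tzinfo=timezone.utc)
    repo = ImmutableRepository(
        retention=timedelta(days=30),
        approver_pins={"alice": _pin_hash("2468"), "bob": _pin_hash("1357")},  # constructed
    )
    name = "backups/2021-06-01.tar"
    repo.put(name, b"full backup, day 1", now=t0)
    both = [("alice", "2468"), ("bob", "1357")]
    results = {
        "overwrite_refused": _refused(lambda: repo.put(name, b"encrypted garbage", now=t0)),
        "early_delete_refused": _refused(
            lambda: repo.delete(name, now=t0 + timedelta(days=3), approvals=both)),
        "single_approver_refused": _refused(
            lambda: repo.delete(name, now=t0 + timedelta(days=31),
                                approvals=[("alice", "2468"), ("alice", "2468")])),
        "integrity_ok": repo.verify(name),
    }
    repo.delete(name, now=t0 + timedelta(days=31), approvals=both)  # allowed: retention over, two approvers
    results["deleted_after_retention"] = not repo.exists(name)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The same semantics, enforced by the storage layer rather than by application code, are what compliance-mode object lock on cloud object stores and WORM appliances provide: the backup software can write a new object, but nobody, including the storage administrator, can shorten the retention or delete the object before it expires.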

The issue with snapshots is the volume of data they create, and the fact that those snapshots are often written to tier one storage, for reasons of rapidity and to lessen disruption. This makes snapshots expensive, especially if organisations need to keep days, or even weeks, of backups as a protection against ransomware.

“The issue with snapshot recovery is it will create a lot of additional data,” says Databarracks’ Mote. “It will work, but has a large impact on the storage you need, and there is the cost of putting it on primary storage.”

Air gaps

Another way to protect against ransomware is to “air gap” storage, especially backups. In some ways this is the safest option, especially if the backups are stored off-site, on write-once, read-many (WORM) media such as optical storage, or even tape.

“Personally I like air gaps,” says Freeform’s Lock. “I’d like the backup to be on something that is totally air-gapped – take a copy on tape and put it somewhere. Preferably with logical and physical air gaps.”

The disadvantage of air gaps, especially physical air gaps with off-site storage, is the time it takes to recover data. Recovery time might be too long to ensure business continuity. And if IT teams have to go back through several generations of backups to find ransomware-free copies, the cost of recovering lost data can be high, maybe even higher than the cost of the ransom.

“Time to restore, at scale, is now key,” says Patrick Smith, field CTO, Europe, Middle East and Africa (EMEA) at Pure Storage. “This may mean specific solutions for the business-critical applications that need to be online first.”

Suppliers are trying to work round this through logical (virtual) air gaps, which allow backups to be stored on faster local or cloud storage that is isolated from the production network and production credentials. But for businesses with the most critical data, it is likely that only fully immutable and physically air-gapped backups will suffice, even if it is as a second or third line of defence.

Defence in depth: backups and security tools

CIOs are also looking to augment their backup tools with security measures aimed specifically at ransomware.

Perhaps the greatest risk to an organisation with a solid backup policy is unwittingly re-infecting systems from ransomware hidden in backups.

Firms need to put measures in place to scan backups before restoring them to production, ideally by restoring first into an isolated recovery environment, but again this takes time. And malware authors are adept at hiding their trails.

Anomaly detection is one route suppliers are exploring to check whether backups are safe. According to Freeform Dynamics’ Lock, machine learning tools are best placed to pick up changes in data that could be malware. This type of technology is increasingly important as attackers turn to double- and triple-extortion attacks.

“You need to make data protection, observability and checking for anomalies a continuous process,” he says.
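One form the anomaly check described above can take, and at the same time an answer to Lock's earlier question of how far back to go for a clean copy, as an added example in Python. This is illustration code written for this page, not any supplier's detection logic: the three heuristics (share of files changed, share of changed files that are high-entropy, and files renamed with an added suffix), the thresholds, and the three constructed backup generations are all assumptions.

```python
"""Added example (not from the article or any vendor): flag the backup
generation in which files look mass-encrypted, and pick the newest generation
before it as the restore point. File contents and thresholds are constructed."""
import math
import random
from collections import Counter
from typing import Dict, List

Generation = Dict[str, bytes]  # backup path -> file contents as held in the backup


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4 to 5 for prose, close to 8 for encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compare_generations(prev: Generation, cur: Generation,
                        entropy_threshold: float = 7.0,
                        change_threshold: float = 0.5) -> dict:
    """Heuristic comparison of two consecutive generations (assumed thresholds).

    Signals that together indicate mass encryption rather than normal churn:
      * change_rate:    share of all paths that were modified, removed or added
      * encrypted_rate: share of changed or new files whose contents are high-entropy
      * renamed:        new paths that are an old path plus a suffix (report.docx.locked)
    """
    all_paths = set(prev) | set(cur)
    modified_or_removed = [p for p in prev if p not in cur or cur[p] != prev[p]]
    added = [p for p in cur if p not in prev]
    touched = [p for p in modified_or_removed + added if p in cur]
    high_entropy = [p for p in touched if shannon_entropy(cur[p]) >= entropy_threshold]
    renamed = [p for p in added if any(p.startswith(old + ".") for old in prev)]
    change_rate = len(set(modified_or_removed) | set(added)) / max(len(all_paths), 1)
    encrypted_rate = len(high_entropy) / max(len(touched), 1)
    suspicious = (change_rate >= change_threshold and encrypted_rate >= change_threshold) \
        or bool(renamed)
    return {"change_rate": round(change_rate, 2), "encrypted_rate": round(encrypted_rate, 2),
            "renamed": sorted(renamed), "suspicious": suspicious}


def last_clean_generation(generations: List[Generation]) -> int:
    """Index of the newest generation taken before the first suspicious transition."""
    for i in range(1, len(generations)):
        if compare_generations(generations[i - 1], generations[i])["suspicious"]:
            return i - 1
    return len(generations) - 1


# ---- constructed sample data: three nightly generations of a small file set ----
_rng = random.Random(2021)


def _ciphertext(n: int = 2048) -> bytes:
    """Stand-in for ransomware output: uniformly random bytes, deterministic via the seed."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


_TEXT = b"Quarterly revenue summary for the EMEA region, reviewed by finance. " * 30

GENERATIONS: List[Generation] = [
    # night 1: normal file set
    {"finance/q1.txt": _TEXT, "finance/q2.txt": _TEXT + b"draft",
     "hr/policy.txt": _TEXT, "eng/notes.txt": _TEXT},
    # night 2: ordinary churn, one edit and one new file
    {"finance/q1.txt": _TEXT, "finance/q2.txt": _TEXT + b"final",
     "hr/policy.txt": _TEXT, "eng/notes.txt": _TEXT, "eng/todo.txt": _TEXT[:300]},
    # night 3: ransomware has run; every file replaced by a renamed, encrypted copy
    {"finance/q1.txt.locked": _ciphertext(), "finance/q2.txt.locked": _ciphertext(),
     "hr/policy.txt.locked": _ciphertext(), "eng/notes.txt.locked": _ciphertext(),
     "eng/todo.txt.locked": _ciphertext(),
     "README_RESTORE.txt": b"Your files are encrypted. Pay to recover them. " * 5},
]


if __name__ == "__main__":
    for i in range(1, len(GENERATIONS)):
        print(f"generation {i - 1} -> {i}:", compare_generations(GENERATIONS[i - 1], GENERATIONS[i]))
    print("restore from generation", last_clean_generation(GENERATIONS))
```

Run continuously against each new backup generation rather than only at restore time, a check like this gives the early warning Lock describes: the night-3 generation trips all three signals while the night-2 edit does not, so the restore point is generation 1 and the encrypted copy never reaches the recovery environment. Entropy alone is not enough, since compressed archives and already-encrypted files are legitimately high-entropy, which is why the change rate and the renaming pattern are weighed alongside it.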
