Backup Is Not Enough

As a defense against ransomware attacks, most backup solutions fall miserably short.

by James Slaby

Riding a meteoric growth wave that most tech startups would envy, ransomware recently gained the top spot among the world’s biggest malware threats. According to Verizon’s 2018 Data Breach Investigations Report, ransomware won the World’s Most Prevalent Malware prize by combining ease of deployment –handy toolkits enable even low-skilled operators to get into the game -- and the low risks and costs of mounting successful attacks, as criminals do not have to monetize stolen data. They simply infect victims’ computers and mobile devices with a virus that quietly encrypts every data file it finds, then demands an online payment in Bitcoin for the decryption keys needed to restore the files. It’s a lucrative and destructive illicit enterprise: tech researcher Cybersecurity Ventures forecasts that ransomware attacks will cost businesses $11.5B annually by 2019.

Historically, the simplest and most foolproof defense against ransomware attacks has been backup software. If you get hit, you don’t pay the ransom, but merely restore your systems from a backup made before you got infected. (Paying the ransom is discouraged by security experts and law enforcement, anyway: fewer than half the victims who pay are able to successfully restore their files.) If your company is rigorous about its backup regimen, you can usually resume operations quickly after an attack. But there is always a cost in lost data: most organizations cannot afford the luxury of very short recovery point objectives, having to balance short RTO’s against factors like storage costs and the performance impact of backup operations on production applications. So most businesses will be restoring from a backup that is at least a few hours if not a day or more old, so some valuable data will inevitably get lost in the recovery effort.

Ask the typical data protection vendor how they fight ransomware, and this is their only real answer: restore infected systems from backup. They will wrap this solution with some good advice about keeping ransomware out and minimizing the damage from successful attacks, including:

• Follow the 3-2-1 rule of backup: store backups on different media and keep them in different locations, with at least one copy offsite, typically in cloud storage.
• Train users to avoid the most common ransomware traps, like opening links and attachments in phishing emails
• Patch operating systems and applications religiously to close known software vulnerabilities that ransomware can exploit as an attack vector
• Deploy endpoint defenses like anti-virus software to detect and block widely-known ransomware strains
• Use network segmentation techniques like VLANs to hinder the worm-enabled proliferation of some ransomware variants across private networks

These are solid tips, but they do nothing to address the fact that most backup solutions are quite limited in their response to ransomware. For starters, most ransomware gangsters understand that a company with a well-executed backup plan in place will have an easier time not paying the ransom: they’ll restore their infected systems from backup and move on. To undermine the effectiveness of backup as an anti-ransomware tactic, criminal developers now build ransomware that doesn’t just encrypt the user’s files, but also attacks backup agents and backup repositories. A ransomware-encrypted backup is useless in recovering a ransomware-encrypted production system, so the victim is more likely to pay up.

Some vendors offer modest defenses against ransomware attacks on backups, e.g., by write-protecting backup mount paths from all processes except the backup program, or otherwise restricting access to backup repositories and keeping them offline. Another feature some vendors offer is a daily check of the files on a system to see if anything that looks suspiciously like a ransomware attack has occurred, and sending an alert to the backup console if it has. (By the time most IT operations people notice an infrequent alert like this, the attack may have spread to every other endpoint on the local network.)

Every vendor also touts features that speak to the comprehensiveness and speed of their backup and restore features: “We back up all your systems, and we have many ways to make the restoral process faster.” These are indeed important: fast and complete restoral from an attack means faster time to resume operations. But none of these features does anything to address:

• The disruptive effect a successful ransomware attack has on business operations during the period of detection, containment, restoral, cleanup, and post-attack forensics, analysis and reporting.
• The cost of recreating or writing off data lost since the last backup
• The business and reputation costs that ensue from an attack that results in a compliance violation that mandates security breach reporting to authorities and customers. For example, a successful ransomware attack constitutes a breach of private user data under the EU’s stringent new General Data Protection Regulation.
• The potential for the recurrence of another ransomware attack, beginning a costly cycle of attack and response.

Fortunately, there are superior approaches to the typical backup vendor’s solution of “Back up everything up, try to make your archives less accessible, and restore from backup if you get attacked.’ As a baseline, businesses should look for data protection solutions with the following features:

• Comprehensive backup of every endpoint and workload, including servers, PCs and mobile devices in physical, virtual and cloud environments
• Fast restoral of workloads to any type of endpoint (physical, virtual or cloud), regardless of what type of platform the backup was made from
• Hardening of backup agents and backup repositories against tampering by any process not strictly associated with the data protection software
• The ability to define backup administrative roles according to the principle of least privilege, giving IT staffers only the minimum powers they need to do their jobs
• Robust tools for monitoring, alerting and dashboarding of the data protection environment to quickly flag and report any anomalies that might be symptomatic of a ransomware attack

These are all critical features, but still largely relate to robust backup and restore capabilities. The most important feature of all to look for is a backup solution that actively detects and terminates ransomware attacks as soon as they begin, and then restores any files (using a local cache) that were damaged before the attack was detected and stopped.

This is by far the most preferable method to addressing ransomware attacks: not simply by mopping up the damage from a successful attack by restoring from the most recent backup, but ending the attack before it necessitates a restore-from-backup operation in the first place. This obviates a whole host of problems:

• Operations are only momentarily affected; instant repair of damaged files enables immediate resumption of normal business activities
• Snuffing out an attack on a compromised endpoint means that it cannot propagate to other local systems across the network
• Businesses avoid the large potential adverse impact on operations, profitability and brand integrity that a successful attack and the resultant mop-up operations can entail
• Termination of a ransomware attack before it can damage customers’ personal data may obviate what would otherwise be a costly and embarrassing security breach notification for compliance reasons

Business looking for such a solution should consider Acronis Backup and Acronis Backup Advanced, which in addition to providing the industry’s most comprehensive data protection solution also include Acronis Active Protection, an advanced ransomware protection technology. Completely compatible with the most common anti-malware solutions, this technology actively protects all of the data on your systems, including documents, media files, programs, and backup files.

Acronis Active Protection constantly observes patterns in how data files are being changed on a system, looking for ransomware-like behaviors. With the aid of a built-in machine learning engine, Active Protection positively identifies malicious behavior patterns, even by previously unknown ransomware variants, with unparalleled accuracy. When it identifies a process as ransomware, Active Protection immediately terminates the attack, then restores any files (using local cache) that were encrypted before the attack was detected.

Backup is a great last line of defense against the world’s most pervasive malware threat, but it shouldn’t be your only line of defense. See for yourself what a difference an active behavioral endpoint defense against ransomware can do to protect your critical business data. Get a free trial of Acronis Backup with Active Protection here: https://www.acronis.com/en-us/business/backup/workstation/