Rethinking Your Backup Strategy in Light of Ransomware Threats

You’ve got a very serious problem on your hands should your firm’s computer network ever become infected with ransomware, which is a type of malware that either uses encryption to permanently block access to your data until a ransom is paid or enables the hacker to steal and then threaten to publish your data unless a ransom is paid. Often, it’s both. Whether you pay the ransoms or not, and I advise not, you are going to need the services of an IT specialist. And understand there are no guarantees here. She, he or they may or may not be able to completely restore the network, even if the hacker turns over a decryption key after you’ve paid one of the ransoms.

It’s important to also know that ransomware can infect your network via multiple channels, many of which involve some form of social engineering.  One common attack vector looks like this. Someone in your firm is tricked into opening an attachment in an email that purports to be a business document or invoice.  That’s all it takes. Once enabled, the malware will start to encrypt your data. 

Making matters worse and depending upon the specific family of ransomware you’ve been hit with, the ransomware can replicate itself and spread across an entire network, can scramble the file names of all encrypted files, can run several different encryption programs in a single attack, can identify and erase restore points, can erase all the data on the hard drives, can be programed to delay executing in order to infect backups, and the list goes on.  In short, any cybersecurity specialist brought in to try and address the situation is going to be facing an uphill battle trying to recover anything. 

Again, there are no guarantees in terms of the having the ability to recover from a ransomware attack. Cybercriminals continually work to improve the effectiveness of their tools. Certain strains of malware can now even jump to the cloud, many have been engineered to evade detection by antivirus software, and as stated above, can be programed to delay running. In light of all this, the institution of an effective backup process has become a critical component to an overall defensive strategy against ransomware and other forms of cybercrime. 

Best practices today dictate having at least three copies of all your data, utilizing two different media formats, one of which must be maintained off site; and some of these backups should be immutable backups, which means the data cannot be altered or encrypted by compromised network devices. For example, you might utilize an external hard drive and a cloud backup provider. An approach like this would allow you to have access to a copy stored locally in case your internet connection is down, and post ransomware attack, the cloud backup may be the only good backup available to the cybersecurity specialist as they try to help you recover. That said, a few side notes are in order.

1) Since ransomware can map drives and infect everything connected to the network, always disconnect backup drives (e.g., any external USB drives) from the network once the backup process has completed.

2) While cloud backups can be your salvation in the event of a ransomware attack, as with any backup process, sometimes the backup data set becomes corrupted.  Thus, having multiple versions of the backup in the cloud is a good idea.

3) Given the rise of time-delayed attacks, maintaining an archive of backups locally or in the cloud would be another prudent step to take.  Yes, while losing a month or two’s worth of data might be difficult if all your current backups become infected, archived backups serve a fallback making sure you don’t lose everything. 

4) Look for cloud backup providers that allow you to control the encryption key as a way to prevent anyone else from accessing your data.

Even with a well-designed backup process in play, the best defense to threats such as ransomware is an effective offense because, and for the last time, there are no guarantees that a full recovery is going to be possible.  Often, it’s not.  So, in addition to instituting a backup process along the lines presented above, every firm regardless of size should prioritize mandatory ongoing training for all staff and attorneys.  The training should focus on social engineering awareness to include presenting real-world examples that not only demonstrate how these types of attacks continue to evolve but also provide tips on how to spot them.  Finding quality training like this, however, can be a bit of a challenge for some.  To help with this, consider working with a security company like KnowBe4 whose entire focus is geared toward this kind of training.