Backup’s Two-Pronged Response to Ransomware

This research, written byJerome M. Wendt, president and founder, DCIG LLC, was published on March 19, 2020.

Backup’s Two-pronged Response Ransomware

Organizations everywhere currently must grapple with how to best prepare for and respond to the corona virus. Many must currently make decisions on the fly and formulate responses with only partial or information. Thankfully, when it comes to dealing with another threat they face, ransomware, they have better information and answers. Already, many backup solutions offer a two-pronged response to ransomware.

Legacy Features, New Relevance
All enterprise backup solutions, by default, offer some means of protection against ransomware. They collectively make copies of production data and store it somewhere else – the cloud, network drives, and/or direct attached storage. These copies of production data ensure some level of protection against ransomware and generally provide a means to recover.

Further, many of these solutions support removable media, such as disk or tape. When removed, it creates an air gap that ransomware cannot bridge that serves to protect the data from a ransomware attack.

Integration with Microsoft Active Directory (AD) to authenticate user logins also helps repel ransomware attacks. Some ransomware strains, such as DoppelPaymerhttps://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/, now target backup software and attempt to log into it using an admin login and password.

Once logged in, it seeks to compromise existing backups in at least two way. It may simply delete them. Alternatively, it may copy the data and send it to the hacker. The hacker may then threaten to release and publish the data unless the organization pays the hacker a ransom. Using backup software integration with Microsoft AD, enterprises can use more sophisticated login and password schemes to better deter ransomware attacks against the backup software itself.

Next-Gen Features
While these legacy features do help organizations respond to ransomware’s threats, they only go so far. New technologies now exist that better equip organizations to detect, prevent, and recover from ransomware attacks. In almost all cases, these newest features complement, rather than replace, these legacy approaches. Some of the latest features include:

1. Storing data in immutable object stores
   Immutable object stores may reside in multiple locations. These include on-premises, in general-purpose clouds, purpose-built clouds, or any combination thereof. Using an immutable object store, once data is written to it, the data cannot be erased though it can be overwritten. Overwrites may occur if the ransomware finds the object store and encrypts the data in it. However, if ransomware does encrypt it, one may configure the object store to retain the older, previous version of the data. In this way, one can recover and restore the original versions of the data.
2. Integration with cybersecurity software
   A backup solution’s integration with cybersecurity software may occur in at least two ways. Some backup solutions partner with cybersecurity software providers to help enterprises better secure their endpoint devices from ransomware attacks. Others integrate cybersecurity software into their offering to scan backup data for ransomware and alert to its presence. In both cases, the cybersecurity software helps organizations detect and defeat ransomware before it detonates, which is always preferable.
3. AI and ML algorithms.
   Using AI or ML, each scans production and/or backup data and looks for abnormal change rates or unexpected changes to it. Detecting these changes can help alert enterprises to the possible presence of ransomware in their environment. Of the 3 next-gen technologies discussed here, this one is perhaps the most immature. Currently, it cannot conclusively determine if ransomware resides in the data. Expect significant advancement in this technology in the years to come. For example, it may more tightly integrate with cybersecurity software to better determine if suspicious data does, in fact, contain ransomware.

Prevention is Better Than Cure
As organizations evaluate backup solutions in the context of defeating ransomware attacks, remember no backup solution provides a 100% guarantee. However, the more legacy and next-gen techniques that your backup solution offers to detect, prevent, and recover from ransomware attacks, the better. Collectively, they increased your odds that your organization will successfully respond to an attack if and when one occurs