Ransomware & Backups

Ransomware was first seen in the mid 2000’s and has grown into a prevalent security threat, with TrendMicro reporting they blocked 100 million plus threats between 2015-16.

 What is Ransomeware?

Ransomware is essentially a hijack of the users of machine, that renders it unusable or operating at reduced capacity unless a payment is made. The hijacks fall into two main types of attack, a lockout screen which stops the users accessing any elements of the system until payment is made. In the second type of attack the users files are encrypted and again a ransom is demanded but this time to decrypt the files. The prevalence of these sort of attacks is unfortunately directly linked to that fact they have proved to be a highly effective business for the criminals behind them. We storage administrators have known for some time that both users and organisations data is critically important to them, now unfortunately it seems so do criminals and they are willing to cash in. ZDNet estimated based on Bitcoin transaction information that between 15 October and 18 December CryptoLocker had been used to extort $27 million from victims.


 Infection and removal

The method of infection generally takes two forms, with a machine already compromised with another form of malware triggering the attack or through email. E-mail based attacks will coerce the victim to releasing the pay load via a link or attachment, often by pretending to be from a legitimate source, e.g.click here to see your speeding fine.


In terms of removal the screen locking ransomware is generally easier to remove and can be removed using traditional malware protection products. However once users files have been encrypted this poses a significant challenge. The encryption is often based on a public and private key system, with the private key only known to the hijackers. It is generally impossible to crack these encryption keys, with the only options being to pay the ransom or restore from backup. The police and most security vendors suggest against paying the ransom since it is only fuelling the crime.

 Preventing Ransomeware

Prevention is better than cure and a multi layered approach is suggested.  This would include user education against the threats and giving users the most restrictive rights, so execution is not possible. More direct preventions methods include the use of firewalls, end user protection software and of course keeping patching levels up to date.

 Ransomeware and backups

Given that this is a data protection focused blog I wanted to look at the specific considerations around backup given that this is the predominant recovery method. It is an important consideration that the encryption type software will look to encrypt all attached local and network drives.  The behaviour of encrypting network shares can be particularly damaging to organisation and is why it is important that users are given the most restrictive rights possible so that the ransomware cannot execute.  

Considerations specific to backup are:                                  

Replication is not backup – Sometimes high availability and backup are confused.  Replication is not backup and ransomware is a good example of why not. If the primary end becomes infected, so will the target once replication is competeBear in mind this would include automatic backup to the cloud services.

Hold an offline copy of data – Whilst there have been no confirmed cases of backup software getting hit by an attack ,it is a sensible precaution to protect against a future variant by keeping a backup copy offline or at least in a separate media form.  This is in accordance with the standard good practice laid out in the 3-2-1 rule, have 3 copies of your data, 2 different types of media and one offsite copy.

RPO becomes key – With the random nature of these attacks and the potential level of destruction with multiple key file shares potentially being rendered unusable by a single users, how much data can you afford to lose? For those shares which you consider to be at greater risk perhaps due to the number of users you could consider a shorter RPO. Read this article to learn more about selecting an effective RPO and RTO.

Number of Recovery points – The number of recovery points and retention policy also needs to be considered. If you are using a simple policy of 14 days for example it is possible that an infrequently used share, such as one containing monthly finance reporting may only be noticed by a when time all the backups also contain the encrypted files.

Endpoint backup – If users save files locally to their desktop / laptop consider endpoint protection such as Mozzy or Veeam End point protection to safeguard these devices.