Ransomware attacks target backup systems, compromising the company ‘insurance policy’

Published 16 December 2020
Source: SC Magazine

The success of ransomware is reliant on whether or not the target organization has patched its devices properly.

Daniel Norman, Senior Solutions Analyst at the ISF

Before Clay Heuckendorf and members of his team could even hazard a guess as to why some of a client’s backup data was missing, bad actors launched a ransomware attack right before their eyes.

“The ransomware attack started while we were sitting there, observing,” says Heuckendorf, senior architect at Insight Enterprises, which bills itself as modernizing and securing critical platforms and transforming IT for its customers.

The timing was coincidental – and fortuitous. Heuckendorf’s team was onsite to discuss a separate solution they were building for the company when the client brought up anomalies with its backup data. It was the first time Heuckendorf had seen an attack on data protection systems – but it would not be the last. In short order, another client reported missing and corrupted backup data followed by a ransomware attack.

In both cases, the organizations hit “said the backups were the first one to go,” said Heuckendorf. “We looked at each other and said, ‘tell us more.’”

The attackers, as he discovered, had deleted their clients’ backup images and activated ransomware in servers, playing a very thorough long game. In at least one case, “malicious software had been sitting out there for six months and they put a key logger in place,” he said. “They targeted arrays first and then went in and attacked.”

Backup attacks typically wipe away an organization’s backup infrastructure and storage snapshots before locking and encrypting file systems, preventing the recovery of backup data, thereby giving bad actors the leverage to coerce a company into paying ransom.

The effects of ransomware attacks aimed at backup, though, can be devastating, and not just because they could coax ransom payment from an organization that typically wouldn’t be inclined to do so.

Backup attacks, too, can offer attackers broad access and the opportunity to spread their malign activities throughout an organization. For instance, if different backup systems are connected, Kelley pointed out, attackers can reach across business systems.

Other basic hygiene can also help fend off ransomware attacks on backup. “The success of ransomware is reliant on whether or not the target organization has patched its devices properly. Therefore, having all systems patched and current is a minimum for security,” said Daniel Norman, senior solutions analyst at the Information Security Forum. “Also, a strong antivirus and antispam solution should be able to frequently scan devices for malware.”

“An organization ought to have an incident response or crisis management plan for ransomware events, knowing who to contact and what to do,” Norman added. “This should be regularly rehearsed so that if ransomware hits, the organization can recover quickly.”