Modern ransomware attacks have evolved significantly, displaying greater sophistication not only in their methods of attack but also in their choice of targets. The majority of today's attacks seek to steal sensitive data and weaponize it against the victim, threatening to publish it if the ransom is not paid. This shift in monetization strategy away from the pay-to-decrypt model means that backup data, once the solution to the ransomware threat, is now one of a company's greatest vulnerabilities. Data backups not only contain a trove of sensitive and historical information that would be damaging to any organization if leaked; attacking them also strips the victim of its last line of defense, wreaking the most havoc on the organization.
For these reasons, hackers target backup systems first in 94% of cases. And with growing data volumes, IT teams are finding it difficult to maintain a secure environment. Compounding this threat is the often unspoken truth that most backup repositories lack security measures to protect the data held within, such as early threat detection, attack blocking and anti-theft controls.
To understand how ransomware attacks data backups, let's look at the ways in which it breaks in:
7 Common Threats to Data Backups
1. Vulnerabilities and Exploits: The most common entry point is via the file-sharing protocols NFS or SMB. If this doesn't work, attackers may look for known exploits (CVEs) or common misconfigurations directly on the operating system of the backup server.
2. Phishing and Social Engineering: Ransomware attackers often use phishing emails to trick employees or administrators into clicking on malicious links or downloading infected attachments. These phishing emails can contain malware that spreads to the backup server once a user falls for the attack.
3. Credential Theft: Attackers may use techniques like keyloggers or credential-stealing malware to capture login credentials of backup server administrators. With these credentials, they can disable security controls and gain unauthorized access to manipulate, copy, or delete backup data.
4. Remote Desktop Protocol (RDP) Attacks: If a backup server is exposed to the internet and protected by weak or default passwords, attackers can use brute force or credential stuffing attacks to gain remote access.
5. Supply Chain Attacks: Ransomware operators might compromise software vendors or service providers that have access to backup systems. They can then inject malware or manipulate backups through these trusted channels.
6. Lateral Movement: In some cases, attackers may first compromise a less secure system within the network and then use it as a pivot point to move laterally to the backup server. Once they gain access to the backup server, they can encrypt, steal, or delete the backups.
7. Insider Threats: Malicious insiders with access to backup servers can intentionally delete or encrypt backup data as part of a ransomware attack. Insiders may be motivated by financial gain or other personal reasons.
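Several of the threats above (brute-force or credential-stuffing logins, stolen administrator credentials, and insiders deleting or encrypting backups) leave the same traces in a backup server's authentication and audit logs, which is exactly the early threat detection the text says most repositories lack. The script below is an added example, not code from the original post or from any product it mentions: it runs two sliding-window checks over a handful of constructed log lines, flagging a burst of failed logins from one source (and a success that follows it), and a burst of backup deletions or retention changes by one account. The log format, event names, thresholds and sample lines are all assumptions made for illustration.

```python
"""Sliding-window detection of backup-server abuse over constructed audit logs.

Assumed line format (constructed for this example, not a real product's format):
    <ISO timestamp> <EVENT> key=value key=value ...
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are illustrative; tune them to the real login and job volume.
FAIL_THRESHOLD = 5                          # failed logins from one source ...
FAIL_WINDOW = timedelta(seconds=60)         # ... within this window
DESTRUCTIVE_THRESHOLD = 3                   # deletes/retention changes by one account ...
DESTRUCTIVE_WINDOW = timedelta(minutes=10)  # ... within this window
DESTRUCTIVE_EVENTS = {"BACKUP_DELETE", "RETENTION_CHANGE"}

# Constructed sample log (not real data): a password-guessing burst from one
# address, a successful login right after it, then the retention policy being
# zeroed and three backup jobs deleted. The 09:xx lines are normal admin work.
SAMPLE_LOG = """\
2024-03-01T02:00:01 LOGIN_FAIL user=administrator src=203.0.113.7
2024-03-01T02:00:03 LOGIN_FAIL user=administrator src=203.0.113.7
2024-03-01T02:00:04 LOGIN_FAIL user=backupadmin src=203.0.113.7
2024-03-01T02:00:06 LOGIN_FAIL user=admin src=203.0.113.7
2024-03-01T02:00:08 LOGIN_FAIL user=root src=203.0.113.7
2024-03-01T02:00:09 LOGIN_OK user=backupadmin src=203.0.113.7
2024-03-01T02:01:10 RETENTION_CHANGE user=backupadmin src=203.0.113.7 policy=daily days=0
2024-03-01T02:01:12 BACKUP_DELETE user=backupadmin src=203.0.113.7 job=fileserver-daily
2024-03-01T02:01:13 BACKUP_DELETE user=backupadmin src=203.0.113.7 job=db-daily
2024-03-01T02:01:14 BACKUP_DELETE user=backupadmin src=203.0.113.7 job=mail-daily
2024-03-01T09:15:00 LOGIN_OK user=backupadmin src=10.0.5.20
2024-03-01T09:20:00 BACKUP_DELETE user=backupadmin src=10.0.5.20 job=test-weekly
"""


def parse_line(line):
    """Parse one log line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    event = {"ts": ts, "event": parts[1]}
    for kv in parts[2:]:
        key, sep, value = kv.partition("=")
        if sep:
            event[key] = value
    return event


def _prune(history, now, window):
    """Drop timestamps older than `window` from the left of a deque."""
    while history and now - history[0] > window:
        history.popleft()


def detect(log_text):
    """Return a list of (alert_kind, subject, timestamp) tuples, in log order."""
    alerts = []
    fails_by_src = defaultdict(deque)        # source IP -> recent LOGIN_FAIL times
    destructive_by_user = defaultdict(deque)  # account -> recent destructive events
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        kind, ts = ev["event"], ev["ts"]
        src, user = ev.get("src", "?"), ev.get("user", "?")
        if kind == "LOGIN_FAIL":
            hist = fails_by_src[src]
            hist.append(ts)
            _prune(hist, ts, FAIL_WINDOW)
            if len(hist) == FAIL_THRESHOLD:  # alert once per burst, not per extra failure
                alerts.append(("BRUTE_FORCE", src, ts))
        elif kind == "LOGIN_OK":
            hist = fails_by_src[src]
            _prune(hist, ts, FAIL_WINDOW)
            if len(hist) >= FAIL_THRESHOLD:  # a success on the heels of a burst
                alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", f"{user}@{src}", ts))
        elif kind in DESTRUCTIVE_EVENTS:
            if kind == "RETENTION_CHANGE" and ev.get("days") == "0":
                alerts.append(("RETENTION_ZEROED", user, ts))  # single event is enough
            hist = destructive_by_user[user]
            hist.append(ts)
            _prune(hist, ts, DESTRUCTIVE_WINDOW)
            if len(hist) == DESTRUCTIVE_THRESHOLD:
                alerts.append(("BULK_BACKUP_DESTRUCTION", user, ts))
    return alerts


if __name__ == "__main__":
    for kind, subject, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {kind:<28} {subject}")
```

The two checks are deliberately independent: the login burst would be caught even if the attacker never touched a backup, and the destruction burst would be caught even if the credentials were stolen elsewhere and the login looked clean. In practice the alert stream would feed a SIEM or an immediate block of the source address; the same approach applies to any backup product whose audit events can be mapped onto the login and delete/retention event names assumed here.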
Modern Cyber Vaulting
Backup security controls such as encryption and immutability are increasingly being compromised as attacks grow in sophistication. Modern cyber vaulting is an approach to storing and securing backups that addresses these vulnerabilities and allows the use of technologies like cloud object storage. One emerging approach to cyber vaulting is the Data Harbor, popular for its performance and flexibility. Unlike traditional tape or air-gapped solutions, data held within the Data Harbor remains fully accessible, even during an attack. By eliminating downtime and speeding up recovery, the Data Harbor offers a fully automated, scalable solution that simplifies operations while keeping costs low and predictable, no matter how the attack vectors shift.
Ready to learn more about protecting backups against today’s toughest ransomware? Check out the ultimate guide to securing backups here: