Despite a recent decline in attacks, ransomware still poses significant threats to enterprises, as the attacks against healthcare organizations demonstrated this month. In particular, ransomware writers are aware that backups are an effective defense and are modifying their malware to track down and eliminate the backups.

Ransomware will now delete any backups it happens to come across along the way, says Adam Kujawa, head of malware intelligence at Malwarebytes. For example, a common tactic for ransomware is to delete automatic copies of files that Windows creates. "So, if you go to system restore, you can't revert back," he said. "We've also seen them reach out to shared network drives."

Two well-known examples of ransomware that has backups in its sights are SamSam and Ryuk. In November, the US Department of Justice indicted two Iranians for using the SamSam malware to extort more than $30 million from over 200 victims, including hospitals. Attackers maximized the damage by launching attacks outside regular business hours and by "encrypting backups of the victims' computers," said the indictment. Ryuk hit several high-profile targets, including the Los Angeles Times and cloud hosting provider Data Resolution. According to security researchers at Check Point, Ryuk includes a script that deletes shadow volumes and backup files.

"While this particular variant of malware does not specifically target backups, it does put more simplistic backup solutions – ones that result in data residing on file shares – at risk," says Brian Downey, senior director of product management at Continuum, a Boston-based technology company that offers backup and recovery services.

The most common form of these automatic Windows copies is a feature called Previous Versions, says Mounir Hahad, head of threat research at Juniper Networks. It allows users to restore earlier versions of files. "Most ransomware variants delete shadow copy snapshots," he says, adding that most ransomware attacks will also attack backups on mapped network drives.

Ransomware attacks on backups opportunistic, not targeted

When ransomware goes after backups, it's usually opportunistic, not deliberate, says David Lavinder, chief technologist at Booz Allen Hamilton. Depending on the ransomware, it typically operates by crawling a system looking for particular file types. "If it encounters a backup file extension, it will most certainly encrypt it," he says. Ransomware also tries to spread, to infect as many other systems as possible, he says. This kind of worming capability, as with WannaCry, is where he expects to see more activity in the future. "We do not expect to see any deliberate targeting of backups, but we do expect to see a more focused effort on lateral movement," he says.

You can protect your backups and systems from these new ransomware tactics by taking a few basic precautions.

Supplement Windows backups with additional copies and third-party tools

To defend against ransomware that deletes or encrypts local backups of files, Kujawa suggests using additional backups, third-party utilities or other tools that aren't part of the default Windows configuration. "If it doesn't do things the same way, the malware won't know where to delete the backups," he says. "If your employees get infected with something, they can wipe it and. The more barriers there are between an infected system and its backups, the harder it will be for the ransomware to get to it.

One common mistake is when users have the same authentication method for their backups as they use elsewhere, says Landon Lewis, CEO at Pondurance, an Indianapolis-based cybersecurity services firm.
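Because the shadow-copy deletion described above is a behaviour defenders can watch for, here is an added detection example (not code from the article or from any vendor quoted in it). It scans constructed process-creation log lines in a simple key=value form that mimics Sysmon Event ID 1 fields (an assumption about the log format; the data is invented) and flags the built-in Windows utilities ransomware commonly abuses to remove or shrink shadow-copy storage, rating an event higher when the parent process lives outside the Windows directory.

```python
import re
from typing import Dict, List

# Constructed sample log: one process-creation event per line, Sysmon-like field names.
SAMPLE_LOG = """\
EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet" ParentImage=C:\\Users\\jdoe\\invoice.exe
EventID=1 Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic shadowcopy delete" ParentImage=C:\\Windows\\System32\\cmd.exe
EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin list shadows" ParentImage=C:\\Windows\\System32\\cmd.exe
EventID=1 Image=C:\\Windows\\System32\\wbadmin.exe CommandLine="wbadmin delete catalog -quiet" ParentImage=C:\\Windows\\System32\\cmd.exe
EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB" ParentImage=C:\\Windows\\System32\\cmd.exe
EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe report.txt" ParentImage=C:\\Windows\\explorer.exe
"""

# Detection rules: (rule name, case-insensitive pattern over the command line).
# Listing shadows is benign, so only destructive verbs are matched.
RULES = [
    ("vss_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_resize_storage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]

# key=value or key="quoted value with spaces"
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a field dictionary, unquoting quoted values."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def severity(parent_image: str) -> str:
    """Shadow-copy tampering spawned by a non-system parent (e.g. a binary in a user
    profile) is a stronger ransomware indicator than the same command from an admin shell."""
    return "medium" if parent_image.lower().startswith("c:\\windows\\") else "high"


def detect_backup_tampering(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per process-creation event whose command line matches a rule."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("EventID") != "1":
            continue
        cmd = ev.get("CommandLine", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                parent = ev.get("ParentImage", "")
                alerts.append({"rule": name, "command": cmd, "parent": parent,
                               "severity": severity(parent)})
                break
    return alerts
```

In a real deployment the same rules would run over the SIEM's process-creation events, and the "high" case is the one worth paging on because it pairs a backup-destroying command with an unexpected parent.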