Compromised backup servers can thwart efforts to restore damage done by ransomware and give attackers the chance to extort payments in exchange for keeping sensitive stolen data secret. Credit: The Lightwriter / Getty Images Backup and recovery systems are at risk for two types of ransomware attacks: encryption and exfiltration – and most on-premises backup servers are wide open to both. This makes backup systems themselves the primary target of some ransomware groups, and warrants special attention. Hackers understand that backup servers are often under-protected and administered by junior personnel that are less well versed in information security. And it seems no one wants to do something about it lest they become the new backup expert responsible for the server. This is an age-old problem that can allow backup systems to pass under the radar of sound processes that protect most servers. It should be just the opposite. Backup server should be the most updated and secure systems in the data center. They should be the hardest to login to as Administrator or root. And they should require jumping through the most hoops to login remotely. An important role backup servers play is providing the means to recover from a ransomware attack without paying the ransom. They contain the data needed to rebuild the machines that have been encrypted by the ransomware, so ransomware groups try to encrypt the backups, too. The saddest line in any ransomware story is, “and the backups were also encrypted.” They are your last line of defense, and you must hold the line. That’s the traditional ransomware attack, but data exfiltration is fast becoming a primary motivation for ransomware attackers who target backup servers. If bad actors can exfiltrate and decrypt your company’s secrets via the backup server, they can extort you in a way that you cannot defend against: “Pay up or your company’s most important (or worst) secrets will become public knowledge.” Then they give you access to a web page where you can see the data they have, and your organization has little choice but to pay the ransom and hope they keep their promise. This strategy makes sense for ransomware groups. It’s easier to go after the one server that definitely holds all of an organization’s sensitive data than to successfully attack many servers that may hold some sensitive data. Following this logic, once a piece of malware gets into your data center, it immediately contacts its command-and-control server to find out what it should do next. Increasingly, the next step is to identify what type of backup system is being used and once they figure that out, to begin directly attacking that system. The attackers might try to directly access your backup data over the network via NFS or SMB, and if they can—and it’s unencrypted—their job is done. If they can’t, they go directly at the operating system of the backup server using a system exploit or compromised credentials to gain Administrator/root access. Gaining access to the machine key used for basic encryption gives them the keys to the backup kingdom, and all bets are off. The best way to defend against this scenario is to keep ransomware organizations from compromising your backup servers. Here’s how: Keep OS and application patches up to date Shut off all inbound ports except those required by backup software Enable necessary management ports (e.g. SSH, RDP) via a private VPN Use a local host file to prevent malware from contacting command-and-control servers Maintain a separate password-management system for backup and application servers (i.e. no LDAP) Enforce the use of multi-factor authentication Limit the use of root/Administrator; set off alarms when you do Use SaaS backup as an alternative to managing your own backup server Use least privilege wherever possible, giving each person privileges they need to do their job and nothing more To protect the backup data itself from extortion or encryption, you should configure your backup system like this: Encrypt all backup data wherever it is stored Use third parties to manage encryption keys Do not store backups as files via DAS or NAS. Ask your vendor for more secure methods. Store backups on a different operating system than your backup server. Use on-premises storage with immutable features (e.g. Linux) Create a copy on tape/RDX and send it offsite Create a copy on immutable cloud storage. This will be a lot of work for most environments but worth it if you recognize how much danger your backup server is in. Related content analysis Beware the gap between security readiness and confidence levels, Cisco warns Companies need greater network segmentation, sandboxes, firewalls, and anomaly detection to fight attackers, according to Cisco's 2024 Cybersecurity Readiness Index. By Michael Cooney Mar 27, 2024 6 mins SASE Network Security Networking analysis Cisco: AI tools, better workspaces would boost in-office appeal Office environments need to change to foster collaboration, and employers need to close the AI skills gap, Cisco reports in its hybrid work study. By Michael Cooney Mar 27, 2024 3 mins Generative AI Careers Networking news HPE Aruba adds genAI search tools to network management platform HPE Aruba is using proprietary LLMs to better understand questions posed in its Networking Central platform and generate more accurate, detailed responses. By Michael Cooney Mar 26, 2024 2 mins Generative AI Data Center Management Network Management Software brandpost Sponsored by HPE Aruba Networking EdgeConnect SD-WAN with SWG: building a SASE foundation By Gabriel Gomane Mar 25, 2024 7 mins SD-WAN PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe