Compromised backup servers can thwart efforts to restore damage done by ransomware and give attackers the chance to extort payments in exchange for keeping sensitive stolen data secret. Credit: The Lightwriter / Getty Images Backup and recovery systems are at risk for two types of ransomware attacks: encryption and exfiltration – and most on-premises backup servers are wide open to both. This makes backup systems themselves the primary target of some ransomware groups, and warrants special attention. Hackers understand that backup servers are often under-protected and administered by junior personnel that are less well versed in information security. And it seems no one wants to do something about it lest they become the new backup expert responsible for the server. This is an age-old problem that can allow backup systems to pass under the radar of sound processes that protect most servers. It should be just the opposite. Backup server should be the most updated and secure systems in the data center. They should be the hardest to login to as Administrator or root. And they should require jumping through the most hoops to login remotely. An important role backup servers play is providing the means to recover from a ransomware attack without paying the ransom. They contain the data needed to rebuild the machines that have been encrypted by the ransomware, so ransomware groups try to encrypt the backups, too. The saddest line in any ransomware story is, “and the backups were also encrypted.” They are your last line of defense, and you must hold the line. That’s the traditional ransomware attack, but data exfiltration is fast becoming a primary motivation for ransomware attackers who target backup servers. If bad actors can exfiltrate and decrypt your company’s secrets via the backup server, they can extort you in a way that you cannot defend against: “Pay up or your company’s most important (or worst) secrets will become public knowledge.” Then they give you access to a web page where you can see the data they have, and your organization has little choice but to pay the ransom and hope they keep their promise. This strategy makes sense for ransomware groups. It’s easier to go after the one server that definitely holds all of an organization’s sensitive data than to successfully attack many servers that may hold some sensitive data. Following this logic, once a piece of malware gets into your data center, it immediately contacts its command-and-control server to find out what it should do next. Increasingly, the next step is to identify what type of backup system is being used and once they figure that out, to begin directly attacking that system. The attackers might try to directly access your backup data over the network via NFS or SMB, and if they can—and it’s unencrypted—their job is done. If they can’t, they go directly at the operating system of the backup server using a system exploit or compromised credentials to gain Administrator/root access. Gaining access to the machine key used for basic encryption gives them the keys to the backup kingdom, and all bets are off. The best way to defend against this scenario is to keep ransomware organizations from compromising your backup servers. Here’s how: Keep OS and application patches up to date Shut off all inbound ports except those required by backup software Enable necessary management ports (e.g. SSH, RDP) via a private VPN Use a local host file to prevent malware from contacting command-and-control servers Maintain a separate password-management system for backup and application servers (i.e. no LDAP) Enforce the use of multi-factor authentication Limit the use of root/Administrator; set off alarms when you do Use SaaS backup as an alternative to managing your own backup server Use least privilege wherever possible, giving each person privileges they need to do their job and nothing more To protect the backup data itself from extortion or encryption, you should configure your backup system like this: Encrypt all backup data wherever it is stored Use third parties to manage encryption keys Do not store backups as files via DAS or NAS. Ask your vendor for more secure methods. Store backups on a different operating system than your backup server. Use on-premises storage with immutable features (e.g. Linux) Create a copy on tape/RDX and send it offsite Create a copy on immutable cloud storage. This will be a lot of work for most environments but worth it if you recognize how much danger your backup server is in. Related content analysis At RSA, Cisco unveils Splunk integrations, Hypershield upgrades At RSA Conference 2024, Cisco announced plans to integrate its XDR platform and Splunk’s SIEM, bolster its Hypershield AI-native security architecture, and add to its Duo access-protection software. By Michael Cooney May 06, 2024 5 mins Network Management Software Network Security Networking how-to Download our Zero Trust network access (ZTNA) enterprise buyer’s guide From the editors of Network World, this enterprise buyer’s guide helps network and security IT staff understand what ZTNA can do for their organizations and how to choose the right solution. By Josh Fruhlinger and Steve Zurier May 06, 2024 1 min Network Security Enterprise Buyer’s Guides news Network jobs watch: Hiring, skills and certification trends What IT leaders need to know about expanding responsibilities, new titles and hot skills for network professionals and I&O teams. By Denise Dubie May 06, 2024 6 mins Careers Data Center Networking feature IBM’s bets on AI and hybrid cloud pay off Three key differentiators of IBM’s AI and cloud offerings are cross-platform automation, integration with multiple clouds, and tie-ins to IBM professional services. By Jeff Vance May 06, 2024 9 mins Hybrid Cloud Network Management Software Cloud Computing PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe