January 13, 2021

What is the value of immutable backup storage in ransomware recovery?

A number of vendors have recently started touting an “airgap” storage capability in backup storage, typically using AWS S3 WORM or immutable object storage classes. The immutable setting in S3 means that the stored backups cannot be corrupted by the malware implementing the attack. Has this scenario actually occurred in any of the known ransomware attacks? It has been my impression that organizations which have been impacted the worst have had the issue because they were not running backups properly; or, in other cases, they ran backups, but had limited retention periods. In the latter case, the malware infected systems and then lay dormant, waiting out the backup retention before encrypting systems storage. In this case, any system recovered from backup still has the malware in the restored image and immediately attacks on recovery. In any event, the airgap solutions seem to be based on the assumption that malware is infiltrating the backup systems themselves and modifying or deleting the good backups. Are there any documented cases where this has happened? Are these “airgap” solutions marketing to a problem that has actually occurred? Or is it merely speculative marketing for a problem or attack vector that might happen in the future if you don’t protect against it?

Comments

madmadG

That’s like saying “what’s the value of your business”. Your data is the lifeblood.

Yes, there have been attacks that destroyed backups. https://krebsonsecurity.com/tag/john-senchak/

Yes, there is ransomware that attacks backup copies. Ryuk is one of those. You need to protect the backup architecture using 1. an air gap, 2. an immutable copy.

Remember – most attacks are detected 6 months after original entry into the network which means you may have been backing up ransomware.

Your backup environment could be storing copies of ransomware. Therefore you also need to protect yourself from the backup architecture. That is, you need anomaly detection within the backups and scanning performed on backups before you restore data.

Finally, all this needs to be practiced and rehearsed as part of end-to-end DR testing, because it is a “disaster” event.
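To make the S3 immutability setting raised in the question and the six-month dwell time cited in the comment concrete, here is an added audit check (not from the original post, the commenter, or any vendor) that inspects an S3 Object Lock configuration in the dict shape boto3's get_object_lock_configuration() returns and flags a retention window a dormant intruder could outwait; the sample configurations and the 180-day dwell / 30-day restore assumptions are constructed, and no AWS call is made.

```python
"""Audit an S3 Object Lock configuration for ransomware-resilient backups."""
from dataclasses import dataclass, field

# Assumed worst-case attacker dwell time before detection (the comment above
# cites roughly six months) plus time to notice the event and start restoring.
ASSUMED_DWELL_DAYS = 180
RESTORE_WINDOW_DAYS = 30


@dataclass
class LockAudit:
    protected: bool
    retention_days: int
    findings: list = field(default_factory=list)


def retention_in_days(rule: dict) -> int:
    """Object Lock default retention is expressed in either Days or Years."""
    default = rule.get("DefaultRetention", {})
    return int(default.get("Days", 0)) + 365 * int(default.get("Years", 0))


def audit_object_lock(config: dict,
                      min_days: int = ASSUMED_DWELL_DAYS + RESTORE_WINDOW_DAYS) -> LockAudit:
    """Return findings for a get_object_lock_configuration()-shaped dict."""
    lock = config.get("ObjectLockConfiguration", {})
    findings = []
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock not enabled; backup objects can be deleted or overwritten")
        return LockAudit(False, 0, findings)
    rule = lock.get("Rule", {})
    days = retention_in_days(rule)
    mode = rule.get("DefaultRetention", {}).get("Mode")
    if days == 0:
        findings.append("no default retention rule; every object must be locked explicitly")
    if mode == "GOVERNANCE":
        # GOVERNANCE can be lifted by any principal allowed s3:BypassGovernanceRetention,
        # so a compromised admin credential defeats it; COMPLIANCE cannot be shortened.
        findings.append("GOVERNANCE mode is bypassable by privileged principals; prefer COMPLIANCE")
    if 0 < days < min_days:
        findings.append(f"retention {days}d is below the {min_days}d dwell+restore window; a dormant intruder could outwait it")
    return LockAudit(not findings, days, findings)


# Constructed sample configurations (same shape as the boto3 response)
WEAK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
STRONG = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
          "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}}}}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("strong", STRONG)):
        r = audit_object_lock(cfg)
        print(name, "protected" if r.protected else "NOT protected", r.findings)
```

This covers only the deletion-or-overwrite vector the question asks about; the comment's point that the backups may themselves contain dormant malware still requires scanning before restore.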
