Thought leadership. threat analysis, news and alerts.
How to Strengthen Cloud Backups Against Ransomware
Cloud backup is an important defense against ransomware attacks. Cloud backups, however, have recently been the target by ransomware attackers.
In a ransomware attack, the computer or the data within is encrypted preventing users’ access to this computer or data. The lack of backups forces many victims to pay ransom in exchange for the decryption keys that would unlock these locked computers or locked data.
As many organizations have migrated their daily operations to the cloud, many have migrated their backups to the cloud as well. For many organizations, cloud backups have given them a false sense of security.
If not configured properly, cloud backups could easily be stolen, deleted and, in a worst-case scenario, used against your organization. The group behind the ransomware called “DoppelPaymer” recently published on their leak website the admin username and password for a Veeam user account owned by one of DoppelPaymer ransomware’s victims who refused to pay ransom.
Switzerland-based Veeam is a software company that develops cloud backup software. DoppelPaymer is the latest addition to the number of ransomware programs that establish leak websites to shame victims who refuse to pay ransom. Stolen data belonging to the victims prior to encryption are published on these leak websites.
"Cloud backups are a very good option against ransom but do not 100% protect as cloud backups are not always good configured, offline backups often outdated – the system of backups is really nice but human factor leaves some options," the group behind DoppelPaymertold Bleeping Computer.
How Cybercriminals Compromise Cloud Backups
Ransomware attackers often initially compromise victims’ computers through phishing campaigns or exposed RDP. In phishing campaigns, attackers trick victims in opening malicious emails containing malicious links or attachments. Opening these malicious links or attachments could lead to the downloading of the actual ransomware into the victims’ computers.
Exposed RDP is another gateway of ransomware attacker to the victims’ networks. RDP, short for remote desktop protocol, is a protocol developed by Microsoft that provides a user with a graphical interface to connect to another computer over a network connection. Exposed RDP, those that used weak passwords and are without multi-factor authentication, virtual private networks (VPNs), and other security measures, are targeted by cybercriminals as an initial entry point to gain access to their victims’ networks.
The group behind the ransomware called “Maze” told Bleeping Computer that cloud backups credentials are used to restore the victims’ data stored in the cloud to the servers under the group’s control. Maze ransomware started the trend among ransomware operators in establishing leak websites in order to shame victims who refuse to pay ransom.
"Yes, we download them [data stored in the cloud],” the group behind Maze ransomware told Bleeping Computer. “It is very useful. No need to search for sensitive information, it is definitely contained in backups. If backups in the cloud it is even easier, you just login to cloud and download it from your server, full invisibility to data breach detection software.”
Operators of the DoppelPaymer and Maze ransomware, however, didn’t elaborate to Bleeping Computer how they were able to gain access to their victims’ cloud backups. In the case of users using the Veeam software for cloud backups, the role of Mimikatz and configuring Veeam to use Windows authentication could have led to the compromise of these cloud backups.
Once malicious actors gain access to their victims’ networks, they systematically move through the network, for instance, via the use of Mimikatz – an open-source application that allows attackers to view and save Windows authentication credentials. These stolen Windows authentication credentials are used by the attackers in accessing cloud backups that use the Veeam software as some administrators configure Veeam to use Windows authentication.
Cybersecurity Best Practices in Securing Your Organization’s Cloud Backups
In a white paper released by Veeam, the company said that one of the best practices in securing your organization’s cloud backups is through the use of different credentials for cloud backups. “One of the key characteristics of ransomware is its ability to propagate,” Veeam said. “By using different credentials within the Veeam infrastructure, we can introduce more resiliency by limiting propagation from other operating systems on the network. The best, broadest recommendation is to have at least two credential mechanisms in use. That can include both Windows and Linux accounts, Windows and Veeam Cloud Connect, etc.”
It’s also important to follow the time-tested 3-2-1 rule:
3: Keep 3 copies of any important file: 1 primary and 2 backups.
2: Keep the files on 2 different media types to protect against different types of hazards.
1: Store 1 copy offsite (for example, cloud backup).
Following the 3-2-1 rule, aside from cloud backup, it’s also important to keep a backup on-premise or on-site. This on-premise backup must be kept offline to ward off ransomware attackers. Aside from attacking cloud backups, ransomware attackers have targeted on-premise backups exposed to the internet.
In the past few months, ransomware attackers have targeted Network Attached Storage (NAS) devices. NAS is a storage and backup system that consists of one or more hard drives.
To gain access to NAS devices, attackers use brute force attack, that is, guessing through trial-and-error the correct username and password combination. To gain access to NAS devices, attackers also exploit security vulnerabilities that remained unpatched either through an absence of a vendor’s security update or failure of a NAS device user in installing in a timely manner the vendor’s available security update.
When you need help securing your cloud backups and applications against ransomware attacks, our experts are here to help. Get in touch with us today and protect your valuable assets.
Steve E. Driz, I.S.P., ITCP