The Driz Group

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

3/7/2020


How to Strengthen Cloud Backups Against Ransomware

 

Cloud backup is an important defense against ransomware attacks. Cloud backups, however, have recently been targeted by ransomware attackers.

In a ransomware attack, the computer or the data within it is encrypted, preventing users from accessing that computer or data. The lack of backups forces many victims to pay a ransom in exchange for the decryption keys that would unlock the locked computers or data.

Cloud Backups

As many organizations have migrated their daily operations to the cloud, many have migrated their backups to the cloud as well. For many organizations, cloud backups have given them a false sense of security.

If not configured properly, cloud backups could easily be stolen, deleted and, in a worst-case scenario, used against your organization. The group behind the ransomware called “DoppelPaymer” recently published on their leak website the admin username and password for a Veeam user account owned by one of DoppelPaymer ransomware’s victims who refused to pay ransom.

Switzerland-based Veeam is a software company that develops cloud backup software. DoppelPaymer is the latest addition to the number of ransomware programs that establish leak websites to shame victims who refuse to pay ransom. Data stolen from the victims prior to encryption is published on these leak websites.

"Cloud backups are a very good option against ransom but do not 100% protect as cloud backups are not always good configured, offline backups often outdated – the system of backups is really nice but human factor leaves some options," the group behind DoppelPaymer told Bleeping Computer.

How Cybercriminals Compromise Cloud Backups

Ransomware attackers often initially compromise victims’ computers through phishing campaigns or exposed RDP. In phishing campaigns, attackers trick victims into opening malicious emails containing malicious links or attachments. Opening these links or attachments could lead to the actual ransomware being downloaded onto the victims’ computers.

Exposed RDP is another gateway for ransomware attackers into victims’ networks. RDP, short for remote desktop protocol, is a protocol developed by Microsoft that provides a user with a graphical interface to connect to another computer over a network connection. Exposed RDP endpoints, those that use weak passwords and lack multi-factor authentication, virtual private networks (VPNs), and other security measures, are targeted by cybercriminals as an initial entry point into their victims’ networks.

The group behind the ransomware called “Maze” told Bleeping Computer that cloud backup credentials are used to restore the victims’ data stored in the cloud to servers under the group’s control. Maze ransomware started the trend among ransomware operators of establishing leak websites in order to shame victims who refuse to pay ransom.

"Yes, we download them [data stored in the cloud],” the group behind Maze ransomware told Bleeping Computer. “It is very useful. No need to search for sensitive information, it is definitely contained in backups. If backups in the cloud it is even easier, you just login to cloud and download it from your server, full invisibility to data breach detection software.”

Operators of the DoppelPaymer and Maze ransomware, however, didn’t elaborate to Bleeping Computer on how they were able to gain access to their victims’ cloud backups. In the case of users using the Veeam software for cloud backups, the use of Mimikatz, together with Veeam being configured to use Windows authentication, could have led to the compromise of these cloud backups.

Once malicious actors gain access to their victims’ networks, they systematically move through the network, for instance, via the use of Mimikatz – an open-source application that allows attackers to view and save Windows authentication credentials. Because some administrators configure Veeam to use Windows authentication, the attackers can use these stolen Windows credentials to access cloud backups managed with the Veeam software.

Cybersecurity Best Practices in Securing Your Organization’s Cloud Backups

In a white paper released by Veeam, the company said that one of the best practices for securing your organization’s cloud backups is to use different credentials for cloud backups. “One of the key characteristics of ransomware is its ability to propagate,” Veeam said. “By using different credentials within the Veeam infrastructure, we can introduce more resiliency by limiting propagation from other operating systems on the network. The best, broadest recommendation is to have at least two credential mechanisms in use. That can include both Windows and Linux accounts, Windows and Veeam Cloud Connect, etc.”

It’s also important to follow the time-tested 3-2-1 rule:

3: Keep 3 copies of any important file: 1 primary and 2 backups.

2: Keep the files on 2 different media types to protect against different types of hazards.

1: Store 1 copy offsite (for example, cloud backup).

Following the 3-2-1 rule, aside from cloud backup, it’s also important to keep a backup on-premise or on-site. This on-premise backup must be kept offline to ward off ransomware attackers. Aside from attacking cloud backups, ransomware attackers have targeted on-premise backups exposed to the internet.
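The 3-2-1 rule, the offline on-site copy and the separate-credentials advice above can be checked mechanically against a backup inventory. The following is an added example, not code from this post or from Veeam; the `Copy` fields, the realm labels such as `windows-ad`, and both sample plans are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    name: str
    role: str        # "primary" or "backup"
    media: str       # e.g. "disk", "tape", "object-storage"
    offsite: bool    # stored away from the primary site (e.g. cloud)
    offline: bool    # not reachable from the production network
    auth_realm: str  # credential mechanism that guards this copy

def audit(copies, production_realm="windows-ad"):
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    backups = [c for c in copies if c.role == "backup"]
    if len(copies) < 3 or len(backups) < 2:
        findings.append("3: need 1 primary and at least 2 backups")
    if len({c.media for c in copies}) < 2:
        findings.append("2: all copies sit on one media type")
    if not any(c.offsite for c in backups):
        findings.append("1: no backup is stored offsite")
    if not any(c.offline and not c.offsite for c in backups):
        findings.append("offline: no on-site backup is kept offline")
    # A reachable backup guarded by the same logins as production falls
    # as soon as those logins are stolen from a compromised workstation.
    shared = [c.name for c in backups
              if not c.offline and c.auth_realm == production_realm]
    if shared:
        findings.append("credentials: reachable backups reuse production "
                        "logins: " + ", ".join(shared))
    return findings

# Constructed sample: every copy is online and trusts the Windows domain.
WEAK = [
    Copy("file-server", "primary", "disk", False, False, "windows-ad"),
    Copy("nas-share", "backup", "disk", False, False, "windows-ad"),
    Copy("cloud-repo", "backup", "object-storage", True, False, "windows-ad"),
]
# Constructed sample: offline on-site tape, cloud copy with its own login.
HARDENED = [
    Copy("file-server", "primary", "disk", False, False, "windows-ad"),
    Copy("rotated-tape", "backup", "tape", False, True, "physical-custody"),
    Copy("cloud-repo", "backup", "object-storage", True, False, "cloud-connect"),
]

if __name__ == "__main__":
    for label, plan in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(plan) or "passes")
```

The weak plan satisfies the three numeric parts of 3-2-1 yet still fails, because both backups are online and share the production credential realm.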

In the past few months, ransomware attackers have targeted Network Attached Storage (NAS) devices. NAS is a storage and backup system that consists of one or more hard drives.

To gain access to NAS devices, attackers use brute-force attacks, that is, guessing the correct username and password combination through trial and error. Attackers also exploit security vulnerabilities that remain unpatched, either because the vendor has not issued a security update or because the NAS device user has not installed the vendor’s available security update in a timely manner.

When you need help securing your cloud backups and applications against ransomware attacks, our experts are here to help. Get in touch with us today and protect your valuable assets.


    Author

    Steve E. Driz, I.S.P., ITCP

© 2023 Driz Group Inc. All rights reserved.
Photo used under Creative Commons from GotCredit