Ransomware Secure Backup Strategy
Reading time: 5 min
We provide you with information about ransomware attacks, the attackers behind them and the consequences for their victims. From this we derive the requirements for a ransomware-secure backup strategy and show how you can implement them with BorgBackup to protect yourself as well as possible against an attack.
Ransomware is currently a real, serious threat […] which can also attract a lot of media attention. The probability that your company/agency will also be hit is currently high and realistic – BSI Catalogue of Measures for Ransomware.
What is ransomware and what are the consequences of an attack?
Malware is generally called ransomware when it restricts the availability of data or systems or blocks it entirely. To do this, the data is usually encrypted with a strong cipher that cannot be broken in practice. The victim is promised the key to decrypt the data only in return for a ransom; without this key the data cannot be decrypted, and if no backup exists it is lost for good. The resulting data loss and the production downtime caused by the attack can threaten the existence of the affected company.
A backup is the most important protective measure to ensure data availability and a quick resumption of operations in the event of a ransomware incident – BSI Catalogue of Measures for Ransomware.
Who are the attackers and who are their victims?
In recent years, the ransomware scene has become increasingly professional. Ransomware developers use ever more advanced attack methods, and the group of potential victims has changed as well. The first generations of ransomware encrypted individual computers at random and demanded a flat ransom. Today there are several well-known ransomware groups, such as REvil, that have drawn a lot of media attention through attacks on prominent companies. These groups deliberately target businesses with the aim of paralyzing the operations of the entire company.
What does a typical attack look like?
First, the attackers try to gain access to the victim's network, mainly through sophisticated social-engineering methods via e-mail. One current method is to stage a fake conversation between several participants and put the victim in CC of the respective e-mails. The conversation is meant to convince the victim that the correspondents are real, trustworthy and credible people. In the course of the exchange the actual attack takes place, for example through a prepared Word file. Once the victim's machine has been infected, the next step is an automated attempt to take over the victim's entire network: automated tools collect information about the network and send it to the attackers. The attackers then check manually whether the victim is worthwhile, using the collected information together with, for example, publicly available financial statements. As soon as the attackers are confident that the company can pay a high ransom, they encrypt all reachable systems with the ransomware, including every backup they can access; backups that are reachable from the compromised network, or writable with credentials found on it, are destroyed along with the production data. This step often takes place several weeks after the initial infection. At the same time, the victim receives a ransom demand sized to its economic circumstances.
Requirements for a Ransomware Secure Backup Strategy
When designing a ransomware-secure backup strategy, draw on the expertise of the BSI. Recommended here are the BSI Catalogue of Measures for Ransomware and, from the IT-Grundschutz Kompendium, the module CON.3: Data Backup Concept. Both should be consulted when creating your own data backup concept. In summary, your individual data backup concept should at least meet the following BSI requirements:
- At least one offline backup must exist that cannot be changed or deleted
- All data necessary to restore operations must be backed up
- Backups must be performed regularly, and the retained history should go back several weeks
- There must be several different and independent backups
- Backups should be stored in several different geographic locations
- Backups must be physically separated from the corporate network
- Backups must be encrypted and keys must be kept separate from backups
- Before restoring, backups must be checked for malware infection
- Backup systems must have sufficient storage capacity
- A backup must never be restored onto an infected device
- There must be a recovery concept after an attack
- Regular restore tests must confirm that the data can actually be recovered from the backup
- The backup software itself should also be backed up
Implementing the Ransomware Secure Backup Strategy with BorgBackup
Now that you know the minimum requirements for your individual backup strategy, we introduce the open source software BorgBackup. With an appropriate configuration it can meet the requirements above. Properly configured, a BorgBackup setup provides, among other things:
- Attackers who compromise a backed-up client cannot encrypt or delete existing backups (append-only repositories)
- Backups are protected against unauthorized viewing and modification (authenticated encryption)
- Backups are stored in a space-saving manner (deduplication and compression)
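The configuration that gives a BorgBackup repository these properties, and that maps onto the BSI list above, as an added example that is not code from this article or from the BorgBackup project: a server-side SSH forced command that pins the client's key to one repository in append-only mode (so a compromised client cannot delete history), a keyfile-encrypted repository whose key is exported and kept away from the backups, a scheduled `borg create`, retention applied only from an administrative host, and a restore check. The host names, paths, SSH public key and retention numbers are assumptions; with `DRY_RUN=1` the script prints the borg commands instead of running them, so the plan can be reviewed on a machine without borg.

```shell
#!/bin/sh
# Added example for this article; not code from the page or from the
# BorgBackup project. Host names, paths, the SSH public key and the
# retention numbers are assumptions chosen for illustration.
set -eu

# Assumed names: client "client1" backs up to backup.example.com as user
# "backup" into the repository /srv/borg/client1.
BACKUP_USER="backup"
BACKUP_HOST="backup.example.com"
REPO_PATH="/srv/borg/client1"
export BORG_REPO="ssh://${BACKUP_USER}@${BACKUP_HOST}${REPO_PATH}"
# The key passphrase lives in a root-only file, never on the command line.
export BORG_PASSCOMMAND="cat /etc/borg/passphrase"

# With DRY_RUN=1 every borg command is printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# --- Backup server: entry for ~backup/.ssh/authorized_keys -------------------
# Forced command: the client's key may only run "borg serve" in append-only
# mode against its own repository. Ransomware that steals this key can add
# archives but cannot delete, prune or overwrite what is already there.
authorized_keys_entry() {
    pubkey="$1"; repo="$2"
    printf 'command="borg serve --append-only --restrict-to-repository %s",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$repo" "$pubkey"
}

# --- Client: one-time repository setup ---------------------------------------
# keyfile mode stores the repository key on the client (~/.config/borg/keys),
# not inside the repository, so the backup server alone cannot read the data.
init_repo() {
    run borg init --encryption=keyfile-blake2 "$BORG_REPO"
    # Export the key and keep it, together with the passphrase, separate from
    # the backups (e.g. printed in a safe): without both, archives are unreadable.
    run borg key export "$BORG_REPO" /root/borg-key-client1.txt
}

# --- Client: scheduled backup (cron or systemd timer) ------------------------
create_backup() {
    run borg create --stats --compression zstd,3 \
        --exclude-caches --exclude '/home/*/.cache' \
        "${BORG_REPO}::{hostname}-{now:%Y-%m-%dT%H:%M}" \
        /etc /home /var/lib /srv
}

# --- Administrative host, NOT the client: retention --------------------------
# The client key is append-only, so pruning must come from a host with an
# unrestricted SSH key (assumed: /root/.ssh/borg_admin) plus a copy of the
# repository key and passphrase. Daily points for two weeks and weekly ones
# for two months satisfy "history should go back several weeks".
prune_repo() {
    export BORG_RSH="ssh -i /root/.ssh/borg_admin"
    run borg prune --list --stats \
        --keep-daily 14 --keep-weekly 8 --keep-monthly 6 "$BORG_REPO"
    run borg compact "$BORG_REPO"   # Borg >= 1.2: space is freed only on compact
}

# --- Restore test: run from a clean machine, never from a possibly infected one
# Pass the archive name to test, e.g. "client1-2024-01-31T02:00" (assumed name).
verify_backup() {
    archive="$1"
    run borg check --verify-data "$BORG_REPO"     # detects tampered/corrupt chunks
    # Dry-run extraction of the whole archive; a real test restores into a
    # scratch directory and scans the result for malware before reuse.
    run borg extract --dry-run --list "${BORG_REPO}::${archive}"
}
```

Append-only mode covers "attackers cannot encrypt or delete backups" only for attackers coming through the client's key: a `borg delete` or `borg prune` issued through that key appends to the repository's transaction log instead of freeing data, and an administrator can roll the repository back to an earlier transaction. It does not protect against an attacker who gains root on the backup server itself, and it is not an offline copy; the offline and geographically separate backups from the requirements list are still needed in addition.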
For more information, visit www.borgbackup.com. Since every company has different requirements for a backup strategy, have an expert design an individual backup strategy for you and implement it technically. Then you can be sure that your company is much better prepared for a ransomware attack.