Physical and logical security are two important factors when considering backup files. Modern restore capabilities allow entire virtual machines and systems to be brought back online from a backup very quickly, assuming that a local/on-premises copy is available. With the 3-2-1 rule in place (3 copies of your data, 2 different types of media, 1 offsite copy), data gains resiliency against a multitude of failures; however, hackers are aware of this and have advanced their attack techniques to target all types of backup files. See also this Back to Basics 3-2-1 Backup Rule post and video.
Many times, backup sets consist of a chain of smaller files that together make up a whole backup, and all of these files, or at least a subset of them, are required to restore the entire server or system. All of these files are sent offsite as a normal operation and precaution, and it becomes difficult to track changes to them, since some backup files change periodically by nature. When malware or ransomware targets these files after affecting the local copies, chances are it is too late to prevent further issues.
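One way to track changes across such a chain is to keep a hash manifest of the repository and flag any file that changed but was not expected to (sealed full backups and closed incrementals), went missing, or appeared unannounced. This is an added example, not code from Global Data Vault, Veeam or the original post; the file names and contents are constructed, and which files count as "expected mutable" is an assumption the operator supplies.

```python
import hashlib
import os
import tempfile

# Constructed example: a chain made of one full backup and two incrementals.
# The full backup and closed incrementals should never change between runs;
# only the newest, still-open incremental is expected to be rewritten.

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(directory):
    """Map every file in a backup directory to its SHA-256 digest."""
    return {name: sha256_file(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))}

def compare_manifests(baseline, current, expected_mutable=()):
    """Return (kind, name) findings: missing, tampered or unexpected files."""
    findings = []
    for name, digest in baseline.items():
        if name not in current:
            findings.append(("missing", name))
        elif current[name] != digest and name not in expected_mutable:
            findings.append(("tampered", name))
    for name in current:
        if name not in baseline:
            findings.append(("unexpected", name))
    return findings

def demo():
    """Simulate a run where a sealed full backup is overwritten (constructed data)."""
    with tempfile.TemporaryDirectory() as repo:
        files = {"vm01.vbk": b"full backup", "vm01-001.vib": b"incr 1", "vm01-002.vib": b"incr 2"}
        for name, data in files.items():
            with open(os.path.join(repo, name), "wb") as f:
                f.write(data)
        baseline = build_manifest(repo)
        # Legitimate change: the open incremental grows.
        with open(os.path.join(repo, "vm01-002.vib"), "ab") as f:
            f.write(b" more")
        # Suspicious changes: the full backup is rewritten and a closed incremental vanishes.
        with open(os.path.join(repo, "vm01.vbk"), "wb") as f:
            f.write(b"encrypted garbage")
        os.remove(os.path.join(repo, "vm01-001.vib"))
        return compare_manifests(baseline, build_manifest(repo), expected_mutable={"vm01-002.vib"})

if __name__ == "__main__":
    for kind, name in demo():
        print(kind, name)
```

In practice the baseline manifest must live somewhere the backup server cannot overwrite, or an attacker who reaches the repository can simply regenerate it.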
Viruses and malware can enter an environment and behave in a multitude of ways. Like human viruses, computer viruses can mutate and adapt (or be adapted) and can sit quietly or proliferate and spread explosively. Some are designed to appear as normal files and processes while gathering as much information about an environment as possible, either to gain access to specific targets or to capture as many targets as possible. These “time bombs” are often difficult to detect because they do not behave in a pattern typical of malware. They can also spread stealthily, innocently carried along in backup files or replicated data. This is a favored method of attackers because it allows them to infest offsite backup repositories for the ultimate “gotcha” when the timer ends.
Good backups are the best protection
For attacks such as ransomware, the general consensus is that good backups are the best protection against paying the ransom. Hackers are aware of this and know they need to intelligently find and disable or destroy backup files, even if they are offsite or in the cloud, so they can get paid. When these incidents occur, history indicates it can take days or weeks to recover, and this may include paying the ransom. Part of that time is spent trying to “fix” the problem, then trying to restore previous versions, then consulting legal or law enforcement representatives, and finally paying the ransom, assuming the cash is available or a bitcoin exchange is complete. All of this happens while your business is shut down or key components are unavailable, such as when 22 municipalities in Texas were hit simultaneously.
Global Data Vault partners with cybersecurity firm BitLyft to provide Enhanced Data Protection (EDP) as an included offering to customers in order to thwart such threats. With EDP in place, we are able to monitor normal behavior and detect and respond to events and incidents, often before actual harm to data occurs. EDP takes Veeam’s Insider Protection to the next level by maintaining versioned copies of backup files (including incrementals, reverse incrementals, full backups, etc.) in a “gapped” repository to protect you from insider threats and ransomware encryption. Likewise, when files on a backup server or backup repository begin opening suspicious or unusual network connections, we can act quickly to counter the threat before further damage occurs.
We all know that bad actors and hackers are not going to go away. At Global Data Vault, our goal is to continue to improve our resilience and responses in order to provide the highest quality of service to our customers at a fair price.