Data backups targeted by new attack strategies

31 March 2021

Since 2011, World Backup Day has taken place on 31 March to remind all IT users of the importance of keeping up-to-date backups of private and business data. IKARUS expert Andreas Kramel warns of new attack strategies that make it necessary to rethink familiar backup routines.

The well-known guidelines are still valid: Companies and private users should regularly create valid backups of their data. These must be stored separately from the system in as secure a location as possible so that no data is lost in the event of a hardware or service failure or even infection with malware.

To keep their ransomware campaigns successful, attackers have adapted their strategies. “Backups are often targeted first – if the backup can be destroyed or encrypted, the motivation to pay the demanded ransom increases,” says Andreas Kramel of the IKARUS Managed Defense Team. “We also know of cases where backups were deliberately manipulated. These attacks are not immediately noticed because the backups are still ‘there’. However, when trying to restore the data after an attack, the backup is also already encrypted or contains updated malware.”

Protect backup infrastructure

Ransomware attacks are now much more precise, versatile and better planned than they were just a few years ago. They specifically attack backup systems to increase their chances of success. In addition to setup, validation and recovery tests, it is therefore important to better protect the backup infrastructure.

Backup data should not be stored or be visible on the main file server. For common enterprise backup solutions, a software update often enables new security features that provide additional protection against manipulation. In general, comprehensive admin access to backup systems and data should only be possible for a small group of people. Similarly, multi-factor authentication and other measures are recommended for massive changes to data inventories, to make unauthorized manipulation and deletion of data more difficult. Contact the manufacturer of your backup system about these options.

Complement 3-2-1 or Grandfather-Father-Son strategy

“From our point of view, a complete offline backup with tapes or other external, unchangeable media has become indispensable – the way it was known in the past,” Andreas Kramel recommends: “First, backups of the important systems are created on local disks and then outsourced to tapes according to the GFS (Grandfather/Father/Son) principle.” The tapes are stored in a safe place. Because they are physically separated from the main system and kept externally, they prevent a total loss if that system has been compromised. Regular validations and tests are still important to ensure that a recovery can be carried out successfully.
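The GFS principle named above can be written down as a retention rule. The following is an added example, not code from IKARUS or from any backup product; the tier definitions (first backup of a month, Sunday backups, all other days) and the retention counts are assumptions, since the article gives no schedule.

```python
from datetime import date, timedelta

# Assumed retention limits; the article names GFS but gives no schedule.
LIMITS = {"son": 7, "father": 4, "grandfather": 12}

def classify(backup_dates):
    """Assign each backup date to its highest GFS tier.

    Assumption: grandfather = first backup of a calendar month,
    father = any other Sunday backup, son = every remaining daily backup.
    """
    tiers, months_seen = {}, set()
    for d in sorted(set(backup_dates)):
        month = (d.year, d.month)
        if month not in months_seen:
            months_seen.add(month)
            tiers[d] = "grandfather"
        elif d.weekday() == 6:  # Monday is 0, Sunday is 6
            tiers[d] = "father"
        else:
            tiers[d] = "son"
    return tiers

def retained(backup_dates, limits=LIMITS):
    """Return the set of backup dates to keep: the newest N of each tier."""
    tiers = classify(backup_dates)
    keep = set()
    for tier, limit in limits.items():
        newest_first = sorted((d for d, t in tiers.items() if t == tier), reverse=True)
        keep.update(newest_first[:limit])
    return keep

def sample_dates():
    """Constructed input: one backup per day, 1 January to 31 March 2021."""
    start = date(2021, 1, 1)
    return [start + timedelta(days=n) for n in range(90)]

if __name__ == "__main__":
    dates = sample_dates()
    tiers, keep = classify(dates), retained(dates)
    for d in sorted(keep):
        print(d.isoformat(), d.strftime("%a"), tiers[d])
    print(f"{len(keep)} kept, {len(dates) - len(keep)} eligible for overwrite")
```

With these assumed limits, the long-lived father and grandfather sets are the ones that matter most to keep on offline media, because they are the restore points that predate a compromise discovered late.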

Caution with cloud services

Some online services such as Microsoft Office 365 now offer good basic protection against ransomware attacks by versioning and storing all file changes. [1] However, access to the service remains a weak point – if unsecured, backups are simply encrypted as well. Be sure to activate multifactor authentication so that attackers do not have all the data on a silver platter if the username/password is lost. Another point of criticism is the recovery of large amounts of data: “In the event of a disaster, you are very dependent on your internet speed,” Andreas Kramel points out. Cloud backups should also be regularly backed up to physical offline media on site in any case.

Back up private documents, photos or messages

For private users, an external USB hard drive still offers good protection for your own data if you disconnect it from the system and keep it safe. Don’t forget about the ever-increasing data on various cloud services or on your smartphone, and back it up regularly as well! Information, tips and instructions on creating a data backup can be found at www.worldbackupday.com.


[1] https://support.microsoft.com/en-us/office/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f
