Ransomware, Backups, and Testing your Plan — CyberHoot
The news headlines seem to be filled with ransomware attacks of late. Business owners are taking note and asking their Managed Service Providers (MSPs) and IT departments to improve their cybersecurity programs and to prepare recovery plans, often called Business Continuity and Disaster Recovery (BCDR) plans, so they can recover quickly from a breach. The unfortunate truth, however, is that many MSPs and IT departments only do half the work.
While backups are certainly the first step in recovering from a ransomware attack, many businesses don’t understand the importance of testing both their backups and their BCDR plans to uncover the weaknesses and mistakes that commonly creep in.
Backups are Difficult to do Right
There is only one way to get backups right: you have the data you need, accessible when you need it, within the time-frame you must have it back in. There are literally dozens of ways to get backups wrong. Read on to find out about many of the most common failure points.
The unfortunate truth is that many businesses hit by ransomware think they have solid backups in place but never tested them. Some only then discover that they backed up the wrong data, or missed critical servers in unusual locations.
SUCCESSFUL BACKUPS THAT ACTUALLY FAILED TO WORK
Others discover, only when they try to restore, that their backups never worked despite every backup job reporting success.
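A backup job's exit status tells you the job finished, not that the result restores. The drill below is an added example (not CyberHoot's code) of the check a practitioner actually wants: take the archive a "successful" job wrote, restore it into scratch space, and compare every file's hash against a manifest recorded at backup time. It also shows two of the failures described above on constructed data: an archive truncated in transit that still came from a job that returned success, and a manifest entry for a server the job never covered. The file names, sizes and the `filter="data"` extraction option are assumptions for the example.

```python
"""Restore drill: prove that a backup archive actually restores, not just
that the backup job exited 0.  Added example, not CyberHoot's code."""
import hashlib
import os
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_tree(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source_dir, archive_path):
    """Write a .tar.gz of source_dir and return True, the way a backup job
    reports 'success'.  Success here says nothing about restorability."""
    with tarfile.open(archive_path, "w:gz") as tar:
        for child in sorted(Path(source_dir).iterdir()):
            tar.add(child, arcname=child.name)
    return True


def verify_backup(archive_path, expected_digests):
    """Restore the archive into a scratch directory and compare every file
    against the digests recorded at backup time.  Returns (ok, problems).

    Run this on a clean host with no network path back into production,
    using only the credentials and decryption key stored outside that
    network: if the drill cannot reach the key, neither will you after
    ransomware hits.
    """
    # Use the hardened extraction filter where the interpreter has it
    # (3.12+ and the security backports to older releases).
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(scratch, **extract_opts)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            return False, [f"extraction failed: {exc!r}"]
        restored = sha256_tree(scratch)

    problems = []
    for rel, digest in expected_digests.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content mismatch: {rel}")
    return not problems, problems


def run_drill():
    """End-to-end drill on a constructed data set.  Returns verdicts for a
    good archive, for a manifest that lists a server the job never backed
    up, and for the same archive truncated in transit."""
    with tempfile.TemporaryDirectory() as workdir:
        src = Path(workdir) / "fileserver"          # constructed sample data
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.db").write_bytes(os.urandom(16384))
        (src / "policies.txt").write_bytes(b"constructed sample data\n" * 200)
        archive = Path(workdir) / "nightly.tar.gz"

        manifest = sha256_tree(src)                 # digests at backup time
        job_reported_success = make_backup(src, archive)
        good_ok, good_problems = verify_backup(archive, manifest)

        # A server in an unusual location that the backup job never covered.
        missed = {**manifest, "hr/payroll.db": "0" * 64}
        missed_ok, missed_problems = verify_backup(archive, missed)

        # Simulate a truncated upload: the job already reported success.
        blob = archive.read_bytes()
        archive.write_bytes(blob[: len(blob) // 2])
        bad_ok, bad_problems = verify_backup(archive, manifest)

    return {
        "job_reported_success": job_reported_success,
        "good_archive_verified": good_ok,
        "good_problems": good_problems,
        "missed_server_verified": missed_ok,
        "missed_problems": missed_problems,
        "truncated_archive_verified": bad_ok,
        "truncated_problems": bad_problems,
    }


if __name__ == "__main__":
    for key, value in run_drill().items():
        print(f"{key}: {value}")
```

Point the same `verify_backup` at a real archive and the manifest your backup job emits, and schedule it as a recurring drill rather than a one-off; the manifest must be captured at backup time and stored with the off-site copy, or a corrupted primary leaves you nothing to compare against.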
RESTORES THAT TAKE FOREVER
Finally, as the amount of data we all use to run our businesses grows exponentially, some businesses find that their restore times are unacceptably long.
Cybersecurity experts say the most common reason ransomware victims with reliable backups still pay is that “nobody at the victim organization bothered to test in advance how long this data restoration process might take”. Too many businesses assume that because they back up data daily they aren’t at risk of paying for the decryption key. The problem is that they don’t know how long restoration will take, because they have never tested their restore procedure.
Fabian Wosar, Chief Technology Officer at Emsisoft, said this when asked why companies have trouble restoring data following a ransomware attack:
“Suddenly the victim notices they have a couple of petabytes of data to restore over the Internet, and they realize that even with their fast connections it’s going to take three months to download all these backup files. A lot of IT teams never actually make even a back-of-the-napkin calculation of how long it would take them to restore from a data rate perspective.”
BACKUP KEY MANAGEMENT FAILURES
Wosar went on to say the next most common situation involves companies that have off-site, encrypted backups of their data but then realize the key needed to decrypt those backups was stored on the same local network the ransomware encrypted.
Bill Siegel, CEO and co-founder of Coveware, a company that negotiates ransomware payments on behalf of victims, said:
It can be that they have 50 petabytes of backups … but it’s in a … facility 30 miles away.… And then they start [restoring over a copper wire from those remote backups] and it’s going really slow … and someone pulls out a calculator and realizes it’s going to take 69 years to restore what they need. Or there’s lots of software applications that you actually use to do a restore, and some of these applications are in your network that got encrypted. So you’re like, ‘Oh great. We have backups, the data is there, but the application to actually do the restoration is encrypted.’ So there’s all these little things that can trip you up, that prevent you from doing a restore when you don’t practice.
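The "back-of-the-napkin calculation" both quotes say nobody makes is simple arithmetic, but it is worth keeping as a small tool so it gets run against every backup set and compared with the RTO rather than done once in someone's head. The block below is an added example, not code from CyberHoot, Emsisoft or Coveware. The 0.7 link-efficiency factor and the scenario sizes, link speeds and RTOs are assumptions constructed for the example; the figures in the quotes above are not reproduced.

```python
"""Back-of-the-napkin restore-time arithmetic: how long does pulling N bytes
of backups across a link take, and does that fit the RTO?  Added example;
not CyberHoot's, Emsisoft's or Coveware's code."""

# Unit constants: bytes for data, bits per second for links.
TB = 10 ** 12
PB = 10 ** 15
MBPS = 10 ** 6
GBPS = 10 ** 9
HOUR = 3600
DAY = 24 * HOUR
YEAR = 365.25 * DAY


def restore_seconds(data_bytes, link_bps, efficiency=0.7):
    """Seconds to move data_bytes over a link rated at link_bps bits/s.

    efficiency is the fraction of nominal bandwidth you actually get after
    protocol overhead, shared use and the backup software's own throughput
    ceiling.  0.7 is an assumed planning figure; replace it with what your
    own restore drill measured.
    """
    if data_bytes < 0 or link_bps <= 0 or not 0 < efficiency <= 1:
        raise ValueError("need data_bytes >= 0, link_bps > 0, 0 < efficiency <= 1")
    return data_bytes * 8 / (link_bps * efficiency)


def max_restorable_bytes(rto_seconds, link_bps, efficiency=0.7):
    """The inverse question: the largest restore that fits inside the RTO."""
    return rto_seconds * link_bps * efficiency / 8


def humanize(seconds):
    """Render a duration in the unit that makes the problem obvious."""
    if seconds >= YEAR:
        return f"{seconds / YEAR:.1f} years"
    if seconds >= DAY:
        return f"{seconds / DAY:.1f} days"
    if seconds >= HOUR:
        return f"{seconds / HOUR:.1f} hours"
    return f"{seconds:.0f} seconds"


def plan(data_bytes, link_bps, rto_seconds, efficiency=0.7):
    """Verdict for one scenario: time needed, whether it fits the RTO, and
    how much data the link could restore inside the RTO at all."""
    secs = restore_seconds(data_bytes, link_bps, efficiency)
    return {
        "restore_seconds": secs,
        "restore_time": humanize(secs),
        "fits_rto": secs <= rto_seconds,
        "max_bytes_in_rto": max_restorable_bytes(rto_seconds, link_bps, efficiency),
    }


# Constructed planning cases; not figures from the article or its sources.
SCENARIOS = [
    ("Small office, 2 TB over 1 Gbps, RTO 24 h", 2 * TB, 1 * GBPS, 24 * HOUR),
    ("Small office, 2 TB over 100 Mbps, RTO 24 h", 2 * TB, 100 * MBPS, 24 * HOUR),
    ("Mid-size, 50 TB over 1 Gbps, RTO 48 h", 50 * TB, 1 * GBPS, 48 * HOUR),
    ("Enterprise, 2 PB over 10 Gbps, RTO 72 h", 2 * PB, 10 * GBPS, 72 * HOUR),
]

if __name__ == "__main__":
    for label, size, link, rto in SCENARIOS:
        v = plan(size, link, rto)
        print(f"{label}: {v['restore_time']}, fits RTO: {v['fits_rto']}, "
              f"link can restore at most {v['max_bytes_in_rto'] / TB:.1f} TB in the RTO")
```

When `fits_rto` comes back False, the options are the ones the quotes hint at: a faster restore path, a local or shipped copy so the bulk does not cross the WAN, or a smaller "restore first" set of the systems the business cannot run without. Whichever you pick, rerun the arithmetic with the throughput a drill actually measured, since the nominal link speed is the number that fools people.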
With so many ways to get backups wrong, now’s the time to get your house in order, before a critical incident puts the added stress of an emergency on top of your troubleshooting efforts to get your data back. Here are CyberHoot’s recommendations on backups.
So What Can You Do?
It’s vital that organizations practice their Business Continuity and Disaster Recovery (BCDR) plans, using tabletop exercises to walk through a restore scenario. Many victims find themselves rebuilding their data in ways they never predicted, which is exactly why tabletop exercises matter. CyberHoot recommends writing a complete BCDR plan so that you know your Recovery Point Objective (RPO, how much data, measured in time, you can afford to lose) and your Recovery Time Objective (RTO, how long you can afford to be down). CyberHoot also recommends the 3–2–1 backup method: keep 3 copies of your data (one primary, two backups), on 2 different types of media, with 1 copy stored off-site (this can be online). Testing your BCDR plan at least annually will help you eliminate many of the mistakes described above.
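The 3–2–1 rule and the RPO are easy to state and easy to drift away from, so it helps to write the checks down and run them against an inventory of the copies you actually have. The block below is an added example (not CyberHoot's code) that audits a constructed inventory for 3–2–1 compliance, for the key-on-the-production-network trap described earlier, and for whether the newest verified copy is within the RPO. The `BackupCopy` fields, the inventories and the clock value are all assumptions for the example; the age is measured from the last drill-tested restore, not the last job that exited successfully.

```python
"""Inventory audit for a backup set: 3-2-1 rule, decryption-key location,
and RPO.  Added example, not CyberHoot's code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                        # e.g. "disk", "tape", "object-storage"
    offsite: bool
    last_verified_restore: datetime   # last drill-tested restore, not last job exit 0
    key_on_production_net: bool       # key/credentials reachable from the network ransomware would encrypt


def usable_copies(copies):
    """A copy whose decryption key sits on the production network is,
    after ransomware, no copy at all (the failure Wosar describes)."""
    return [c for c in copies if not c.key_on_production_net]


def check_3_2_1(copies):
    """Return the ways the set fails 3 copies / 2 media types / 1 off-site."""
    problems = []
    if len(copies) < 3:
        problems.append(f"copy count {len(copies)}, need at least 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        problems.append(f"all copies on one media type ({', '.join(sorted(media)) or 'none'})")
    if not any(c.offsite for c in copies):
        problems.append("no off-site copy")
    return problems


def check_key_isolation(copies):
    return [f"{c.name}: decryption key sits on the production network"
            for c in copies if c.key_on_production_net]


def check_rpo(copies, rpo, now):
    """The newest usable, verified copy must be no older than the RPO."""
    usable = usable_copies(copies)
    if not usable:
        return ["no usable copy to measure RPO against"]
    age = now - max(c.last_verified_restore for c in usable)
    if age > rpo:
        return [f"newest verified copy is {age} old, RPO is {rpo}"]
    return []


def audit(copies, rpo, now):
    """Only copies that survive the key check count toward 3-2-1."""
    problems = (check_3_2_1(usable_copies(copies))
                + check_key_isolation(copies)
                + check_rpo(copies, rpo, now))
    return {"ok": not problems, "problems": problems}


# Constructed inventory and clock for the example.
NOW = datetime(2024, 1, 15, 6, 0, tzinfo=timezone.utc)
RPO_DAILY = timedelta(hours=24)
RPO_TIGHT = timedelta(hours=4)

INVENTORY_WITH_KEY_TRAP = [
    BackupCopy("primary NAS snapshot", "disk", False, NOW - timedelta(hours=6), False),
    BackupCopy("tape vault (off-site)", "tape", True, NOW - timedelta(days=1), False),
    # Off-site and encrypted, but the key lives in a share on the LAN.
    BackupCopy("cloud object store", "object-storage", True, NOW - timedelta(hours=12), True),
]
# Same set after moving the cloud copy's key to an escrow outside the LAN.
INVENTORY_FIXED = INVENTORY_WITH_KEY_TRAP[:2] + [
    BackupCopy("cloud object store", "object-storage", True, NOW - timedelta(hours=12), False),
]

if __name__ == "__main__":
    for label, inv in (("key trap", INVENTORY_WITH_KEY_TRAP), ("fixed", INVENTORY_FIXED)):
        print(label, audit(inv, RPO_DAILY, NOW))
```

Feed the audit from whatever records your backup and escrow systems keep, and treat a failing result as a finding for the next tabletop exercise rather than a number to tidy up; the inventory is also a good place to record where each copy's key and restore tooling live, since Siegel's point about the restore application itself being encrypted is the same trap one field over.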
Beyond Backups — Ransomware Prevention Tips
In addition to testing and documenting your BCDR with the 3–2–1 backup method, CyberHoot recommends the following best practices to protect individuals and businesses against, and limit damages from, online cyber attacks:
- Adopt two-factor authentication on all critical Internet-accessible services
- Adopt a password manager for better personal/work password hygiene
- Require 14+ character Passwords in your Governance Policies
- Train employees to spot and avoid email-based phishing attacks
- Check that employees can spot and avoid phishing emails by testing them
- Perform a risk assessment every two to three years
Ransomware and Backup Conclusions
The time to work out the kinks in your BCDR plan is when you are least stressed about doing so; the middle of a ransomware attack is the worst possible time to discover backup problems. Test your BCDR plan on your own schedule, not on a hacker’s ransomware countdown clock. You’ll be glad you did.
Start building your robust, defense-in-depth cybersecurity plan today with CyberHoot.