In today’s blog, we are going to look at how ransomware works and why it necessitates the use of offline backups for your organization. Having audited hundreds of organizations, it is clear to me that most IT professionals are already thinking about availability. It is very common for organizations to be taking regular backups and for those backups to be hosted at multiple geographic locations. This is in line with how we, as IT professionals, were taught: our backup plan needs to protect us from natural disasters. Therefore, if a hurricane takes out our office in North Carolina, we need to have a backup in California so that our organization can continue to operate. However, the rise of ransomware has created a need for this strategy to evolve, and sadly, I am not seeing many organizations realize this until it is too late.
Here comes an obvious statement: the rise of ransomware has had a tremendous impact on information security, whether it is the City of Atlanta brought to its knees, the State of Louisiana declaring a state of emergency, or yet another hospital with patient files locked up, putting patient safety in jeopardy. I have never personally audited the City of Atlanta, but I can tell you with reasonable certainty that they had some kind of backups and that those backups were probably spread across several regions. I can also reasonably assure you that they had tested their backup strategy. With a few ransomware attacks, maybe we can brush it off and say “oh, they probably didn’t have backups”, or “oh, well, they obviously didn’t test their recovery plan, shame on them.” But the simple fact is, ransomware is affecting organizations big and small across every vertical, many of whom have backups.
If we think about the motivation behind a ransomware attack, it is monetarily driven: the attackers are hoping that you pay the ransom. This is how they make money. Therefore, they aren’t worried about Sally from marketing, who clicked on the link that gave them initial access. No one is going to pay for her files (sorry, Sally). Ransomware is designed to spread throughout the network. So not only will they get Sally’s data, but they will use Sally’s passwords to spread to the shared drive and to the other systems that Sally’s account gives them access to. Most IT professionals understand this. In fact, this is the point where they will stop and tell me that the backups are only accessible by individuals in the domain administrator group, that there are only a few people in that group, and that those DAs know not to click on that link.
Here is the most critical thing to understand: once I have access to an internal network, over 90% of the time I am able to elevate my permissions to domain administrator. At that point I have access to everything in the domain, including those backups.
This can be done using a number of different methods: shared local administrator passwords, Kerberoasting, cleartext credentials in memory, unsupported operating systems, default passwords, etc. For more on that, or if you want to see whether your organization is really vulnerable, consider having an internal penetration test done, as it looks for all of these weaknesses. My point is that in a ransomware attack, in order to better their chances of obtaining the ransom, the attackers are going to try to elevate their permissions and are absolutely going to target your backups.
Therefore, the only way to protect your organization is to have offline backups. The key concept is that these should not be accessible from your network at all, if possible. If they must be online, make sure access is not tied to a domain account and that the system is as segmented as possible from the rest of your network. You can do this yourself or you can use a third party that offers a cloud backup solution; it doesn’t matter which. The key exercise is to assume your network is already compromised and that an attacker knows one of your domain administrators’ passwords, then think through your backup solution and see how well it holds up. Additionally, these backups do not necessarily need to follow the same rules and timing as your current backup solution. These offline backups are protection against a specific type of event. Your organization should take into account the likelihood of a ransomware event occurring, the maximum amount of time you could stand to have all of your network operations down, and how much you want to spend to bring that risk down to a reasonable level. Many organizations take nightly backups of their systems, but for an offline solution they can accept the data being a week old.
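The tabletop exercise above (assume a domain administrator's password is known to the attacker, then trace what that credential can reach) can be written down as a small reachability check. The following is an added example, not code from the original post or from any backup product; every host, account, repository name and access edge in it is constructed sample data. It models the typical pattern the post describes: a domain-joined backup server replicating to a second site is still reachable with domain credentials, while a repository behind local-only or separate-identity-provider authentication is not. It also applies the accepted data age (a week, in the post's example) to the surviving copies.

```python
"""Tabletop check: which backup copies survive a compromised domain admin?

Added example (not from the original post). It models the blog's
exercise: assume the attacker holds a domain administrator's password,
then trace which backup repositories that credential can reach.
All hosts, accounts and edges below are constructed sample data.
"""
from collections import deque

# Directed access graph, constructed for this example.
# Edge semantics: "controlling X lets you touch Y".
ACCESS = {
    "domain_admin": [
        "file_server",
        "backup_server_domain_joined",
        "workstation_sally",
    ],
    "file_server": ["nas_backups_smb"],
    # Geographic diversity does not help: the DR site is reached
    # through the same domain-joined backup server.
    "backup_server_domain_joined": ["backup_repo_primary", "backup_repo_dr_site"],
    "workstation_sally": ["file_server"],
    # Appliance with local-only credentials: no edge from any domain principal.
    "backup_appliance_local_auth": ["backup_repo_offline_tape"],
    # Cloud service authenticated through a separate identity provider.
    "cloud_backup_service_separate_idp": ["backup_repo_cloud_immutable"],
}

# Backup repositories and how old their newest copy is (constructed values).
BACKUP_REPOS = {
    "backup_repo_primary": {"age_days": 1},
    "backup_repo_dr_site": {"age_days": 1},
    "nas_backups_smb": {"age_days": 1},
    "backup_repo_offline_tape": {"age_days": 7},
    "backup_repo_cloud_immutable": {"age_days": 7},
}


def reachable_from(start, graph=ACCESS):
    """Breadth-first traversal: every node a compromised `start` can reach."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def assess_backups(compromised="domain_admin", max_age_days=7):
    """Split repositories into (at_risk, surviving) for a compromised principal.

    at_risk:   reachable with the compromised credential, so encryptable.
    surviving: unreachable AND recent enough to meet the accepted data age.
    """
    reach = reachable_from(compromised)
    at_risk = sorted(r for r in BACKUP_REPOS if r in reach)
    surviving = sorted(
        r for r, meta in BACKUP_REPOS.items()
        if r not in reach and meta["age_days"] <= max_age_days
    )
    return at_risk, surviving


if __name__ == "__main__":
    risk, ok = assess_backups()
    print("Reachable by a compromised domain admin (encryptable):", risk)
    print("Survive and meet the accepted data age:", ok)
```

Run it as-is and the two replicated copies plus the NAS share show up as at risk, while only the tape and the separately authenticated cloud copy survive. Replacing the constructed graph with your own account-to-system relationships turns this into the same walkthrough the post asks for, and the `max_age_days` argument is where the "a week old is acceptable" decision is recorded.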