Protect the Backup

It is bad enough that hackers are managing to inflict ransomware attacks on our live systems; now they are reaching our backups as well, so that the attack cannot simply be undone by a restore. This is what happened in early November against a number of hospital systems.


These viruses are capable of deleting backup files in addition to live files, as Malwarebytes identified on November 3. Classically, the ransomware is set to automatically delete the restore points (Volume Shadow Copies) that Windows creates, so if you try to do a System Restore there is nothing left to revert to. So this is easy to fix: you simply move the backups to network shares, right? Wrong! Many of these ransomware viruses can now move laterally from workstations into network shares, and they encrypt or delete whatever backup files they can reach there.
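Deleting the shadow copies is the step that turns a recoverable infection into an unrecoverable one, so it is worth alerting on that command the moment it runs, on workstations as well as servers. The script below is an added example written for this page, not code from the original article or from any vendor: it runs a handful of command-line rules over constructed process-creation records in a simplified key=value format (the field names mirror Sysmon event ID 1, but the log lines and the CORP\backupsvc service account are made up for the example).

```python
import re
from dataclasses import dataclass

# Command lines the ransomware families discussed here are widely reported to run
# before encrypting, to remove the restore points and catalogs a recovery would need.
# Each entry is (rule name, regex); all matching is case-insensitive.
TAMPER_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("powershell_win32_shadowcopy_delete",
     re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b", re.I)),
]

# Service accounts whose backup jobs legitimately resize shadow storage; tune per site.
# The account name is an assumption made for this example.
ALLOWED_RESIZE_USERS = {"CORP\\backupsvc"}


@dataclass
class Alert:
    rule: str
    user: str
    command: str


def parse_record(line):
    """Parse one key=value process-creation record; quoted values may contain spaces."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|\S+)', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def scan_log(lines):
    """Return one Alert per record whose command line matches a tamper rule."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        cmd = rec.get("CommandLine", "")
        user = rec.get("User", "?")
        for name, rx in TAMPER_RULES:
            if not rx.search(cmd):
                continue
            if name == "vssadmin_resize_shadowstorage" and user in ALLOWED_RESIZE_USERS:
                break  # expected behaviour from the backup service account
            alerts.append(Alert(name, user, cmd))
            break  # one alert per record is enough
    return alerts


# Constructed sample records: field names follow Sysmon event ID 1, the lines are made up.
SAMPLE_LOG = [
    'EventID=1 User="CORP\\jdoe" Image="C:\\Windows\\System32\\vssadmin.exe" '
    'CommandLine="vssadmin.exe Delete Shadows /All /Quiet"',
    'EventID=1 User="CORP\\jdoe" Image="C:\\Windows\\System32\\wbem\\WMIC.exe" '
    'CommandLine="wmic shadowcopy delete"',
    'EventID=1 User="NT AUTHORITY\\SYSTEM" Image="C:\\Windows\\System32\\bcdedit.exe" '
    'CommandLine="bcdedit /set {default} recoveryenabled No"',
    'EventID=1 User="CORP\\backupsvc" Image="C:\\Windows\\System32\\vssadmin.exe" '
    'CommandLine="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded"',
    'EventID=1 User="CORP\\jdoe" Image="C:\\Windows\\System32\\vssadmin.exe" '
    'CommandLine="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"',
    'EventID=1 User="CORP\\backupsvc" Image="C:\\Windows\\System32\\vssadmin.exe" '
    'CommandLine="vssadmin list shadows"',
    'EventID=1 User="CORP\\jdoe" Image="C:\\Windows\\System32\\notepad.exe" '
    'CommandLine="notepad.exe C:\\Users\\jdoe\\notes.txt"',
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"[{a.rule}] {a.user}: {a.command}")
```

The resize rule is there because shrinking shadow storage to a few hundred megabytes silently evicts the existing copies, which achieves the same effect as deleting them; the allow-list keeps the genuine backup service from paging anyone, but an ordinary user or SYSTEM doing it after hours should. Feed the same rules your SIEM's process-creation events and they become the earliest reliable signal that a backup is about to be lost.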

Cybersecurity experts have named two ransomware families that attack backup files: SamSam and Ryuk. Both are run by attackers based abroad (SamSam has been attributed to Iranian actors) and have succeeded in extorting over $30 million from several victims. Unfortunately, many of these victims are hospitals, and the ransomware affected public safety significantly. These ransomware viruses are "scheduled" to kick off, usually after hours, and are designed to encrypt backup files on computers. The Ryuk virus overwhelmed the Los Angeles Times and its cloud providers and managed to delete all shadow copies and backup files within a three-day period.

Wake up people!

Now it is not enough to have a good backup. Although these viruses hit backup files, it usually is not a deliberate attempt to get at the backup but rather opportunistic: the viruses are "crawlers" that walk through file lists looking for specific file types to apply their encryption to, and backup files on a reachable share are simply among what they find. The attacks are similar to last year's WannaCry ransomware attack, and experts are expecting to see these types of infection increase over the next six months. This lateral movement is what makes these ransomware attacks so problematic.

What Can Be Done?

As bad as they may seem, there are some steps that system administrators can implement to help lessen the effect of the virus:

  1. Augment all Windows backups with additional copies and third-party utilities other than Microsoft's
  2. Isolate your backup from general files in a protected environment
  3. Develop automated testing protocols on your backups

Augment All Windows Backups With Additional Copies and Third-Party Utilities Other Than Microsoft's

Since most of these ransomware viruses are looking for the Windows backup applications and the locations and file types those applications use, one way to avoid losing the backup is to ensure that third-party applications are also performing the backups. This works because the virus does not know where the third-party tool keeps its backups or what format they are in, while the system administrator does and can manage them accordingly. Be clear that this is obscurity rather than isolation: a crawler that reaches the share where the third-party copy sits can still encrypt it, so treat this step as a supplement to isolating the backup, not a replacement for it.

Isolate Your Backup From General Files In A Protected Environment

There is usually no reason to keep backup files on the same device as the backup software. In fact, a best practice is to ensure that the backups never touch the device where the files originate. This is referred to as isolating a backup. In addition, the credentials that grant access to the backup files should differ from those used for the original files; this includes both the login account and the password, so that a compromised workstation account cannot reach, modify or delete the backups. A best practice is to establish procedures that create three (3) copies of your backup files using at least two (2) backup tools, and to isolate those backup tools from each other as well. Cloud infrastructure can help move backup files to an off-site location under different authentication credentials. This used to be problematic, but with newer techniques (block-level storage) the difficulties are lessened and the cost moves more toward the acceptable side. Some of the newer cloud vendors are even offering versioning, so that the backup can be rolled back to a known-good version should a virus be identified. One such vendor can automate that procedure when a virus is detected, ensuring a clean backup copy.

Develop Automated Testing Protocols On Your Backups

Many of my current customers have never thought about actually testing a backup for restore capability. This is no longer a luxury; it should be a requirement for all backups. A backup is useless if you are not able to restore the file or files to a true production state. Since many of the new variants of ransomware have the ability to be stealthy and to infect devices based upon schedules or triggers, it is going to be critical that all backup files be scanned with a quality malware-identification toolset to catch a dormant virus before it has had time to infect devices, and that the restore test itself be carried out on an isolated host so that a dormant sample in the backup cannot reach production.
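Two checks make a restore test automatic rather than a once-a-year ceremony: compare the restored tree against a manifest of sizes and hashes recorded at backup time, and screen the restored files for content that looks like ciphertext where plaintext is expected. The script below is an added example written for this page, not code from the original article or from any backup product. It builds a small constructed backup set in a temporary directory, restores it twice (once exactly, once from a copy that ransomware had reached), and reports what each check finds; the file names, contents and the 7.2 bits-per-byte entropy threshold are assumptions made for the example.

```python
import hashlib
import math
import os
import shutil
import tempfile
from pathlib import Path

# File types that should never look like random bytes. One of these with near-maximal
# entropy has almost certainly been encrypted in place, so the set containing it is not clean.
LOW_ENTROPY_TYPES = {".txt", ".csv", ".log", ".xml", ".json", ".html", ".sql"}
ENTROPY_THRESHOLD = 7.2   # bits per byte; plaintext of these types sits well below 6


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record size and SHA-256 of every file under root, keyed by relative path."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def verify_restore(restored_root, manifest):
    """Compare a restored tree against the manifest taken at backup time.
    Returns (relative path, problem) tuples; an empty list means the restore is exact."""
    restored_root = Path(restored_root)
    problems = []
    for rel, expected in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif p.stat().st_size != expected["size"]:
            problems.append((rel, "size mismatch"))
        elif sha256_file(p) != expected["sha256"]:
            problems.append((rel, "hash mismatch"))
    # Files present in the restore but absent from the manifest are also a finding:
    # ransomware leaves its note and renamed copies behind.
    for p in restored_root.rglob("*"):
        if p.is_file() and p.relative_to(restored_root).as_posix() not in manifest:
            problems.append((p.relative_to(restored_root).as_posix(), "unexpected file"))
    return problems


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def screen_for_encryption(root):
    """Flag files of plaintext types whose content looks like ciphertext."""
    root = Path(root)
    flagged = [p.relative_to(root).as_posix() for p in root.rglob("*")
               if p.is_file() and p.suffix.lower() in LOW_ENTROPY_TYPES
               and shannon_entropy(p.read_bytes()) > ENTROPY_THRESHOLD]
    return sorted(flagged)


def run_demo():
    """Constructed scenario: a backup set, an exact restore of it, and a restore of a copy
    ransomware had already reached. Returns (good_problems, bad_problems, flagged_files)."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        src = tmp / "backup"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_bytes(b"date,amount\n2018-11-01,100.00\n" * 50)
        (src / "notes.txt").write_bytes(b"Patient intake checklist\n" * 40)
        manifest = build_manifest(src)   # keep this where the backup host cannot write to it

        good = tmp / "restore_good"
        shutil.copytree(src, good)

        bad = tmp / "restore_bad"
        shutil.copytree(src, bad)
        (bad / "notes.txt").write_bytes(os.urandom(4096))   # encrypted in place by the crawler
        (bad / "README_FOR_DECRYPT.txt").write_bytes(b"your files have been encrypted\n")

        return verify_restore(good, manifest), verify_restore(bad, manifest), screen_for_encryption(bad)


if __name__ == "__main__":
    good, bad, flagged = run_demo()
    print("exact restore problems:", good)
    print("tampered restore problems:", bad)
    print("ciphertext where plaintext expected:", flagged)
```

The manifest is only as trustworthy as its storage: write it to a location the backup host and the backed-up workstations cannot modify (a versioned bucket or an isolated host), otherwise the same crawler that rewrites the backups can rewrite the record you compare them against. The entropy screen is a cheap first pass, not a malware scanner; it catches files encrypted in place, while the anti-malware scan the text calls for is still needed to find a dormant sample stored as an ordinary-looking executable.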

Bottom Line

I know that it is not always something a system administrator wants to hear, but it is going to be essential, in order to protect your company's assets, that more attention is paid to the backup files, so that you have "clean" backup copies of production files that are virus-free and restorable.

This article is presented by Martin Yarborough and Associates LLC.

Martin Yarborough and Associates is a consulting firm specializing in Infrastructure Assessments, Cybersecurity Risk Assessments, Disaster Recovery and Strategic Planning.
