From a hackers’ perspective, back-ups are bad news. They provide you with a lifeline and a means of recovery, which makes them a key target during an attack. Why? Because the harder it is, or the longer it takes, for you to recover, the more likely a hacker is to get their ransom. If your back-up is encryped or deleted during an attack your business will have no safety net of data to refer to, and the more effective the attack becomes.

For the purpose of this blog, we’ll assume that a hacker already has access to your network. Let’s say they got in through a highly targeted phishing campaign and, over a few weeks, have worked their way towards your data centre environment. At each step, they’ve covered their tracks to avoid detection, gathering more insight into your technical landscape along the way.

Before they alert you to the attack by installing ransomware on every endpoint and server connected to your network, they will look for your back-ups. Here are the five vulnerabilities that hackers love to exploit to encrypt or delete your back-ups.

Back-up best practices for ransomware

1. Don’t back up data to the same environment

Since a hacker already has access to your data centre environment, storing a copy in the same
place as the data is created makes it easy for hackers to delete your back-ups.

2. Ensure separation between your back-up server and the rest of your network  

The more that your back-up server can communicate with, the easier it is to find from a network scan. For example, if you’re backing up to your hypervisor, there’s no need for your back-up server to talk to your domain controller. With proper network separation in place, you’re making life much more difficult for hackers, slowing them down and increasing the chance of detection

3. Make sure back-up servers don’t share the same Active Directory (AD)  

If your back-up servers are set on the same AD, hackers can use this shared authentication to
access multiple back-up servers and delete the data.

4. Don’t use the same storage area network (SAN) for storing back-up and production data

We’ve seen cases where a SAN that’s used for replication and disaster recovery (DR) is also storing back-up data. Once the SAN’s been found, it’s light work for the hackers to remove your safety net.

5. How long does it take you to recover your network?

Recovering from an attack isn’t pretty or easy. While the recovery takes place, there’s forensics work happening on top of your ops team frantically checking logs. It’s a stressful and extremely busy time, so recovery can be slower than usual. Make sure you understand how long this takes you, and make sure you’ve got sufficient bandwidth between your back-up environment and your hypervisor platform so that you’re not slowed down unnecessarily.

There’s constant chatter in our industry about ransomware, and rightly so. It’s real and it’s affecting businesses of all sizes day in, day out. Last year, our security specialists and incident responders spent over 300 days assisting businesses with ransomware recovery.