Ransomware Horror Stories
During my time working in the trenches of Data Protection, I encountered ransomware numerous times. These were true horror stories where business owners were put on the verge of bankruptcy or complete loss of reputation. The following is a short collection of thoughts and descriptions of my horror stories about ransomware attacks.
In the beginning, there was the simple restore
I will never forget the first time I got a call after a customer had been hit with a strange new virus that had encrypted all of their files. They had tried everything but could not figure out how to get their business back up and running again. That experience was difficult, but a quick full restore from the last backup did the trick, and everyone was happy.
Unfortunately, this was not going away, and it did not take too long for the next call to come in a few weeks later. This was a horror story that was going to be ongoing and ever-evolving.
Upping the Ante
It did not take long for the creators of ransomware to realize that backups were hindering their extortion efforts and, therefore, had to be neutralized.
The humdrum string of ordinary ransomware calls ended abruptly when, one day, the customer announced that their backups had also been encrypted. The bad actors had encrypted the backup server and the NTFS repository located on the backup server's local drive. This was a setup typical in many mid to small organizations. Luckily, the customer also had tape backup jobs, and we were able to restore a somewhat older but nevertheless good backup. It became increasingly apparent that when it came to ransomware protection, more backups were definitely better.
They evolve, we evolve
After that incident, we started telling our clients to remove the VBR server from the production domain and to have offsite backups or offline backups. In the past, we had thought of offsite backups mainly from the disaster point of view, in other words, potential physical problems at the local data center, but with the advent of ransomware, the importance of keeping an extra copy offsite became essential.
However, it was not long before we had our first case of deleted cloud backups. The ransomware gangs had figured out how to delete the Cloud Connect backup copy jobs once they had taken control of the VBR server. In response to this and insider threats, Veeam added insider protection, which would move any deleted backups to a hidden recycle bin. However, the clever crooks were, in some cases, able to reduce backup retention and encrypt the last backups, which affected this defensive mechanism. There needed to be something more!
Enter Immutability
The Linux file system has supported the immutable bit for quite some time. Still, it was only relatively recently that this was combined with Veeam backups to create solid, unmovable backups.
Now, even if the bad actor took control of the VBR server, they would still not be able to delete the backups.
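One way a defender can check that the immutable bit is actually set on every backup file in a Linux repository is to audit the output of lsattr from e2fsprogs. The following is an added example written for this post; it is not Veeam's own code and not part of the hardened repository feature. It assumes the standard lsattr output format (an attribute field such as "----i---------e-------", a space, then the path, with "dir:" header lines when run recursively), the 'i' flag meaning immutable, and the Veeam backup file extensions .vbk, .vib and .vrb. The sample output embedded below is constructed for the example.

```python
"""Audit a Linux backup repository for files missing the immutable bit.

Added example (not from the original post or from Veeam). It parses
lsattr output, reports backup files whose attribute field lacks 'i',
and produces the chattr commands an administrator would run to fix them.
"""
import subprocess
from dataclasses import dataclass

# Constructed sample of `lsattr -R /backups` output (not real repository data):
# a directory header, one immutable full backup, one incremental that was
# left mutable, and a blank separator line.
SAMPLE_LSATTR = """\
/backups/job1:
----i---------e------- /backups/job1/job1.vbk
--------------e------- /backups/job1/job1D2024-05-02.vib

"""

# Veeam backup file extensions: full, incremental, reverse incremental.
BACKUP_SUFFIXES = (".vbk", ".vib", ".vrb")


@dataclass
class RepoFile:
    path: str
    flags: str
    immutable: bool


def parse_lsattr(output: str) -> list[RepoFile]:
    """Turn lsattr text into RepoFile records, skipping headers and blanks."""
    files = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        flags, _, path = line.partition(" ")
        if not path:
            # "/backups/job1:" style directory header from `lsattr -R`
            continue
        files.append(RepoFile(path=path, flags=flags, immutable="i" in flags))
    return files


def unprotected(files: list[RepoFile], suffixes=BACKUP_SUFFIXES) -> list[str]:
    """Return backup file paths that can still be deleted or overwritten."""
    return [f.path for f in files if f.path.endswith(suffixes) and not f.immutable]


def remediation_commands(paths: list[str]) -> list[str]:
    """chattr invocations that would set the immutable bit (run as root)."""
    return [f"chattr +i {p}" for p in paths]


def audit_directory(repo_dir: str) -> list[str]:
    """Run lsattr recursively on a real repository and return unprotected files."""
    result = subprocess.run(
        ["lsattr", "-R", repo_dir], capture_output=True, text=True, check=False
    )
    return unprotected(parse_lsattr(result.stdout))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for cmd in remediation_commands(unprotected(parse_lsattr(SAMPLE_LSATTR))):
        print(cmd)
```

Run against a real repository with audit_directory("/path/to/repo"); reading attributes works as an unprivileged user, while applying chattr +i requires root. Note that a mutable file found this way is exactly what a bad actor holding the VBR server could delete, which is why the check belongs in a regular schedule rather than a one-off.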
Adding immutability, we thought, was the solution: the garlic for our ransomware vampires!
Halloween every day!
Alas, the horror stories did not end there. Unfortunately, our spooky foes devised new methods to undermine data protection defenses. By placing dormant ransomware on the attacked systems, they could infect the backups so that even if they could not delete the latter, they would simply re-infect the victim soon after all the restores had been completed. This was perhaps one of the scariest and worst scenarios, as the emotional roller coasters of having to perform multiple restore sessions numerous days in a row would significantly wear down IT teams. They would restore their systems only to find them re-infected again soon after. Intense battles took place using ransomware detection methods and anti-viruses, resulting in more downtime and stress for the affected customers.
When it comes to Ransomware, Halloween does not come once a year but is a daily, repetitive threat. The ransomware gangs' form of trick-or-treating is simply too lucrative for them to give up, and with each new defense, they attempt to find some type of loophole to continue in their evil but highly profitable ways.
The only solution is to scare the ghosts away!
ZTDR, or Zero Trust Data Resilience, is Veeam's new strategy to frighten away the ransomware fiends. Its tenets include assuming breach, segmenting backup storage away from the other components of the Data Protection setup, testing backups for infections by leveraging inline scanning and YARA rules, and, of course, making sure all of your backups are immutable!
If you don't want to enter the ransomware graveyard of encrypted business data, then make sure to follow ZTDR.