How to protect your backup

By user, June 17, 2025

Ransomware has become a highly coordinated and widespread threat, and traditional defenses are increasingly struggling to neutralize it. Today's ransomware attacks initially target the last line of defense: the backup infrastructure. Before locking up the production environment, cybercriminals go after backups to cripple the victim's ability to recover, increasing the likelihood of a ransom payment.

In particular, these attacks are carefully designed takedowns of your defenses. Threat actors disable backup agents, delete snapshots, change retention policies, encrypt backup volumes (particularly those that are accessible over the network), and exploit vulnerabilities in integrated backup platforms. They are no longer only trying to deny you access; they are also erasing the very means of recovery. If a backup environment is not built with this evolving threat landscape in mind, it is at high risk of compromise.

How can IT professionals defend against this? This guide uncovers the weak strategies that leave backups exposed and explores practical steps to harden both onsite and cloud-based backups against ransomware. Let's take a look at how you can build a 100% reliable backup strategy even in the face of sophisticated ransomware attacks.

Common pitfalls that keep your backups exposed

Insufficient isolation and the lack of offsite or immutable copies are among the most common weaknesses of backup strategies. Snapshots and local backups are not enough. If they reside in the same onsite environment as the production systems, they can be easily discovered, encrypted or deleted by an attacker. Without proper isolation, the backup environment is highly susceptible to lateral movement, allowing ransomware to spread from compromised systems to the backup infrastructure.

Some of the most common lateral attack techniques used to compromise backups are:

  • Active Directory (AD) attacks: Attackers leverage AD to escalate privileges and access the backup system.
  • Virtual host takeover: Malicious actors take advantage of misconfigurations or vulnerabilities in guest tools or hypervisor code to control the hypervisor and the virtual machines (VMs) that host the backups.
  • Windows-based software attacks: Threat actors leverage built-in Windows services and known behaviors across versions as entry points into the backup software and the backup repository.
  • Common Vulnerabilities and Exposures (CVE) exploits: High-severity CVEs are routinely targeted to breach backup hosts before patches are applied.

Another major pitfall is relying on a single cloud provider for cloud backups. This creates a single point of failure, increasing the risk of data loss. For example, if you are backing up Microsoft 365 data within the Microsoft environment, the backup infrastructure and the source systems share the same ecosystem, which makes the backups easy to discover. Stolen credentials or application programming interface (API) access allow an attacker to compromise both at once.

Build backup resilience with the 3-2-1-1-0 strategy

The 3-2-1 backup rule has long been the gold standard for data protection. However, it is no longer enough, as ransomware increasingly targets backup infrastructure. Today's threat landscape calls for a more resilient approach, one that assumes an attacker will attempt to destroy your ability to recover.

That's where the 3-2-1-1-0 strategy comes into play. This approach aims to keep three copies of the data and store them on two different media.

Figure 1: 3-2-1-1-0 Backup Strategy

Here's how it works:

Three copies of data: 1 production + 2 backups

When backing up, it is important not to rely solely on file-level backups. For a more complete recovery, use image-based backups that capture the complete system (operating system (OS), applications, configurations, data). Look for features like bare metal recovery and instant virtualization.

Instead of standard backup software, use a dedicated backup appliance (physical or virtual) for greater isolation and control. When looking for appliances, consider those built on hardened Linux to reduce the attack surface and avoid Windows-based vulnerabilities and commonly targeted file types.

Two different media formats

To diversify risk and prevent simultaneous compromise, store backups on two different media types (local disk and cloud storage).

One offsite copy

Make sure that one backup copy is stored offsite and is geographically isolated to protect against natural disasters or site-wide attacks. Use physical or logical air gaps whenever possible.

One immutable copy

Keep at least one backup copy in immutable cloud storage to prevent it from being modified, encrypted or deleted by ransomware or rogue users.

Zero errors

Backups should be periodically verified, tested and monitored to ensure that they are error-free and recoverable as needed. Until you are completely confident in your recovery, your strategy is not perfect.
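The five conditions above can be checked mechanically against a backup inventory. The following is an added example, not code from the article or from any vendor; the `Copy` fields, the sample inventories and the 30-day test-restore window are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Copy:
    name: str
    role: str                  # "production" or "backup"
    media: str                 # e.g. "local-disk", "cloud-object"
    offsite: bool = False
    immutable: bool = False
    verify_errors: int = 0     # errors reported by the last verification run
    last_restore_test: Optional[date] = None  # last successful test restore

def audit_32110(copies, today, max_test_age_days=30):
    """Evaluate an inventory against 3-2-1-1-0; returns {rule: passed}.
    max_test_age_days is an assumed policy value, not taken from the article."""
    backups = [c for c in copies if c.role == "backup"]
    cutoff = today - timedelta(days=max_test_age_days)
    # A backup counts against "0 errors" if it has errors or no recent test restore.
    stale = [c for c in backups
             if c.verify_errors or c.last_restore_test is None
             or c.last_restore_test < cutoff]
    return {
        "3 copies": len(backups) >= 2 and any(c.role == "production" for c in copies),
        "2 media types": len({c.media for c in backups}) >= 2,
        "1 offsite": any(c.offsite for c in backups),
        "1 immutable": any(c.immutable for c in backups),
        "0 errors": bool(backups) and not stale,
    }

def failed_rules(copies, today):
    return [rule for rule, ok in audit_32110(copies, today).items() if not ok]

# Constructed sample inventories (hypothetical names).
TODAY = date(2025, 6, 17)
WEAK = [
    Copy("prod-fs01", "production", "local-disk"),
    Copy("vss-snapshot", "backup", "local-disk"),
    Copy("nas-share", "backup", "local-disk", last_restore_test=date(2024, 11, 2)),
]
HARDENED = [
    Copy("prod-fs01", "production", "local-disk"),
    Copy("appliance", "backup", "local-disk", last_restore_test=date(2025, 6, 10)),
    Copy("cloud-vault", "backup", "cloud-object", offsite=True, immutable=True,
         last_restore_test=date(2025, 6, 12)),
]

if __name__ == "__main__":
    for label, inv in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "fails:", failed_rules(inv, TODAY) or "none")
```

The weak inventory has three copies yet fails every other rule, which is the snapshot-plus-local-backup pitfall described earlier.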

To make your 3-2-1-1-0 strategy truly effective, it is important to harden the environment where backups live. Consider the following best practices:

  • Deploy backup servers in a secure local area network (LAN) environment to limit accessibility.
  • Use the principle of least privilege to restrict access. Use role-based access control (RBAC) to ensure that local domain accounts do not have administrator rights on the backup system.
  • Segment backup networks with no inbound traffic from the Internet. Only outbound traffic is allowed. Additionally, only protected systems should be able to communicate with the backup server.
  • Use a firewall to enforce network access control and use port-based access control lists (ACLs) on network switch ports.
  • Deploy agent-level encryption so that data written to the backup server is encrypted using a unique key generated from a unique passphrase.
  • Disable unused services and ports to reduce the number of potential attack vectors.
  • Enable multifactor authentication (MFA), preferably biometric rather than time-based one-time password (TOTP), for all access to the backup environment.
  • Keep your backup system patched and up to date to avoid exposure to known vulnerabilities.
  • Physically protect all backup devices with locked enclosures, access logs, and monitoring measures.

Best Practices for Securing Cloud-based Backups

Ransomware can easily target cloud platforms, especially if the backups live in the same ecosystem. Therefore, segmentation and separation are important.

Data segmentation and separation

To create a true air gap in the cloud, the backup data must reside in a separate cloud infrastructure with its own authentication system. Avoid any reliance on secrets or credentials stored in production. This isolation reduces the risk of a production environment breach affecting backups.

Use a private cloud backup architecture

Select a service that moves the backup data from the source environment to an alternative cloud environment, such as a private cloud. This creates a logically isolated environment protected from the original access vectors, providing the air-gap protection needed to withstand modern ransomware. A shared environment makes it easier for an attacker to discover, access, or destroy both source and backup assets in a single campaign.

Authentication and Access Control

Cloud-based backups must use a completely separate identity system. Implement MFA (preferably biometric), RBAC, and alerting for unauthorized changes such as agent removal or changes to retention policies. Credentials should never be stored in the same ecosystem that is being backed up. Keeping access tokens and secrets outside of your production environment (such as Azure or Microsoft 365) eliminates any dependency on it for backup recovery.
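Alerting of the kind described above can be expressed as a few rules over the backup platform's audit trail. The following is an added example, not part of the original article or any vendor's product; the JSON-lines event format, field names, identity domains and thresholds are assumptions, and the log lines are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit events (hypothetical JSON-lines format; field names are assumptions).
SAMPLE_LOG = """\
{"ts":"2025-06-17T02:10:00","actor":"backup-admin@vault.example","action":"retention.update","target":"policy/servers","old_days":90,"new_days":90}
{"ts":"2025-06-17T02:14:05","actor":"svc-sql@corp.example","action":"retention.update","target":"policy/servers","old_days":90,"new_days":1}
{"ts":"2025-06-17T02:15:10","actor":"svc-sql@corp.example","action":"agent.remove","target":"host/fs01"}
{"ts":"2025-06-17T02:16:00","actor":"svc-sql@corp.example","action":"snapshot.delete","target":"fs01/2025-06-14"}
{"ts":"2025-06-17T02:16:20","actor":"svc-sql@corp.example","action":"snapshot.delete","target":"fs01/2025-06-15"}
{"ts":"2025-06-17T02:16:45","actor":"svc-sql@corp.example","action":"snapshot.delete","target":"fs01/2025-06-16"}
"""

BACKUP_IDP = "@vault.example"  # assumed dedicated identity domain for backup operators

def detect(log_text, burst=3, window=timedelta(minutes=5)):
    """Return (rule, actor, detail) alerts for changes that erode recoverability."""
    alerts, seen_foreign = [], set()
    recent = defaultdict(deque)  # actor -> timestamps of recent snapshot deletions
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        actor, action = e["actor"], e["action"]
        ts = datetime.fromisoformat(e["ts"])
        # Backups should use their own identity system: flag any other identity once.
        if not actor.endswith(BACKUP_IDP) and actor not in seen_foreign:
            seen_foreign.add(actor)
            alerts.append(("production-identity", actor, action))
        if action == "retention.update" and e["new_days"] < e["old_days"]:
            alerts.append(("retention-reduced", actor,
                           f'{e["old_days"]}d -> {e["new_days"]}d'))
        elif action in ("agent.remove", "agent.disable"):
            alerts.append(("agent-removed", actor, e["target"]))
        elif action == "snapshot.delete":
            q = recent[actor]
            q.append(ts)
            while ts - q[0] > window:   # drop deletions outside the sliding window
                q.popleft()
            if len(q) == burst:         # fire when the count reaches the threshold
                alerts.append(("snapshot-delete-burst", actor, f"{burst} in {window}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```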

How Datto BCDR secures backups to ensure 100% recovery reliability

Even with the right strategy, resilience will ultimately depend on the tools you choose. That's where Datto's Business Continuity and Disaster Recovery (BCDR) platform stands out. Datto BCDR offers seamless local and cloud continuity with SIRIS and ALTO appliances and the immutable Datto BCDR Cloud. It ensures that backups are always recoverable, even in the worst-case scenario.

Figure 2: How Datto BCDR provides business continuity

Here’s how Datto BCDR provides guaranteed recovery:

  • Local and cloud redundancy: Datto BCDR offers a robust backup appliance that doubles as a local recovery target. Workloads and applications can be run directly on the device during a failure. If on-prem systems are at risk, recovery seamlessly shifts to the Datto BCDR Cloud for virtualized operations, ensuring business continuity without disruption.
  • The power of the immutable Datto BCDR Cloud: Dedicated to backup and disaster recovery, the Datto BCDR Cloud offers unparalleled flexibility, security and performance. Beyond basic off-site storage, it offers multi-layered protection, keeping your critical data safe and instantly recoverable.
  • Effective ransomware protection: The Datto appliance runs on a hardened Linux architecture to mitigate vulnerabilities that are commonly targeted in Windows systems. It also includes built-in ransomware detection that actively scans for threats before recovery begins.
  • Automated and verified backup testing: Datto's automated screenshot verification confirms that VMs can boot from backups. It also performs application-level checks to ensure that workloads function correctly after a restore, helping IT teams validate recovery without guesswork.
  • Lightning-fast recovery options for seamless recovery:
    • Features such as 1-Click Disaster Recovery (1-Click DR) provide immediate disaster recovery.
    • Secure image-based backup for full system restoration.
    • Cloud Deletion Defense™ instantly recovers deleted cloud snapshots, whether the deletion was accidental or malicious.

Is it time to rethink your backup strategy?

Cyber resilience starts with backup security. Before ransomware hits, ask yourself: Are your backups truly separate from your production systems? Can they be deleted or encrypted by a compromised account? When was the last time you tested them?

Now is the time to evaluate your backup strategy through a risk-based lens. Identify gaps, strengthen weaknesses, and make recovery a certainty, not a question.

Find out how Datto BCDR can help you implement a secure, resilient backup architecture built for real threats. Get pricing today.

This article is a contributed piece from one of our valued partners.
