Increasing Backup Data Security from Ransomware

One of the key fundamentals is having external copies of the data (backup copies) beyond the snapshots or versions maintained on the source system. It is important to distinguish a backup copy from a ‘version’, which lives on the same system and is therefore not protected. Snapshots are also not appropriate backups in this context, because the data must exist in persistent copies in other locations. In the same way, any copy maintained purely by replication will be corrupted along with its source. Versions of the data from prior recovery points, preserved in protected locations, are very important.

Ransomware can lead to a hacker gaining access to file servers. So far most attacks focus on office document types, which they encrypt, and if they can find access paths to any online backup sets they delete those as well. If they have only penetrated a client server, the backup copies are kept separately in the content store and the front-end systems can be recovered. This is one case where local snapshots may leave exposure, as a hacker may find and delete them. This is why secondary copies are so important.

By using a Commvault driver component, ransomware is blocked from encrypting or deleting backup data on the MediaAgent itself. If the disk is exposed to other systems and local admin rights are obtained, the attached backup pool can potentially be deleted. The risk is reduced through copy separation, different MediaAgents, different sites and offline media. Using a cloud library is another option, since it is not visible to the OS local admin account on the MediaAgent unless a deeper attack has also exposed the cloud user account credentials.

Commvault places check files in special areas that our service monitors for changes. If those check files are altered, an alert and notification are raised so the incident can be investigated, responded to, and affected systems taken off the network before additional exposure occurs. At that point managed data paths should be monitored and locked down if necessary. An admin can also create an alert using rate-of-change criteria to detect an unusual rate of change. In addition, an event is logged when the backup software detects ransomware, with the message: “Detected a possible Ransomware attack. Please verify the data on the machine”. It is also strongly recommended that UNC shares use a dedicated user name and password not used for any other purpose. In environments where the performance impact is acceptable, files can be archived; then, if the rate of recall exceeds a certain threshold, a workflow can be constructed to shut down the recall mechanism.
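As an added example (not Commvault's own code) of the two detection ideas described above, check-file monitoring and a rate-of-change alert, the following Python combines a fingerprint baseline for canary files with a sliding-window count of distinct modified files. File names, sample contents, timestamps and the 60-second/20-file thresholds are constructed for illustration.

```python
import hashlib
from collections import deque

# Check ("canary") files the monitor expects to find unchanged. Names and
# contents are constructed for this example, not Commvault's real paths.
CHECK_FILES = {
    "canary_a.txt": b"do-not-touch-canary-a\n",
    "canary_b.txt": b"do-not-touch-canary-b\n",
}
ALERT_TEXT = "Detected a possible Ransomware attack. Please verify the data on the machine"

def fingerprint(data: bytes) -> str:
    """SHA-256 of a check file's content, recorded when the file is placed."""
    return hashlib.sha256(data).hexdigest()

BASELINE = {name: fingerprint(data) for name, data in CHECK_FILES.items()}

def altered_check_files(current: dict) -> list:
    """Names of check files whose current content no longer matches the
    baseline, or which are missing (deleted). `current` maps name -> bytes."""
    altered = []
    for name, expected in BASELINE.items():
        data = current.get(name)
        if data is None or fingerprint(data) != expected:
            altered.append(name)
    return sorted(altered)

def rate_of_change_exceeded(events, window_seconds: int, threshold: int) -> bool:
    """events: (epoch_seconds, path) file-modification events in any order.
    True if more than `threshold` distinct files change inside any sliding
    window of `window_seconds`, i.e. the rate-of-change criterion."""
    window = deque()
    for ts, path in sorted(events):
        window.append((ts, path))
        while ts - window[0][0] > window_seconds:   # drop events outside the window
            window.popleft()
        if len({p for _, p in window}) > threshold:
            return True
    return False

def evaluate(current: dict, events, window_seconds=60, threshold=20):
    """Return the alert text if either detector fires, else None."""
    if altered_check_files(current) or rate_of_change_exceeded(events, window_seconds, threshold):
        return ALERT_TEXT
    return None

# Constructed activity: a quiet day versus 60 files rewritten in 12 seconds.
NORMAL_EVENTS = [(i * 300, f"docs/report{i}.docx") for i in range(5)]
ATTACK_EVENTS = [(1000 + i // 5, f"share/file{i}.xlsx") for i in range(60)]
```

In a real deployment the baseline fingerprints would be stored somewhere the monitored host cannot write, since a process that can alter the canaries could otherwise also rewrite the baseline.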

Overall, ransomware validates the need for persistent, secured copies in other locations.

Last modified: 4/14/2020 7:18:55 PM