How to protect your backups from ransomware

W. Curtis Preston | Network World

Ransomware is the biggest threat to data. It is therefore essential to ensure that when attackers run a ransomware attack they cannot encrypt your backup data along with your primary data. If the backups are encrypted too, you will be forced to pay the ransom, and attackers who get paid are emboldened to launch another ransomware attack.

The key to not having to pay the ransom is to have a backup that lets you restore your systems even after they have been encrypted by ransomware. The key to protecting backups from ransomware is to place as many barriers as possible between the production systems and the backup system. Whatever else you do, the one thing to avoid is keeping your only backup in a directory on a Windows server in the same data center as the systems you want to protect. Let’s take a closer look at the core parts of that sentence: ‘Windows’, ‘same data center’, and ‘in a directory’.


Windows protection

Most ransomware attacks target Windows hosts. Once one host is infected, the malware spreads to other Windows hosts in the environment. After it has spread to enough hosts, the attacker triggers the encryption program, and everything suddenly stops. So, above all, use a backup server that does not run Windows.

Unfortunately, many popular backup products run primarily on Windows. Fortunately, there are also many Linux alternatives. Even if the main backup software must run on Windows, it may offer a Linux media server option. The media server is the key, because the media server is where the data you are protecting actually resides. Backups that can only be accessed through a Linux-based media server cannot be reached by a ransomware attack on Windows-based servers.

Behind the Linux-based media server, store not only your regular backups but also backups of the primary backup server itself. Of course, being able to read the backup media is useless if the database needed to access the backups has itself been encrypted by ransomware.

In addition, a Windows-based backup server should be given the maximum possible protection. Find out which services ransomware uses to attack servers (RDP, for example) and disable as many of them as possible. Keep in mind that this server is your last line of defense, so think about security, not convenience.

Sending backups outside the data center

Whichever backup solution you choose, your backup copies must be stored in a different location. That means more than simply placing a backup server on a virtual machine (VM) in the cloud: a VM in the cloud is just as easy to attack as a VM in your data center if it is reachable electronically. The configuration must ensure that an attack on the systems in your data center cannot propagate to the backup system in the cloud. This can be done in a variety of ways, including firewall rules, a different operating system, and a different storage protocol.

For example, most cloud vendors provide object storage, and most backup software products and services can write to it. Ransomware attackers may be sophisticated, but they have not yet figured out how to attack backups stored in object storage. In addition, object storage providers offer Write-Once, Read-Many (WORM) options under which data cannot be modified once written. This means you can specify a period during which the backups cannot be modified or deleted by anyone, including yourself.
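As an added example of the WORM option described above (not code from the article or its author), the following shell functions create an Amazon S3 bucket with Object Lock and a compliance-mode default retention, so that backup objects written to it cannot be modified or deleted for a set number of days, even by the account owner. It assumes the AWS CLI is installed and configured; the bucket name, region and day count are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the article: create an S3 bucket whose backup
# objects are held under a WORM (Object Lock) default retention, so they
# cannot be modified or deleted for N days, even by the account owner.
# Assumptions: the AWS CLI is installed and credentials are configured;
# bucket name, region and day count are placeholders supplied by the caller.

# Build the Object Lock configuration JSON for a COMPLIANCE-mode retention
# of $1 days. COMPLIANCE mode means no user can shorten or remove the hold
# before it expires, which is the property backups need.
object_lock_config() {
    days="$1"
    case "$days" in
        ''|*[!0-9]*|0*)
            echo "object_lock_config: days must be a positive integer" >&2
            return 1 ;;
    esac
    printf '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"COMPLIANCE","Days":%s}}}' "$days"
}

# Create the bucket with Object Lock enabled (on S3 this must be chosen at
# creation time; it also turns on versioning) and apply the default retention.
create_immutable_backup_bucket() {
    bucket="$1"; days="$2"; region="${3:-us-east-1}"
    cfg=$(object_lock_config "$days") || return 1
    if [ "$region" = "us-east-1" ]; then
        aws s3api create-bucket --bucket "$bucket" --region "$region" \
            --object-lock-enabled-for-bucket
    else
        aws s3api create-bucket --bucket "$bucket" --region "$region" \
            --create-bucket-configuration "LocationConstraint=$region" \
            --object-lock-enabled-for-bucket
    fi
    aws s3api put-object-lock-configuration --bucket "$bucket" \
        --object-lock-configuration "$cfg"
}

# Check: read the configuration back and print the retention mode; expect
# "COMPLIANCE". Run this periodically so a quietly relaxed policy is noticed.
verify_object_lock() {
    aws s3api get-object-lock-configuration --bucket "$1" \
        --query 'ObjectLockConfiguration.Rule.DefaultRetention.Mode' --output text
}

# Usage (uncomment to run against a real account; names are placeholders):
# create_immutable_backup_bucket my-backup-bucket-placeholder 30 eu-west-1
# verify_object_lock my-backup-bucket-placeholder
```

The retention period should be at least as long as the time you need to detect an intrusion and restore, since objects written inside the window stay recoverable for that long regardless of what happens to the backup server's credentials.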

There are also backup services that write data to storage that cannot be accessed except through the service’s user interface. If you cannot see the backups directly as files, neither can ransomware.

The idea is to keep the backups (or at least one copy of them) as far as possible from the infected Windows systems: place them in a provider’s cloud protected by firewall rules, use a different operating system for the backup server, and write the backups to a different type of storage.

Remove file-system access to backups

If the backup system writes backups to disk, do your best to ensure they cannot be accessed through normal file-system directories. For example, the worst place to put backup data is E:\backups. Ransomware products specifically target directories with names like that and will encrypt the backups stored there.

So you need to work out how to make sure that backups stored on disk are not visible as files to the operating system. For example, one of the most common backup configurations is a backup server that writes backup data to a target deduplication array mounted on the backup server via Server Message Block (SMB) or Network File System (NFS). If that backup server is infected with a ransomware product, the backups on the target deduplication system can be encrypted, because they are reachable through a directory. Find out how your backup product can write to the target deduplication array without using SMB or NFS; all popular backup products have such an option.
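As an added example (not code from the article or its author), the following shell audit finds the configuration just described: a backup target that is mounted on a Linux backup or media server as an ordinary directory over SMB or NFS, and therefore reachable by anything that can write to the file system. It reads `/proc/mounts`-format lines; the sample mount table is constructed for illustration, and the backup directory `/backups` is an assumed location.

```shell
#!/bin/sh
# Added example, not from the article: audit a Linux backup/media server for
# backup targets that are mounted as ordinary directories over SMB (cifs/smb3)
# or NFS. Those are exactly the backups that ransomware on the server could
# encrypt through the file system. Input is in /proc/mounts format
# (device mountpoint fstype options dump pass); the sample below is constructed.

# Read /proc/mounts-style lines from stdin and print "FSTYPE MOUNTPOINT" for
# each network file system mounted at or below the backup directory $1.
network_backup_mounts() {
    prefix="$1"
    while read -r dev mnt fstype opts rest; do
        case "$fstype" in
            cifs|smb3|nfs|nfs4) ;;    # SMB and NFS variants seen in /proc/mounts
            *) continue ;;
        esac
        case "$mnt" in
            "$prefix"|"$prefix"/*) printf '%s %s\n' "$fstype" "$mnt" ;;
        esac
    done
}

# Return 1 if any such mount exists, so the check can run from cron or a
# monitoring agent; $1 is the backup directory.
check_backup_mounts() {
    found=$(network_backup_mounts "$1")
    if [ -n "$found" ]; then
        printf 'WARNING: backup target reachable as a file share:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Constructed sample in /proc/mounts format. On a real host use:
#   check_backup_mounts /backups < /proc/mounts
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
dedupe01:/export/backups /backups nfs4 rw,vers=4.1 0 0
//dedupe01/backups /backups/smb cifs rw,vers=3.0 0 0
/dev/sdb1 /backups/local xfs rw 0 0
dedupe01:/export/other /mnt/other nfs rw 0 0'

# Run the audit over the constructed sample for the given backup directory.
audit_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | network_backup_mounts "${1:-/backups}"
}
```

On the sample, `/backups` (NFS) and `/backups/smb` (CIFS) are flagged while the local XFS volume is not; the fix for a flagged mount is the backup product's own non-file-system transport to the deduplication array, as the text recommends, not a different mount option.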

What about tape?

Of course, there is our old friend tape. Tape is a great medium for making a copy of last night’s or last week’s backups; once copied and sent to another location, it is safe from ransomware attacks. If you pull a backup tape out of the tape library and hand it to the Iron Mountain driver, there is no way for even the best ransomware product to infect that backup. Sometimes the old way is the best.

Putting obstacles in the way

Do not make it easy for ransomware to find and encrypt your backups. If possible, do not store them on a Windows server, and store at least one copy in a location that is not electronically accessible from your data center. Finally, configure your backup system so that the backups cannot be seen as files on the backup server. In the event of a ransomware attack, at least give yourself a fighting chance.

Source: ITWorld Korea
