Maintaining Credible Data Backups to Minimize Downtime
If you were hit with ransomware tomorrow, could you restore from backups with minimal downtime?
As an Incident Response Lead for Coalition’s affiliate incident response firm, Coalition Incident Response (CIR), I’ve worked with many clients who couldn’t answer this question. Understanding the viability of backups in the event of a cyber attack is critical for every organization.
Before I explain our recommended best practices for maintaining credible backups, I want to share a story about a ransomware claim I recently handled where an insured had backups but could not fully restore the data from them.
Encrypted backups lead to ransomware payment
The policyholder in this case was an industrial machinery manufacturer with nine locations throughout the U.S. In April 2023, they received a ransom note from a particularly advanced ransomware group. They called the Coalition Claims Hotline within an hour and selected Coalition Incident Response (CIR) to begin the incident response process.
Within 3.5 hours of their initial call, CIR deployed SentinelOne for endpoint monitoring and began recovery efforts. Although the manufacturer believed the threat actor was already out of their environment, CIR routinely reviews the client's email environment to confirm that the threat actor cannot read the case communications and updates exchanged between CIR and the insured.
Next, we assessed their backups. The manufacturer used Veeam® software to manage their backups and kept a second set in Azure®, offline from the primary network. Unfortunately, the threat actor gained access to Veeam® and encrypted over 50% of that data. Between the surviving Veeam® data and the Azure® copy, they could have pieced together and restored about 75% of their data, but that was not enough to become fully operational again.
On top of the restoration concerns, the insured was worried about the threat actor leaking the stolen data, which contained highly sensitive information. The threat actor demanded $1.5 million in ransom, and we agreed to move forward with the negotiating process. We successfully negotiated the amount to less than half of the initial demand, then received the decryptor and a file deletion confirmation from the threat actor.
In concluding the forensic investigation, CIR could not determine the root cause of this ransomware attack because the manufacturer did not maintain adequate logging on the network; those logs are usually what allows the root cause of an attack to be established. We could, however, see a device not owned by the insured connecting through the insured's VPN, which led us to believe the VPN was the threat actor's entry point.
Best practices for maintaining good backups
The goal in any ransomware incident is to avoid paying the ransom. However, we understand that payment may be the only option for businesses that cannot accept highly sensitive data being leaked, or that lack viable backups to quickly resume operations.
When opting to pay a ransom, we put our trust in threat actors — there is no guarantee of honor among thieves. Even after payment is made and threat actors deliver proof of deletion, retained copies of the data can still resurface on the dark web at a later time.
Dealing with threat actors is always risky, which is why we believe it’s so important to have reliable backups in place and a team of experts to help navigate the process.
Here are our best recommendations for maintaining backups:
Triage the data on your systems. Determine which data and systems are needed to restore critical business functions first, and then all business operations (across teams such as Sales, Finance, Marketing, and Operations).
Always maintain at least two backups. One set should contain your critical data and be completely offline from the primary network, so that an attacker who has compromised the network, or the backup server itself as in the case above, cannot reach and encrypt it.
Avoid relying on onsite software backups alone when possible. They are the least effective, because threat actors are familiar with how to corrupt or delete them.
Determine a cadence for backing up critical data based on how much data you can afford to lose. Some businesses are comfortable with weekly backups, while others need to run them every 24 hours.
Test your backups at least every three months. A test verifies that restoration is actually possible and tells you how long it will take. Data recovery timeframes can range from as little as 45 minutes to six months or more.
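The restore test in the last recommendation, as an added example that is not Coalition's or CIR's code: hash every file at backup time into a manifest kept apart from the backup, then verify a copy against it, reporting files that are missing or no longer match (which is what an encrypted backup repository looks like to a restore) and whether the copy is fresher than the chosen cadence. The file layout, manifest format and sample data below are assumptions for illustration; the scenario is constructed and not taken from any real incident.

```python
# Added example, not Coalition's or CIR's code. Paths, manifest format and
# sample data are assumptions for illustration.
import hashlib
import json
import os
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class RestoreReport:
    ok: int = 0
    missing: list = field(default_factory=list)    # in manifest, not on disk
    corrupted: list = field(default_factory=list)  # on disk, hash mismatch
    age_hours: float = 0.0
    cadence_ok: bool = True
    seconds: float = 0.0                           # how long the check took

    @property
    def usable(self) -> bool:
        return not self.missing and not self.corrupted and self.cadence_ok


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path, manifest_path: Path, taken_at: float) -> dict:
    """Hash every file in the copy. The manifest lives outside the backup so an
    attacker who encrypts the repository cannot also rewrite the reference."""
    files = sorted(p for p in backup_dir.rglob("*") if p.is_file())
    manifest = {"taken_at": taken_at,
                "files": {p.relative_to(backup_dir).as_posix(): sha256_file(p) for p in files}}
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(backup_dir: Path, manifest_path: Path, max_age_hours: float) -> RestoreReport:
    """Verify a backup copy against its manifest and against the backup cadence."""
    start = time.monotonic()
    manifest = json.loads(manifest_path.read_text())
    rep = RestoreReport()
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            rep.missing.append(rel)
        elif sha256_file(p) != expected:
            rep.corrupted.append(rel)
        else:
            rep.ok += 1
    rep.age_hours = (time.time() - manifest["taken_at"]) / 3600
    rep.cadence_ok = rep.age_hours <= max_age_hours
    rep.seconds = time.monotonic() - start
    return rep


def run_demo(max_age_hours: float = 24.0, backup_age_hours: float = 1.0) -> dict:
    """Constructed scenario (not a real incident): two copies of the same data,
    one onsite and reachable from the network, one offline. Ransomware on the
    network overwrites one onsite file and renames another; the offline copy
    is untouched. Returns a RestoreReport per copy."""
    sample = {  # constructed sample data
        "finance/ledger.csv": b"2023-04-01,invoice,1200.00\n",
        "ops/schedule.txt": b"shift A 06:00-14:00\n",
        "sales/pipeline.json": b'{"deals": 17}\n',
    }
    taken_at = time.time() - backup_age_hours * 3600
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("onsite", "offline"):
            for rel, data in sample.items():
                (root / name / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / name / rel).write_bytes(data)
            write_manifest(root / name, root / f"{name}.manifest.json", taken_at)
        onsite = root / "onsite"
        (onsite / "finance/ledger.csv").write_bytes(os.urandom(64))             # encrypted in place
        (onsite / "ops/schedule.txt").rename(onsite / "ops/schedule.txt.locked")  # renamed by the locker
        return {name: verify_restore(root / name, root / f"{name}.manifest.json", max_age_hours)
                for name in ("onsite", "offline")}


if __name__ == "__main__":
    for name, rep in run_demo().items():
        print(f"{name}: usable={rep.usable} ok={rep.ok} missing={rep.missing} "
              f"corrupted={rep.corrupted} age={rep.age_hours:.1f}h in {rep.seconds:.3f}s")
```

Run it as a script to see the onsite copy fail the check (one file corrupted, one missing) while the offline copy passes. The elapsed time the report records is the number to track across quarterly tests, since it is the closest thing to a measured restore window; in a real deployment the manifest would be generated by the backup job and stored with the offline set, and the check would be run against a scratch restore of that set rather than against the live repository.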
A viable set of backups is a large part of what allows an organization to recover from a ransomware event without paying. Without one, you are far more likely to be at the mercy of the cybercriminals.
In addition to a good set of backups, organizations can manage cyber risk with Coalition Control, our cyber risk management platform that offers organizations a view of their known cyber risks before they become attacks.
Insurance products are offered in the U.S. by Coalition Insurance Solutions Inc.(“CIS”), a licensed insurance producer and surplus lines broker, (Cal. license # 0L76155) acting on behalf of a number of unaffiliated insurance companies, and on an admitted basis through Coalition Insurance Company (“CIC”) a licensed insurance underwriter (NAIC # 29530). See licenses and disclaimers. Copyright © 2023. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.