Backup strategy against data extortion
The insidious part is that anti-virus products have detected each new variant only after it was already too late, and they still do. Virus scanners recognised the current wave of ransomware only weeks after it had become public.
By then the Trojans had long been at work. Several companies and public administrations in Germany were affected, and some had to halt operations.
Hospitals in the USA have paid ransoms. Depending on the size of the organisation, the demanded amount ranges between 200 and 15,000 euros. The only protection that is really effective is an intelligent backup strategy.
Yet some companies shy away from this logical step and prefer to stockpile Bitcoin so that they can buy back their own data, as a recent survey of British companies shows.
A data protection strategy should be an integral part of the IT security concept. It is not even particularly difficult, yet it can decide the success or failure of a business. A few rules are enough.
Currently the majority of attacks target Windows systems, but other platforms have recently come under fire as well. The success rate of the extortion encourages the cybercriminals to attack other operating systems too.
Because this form of cybercrime pays off for the attackers, as the British survey shows, attacks on SAP landscapes in the enterprise and on open source solutions must also be expected in the near future.
Backups also compromised
As a specialist for backup solutions, SEP sees database files as the main target of the crypto Trojans: this is where organisations can be hit hardest in their day-to-day operations.
Recovery after an attack is normally handled as a disaster recovery case. But what if the backup data has also already been encrypted and cannot be read back during recovery either?
In addition to the classic backup scheme, i.e. a weekly complete backup of all data (full backup) and at least a daily backup of the data that has changed since then (differential or incremental backup), further measures are necessary.
Backup data should therefore be written with a "media break" to a separate tape drive (offline media) and, where feasible, kept at a different location.
Malware running on the production systems then has no path to the backup data. The retention period must also be extended, because the malware may have spread unnoticed for weeks before it was detected, and a backup that reaches back only a few days may contain nothing but already encrypted files.
As in every backup scenario, data volumes add up with each run, especially with full backups. Deduplication can help here by intelligently minimising the amount of data held in backup storage.
Attack - and now?
Once an attack has happened, the point in time at which the encryption started must be narrowed down. Only then does the recovery process begin. Initially, the data may be accessed in read-only mode only, so that the restore neither overwrites intact copies nor re-exposes them to the malware.
If the encryption command had not yet been executed when a copy was taken, that copy can at least still be read this way. Once the last intact data set has been identified, the systems are restored cleanly from it.
To ensure a speedy recovery at any time, recovery tests should be rehearsed regularly for all systems, or validated automatically by the backup software.
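The two points above, a retention period that reaches back past the undetected propagation period and the search for the last intact backup before restoring, can be checked with a small script. The following Python example is added here for illustration and is not SEP's code. It constructs daily in-memory snapshots of a hypothetical file set (the paths, contents and dates are made up), flags files that look encrypted by the loss of their format magic bytes combined with a near-random byte distribution, and then asks which restore point survives a given retention window. The entropy threshold, the magic-byte list and the 5 % tolerance are assumptions chosen for the example.

```python
"""Find the last clean backup snapshot before a ransomware encryption event.

Added example, not SEP's code. Snapshots are constructed dicts {path: bytes};
a real run would read the mounted backup media read-only instead.
"""
import hashlib
import math
from collections import Counter
from datetime import date, timedelta

# Formats whose payload is legitimately high-entropy (compressed). Their magic
# bytes survive in a clean file but are destroyed when ransomware encrypts it.
# Assumed list for the example; extend it for the formats in your environment.
KNOWN_MAGIC = (b"%PDF", b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, between 0.0 and 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic: no recognisable magic bytes and a near-random byte distribution."""
    if data.startswith(KNOWN_MAGIC):
        return False
    return shannon_entropy(data) >= threshold


def encrypted_ratio(files: dict) -> float:
    """Fraction of files in one snapshot that look like ciphertext."""
    if not files:
        return 0.0
    return sum(looks_encrypted(d) for d in files.values()) / len(files)


def apply_retention(snapshots, retention_days: int, today: date):
    """Simulate the backup software's retention: drop snapshots older than the window."""
    cutoff = today - timedelta(days=retention_days)
    return [(day, files) for day, files in snapshots if day >= cutoff]


def last_clean_snapshot(snapshots, max_ratio: float = 0.05):
    """snapshots: list of (date, {path: bytes}) in ascending order.
    Returns the date of the newest snapshot taken before encryption shows up,
    or None if every retained snapshot is already tainted."""
    clean = None
    for day, files in snapshots:
        if encrypted_ratio(files) > max_ratio:
            break  # everything from here on was taken after the encryption ran
        clean = day
    return clean


def restore_point(snapshots, retention_days: int, today: date):
    """Restore point that is both clean and still within the retention window."""
    return last_clean_snapshot(apply_retention(snapshots, retention_days, today))


# --- constructed sample data (not real backups) -----------------------------
def pseudo_random(label: str, size: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext."""
    out, counter = b"", 0
    while len(out) < size:
        out += hashlib.sha256(f"{label}:{counter}".encode()).digest()
        counter += 1
    return out[:size]


def clean_files() -> dict:
    return {
        "finance/invoice.txt": b"Invoice 4711, net 30 days, amount EUR 1200.00\n" * 60,
        # a ZIP container (docx) is high-entropy but keeps its magic bytes
        "hr/policy.docx": b"PK\x03\x04" + pseudo_random("docx-deflate", 4000),
        "db/customers.sql": b"INSERT INTO customers VALUES (1,'Mueller');\n" * 80,
    }


def encrypted_files() -> dict:
    # same paths, but the payloads are now ciphertext and the magic bytes are gone
    return {path: pseudo_random("ransom:" + path, 4096) for path in clean_files()}


DETECTED = date(2016, 3, 1)                      # day the attack was noticed
ENCRYPTED_SINCE = DETECTED - timedelta(days=9)   # it ran unnoticed for nine days
SNAPSHOTS = [
    (DETECTED - timedelta(days=n),
     encrypted_files() if DETECTED - timedelta(days=n) >= ENCRYPTED_SINCE else clean_files())
    for n in range(20, -1, -1)                   # 21 daily snapshots, ascending
]

if __name__ == "__main__":
    for keep in (7, 14):
        print(f"retention {keep} days -> restore point {restore_point(SNAPSHOTS, keep, DETECTED)}")
```

With a seven-day retention every retained snapshot already contains ciphertext and no restore point is left, which is exactly the failure the text warns about; with fourteen days the snapshot from the day before the encryption started is found. The magic-byte check matters because compressed formats (PDF, ZIP-based Office files, images) are nearly as high-entropy as ciphertext, so entropy alone would misclassify clean backups.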
When it comes to protection against threats, firewalls and antivirus software are therefore no longer the only relevant factors. The new threats must strengthen awareness of an intelligent backup strategy once more.
After all, backup and recovery are an important pillar of IT security in companies and organisations.