Can ransomware infect your backups?

When ransomware strikes, your backup should save you from paying the ransom. But can ransomware infect and corrupt your backup? Yes, in multiple ways.
Share on email
Share on print
Share on facebook
Share on google
Share on twitter
Share on linkedin

There’s nothing worse than having a backup, getting hit with ransomware and still having to pay the ransom. So can ransomware infect and destroy your backup?

Looking at the epidemic of ransom payments, it’s obvious that backups can fail with alarming regularity. And if you become a victim, it’s no different to skydiving with torn parachute – at best you have illusion of resilience, only to find out the truth too late.

“Ransomware killed my backup!” – but how can this happen?

A few years ago, a sysadmin called our tech support hotline – and he was not having a good day. His company had suffered a ransomware infection, and this rapidly encrypted files on the victim’s computer.

So he stepped in to help… isolating the computer, booting into a recovery environment and running malware removal tools. After the computer passed all the tests, he rebooted and undertook the next step – to plug in the backup (which was a USB disk) and restore the encrypted files.

And as he plugged in that backup USB disk… BANG. The ransomware sprang back to life, and started to encrypt the backup.

So yes, your backups can be infected by ransomware.

As the hapless admin found out that day, ransomware can infect and corrupt any file connected to the infected machine, whether locally or via a network.

This is an example of the most obvious way that ransomware can infect your backups – from the outside – encrypting the backup file(s) just like it would any other file.

This incident raises many questions:

  • What mistakes did he make? What should he have done?
  • How else can ransomware infect your backup?
  • Can someone else’s ransomware infection affect me?

Backups should mitigate against having to pay ransoms. But how else can things fail?

There are obviously situations where backups can fail to recover – user error, silent failures, hardware failures… all these are a great subject for another blog.

But when it comes to crypto ransomware, there are also many situations where the backups can be useless.

It’s obvious with hindsight, one key mistake is that the administrator trusted the malware removal tool too much.

What was done rightWhat was done wrong
1. Doing backups, and having an “air gapped” copy of data
2. Isolating the computer upon infection
1. Trusting the malware removal tool
2. Plugging a backup into a previously infected machine

We discuss the recommended way of dealing with ransomware in our article, The Definitive Ransomware Protection Guide for Business in 2019.

In the rest of this blog, let’s look at the other ways that ransomware can infect and destroy the effectiveness of your backups. Hint: they are not all not obvious.

The hidden infection from within

Ransomware destruction inside of backups is just as big a problem, with similar consequences.

It’s well known that ransomware will not just encrypt files on the locally infected machine, but it will also look for connected network shares and encrypt files on those shares. That’s precisely how a company’s server backups can get infected with sabotaged data.

Let’s take this example – which is common among professional services firms such as accounting and legal.

  1. A small business runs an on-premise file server
  2. Multiple workstations connect to that file server, and employees uses a shared drive to store their data
  3. Image backups are done on that file server, backing up the entire machine

One of the workstations then gets infected with ransomware. But it doesn’t spring into life immediately. Instead, it waits until the end of the day, when everyone has gone home, and it starts to encrypt the files on the file server.

The problem is, the next time the backup runs on the file server, the backup will contain encrypted files. And as we know, backing up ransomed data is as useful as a torn parachute.

How backups can be rendered useless by ransomware

This scenario poses particular problems that can render the entire backup useless:

  1. Most backup software will just dutifully back up what it’s told to back up. It doesn’t recognize that the source data might be corrupted. It just takes a copy of the source data.
  2. If the size of the infection is huge, it might mean that all historical versions of the backups get automatically deleted because the backup destination doesn’t have enough room.

    Normally, systems such as the built-in backup programs in Microsoft Windows and Apple Macs keep as much backup history as the backup destination allows, deleting old versions as needed. But because ransomware can infect large amounts of data very quickly, the next incremental backup will be huge and can displace all historical backups.

    The other hidden fact is that encrypted data will not compress. So if your backup software uses compression, you’ll find that backups of infected data will occupy typically twice as much space as real data – again displacing old backups with garbage.

This leaves the unfortunate victim in the situation where the backups are useless.

It’s not me; it’s you. Being a victim of someone else’s infection.

And while you might not have been hijacked by ransomware, the chances are – you know someone who has.

And here’s why that’s a problem – as a friend of mine recently found out.

Today we live in an interconnected world. We use file sync tools like OneDrive (which is even built into Windows) and Dropbox, which automatically sync between the cloud and your hard drive.

If you are using such a file sync tool among a group of friends or colleagues, if anyone in that group gets infected with ransomware, their copies of files will be encrypted. Their file sync app will then upload the garbage copies of the files to the cloud… and then your file sync app will sync those garbage copies from the cloud to your computer. Then the next time you back up, you’ll have garbage in your backups instead of the original files.

Sometimes there are ways to retrieve the original files (if for example, some premium plans offer extended historical file versioning) but often it’s difficult or time consuming to restore large sets of data to a particular point in time, as you would do if restoring from backup.

That’s simply the risk of living in a connected world.

So what solutions are possible to preserve the backups?

As the creator of BackupAssist, I’m well aware that backups need to be dependable. By 2016, it was clear to me that backup software was now playing a different role to what it had done traditionally, with far greater emphasis on resilience to cyber crime.

The old risks of data lossThe new risks of data loss
Natural disaster
Fire
Theft
Employee sabotage
Hard drive theft
Ransomware
Hacking
Account compromise

So we embarked on an R&D project to see what we could do to assist in the situation, with our goal was to make backups resilient to ransomware.

Innovation 1: the shield

Knowing that the only purpose of a backup is to enable a recovery, the foremost priority is to make sure that the backup remains intact and does not get corrupted from the outside.

That led us to develop a software component that would shield the backup from unauthorized access. Testing this component proved successful, as we were able to block access to the backup from every strain of ransomware we could throw at it.

Innovation 2: early detection

The second half of the puzzle is to make sure that only legitimate data files are backed up – that is to say, to make sure the backup does not get corrupted from the inside.

Detecting the presence of ransomware-encrypted files in the source seemed easy at the start (leaning on my Computer Science background). By definition, encrypted files should be indistinguishable from random, and therefore should have high entropy. The same mathematical tests that determine if a random number generator is secure should also determine if a file is encrypted.

However, while that sounded great in theory, in practice it was not very effective at detecting an infection. We found that many strains of ransomware actually produced files where the entropy was not that high.

There are of course, other signs that we can look for. For example, ransom notices repeated in multiple directories. There’s factors such as examining the nature of changes to a file system – volume, patterns, and so on.

It turned out that looking for clusters of behaviour was the best way to detect an outbreak.

Putting it together

It’s our belief that ransomware should not be allowed to infect your backup if you truly want a dependable recovery point.

In 2017, we launched our CryptoSafeGuard feature in BackupAssist. It combines a shield and an early detector to help keep our clients safe, and their backups intact when they need it the most.

The shield works 24/7, monitoring access to the backup devices and blocking unauthorized access. It adds another layer of protection on top of the regular NTFS access control lists, which are not particularly effective against ransomware given that ransomware often has administrator or system level access.

And the early detector works by looking for malicious activity at the time of backup. As soon as such activity is found, CryptoSafeGuard will send an SMS to the registered administrator, and lock-down the backups.

When combining CryptoSafeGuard with multiple air-gapped backups (which come as default settings in BackupAssist), it maximizes the chance of a successful recovery, with no need to pay the ransom.

So will things be safe forever?

Can anyone be absolutely sure that ransomware will never infect their backup? I don’t believe so – only death and taxes are truly guaranteed. But this is in fact, the wrong question to ask.

Some better questions are – how can we reduce the risks of data loss and business downtime due to ransomware, and have we done all that we can? Is a solution like CryptoSafeGuard effective against practical attacks? Prior to widespread release, we commissioned an independent security test laboratory to verify the effectiveness of the solution, and we were very pleased with the results.

And the work continues.

We’ve entered a new age of computing where interconnectedness means we have both huge productivity and convenience benefits (such as the Cloud), but equally we have an entirely new set of risks to contend with.

The reality is that whether we like it or not, we have entered an arms race, where the good guys and bad guys continually have to innovate and try to stay one step ahead. What is “safe” this year may not be safe next year, which is why it’s so important to stay up to date with security – including OS updates and of course, updates to backup software.

In our labs, we’ve continued our R&D to protect backup data against ransomware, and we have many exciting avenues that are proving promising. But that’s a story for another time…

Leave a Comment

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email. Join 1,874 other subscribers
Share on email
Share on print
Share on facebook
Share on google
Share on twitter
Share on linkedin

Leave a Comment