Back up your backups: How this school outsmarted a ransomware attack
The evolution of ransomware attacks
Although some security researches are seeing a decline in ransomware attacks, this threat still poses a great risk to organizations. Of special concern is the fact that cybercriminals are aware that organizations are using backups to protect against ransomware — and consequently, many malware families are now also targeting data backups.
That’s why multiple backups are important. While backing up your backup may sound redundant, in the event of a ransomware attack, it could save you tens or hundreds of thousands of dollars. And that’s exactly what a school district in Texas found out.
How Athens ISD avoided paying $50,000 ransom
Athens Independent School District in Texas serves more than 3,000 students at five schools. In July 2020, the district discovered that data on its servers was encrypted, then received a ransom demand for $50,000. The school board quickly approved paying off the ransom, and subsequently the district negotiated the amount with the cybercriminals, getting it down to $25,000.
And this is where things got interesting. According to various media reports, the Athens IT team, with the help from a cybersecurity vendor and cyber response teams, learned two important facts within two or three days of receiving the demand. One, logs showed that the attackers didn’t access or steal the data itself (which is now a capability of some ransomware, like AgeLocker). Two, Athens ISD had a very recent, uncompromised backup of its most important database (including student records) and could restore much of its data.
As the school’s technology director put it in media interviews, “It felt incredible.” But while it may feel like Athens ISD got lucky, in reality what saved the taxpayers $25,000 was a best practice that the district followed: not relying on a single backup.
The incident wasn’t completely painless. Athens still had to spend time ensuring data integrity and restoring systems, as well as had to buy new hard drives. Plus, data from the teachers’ individual computers couldn’t be recovered. But $25,000 saved was still good news.
Of course, even redundant backups are not a guarantee that you’ll be able to restore your data or avoid paying a ransom. But your chances are certainly much improved.
How ransomware goes after backups
Two of the malware families that target backups, in addition to regular data, are Ryuk and SamSam.
Ryuk is sophisticated ransomware that’s been targeting potential victims who are more likely to pay or have critical data, such as hospitals. It uses a variety of tools to evade detection and often involves human operators to carry out the more advanced phases. Ryuk uses cyphers that make it very difficult to decrypt the files without the key, so there’s no publicly available decryptor tool.
In addition to encrypting data on the system, Ryuk runs a command that deletes the shadow volume copies and other backup files that it identifies. Shadow volume is a technology included in Microsoft Windows that creates snapshots or backups of files or volumes and makes it easy to restore previous versions. Typically, the copies are stored in the same volume—so the ransomware’s PowerShell command removes the shadow volume copies to prevent you from restoring them.
SamSam also attacks different types of backup files. For example, backup vendor Acronis (which provides options for both local and cloud backup) found that SamSam attacks the Acronis backup files (.tib) in addition to Windows backup files (.bkf). And while Acronis, in this case, provides protection against ransomware (actively detecting and blocking it), the sophistication of the threat actors illustrates why you should maintain the “3-2-1” backup rule as a best practice.
Back up your backups: The 3-2-1 rule
The 3-2-1 rule for backup is not new, and it’s also very simple. This best practice is all about redundancy, and all these steps prevent having a single point of failure. Here’s how the rule works:
- Keep at least three copies of the data: Which means at least one primary copy and two backup versions (i.e., two backups of your backup) stored in three different places. In other words, those shadow volume copies stored on the same Windows volume? Great if you need a previous version of a document for some reason. Not so great on their own (i.e., not enough) to protect you from a ransomware attack.
- Store copies on at least two different media: This could include the internal hard drive, a removal storage drive, the cloud and so on. By having two different formats, you’re giving yourself options in the event one format fails.
- Keep at least one backup offsite: So if your backup server is at the same location (like your headquarters), store one backup copy in the cloud, for example.
In addition to using the 3-2-1 rule, keep in mind these additional best practices:
- Back up regularly and often: In the case of Athens ISD, one thing that saved the district’s data was having a backup that was just a few days old.
- Consider all your data: With so many apps being cloud-based these days, it’s easy to think you can always access your data. That’s true in the sense that you can access it from anywhere — but that doesn’t mean your SaaS vendor follows good security practices. And even those vendors with excellent cybersecurity are not completely immune to data loss or disasters. So do your homework before entrusting your data to a provider. And just as important, look for ways to create your own backup of your SaaS apps (some third-party backup services, for example, will back up Microsoft 365 files).
- Test your backup: There’s nothing worse than having peace of mind with backup, only to find out the files were corrupted or you can’t restore them for another reason.
Back up the backup — but use prevention, too
Backups are only one tool to use against ransomware attacks. There’s much more you can do to prevent infections in the first place.
From patching your systems to using anti-malware, firewalls and other security tools; to educating your end users about phishing (often used to start a ransomware attack), malware and other threats — using multiple tools, processes and protection layers is the best way to keep up with the cybercriminals.
Security Tip (ST19-001): Protecting Against Ransomware, US Cybersecurity & Infrastructure Security Agency