Ransomware Attackers Use Your Cloud Backups Against You:
Backups are one the most, if not the most, important defense against ransomware, but if not configured properly, attackers will use it against you.
Recently the DoppelPaymer Ransomware operators published on their leak site the Admin user name and password for a non-paying victim's Veeam backup software.
This was not meant to expose the information to others for further attacks but was used as a warning to the victim that the ransomware operators had full access to their network, including the backups.
After seeing this information, I reached out to the operators of the DoppelPaymer and Maze Ransomware families to learn how they target victim's backups and was surprised by what I learned.
It should be noted that in this article we will be focusing on the Veeam backup software. Not because it is less secure than other software, but simply because it is one of the most popular enterprise backup products and was mentioned by the ransomware operators.
(Score: 5, Insightful) by Anonymous Coward on Sunday March 08 2020, @06:18PM (9 children)
I remember working at Zuora, about ten years ago, and proposing that we back up certain development-related servers, only to be told by the Director of IT, that everything was "mirrored", and so no backups were necessary.
I cite this as yet more evidence that people who are not technically qualified to make technical decisions really ought to leave those decisions to the technical people they go to so much trouble to locate and employ.
After arguing with nitwits like this guy and getting terminated for not being a "yes" man, time after time, I've put a lot of thought into just exactly what a "backup" is.
I am going to introduce the following nomenclature: "copy", and "backup".
I am going to suggest that the hard line separating a copy from a backup is its ease of access.
If it is online it is a copy. I don't care if it's compressed, encrypted, whatever. If it's online you MUST ASSUME it can be modified.
If it is OFFLINE then it is a BACKUP. A backup is a copy that has been moved offline to prevent it from being modified, and perhaps physically secured, possibly offsite. It is a physical tangible that is subject to tracking.
If you have a RAID array that is too big to back up, and so you build another RAID array, and use it to back up the first RAID array, then, shut the second RAID array down, power it off, and disconnect it from the network ... then, that is a BACKUP.
It's not about the media.
It's all about the methodology.
A backup GUARANTEES that you can back up.
A copy is not a guarantee. A copy on the same filesystem as the data itself exists upon, is useless, if the entire filesystem becomes corrupt.
By my rules, if your data is on the same hard drive ... on the same computer ... or even, continuously online, for convenience ... it is not backed up.
If you can't access your copies when the Internet is down, they are useless to you.
Argue with me if you want. I've been backing up computers for forty years.
When the bad stuff happens ... I have backups ... and you, don't.
~childo
(Score: 5, Interesting) by Common Joe on Sunday March 08 2020, @06:59PM (4 children)
I like your comment a lot and I'm adopting your definition.
I'm also starting my own mini-crusade and wish to add to yours: it's not a "backup". It's a "backup and restore". I know I'm preaching to the choir on SoylentNews, but what most suits don't understand is that the backup isn't important. It's the restore that's important. How we get the ability to restore includes testing and exactly what you said about taking things offline.
(Score: 5, Interesting) by edIII on Sunday March 08 2020, @08:20PM (3 children)
Fucking Aye.
A backup without a tested restore process, is just a hope of a backup. Just like a RAID isn't a mirroring solution, until you actually test it, and it performs as advertised. Just like a buildsheet isn't a buildsheet until somebody else uses it and succeeds.
Too many people stop halfway, go to lunch, and then operate with a false sense of confidence.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by PiMuNu on Monday March 09 2020, @12:38PM (1 child)
Computing Rule #1: If you don't test it, it doesn't work.
(Score: 0) by Anonymous Coward on Monday March 09 2020, @08:58PM
Sort of the inverse(?) of what we say here: everything works correctly, until you check the results.
(Score: 2) by Freeman on Monday March 09 2020, @05:35PM
Sad face story, our archives are being pushed to the cloud by our IT department. At least they're saying they'll keep one on site "copy/backup". They're pushing everything they can to the Cloud, so they don't have to bother with it.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by vux984 on Monday March 09 2020, @12:44AM (2 children)
(Score: 2) by Pino P on Monday March 09 2020, @03:43AM (1 child)
That depends on which country you live in. For how long have all ISPs in Kashmir been ordered to cease service?
(Score: 2) by vux984 on Monday March 09 2020, @04:25AM
"For how long have all ISPs in Kashmir been ordered to cease service?"
Long enough that if I needed to get my cloud backups I could have walked somewhere that still had service and back several times over by now.
(Score: 2) by darkfeline on Monday March 09 2020, @12:55AM
If it's offline, you must assume it can be modified too. Hell, if it exists, you must assume it can be modified; reality doesn't have a readonly bit. The difference is that if it's online, you can monitor and recover from data corruption. Not so when you come back to your offline backup and discover it no longer works.
There are no guarantees, there are only probabilities.
Join the SDF Public Access UNIX System today!