Ransomware is a data integrity attack: it encrypts data in place, leaving it modified and unusable, and withholds access to a computer system or its files until money, the “ransom,” is paid. It is most often delivered by email, either as an attachment or as a malicious URL, and it can also arrive through downloads from compromised or malicious websites and through social media messaging. Cyber criminals often distribute generic ransomware with a “shotgun” approach, spamming large email lists. Some ransomware also carries built-in worming capability and spreads on its own to as many reachable systems as possible.
When ransomware reaches backup copies it usually does so opportunistically rather than by deliberate targeting, although some families do target backups specifically. Depending on the variant, the malware crawls every file system it can reach looking for specific file types; if it encounters a backup file extension, it encrypts those files along with everything else it finds.
To protect data and networks against ransomware, organizations should back up systems frequently and keep copies on separate media that cannot be reached over the network, a practice known as “air gapping.” To reduce the chance of infection in the first place, organizations should also keep operating systems and applications patched and treat URLs delivered by email, and unfamiliar websites, with caution.
An air-gapped backup and recovery strategy (sometimes marketed as “ransomware backups”) keeps a copy of the organization’s data offline, where it cannot be reached from the internet or from the private network, so that malware running inside the environment has no path to modify or delete that secondary copy; while it is offline the copy is effectively immutable. Cloud storage is becoming the modern equivalent of this air gap, but only when the backup copy is segmented away from the public internet and written with credentials that production systems do not hold: a cloud bucket that the same compromised account can delete from is not an air gap.
Even a properly air-gapped backup process needs care in how it is run. If a device was encrypted before the next backup cycle, the encrypted files are copied as though they were legitimate changes and become part of the backup set.1 The air gap protects the media from the malware; it does not stop already-damaged data from being backed up. Keeping several backup generations, and verifying each new set before it replaces an older one, guards against silently rotating out the last clean copy.
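The check described above, as an added example in Python (this is not code from the original article or from any backup vendor): before the newest backup is allowed to overwrite an offline generation, the script compares the source tree with the manifest recorded at the previous cycle, and flags a set for quarantine when most of the tree changed at once and the changed files look like ciphertext (high Shannon entropy) or carry a ransom-style suffix. The thresholds, the suffix list and the sample tree are assumptions for illustration.

```python
"""Pre-rotation sanity check for a backup set (added example, not from the
original article). Before the newest backup overwrites an offline generation,
compare the source tree with the manifest recorded at the previous backup.
If most files changed in one cycle and the changed files look like random
bytes (high Shannon entropy) or carry a ransom-style suffix, the data was
probably encrypted before this cycle ran: quarantine the set instead of
rotating out an older, clean generation. Thresholds, suffixes and the sample
tree are assumptions for illustration."""
import hashlib
import math
import os
import tempfile
from pathlib import Path

CHANGE_RATIO_THRESHOLD = 0.5   # assumption: more than half the tree changing in one cycle is abnormal
ENTROPY_THRESHOLD = 7.5        # bits per byte; encrypted or compressed data approaches 8.0
SUSPICIOUS_SUFFIXES = {".locked", ".encrypted", ".crypt"}  # assumption: illustrative suffixes only


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 of content for every regular file under root."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def assess_backup(root: Path, previous: dict) -> dict:
    """Compare the source tree against the previous manifest and return counts plus a verdict."""
    current = build_manifest(root)
    changed = [rel for rel, digest in current.items() if previous.get(rel) != digest]  # new or modified
    missing = [rel for rel in previous if rel not in current]                           # deleted or renamed away
    total = len(set(previous) | set(current)) or 1
    change_ratio = (len(changed) + len(missing)) / total
    suspicious = sum(
        1 for rel in changed
        if (root / rel).suffix in SUSPICIOUS_SUFFIXES
        or shannon_entropy((root / rel).read_bytes()) >= ENTROPY_THRESHOLD
    )
    verdict = "ok"
    if change_ratio >= CHANGE_RATIO_THRESHOLD and changed and suspicious >= len(changed) / 2:
        verdict = "quarantine"
    return {"changed": len(changed), "missing": len(missing), "suspicious": suspicious,
            "change_ratio": round(change_ratio, 2), "verdict": verdict}


def run_demo() -> dict:
    """Constructed scenario: a small source tree, one normal edit, then every
    file encrypted and renamed before the next backup cycle."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(4):
            (root / f"report{i}.txt").write_text("quarterly figures, plain text\n" * 40)
        baseline = build_manifest(root)

        (root / "report0.txt").write_text("quarterly figures, revised\n" * 40)
        clean = assess_backup(root, baseline)

        for p in list(root.glob("*.txt")):
            p.with_name(p.name + ".locked").write_bytes(os.urandom(4096))  # simulated ciphertext
            p.unlink()
        attacked = assess_backup(root, baseline)
    return {"clean": clean, "attacked": attacked}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:8s} {result}")
```

The verdict is deliberately conservative: a single edited file, or a bulk change of low-entropy files such as a mass find-and-replace, stays “ok”, while a tree where most files were replaced by random-looking content is held back so that an older generation is not overwritten. In a real rotation the manifest would be stored with the backup set, not on the source host where ransomware could alter it.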
Ransomware also actively hunts for recovery data it can reach. Most variants delete Volume Shadow Copy snapshots, typically by running commands such as vssadmin delete shadows /all /quiet or wmic shadowcopy delete, and many include scripts that locate and delete backup files across the network. Most attacks will also encrypt backups stored on mapped network drives, since a mapped drive is just another file system to the malware.
Microsoft Windows lets users restore earlier versions of files and roll a system back, but both features depend on those shadow copies. By deleting the automatic copies Windows creates, ransomware renders System Restore and Previous Versions non-functional, so that systems cannot be recovered without an external backup.
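Because the shadow-copy deletion described above almost always precedes encryption, it is one of the most useful detection points. The following Python detector is an added example (not from the original article) that scans process-creation telemetry for the recovery-inhibition commands ransomware runs, mapped to MITRE ATT&CK T1490 (Inhibit System Recovery). The key=value log format and every line in SAMPLE_LOG are constructed for this example; in production the same rules would run over Sysmon Event ID 1 or Security Event ID 4688 records with command-line auditing enabled.

```python
"""Detector for shadow-copy deletion and recovery-inhibition commands (added
example, not from the original article). It scans process-creation telemetry
for the commands ransomware families commonly run before encrypting, mapped
to MITRE ATT&CK T1490 (Inhibit System Recovery). The log line format and every
line in SAMPLE_LOG are constructed for this example."""
import re
from collections import defaultdict

# Constructed sample telemetry (assumed key=value format, not real Sysmon or 4688 output).
# The first line is a benign inventory command; the last is a backup agent taking a snapshot.
SAMPLE_LOG = r"""
2024-05-02T10:14:01Z host=WS01 user=CORP\jdoe parent=explorer.exe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin list shadows"
2024-05-02T10:14:03Z host=WS01 user=CORP\jdoe parent=update.exe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"
2024-05-02T10:14:04Z host=WS01 user=CORP\jdoe parent=update.exe image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic shadowcopy delete"
2024-05-02T10:14:05Z host=WS01 user=CORP\jdoe parent=update.exe image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled no"
2024-05-02T10:14:06Z host=WS01 user=CORP\jdoe parent=update.exe image=C:\Windows\System32\wbadmin.exe cmdline="wbadmin delete catalog -quiet"
2024-05-02T10:14:07Z host=WS01 user=CORP\jdoe parent=update.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
2024-05-02T11:00:00Z host=WS01 user=NT AUTHORITY\SYSTEM parent=services.exe image=C:\Program Files\BackupAgent\agent.exe cmdline="agent.exe --snapshot C:"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>.+?) parent=(?P<parent>\S+) '
    r'image=(?P<image>.+?) cmdline="(?P<cmdline>.*)"$'
)

# Each rule is matched against the lowercased, whitespace-collapsed command line.
RULES = [
    ("T1490 vssadmin delete shadows",       re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("T1490 vssadmin resize shadowstorage", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("T1490 wmic shadowcopy delete",        re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("T1490 WMI Win32_ShadowCopy delete",   re.compile(r"win32_shadowcopy.*\bdelete\b")),
    ("T1490 bcdedit disable recovery",      re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("T1490 wbadmin delete catalog",        re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
]


def parse_line(line: str):
    """Return the event fields as a dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def normalize(cmdline: str) -> str:
    """Case-fold and collapse whitespace so padding or casing tricks do not evade the rules."""
    return re.sub(r"\s+", " ", cmdline).lower()


def detect(log_text: str) -> list:
    """Scan every event; emit one alert per event for the first rule that matches."""
    alerts = []
    for raw in log_text.strip().splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        cmd = normalize(ev["cmdline"])
        for name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                               "parent": ev["parent"], "rule": name, "cmdline": ev["cmdline"]})
                break
    return alerts


def hosts_with_recovery_inhibited(alerts: list, min_distinct_rules: int = 2) -> list:
    """Hosts where several distinct T1490 techniques fired: treat as an active
    ransomware precursor rather than a lone administrative command."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].add(a["rule"])
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} {a["host"]} {a["user"]} parent={a["parent"]} {a["rule"]}: {a["cmdline"]}')
    print("hosts to isolate:", hosts_with_recovery_inhibited(found))
```

Two design points matter in practice. First, the benign `vssadmin list shadows` and the backup agent's own snapshot produce no alert, so the rules do not fire on routine administration. Second, the grouping step escalates only when several distinct techniques run on one host in the same window; that combination, all spawned by the same unfamiliar parent process in the sample, is the signature of a ransomware payload preparing to encrypt, and the right response is to isolate the host before the encryption phase begins.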