The do’s and don’ts for ransomware threats | #ransomware | #cybercrime

The threat of ransomware to backup data in the cloud is becoming a security concern, as new guidance from the National Cyber Security Centre (NCSC) has highlighted.

While backups are an integral part of security protocol, cloud backups pose a particular risk as ransomware gangs become more creative and widen their scope of targets.

From September 2021 through to September 2022, 81% of companies suffered a cloud security incident, according to data from Venafi.

In 2022, Cloudstar, a major cloud services provider, suffered a major ransomware attack, with hundreds of firms affected.

According to the NCSC, threat actors often target backups and infrastructure in the early stages of a destructive ransomware attack, deleting or destroying the data stored there to make it harder for the victim to recover their data, and more likely to pay the ransom.

This puts data in cloud-based backup services at particular risk from ransomware actors, unless additional measures are taken to protect it.

As cloud-based backup services will not necessarily be resistant to ransomware attacks by default, the NCSC has set out the functions a service should offer, so that it can be considered resistant to destruction by ransomware.

Vendors of cloud-based backup services should show how their service meets the principles outlined by the NCSC, allowing them to describe their service as resistant to ransomware, and helping customers understand how their backup data will be protected.

For system owners, the guidance can provide a launching-off point to form questions for potential suppliers in order to understand how their service will protect backup data if a ransomware attack occurs.

Principle 1. Backup Resiliency to Destructive Actions

Backups should be resistant to the destruction threat actors may try to cause to frustrate or prevent the effective recovery of victim data.

The NCSC says that effective measures to prevent the destruction of backup data include outright blocking deletion requests and delaying deletion requests.

Further, companies can offer a soft-delete by default option, where ‘deleted’ data is marked as inaccessible, but is still recoverable for a certain period of time.

Principle 2. Configuring For Unblocked Customer Access

Instead of outright deleting backup data, ransomware gangs can instead attempt to block victim organisations from accessing this data by deleting or disabling customer accounts.

In order to mitigate this, backup systems should be configured so that threat actors cannot deny all customer access.

To prevent this, organisations can allow customer access to the backup service even if all existing corporate IT systems and assets are unavailable due to an attack. This can be achieved by agreeing a separate, out-of-band access mechanism in advance.

Organisations are also advised to forbid any identity and access management (IAM) policy that restricts access to a single account within an attacker’s control.
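The single-account problem from Principle 2 is easy to check mechanically. The following is an added example, not code from the NCSC or from any backup vendor: it takes a list of access grants in a constructed shape (principal, identity provider, role, MFA flag) and reports whether restore access survives the loss of any one principal or of the whole corporate identity provider. The grant format, role names and sample identities are all assumptions.

```python
"""Audit backup access grants for a single point of lockout (added example, constructed data)."""

# Roles that are sufficient to restore data; constructed names for the vendor's role model.
RESTORE_ROLES = {"restore", "admin"}


def _restorers(grants, lost_principals=(), lost_idps=()):
    """Grants that can still restore after the given principals/IdPs are taken away."""
    return [
        g for g in grants
        if g["role"] in RESTORE_ROLES
        and g.get("enabled", True)
        and g["principal"] not in lost_principals
        and g["idp"] not in lost_idps
    ]


def survives_loss(grants, lost_principals=(), lost_idps=()):
    """True if at least one restore-capable grant remains after the loss."""
    return len(_restorers(grants, lost_principals, lost_idps)) > 0


def audit_access(grants, corporate_idp):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    restorers = _restorers(grants)
    principals = {g["principal"] for g in restorers}

    # Principle 2: no single account may be the only route to the backups.
    if len(principals) < 2:
        findings.append(f"single point of access: only {len(principals)} principal(s) can restore")
    for p in sorted(principals):
        if not survives_loss(grants, lost_principals={p}):
            findings.append(f"disabling {p} alone denies all restore access")

    # Out-of-band route: at least one restorer must not depend on the corporate IdP,
    # which is itself a likely casualty of a ransomware intrusion.
    if not survives_loss(grants, lost_idps={corporate_idp}):
        findings.append(f"no break-glass principal outside {corporate_idp}: losing the IdP locks out restore")
    for g in restorers:
        if g["idp"] != corporate_idp and not g.get("mfa"):
            findings.append(f"break-glass principal {g['principal']} lacks MFA")
    return findings


# Constructed sample: the corporate IdP is the only route, and one admin is the only restorer.
SAMPLE_GRANTS = [
    {"principal": "backup-admin@corp.example", "idp": "corp-idp", "role": "admin", "mfa": True},
    {"principal": "svc-backup@corp.example", "idp": "corp-idp", "role": "writer", "mfa": False},
]
# The same estate after adding a vendor-held break-glass identity.
SAMPLE_GRANTS_FIXED = SAMPLE_GRANTS + [
    {"principal": "breakglass-ciso", "idp": "vendor-local", "role": "restore", "mfa": True},
]

if __name__ == "__main__":
    for name, grants in (("before", SAMPLE_GRANTS), ("after", SAMPLE_GRANTS_FIXED)):
        print(name, audit_access(grants, "corp-idp") or "OK")
```

Run against the sample, the first grant set produces three findings (one restorer, that restorer is a single point of failure, and nothing outside the corporate IdP); the set with the vendor-held break-glass identity produces none.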

Principle 3. Mitigating Against a Corrupted Backup

Threat actors can corrupt backups instead of destroying them, so a backup service should allow customers to store backups for a retention period that aligns with their risk appetite, and system owners should monitor and test the state of their backups regularly.

Creating and retaining a version history, storing backup data according to a fixed time period, and offering flexible storage policies, can mitigate the risks of a corrupted backup.

Further, providing mechanisms so that system owners can test whether they can restore from the current backup state can also provide more security.
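The controls in Principle 1 (refuse deletes inside a retention lock, delay the deletes that are allowed, soft-delete rather than destroy) and Principle 3 (keep every version, verify a restore against the digest recorded at backup time) share one data model, so here is a single added example covering both. It is not the NCSC's code or any vendor's; the store, its window lengths, the clock (integer seconds) and the sample dumps are constructed for illustration.

```python
"""Model of a deletion-resistant, versioned backup store (added example, constructed data)."""
import hashlib
from dataclasses import dataclass, field

DAY = 86400  # seconds; the store uses a caller-supplied integer clock


@dataclass
class Version:
    seq: int
    data: bytes
    sha256: str       # digest recorded at write time, checked on every restore
    created_at: int


@dataclass
class BackupStore:
    lock_days: int = 30          # deletion refused while the newest version is this young
    delete_delay_days: int = 7   # allowed deletions only take effect after this delay
    recovery_days: int = 90      # soft-deleted objects remain recoverable this long
    _versions: dict = field(default_factory=dict)        # key -> [Version, ...]
    _pending_delete: dict = field(default_factory=dict)  # key -> time delete takes effect
    _soft_deleted: dict = field(default_factory=dict)    # key -> time it was soft-deleted

    def put(self, key, data, now):
        """Append a new version; earlier versions are never overwritten."""
        versions = self._versions.setdefault(key, [])
        v = Version(len(versions) + 1, data, hashlib.sha256(data).hexdigest(), now)
        versions.append(v)
        self._soft_deleted.pop(key, None)
        return v

    def request_delete(self, key, now):
        """Principle 1: refuse inside the lock window, otherwise schedule with a delay."""
        newest = self._versions[key][-1]
        if now - newest.created_at < self.lock_days * DAY:
            return "refused: retention lock"
        self._pending_delete[key] = now + self.delete_delay_days * DAY
        return "scheduled"

    def cancel_delete(self, key):
        """A customer who spots an unexpected delete can cancel it during the delay."""
        return self._pending_delete.pop(key, None) is not None

    def apply_pending(self, now):
        """Service clock tick: due deletes become soft-deletes, never hard deletes."""
        done = [k for k, t in self._pending_delete.items() if now >= t]
        for k in done:
            del self._pending_delete[k]
            self._soft_deleted[k] = now
        return done

    def recover(self, key):
        """Undo a soft-delete inside the recovery window."""
        return self._soft_deleted.pop(key, None) is not None

    def purge_expired(self, now):
        """The only path to real data loss: soft-deleted objects past the recovery window."""
        gone = [k for k, t in self._soft_deleted.items() if now - t >= self.recovery_days * DAY]
        for k in gone:
            del self._versions[k]
            del self._soft_deleted[k]
        return gone

    def restore(self, key, seq=0):
        """Principle 3: restore a chosen version (0 = latest) and verify its integrity."""
        if key in self._soft_deleted:
            raise LookupError(f"{key} is soft-deleted; recover() it first")
        versions = self._versions[key]
        v = versions[-1] if seq == 0 else versions[seq - 1]
        if hashlib.sha256(v.data).hexdigest() != v.sha256:
            raise ValueError(f"{key} v{v.seq} failed integrity check: backup is corrupted")
        return v.data

    def restore_test(self, key):
        """Regular restore test: report which versions of an object still restore cleanly."""
        results = {}
        for v in self._versions.get(key, []):
            try:
                self.restore(key, v.seq)
                results[v.seq] = "ok"
            except (ValueError, LookupError) as exc:
                results[v.seq] = str(exc)
        return results


if __name__ == "__main__":
    store = BackupStore()
    store.put("db", b"dump-1", now=0)
    store.put("db", b"dump-2", now=10 * DAY)
    print(store.request_delete("db", now=20 * DAY))   # refused: retention lock
    print(store.request_delete("db", now=45 * DAY))   # scheduled
    print(store.apply_pending(now=52 * DAY), store.recover("db"), store.restore_test("db"))
```

The important design point is that no request, however privileged, reaches `del self._versions[key]` directly: the only route is lock check, delay, soft-delete, recovery window, and each stage gives the customer time to notice and cancel.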

Principle 4. Robust Key Management for Data-at-Rest Protection

Threat actors can simply delete or modify encryption keys to lock users out of data that is protected through encryption.

The NCSC has its own guidance on cloud key management, created specifically to mitigate this risk.

Offering an out-of-band key backup option, such as in QR code form, so that the key data can be stored in a secure location, can also give customers more peace of mind.

Principle 5. Alerts for Changes and Privileged Action Attempts

Attackers rarely want to be noticed until it is too late, so creating alerts that users can approve or raise to their vendor for significant changes to their backup or for privileged actions is vital in raising an early alarm bell.

These alerts should be raised even if a change is unsuccessful so customers can be aware they are at greater risk of a threat, and the alerts should still work even if a customer’s infrastructure is compromised.

Significant changes themselves should require extra authorisation and automatically initiate extra protective monitoring in order to prevent successful attacks.
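To make Principle 5 concrete, here is an added example of the alerting logic, not code from the NCSC or from any vendor. It reads constructed JSON audit lines in an assumed shape (`ts`, `actor`, `action`, `outcome`) and raises an alert for every privileged action whether it was allowed or denied, marks denied attempts as higher severity (a failed delete is evidence of an intruder probing the backups), escalates a burst of denials from one actor, routes every alert to an out-of-band contact, and holds successful privileged changes for a second approval. The action names are assumptions.

```python
"""Alerting over backup-service audit events (added example, constructed log lines)."""
import json
from collections import defaultdict

# Actions that always alert, successful or not (constructed names for a backup service's audit log).
PRIVILEGED_ACTIONS = {
    "DeleteBackup", "ShortenRetention", "DisableVersioning", "DeleteEncryptionKey",
    "RemoveUser", "DisableAccount", "ChangeRecoveryContact",
}
BURST_WINDOW_S = 600  # three or more denied privileged attempts by one actor within 10 min
BURST_COUNT = 3


def alerts_from_log(lines):
    """Turn audit lines into alert dicts; non-privileged actions produce nothing."""
    alerts = []
    denied_times = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        if ev["action"] not in PRIVILEGED_ACTIONS:
            continue
        denied = ev["outcome"] == "denied"
        severity = "high" if denied else "medium"
        if denied:
            denied_times[ev["actor"]].append(ev["ts"])
            recent = [t for t in denied_times[ev["actor"]] if ev["ts"] - t <= BURST_WINDOW_S]
            if len(recent) >= BURST_COUNT:
                severity = "critical"
        alerts.append({
            "ts": ev["ts"],
            "actor": ev["actor"],
            "action": ev["action"],
            "outcome": ev["outcome"],
            "severity": severity,
            # Delivered outside the customer's estate so a compromised network cannot suppress it.
            "channel": "out_of_band_contact",
            # A successful privileged change is held until a second person approves it.
            "needs_second_approval": not denied,
        })
    return alerts


# Constructed sample: routine listing, a service account probing three destructive
# operations in quick succession, then a successful user removal.
SAMPLE_LOG = [
    '{"ts": 1000, "actor": "alice", "action": "ListBackups", "outcome": "allowed"}',
    '{"ts": 1100, "actor": "svc-backup", "action": "DeleteBackup", "outcome": "denied"}',
    '{"ts": 1200, "actor": "svc-backup", "action": "ShortenRetention", "outcome": "denied"}',
    '{"ts": 1300, "actor": "svc-backup", "action": "DeleteEncryptionKey", "outcome": "denied"}',
    '{"ts": 2000, "actor": "bob", "action": "RemoveUser", "outcome": "allowed"}',
]

if __name__ == "__main__":
    for a in alerts_from_log(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['actor']} {a['action']} ({a['outcome']}) "
              f"-> {a['channel']}, second approval: {a['needs_second_approval']}")
```

On the sample the listing is ignored, the three denied attempts escalate from high to critical, and the allowed `RemoveUser` is alerted at medium severity and parked pending a second approver.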
