
CyberPartner Notes: Backup-Disabling Ransomware

By: Mike Talon for SKOUT CYBERSECURITY

SKOUT has been tracking a new twist to ransomware that specifically targets MSPs and their customers. While all ransomware is damaging, this one adds a component of pure nastiness that can and will have a devastating impact.

Standard variants of ransomware encrypt some or all of the information on a desktop, laptop, or server's disk systems, including storage attached to a server externally such as USB disks, SAN, or NAS platforms. Most also break, purposely or accidentally, native technologies like Windows ShadowCopy, removing the ability to revert to previous versions of the files that reside on the attacked device itself. To date, there are only three ways to retrieve encrypted files: pay the ransom; restore from an off-system backup copy (a backup that goes to some other machine, to the Cloud, to tape, etc.); or use a decryption tool from the cybersecurity community, if one has been found for the variant of ransomware that the device was infected with.

Paying the ransom is never recommended: it encourages more ransomware overall, and several threat actors have shown that they never intended to undo the damage of the attack or provide the decryption keys even after they have been paid. Restoration using community decryption tools (if they are available) or from backup are the best options.

Now there's a new twist to the story. Recent variants of ransomware that appear targeted primarily at MSPs purposely disable backup solutions prior to initiating the encryption phase of the attack. Since at least some versions of this attack disable the backup agents/systems weeks or even months before the actual encryption phase begins, recent data is not restorable from backups, because the backup jobs haven't been running for the intervening period. Luckily, the attack doesn't destroy existing backup data that resides off-machine; it just stops any new backups from happening for a period of time before the encryption phase starts. Note that this type of attack will mutate, and may morph into a version that actively encrypts any backup copies it can find in addition to stopping new backups from taking place.

There is one silver lining: many off-machine backup tools do not perform differencing or incremental backups, and instead only back up the latest version of any given file. With traditional ransomware this renders the backup unusable, since the backup data is overwritten by the encrypted versions of those files if the infection is not caught before the next scheduled backup job runs. In this case, no backups are taken after the attack disables the backup agent, so while the restored data will be outdated, it will still be restorable.

Defense advice against this form of ransomware is to use a combination of well-established systems of protection and monitoring:

– Ensure that all devices are running appropriate anti-malware solutions (like SKOUT Endpoint Protection), including server systems. Keep this protection updated.
– Ensure that all desktops, laptops, and servers are kept up to date with Operating System and application patches, fixes, and updates.
– Monitor backup tools for anomalies. Ensure that backups are completing on schedule, and that there are no errors or failed backup jobs.
– Use backup tools that save multiple versions of files, as opposed to only the most recent version.
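The monitoring point above is the one that catches this attack early, and the important detail is that a backup agent that has been stopped does not log a failure; it logs nothing. The following script is an added example (not SKOUT's code or any backup product's tooling) that checks a constructed, hypothetical key=value job log against an inventory of hosts that are expected to back up, and flags hosts with failed, stale, or entirely absent jobs:

```python
from datetime import datetime, timedelta

# Constructed sample backup-job log lines in a hypothetical key=value format
# (not any real product's log). srv-01 fails once and then stops reporting
# entirely, which is the silent gap this attack creates; srv-02 is a host
# that should be backing up but never appears in the log at all.
SAMPLE_LOG = """\
2019-06-01T02:00:00 host=ws-01 job=nightly status=success
2019-06-01T02:00:00 host=srv-01 job=nightly status=success
2019-06-02T02:00:00 host=ws-01 job=nightly status=success
2019-06-02T02:00:00 host=srv-01 job=nightly status=failed error=agent_not_running
2019-06-03T02:00:00 host=ws-01 job=nightly status=success
"""

def parse_log(text):
    """Parse each line into a dict with a datetime 'ts' plus the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events

def find_backup_anomalies(events, expected_hosts, now, max_age=timedelta(hours=36)):
    """Return {host: reason} for every expected host whose backups are not healthy.
    Iterating over the inventory rather than over the log is what catches agents
    that were simply stopped: they produce no failure record, only silence."""
    last_success, latest = {}, {}
    for e in sorted(events, key=lambda e: e["ts"]):
        latest[e["host"]] = e
        if e["status"] == "success":
            last_success[e["host"]] = e["ts"]
    anomalies = {}
    for host in expected_hosts:
        if host not in latest:
            anomalies[host] = "no backup jobs reported at all"
        elif host not in last_success:
            anomalies[host] = "no successful backup on record"
        elif now - last_success[host] > max_age:
            age = now - last_success[host]
            anomalies[host] = f"last success {age.days} days ago; latest job {latest[host]['status']}"
        elif latest[host]["status"] != "success":
            anomalies[host] = "latest job " + latest[host]["status"]
    return anomalies

def check_sample():
    """Run the check over the constructed log as of a fixed point in time."""
    inventory = ["ws-01", "srv-01", "srv-02"]  # hypothetical expected-host list
    return find_backup_anomalies(parse_log(SAMPLE_LOG), inventory, datetime(2019, 6, 3, 8, 0))

if __name__ == "__main__":
    for host, reason in check_sample().items():
        print(f"ALERT {host}: {reason}")
```

In practice the inventory comes from the RMM or asset list, not from the backup tool itself, so that a host the backup console has forgotten about still raises an alert.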

Additional information can be found at [Hackers Disable MSP Backups, Launch Ransomware Attacks – ChannelE2E](https://www.channele2e.com/technology/security/hackers-disable-msp-backups/), and your SKOUT Team can assist in helping your MSP and your customers avoid this form of attack and continuously monitor for threat activity across your environments.