Ransomware is Encrypting Backups Too, Warns NCSC: From Cloud, to USB

The National Cyber Security Centre (NCSC) has urged businesses to make sure that they keep backups offline – following a spate of incidents in which diverse forms of online backup were also encrypted in ransomware attacks.

The NCSC said in updated guidance this week that it has seen “numerous incidents where ransomware has not only encrypted the original data on-disk, but also connected USB and network storage drives holding data backups.

“Incidents involving ransomware have also compromised connected cloud storage locations containing backups.”

Offline Backups Are Vital, as Threat Actors Increasingly Conduct Pre-Ransomware Deployment Reconnaissance

The warning comes as threat actors increasingly deploy ransomware considerably AFTER having gained privileged access to a victim’s environment and conducted reconnaissance of target networks and critical systems.

This allows them to steal data, move further into businesses’ networks, often take action against security software, and identify backups to encrypt.

Read this: As AWS Slashes Disaster Recovery Costs by 80%, Can Independent Firms Compete?

Martin Jartelius, CSO of cybersecurity platform Outpost24 told Computer Business Review: “A backup should be protected against getting overwritten, and offline/offsite backups are a strong recommendation…

“Similarly, ensuring that the backup system is not granted write-rights to the systems it backs up is equally critical, as otherwise we are back to all eggs in one basket, just having shifted the role from this being the production system to this being the backup system.”

The Risk of Ransomware

The NCSC’s guidance came as part of a sweeping review and consolidation of its guideline information that has cut back on denser technical information.

Emma W Head of Guidance, NCSC communications commented: “These technical trade-offs are sometimes necessary, because the NCSC needs to make sure the language used in its guidance matches what’s being used in the real world.”

See also: This New Ransomware Brings its own Legitimately Signed Hardware Driver

All this comes at a time when ransomware is causing real disruption to businesses and government agencies alike.

In the United States more than 100 cities are understood to have been hit by ransomware in 2019 alone, causing major disruption to public services. In the UK, Redcar and Cleveland council admitted this week that a ransomware attack had left it without IT services for three weeks.

It told the Guardian that it estimated the damage to cost between £11 million and £18 million: more than double its entire 2020/2021 central government grant.

(A recent IBM Harris Poll survey meanwhile found that only 38 percent of government employees said that they had received general ransomware prevention training.)

Ransomware: A Growing Threat to Operational Technology

Wendi Whitmore, VP of Threat Intelligence, IBM Security commented in the report that: “The emerging ransomware epidemic in our cities highlights the need for cities to better prepare for cyberattacks just as frequently as they prepare for natural disasters. The data in this new study suggests local and state employees recognize the threat but demonstrate over confidence in their ability to react to and manage it.”

Read this: Police Warning: Cyber Criminals are Using Cleaners to Access Your IT Infrastructure

Security firm FireEye meanwhile says ransomware looks set to increasingly hit infrastructure and operational technology (OT) in industrial sites.

It noted this week: “This is apparent in ransomware families such as SNAKEHOSE (a.k.a. Snake / Ekans), which was designed to execute its payload only after stopping a series of processes that included some industrial software from vendors such as General Electric and Honeywell. 

“At first glance, the SNAKEHOSE kill list appeared to be specifically tailored to OT environments due to the relatively small number of processes (yet high number of OT-related processes) identified with automated tools for initial triage. However, after manually extracting the list from the function that was terminating the processes, we realized that the kill list utilized by SNAKEHOSE actually targets over 1,000 processes.”

See Also:  IT Teams “Dangerously Misinformed” About Cloud Backup Provisions