February 28, 2020 (updated 2 March 2020, 9:17am)

Ransomware is Encrypting Backups Too, Warns NCSC: From Cloud, to USB

Cyber criminals are conducting reconnaissance before triggering ransomware

By CBR Staff Writer

The National Cyber Security Centre (NCSC) has urged businesses to make sure that they keep backups offline – following a spate of incidents in which diverse forms of online backup were also encrypted in ransomware attacks.

The NCSC said in updated guidance this week that it has seen “numerous incidents where ransomware has not only encrypted the original data on-disk, but also connected USB and network storage drives holding data backups.

“Incidents involving ransomware have also compromised connected cloud storage locations containing backups.”

Offline Backups Are Vital, as Threat Actors Increasingly Conduct Pre-Ransomware Deployment Reconnaissance

The warning comes as threat actors increasingly deploy ransomware only well after having gained privileged access to a victim’s environment and conducted reconnaissance of target networks and critical systems.

This delay allows them to steal data, move further into businesses’ networks, often disable security software, and identify backups to encrypt.


Martin Jartelius, CSO of cybersecurity platform Outpost24, told Computer Business Review: “A backup should be protected against getting overwritten, and offline/offsite backups are a strong recommendation…

“Similarly, ensuring that the backup system is not granted write-rights to the systems it backs up is equally critical, as otherwise we are back to all eggs in one basket, just having shifted the role from this being the production system to this being the backup system.”
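The NCSC's point about connected USB, network and cloud storage, and Jartelius's point about write access, come down to the same check: which backup destinations can a process on the production host currently write to? The audit below is an added example, not NCSC guidance or code from the article; it assumes a Linux host whose mount table is in /proc/mounts format, and the mount lines and backup paths in it are constructed samples.

```python
# Added example (not NCSC's or the article's code): audit which backup destinations
# a process on this Linux host can reach read-write, from /proc/mounts-style lines.
NETWORK_FS = {"cifs", "smb3", "nfs", "nfs4", "fuse.sshfs", "fuse.rclone"}  # network storage
REMOVABLE_FS = {"vfat", "exfat", "ntfs", "ntfs3", "fuseblk"}               # typical USB media

# Constructed mount table: a CIFS backup share mounted rw, a USB stick mounted ro.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
//nas.example.internal/backups /mnt/nas-backup cifs rw,relatime,vers=3.0 0 0
/dev/sdb1 /media/usb-backup vfat ro,nosuid,nodev 0 0
""".splitlines()
BACKUP_PATHS = ["/mnt/nas-backup/daily", "/media/usb-backup", "/var/backups/local"]  # constructed


def parse_mounts(lines):
    """Parse /proc/mounts lines into (source, mountpoint, fstype, option set)."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4:
            mnt = parts[1].replace("\\040", " ")  # /proc/mounts escapes spaces as \040
            entries.append((parts[0], mnt, parts[2], set(parts[3].split(","))))
    return entries


def mount_for(path, entries):
    """Longest-prefix match: the mount entry that actually hosts `path` (None if none)."""
    hosting = [e for e in entries if path == e[1] or path.startswith(e[1].rstrip("/") + "/")]
    return max(hosting, key=lambda e: len(e[1]), default=None)


def audit_backup_mounts(mount_lines, backup_paths):
    """Report, per backup path, what hosts it and whether this host can write to it.
    Anything writable from the production host is within reach of ransomware running
    there (the NCSC's failure mode); "ro" mounts and unmounted (offline) media are not."""
    entries = parse_mounts(mount_lines)
    findings = []
    for path in backup_paths:
        entry = mount_for(path, entries)
        if entry is None:  # nothing hosts it right now: treat as offline
            findings.append({"path": path, "mount": None, "kind": "offline", "writable": False})
            continue
        src, mnt, fstype, opts = entry
        kind = ("network" if fstype in NETWORK_FS
                else "removable" if fstype in REMOVABLE_FS else "local")
        findings.append({"path": path, "mount": mnt, "source": src,
                         "kind": kind, "writable": "rw" in opts})
    return findings


def exposed(findings):
    """Backup paths a compromised process on this host could overwrite or encrypt."""
    return [f["path"] for f in findings if f["writable"]]
```

On a real host, feed `open("/proc/mounts").read().splitlines()` and the paths your backup jobs write to; every path `exposed()` returns is one an attacker with this host's privileges could encrypt along with the originals.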


The Risk of Ransomware

The NCSC’s guidance came as part of a sweeping review and consolidation of its guideline information that has cut back on denser technical information.

Emma W, Head of Guidance, NCSC Communications, commented: “These technical trade-offs are sometimes necessary, because the NCSC needs to make sure the language used in its guidance matches what’s being used in the real world.”


All this comes at a time when ransomware is causing real disruption to businesses and government agencies alike.

In the United States more than 100 cities are understood to have been hit by ransomware in 2019 alone, causing major disruption to public services. In the UK, Redcar and Cleveland council admitted this week that a ransomware attack had left it without IT services for three weeks.

It told the Guardian that it estimated the damage to cost between £11 million and £18 million: more than double its entire 2020/2021 central government grant.

(A recent IBM Harris Poll survey meanwhile found that only 38 percent of government employees said that they had received general ransomware prevention training.)

Ransomware: A Growing Threat to Operational Technology

Wendi Whitmore, VP of Threat Intelligence, IBM Security, commented in the report that: “The emerging ransomware epidemic in our cities highlights the need for cities to better prepare for cyberattacks just as frequently as they prepare for natural disasters. The data in this new study suggests local and state employees recognize the threat but demonstrate overconfidence in their ability to react to and manage it.”


Security firm FireEye meanwhile says ransomware looks set to increasingly hit infrastructure and operational technology (OT) in industrial sites.

It noted this week: “This is apparent in ransomware families such as SNAKEHOSE (a.k.a. Snake / Ekans), which was designed to execute its payload only after stopping a series of processes that included some industrial software from vendors such as General Electric and Honeywell.

“At first glance, the SNAKEHOSE kill list appeared to be specifically tailored to OT environments due to the relatively small number of processes (yet high number of OT-related processes) identified with automated tools for initial triage. However, after manually extracting the list from the function that was terminating the processes, we realized that the kill list utilized by SNAKEHOSE actually targets over 1,000 processes.”
