Your IT Consultant

Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.

Ransomware Now Attacking Your Cloud Backups Too

March 4, 2020

Having good, solid backups is one of the requirements for recovering from a ransomware attack. If your data gets encrypted, don't pay the ransom; restore your data from backup instead. While the backup data will get you back in business, it won't stop the extraction of data, as happens in a Maze ransomware attack. But having a good backup is better than not having any at all. Obviously, you have to make sure you have properly configured your backups.

Bleeping Computer reports on a new trend where the bad guys are now attacking your cloud backups in addition to your local data. Specifically, the attacks are targeting the victim's Veeam backup software. Basically, the attackers gain access to a device on your network and then move laterally to gain access to the administrator credentials and any domain controller. They use a tool called Mimikatz to extract credentials from Active Directory and then attempt to access the cloud backups. The Maze Ransomware group told Bleeping Computer:

"Yes, we download them. It is very useful. No need to search for sensitive information, it is definitely contained in backups. If backups in the cloud it is even easier, you just login to cloud and download it from your server, full invisibility to "data breach detection software". Clouds is about security, right?"

Once they extract your data, the backups are deleted. Pretty scary stuff. The recommendation is to not use an Active Directory account for your cloud backups. A separate account would be best. Multiple backups should be configured too, and storing them in an alternate location would also help. Bottom line, our data is under constant attack and we need to continually adjust our actions to protect it.

Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://www.linkedin.com/in/johnsimek
https://amazon.com/author/johnsimek
https://senseient.com