2018-07-30
10/4/2017
10:30 AM
Backups are the best way to take control of your defense against ransomware, but they need protecting as well.
Ransomware has had a banner year so far. Two major attacks — WannaCry and NotPetya — have caused, conservatively, hundreds of millions of dollars in damages, while cybercriminals continue to target users' systems and data.
Proactive companies, however, do have options. The most consistent defense against ransomware continues to be good backups and a well-tested restore process. Companies that consistently back up their data and can quickly detect a ransomware attack should be able to restore their data and operations with a minimum of disruption.
In some cases, we have seen wiper malware such as NotPetya pretending to be Petya ransomware while serving a similar ransom note. In these attacks, the victims won't be able to get their files back even if they pay the ransom — making the ability to restore from a backup even more critical.
For that reason, the cybercriminals — and, in some cases, nation-state agents — behind ransomware have begun targeting the backup processes and tools, as well. Several ransomware programs — such as the recent WannaCry (WannaCrypt0r) and the newer version of CryptoLocker — delete the Volume Shadow Copy snapshots created by Microsoft's Windows operating system. Shadow copies are a simple method that Microsoft Windows provides for easy restoration of earlier file versions, and deleting them is usually the first thing the malware does before it starts encrypting.
On the Mac, cybercriminals targeted backups from the get-go. Researchers have discovered incomplete functions in the first Mac ransomware — released in 2015 — that targeted the disk used by the Mac OS X operating system's automated backup tool called Time Machine.
The strategy is straightforward: Encrypt the backup and individuals or companies are likely to lose the ability to restore data and are more likely to pay a ransom. Attackers are escalating their efforts beyond infecting single workstations and aim to destroy the backups, too.
Here are four recommendations to help companies protect their backups against ransomware attacks.
1. Be careful using network file servers and online sharing services.
Network file servers can be easy to use and are always available, two attributes that make network-accessible "home" directories a popular way to centralize data and make it easy to back up. However, when exposed to ransomware, this type of data architecture has serious security weaknesses. Most ransomware programs encrypt every drive the infected machine can write to, including mapped network shares, so the victim's home directory would be encrypted as well. In addition, any server that runs a vulnerable and highly targeted operating system like Windows could be infected itself, which would lead to every user's data being encrypted.
Thus, any company with a network file server needs to assiduously back up the data to a separate system or service, and specifically test the system's restore capability if faced with ransomware.
Cloud file services aren't immune to ransomware either. In 2015, Children in Film, a business providing information for child actors and their parents, got hit with ransomware. The company extensively used the cloud for its business, including a common cloud drive. Within 30 minutes of an employee clicking on a malicious e-mail link, more than 4,000 files stored in the cloud were encrypted, according to an article in KrebsOnSecurity. Fortunately, the company's backup provider was able to restore all of the files, even though it took almost a week to complete the process.
Unless the cloud service keeps incremental backups or an easily managed file version history, recovering data in the cloud can be more difficult than restoring an on-premises server.
2. Get visibility into your backup process.
The earlier that a company can detect a ransomware infection, the more likely that the business can prevent significant corruption of data. Data from the backup process can provide early warning of a ransomware infection. A program that suddenly encrypts your data leaves signs in your backup log. Incremental backups will suddenly "blow up" as every file is essentially changed, and the encrypted files can't be compressed or deduplicated.
Monitoring vital metrics such as capacity utilization from the backup process on a regular basis — essentially, every day — can help companies detect when ransomware has infected a system inside the company and limit the damage from the compromise.
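The two signals this section describes, a burst of changed files and data that stops compressing, can be checked against a backup tool's job log. The script below is an added example, not code from the original article: the job records are constructed, and the field names (files_changed, bytes_sent, bytes_stored) are an assumption about what a backup product exports. It also shows, with zlib, why encrypted data defeats compression and deduplication.

```python
"""Spot a ransomware-style change burst in backup job metrics.

Added example, not code from the original article. The job records below
are constructed; the field names (files_changed, bytes_sent, bytes_stored)
are an assumption about what a backup tool exports in its job log.
"""
import os
import statistics
import zlib
from dataclasses import dataclass


@dataclass
class BackupJob:
    day: str
    files_changed: int  # files picked up by the incremental run
    bytes_sent: int     # size of changed data before compression/dedup
    bytes_stored: int   # size actually written after compression/dedup


def compressibility(data):
    """Return stored/original size ratio; close to 1.0 means it will not compress."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 9)) / len(data)


def demo_ratios():
    """Compare ordinary text-like data with random bytes standing in for ciphertext."""
    return compressibility(b"quarterly report " * 600), compressibility(os.urandom(10000))


def _stored_ratio(job):
    return job.bytes_stored / job.bytes_sent if job.bytes_sent else 0.0


def flag_anomalies(jobs, window=7, change_factor=10.0, min_ratio=0.85):
    """Return (day, reasons) for runs that look like mass encryption.

    A run is flagged when the number of changed files exceeds change_factor
    times the median of the preceding window, or when the data written stopped
    compressing/deduplicating (stored/sent >= min_ratio) although the
    preceding runs compressed well.
    """
    flagged = []
    for i in range(window, len(jobs)):
        history = jobs[i - window:i]
        base_changed = statistics.median(j.files_changed for j in history)
        base_ratio = statistics.median(_stored_ratio(j) for j in history)
        cur = jobs[i]
        cur_ratio = _stored_ratio(cur)
        reasons = []
        if cur.files_changed > change_factor * base_changed:
            reasons.append(f"files_changed {cur.files_changed} vs median {base_changed:.0f}")
        if cur_ratio >= min_ratio > base_ratio:
            reasons.append(f"stored/sent {cur_ratio:.2f} vs median {base_ratio:.2f}")
        if reasons:
            flagged.append((cur.day, reasons))
    return flagged


# Constructed sample: a quiet week of nightly incrementals, then every file rewritten.
SAMPLE_JOBS = [
    BackupJob("2017-09-24", 1180, 2_050_000_000, 480_000_000),
    BackupJob("2017-09-25", 1240, 2_200_000_000, 530_000_000),
    BackupJob("2017-09-26", 1150, 1_900_000_000, 450_000_000),
    BackupJob("2017-09-27", 1310, 2_400_000_000, 560_000_000),
    BackupJob("2017-09-28", 1205, 2_100_000_000, 500_000_000),
    BackupJob("2017-09-29", 1290, 2_300_000_000, 540_000_000),
    BackupJob("2017-09-30", 640, 1_100_000_000, 260_000_000),   # weekend, quieter
    BackupJob("2017-10-01", 610, 1_000_000_000, 250_000_000),
    BackupJob("2017-10-02", 48_300, 61_000_000_000, 59_700_000_000),  # nothing compresses
]


if __name__ == "__main__":
    text_ratio, random_ratio = demo_ratios()
    print(f"text compresses to {text_ratio:.1%} of its size, random bytes to {random_ratio:.1%}")
    for day, reasons in flag_anomalies(SAMPLE_JOBS):
        print(day, "; ".join(reasons))
```

The thresholds are deliberately coarse: a tenfold jump in changed files against a one-week median is far outside normal daily churn, and a stored/sent ratio near 1.0 after weeks of 4:1 reduction means the new data is effectively random, which is what ciphertext looks like to a compressor. Either signal on its own is worth a page to the on-call engineer; both together on the same run are close to conclusive.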
3. Consider your solution options.
If ransomware can directly access backup images, then it will be very challenging, if not impossible, to stop it from encrypting corporate backups. For that reason, a purpose-built backup system that keeps the backup data behind its own interface, rather than exposing backup images as writable files on the network, is in a position to prevent ransomware running on a client from encrypting historical data.
By separating backups from your normal operating environment and making sure the process is not running on a general-purpose server and operating system, your backups can be hardened against attack. Backup systems based on the most commonly targeted operating system, Microsoft Windows, are prone to being attacked and make it much harder to protect your backup data.
4. Regularly test your recovery process.
Finally, backups are no good unless you can recover both reliably and quickly. Some victims of ransomware have had backups but still have had to pay the ransom because the backup schedule did not perform backups with enough granularity, or they were not backing up the data they thought they were backing up.
Part of testing the recovery process is determining the window of data loss. A company that does a full backup every week will lose up to a week of data should it need to recover after its last backup. Doing daily or hourly backups greatly increases the level of protection. More granular backups and detecting ransomware events as early as possible are both key to fending off damage.
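A recovery test has to answer two questions this section raises: was everything we believe is protected actually captured, and does what comes back match what went in? The drill below is an added example, not code from the original article. It builds a scratch "file server" in a temporary directory, backs it up with a SHA-256 manifest, overwrites the live files the way an encryptor would, restores from the backup, and reports coverage gaps and integrity failures. The paths, file names and manifest layout are all constructed for this demo.

```python
"""Run a backup-and-restore drill against scratch data.

Added example, not code from the original article. Paths, file names and
the manifest layout are constructed for this demo.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(src, dst):
    """Copy every file under src into dst; return {relative path: sha256}."""
    manifest = {}
    for p in sorted(Path(src).rglob("*")):
        if p.is_file():
            rel = p.relative_to(src)
            target = Path(dst) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel.as_posix()] = sha256_file(target)
    return manifest


def coverage_gaps(expected, manifest):
    """Paths the business expects to be protected that the backup never captured."""
    return sorted(set(expected) - set(manifest))


def restore(backup_dir, manifest, dest):
    """Restore every manifest entry into dest; return entries whose hash no longer matches."""
    failures = []
    for rel, digest in manifest.items():
        target = Path(dest) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(Path(backup_dir) / rel, target)
        if sha256_file(target) != digest:
            failures.append(rel)
    return failures


def simulate_ransomware(root):
    """Overwrite each file with random bytes and rename it; return the number of files hit."""
    hit = 0
    for p in list(Path(root).rglob("*")):
        if p.is_file():
            p.write_bytes(os.urandom(p.stat().st_size + 16))
            p.rename(p.with_name(p.name + ".locked"))
            hit += 1
    return hit


# Constructed sample content for the scratch "file server".
REPORT = b"quarterly numbers " * 200
CONTRACTS = b"contract rows " * 300


def run_drill():
    with tempfile.TemporaryDirectory() as tmp:
        live, vault, restored = (Path(tmp) / n for n in ("live", "vault", "restored"))
        (live / "home" / "alice").mkdir(parents=True)
        (live / "home" / "alice" / "q3-report.docx").write_bytes(REPORT)
        (live / "home" / "bob").mkdir(parents=True)
        (live / "home" / "bob" / "contracts.xlsx").write_bytes(CONTRACTS)
        vault.mkdir()
        manifest = backup(live, vault)
        # What the business believes is protected; the finance share was never in scope.
        expected = ["home/alice/q3-report.docx", "home/bob/contracts.xlsx",
                    "finance/ledger.db"]
        gaps = coverage_gaps(expected, manifest)
        encrypted = simulate_ransomware(live)
        restored.mkdir()
        failures = restore(vault, manifest, restored)
        intact = (restored / "home" / "alice" / "q3-report.docx").read_bytes() == REPORT
        return {"backed_up": len(manifest), "encrypted": encrypted,
                "coverage_gaps": gaps, "integrity_failures": failures,
                "restored_intact": intact}


if __name__ == "__main__":
    print(run_drill())
```

The coverage check is the part that catches the "we thought we were backing that up" failure: the list of expected paths should come from the business owners of the data, not from the backup tool's own job definition, or the check only confirms the tool did what it was told. Run the drill on a schedule, time it, and compare the restore duration against the outage you can afford; a week-long restore, as in the Children in Film case above, is a finding in its own right.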
In the end, companies should aim to detect ransomware attacks early through monitoring or anti-malware defenses, use a purpose-built system to maintain a separation between the backup data and a potentially compromised system, and regularly test the backup and restore process to ensure data is properly protected.
These efforts will keep backups at the top of the list of ransomware defenses and will reduce the risk of losing data in the event of an attack.
Attachments:
Ransomware Will Target Backups - 4 Ways to Protect Your Data (original article, PDF)
Ransomware Will Target Backups - 4 Ways to Protect Your Data (Chinese translation, PDF)