The UK‘s cybersecurity agency has updated its guidance on what to do after a ransomware attack, following a series of incidents where organisations were hit with ransomware, but also had their backups encrypted because they had left them connected to their networks.
Keeping a backup copy of vital data is a good way of reducing the damage of a ransomware attack: it allows companies to get systems up and running again without having to pay off the crooks. But that backup data isn’t much good if it’s also infected with ransomware — and thus encrypted and unusable — because it was still connected to the network when the attack took place.
The UK‘s National Cyber Security Centre (NCSC) said it has now updated its guidance by emphasising offline backups as a defence against ransomware.
Offsite backups are important to prepare for any sort of incident, but are even more important in the case of ransomware. However, even backups alone may not be sufficient. We\’re seeing ransomware evolve to the point that the criminals steal critical information from organisations when they infect them with ransomware. They then try to extort the company, its customers, and partners for money in order to not release the stolen information.
Therefore, it\’s essential that organisation do all they can to prevent ransomware to begin with. This requires a layered approach to make it difficult for criminals to get in such as patching external-facing systems, implementing MFA, encrypting data, and providing security awareness and training to all users.
This has been something stressed for a long time by security organizations, a backup should be protected against getting overwritten, and offline- offsite backups are a strong recommendation, both to ensure a capability to restore and the integrity of the information.
Similarly, ensuring that the backup system is not granted write-rights to the systems it backs up is equally critical, as otherwise we are back to all eggs in one basket, just having shifted the role from this being the production system to this being the backup system.