Immutable Backup Storage: How to Stop Worrying About Ransomware


The Challenge

Immutable backup storage has become prominent because hackers are everywhere and they are becoming smarter.  And because the Internet is inherently globally connected, hackers from anywhere in the world can attack the networks and IT infrastructure of anyone, from the smallest business to the largest governments.  They use various methods to attack including, but not limited to:

Social Engineering & Phishing – The attacker uses fake or misleading emails, phone calls, or letters that seem like they come from legitimate organizations making valid requests, but are fake and trick the victim into divulging personal information.

Password Cracking – The attacker uses various methods to guess a victim’s password to gain access to their account.

Taking Advantage of Security Vulnerabilities – The attacker exploits holes in a company’s IT infrastructure due to network appliances, servers, computers, etc. falling behind on security patches and updates.

Malware-Injecting Devices – the attacker uses hardware, like a USB thumb drive, to inject malware into a system.

What do all the above have in common?  They present opportunities for hackers to gain access to your environment, steal information, delete information (including backups), and/or lock down and encrypt all your company’s data using Ransomware.  They will then usually ask for a large sum of digital currency to unencrypt your data.  But even after the hackers are paid, there is no guarantee they will unencrypt your data, and even if they do, it’s still possible they’ve kept copies of your data and can further use it to exploit your company, or individuals within.

According to the leading cause of Ransomware attacks is from phishing emails.  This is followed by poor user practices, and lack of cyber training.

Additionally, 68% of all US business who are hit with ransomware pay the fine.

The Solution

To counteract and minimize this threat, it’s important for organizations to not only keep up-to-date with the latest security patches and user-training to help identify potentially malicious forms of contact, but also have secure backups that you know cannot be modified or deleted under any circumstances.  This is where immutable backup storage comes in.

This discussion is going to take you through:

What immutable backups are?

Why you need them in the first place?

What the solution looks like?

What are immutable backups?

Immutable backups are a type of backup that exist off your network and cannot be modified or deleted by anyone or anything for a set period.  Whereas standard backups can be modified by the backup server or deleted by an administrator (or a hacker with administrator privileges), immutable backup storage is impervious to such access.

Having standard backups is a great first-step to protecting your environment in the event of small incidences such as a user deleting a file, and/or production-halting disasters such as a virtual machine failing and needed to restore it to a previous state.  Standard backups are one of the most important keys to business continuity in addition to replications.

If your company has backups configured, you may be thinking, “well, this is swell!  We are protected in the event of file loss, server failure, or hacks.”  And that may be true, depending on your RPO (Recovery Point Objective – or how much data can be lost within a period of time) and retention policies (how long you hang onto data).  But what if a hacker gains control of all servers on your network including your backup server and repository?

Well, if that happens, deleting or locking/encrypting a backup file is as easy as navigating to the folder where the files exist, selecting all, and deleting.  Or to make it even easier, a hacker can simply encrypt all files on the backup server and repository in an instant.

You may be thinking, “but I have my backup server on another network separated from the domain.  If they attack my domain with domain admin access, won’t my backups be safe?”  They could be.  But if the attacker gains access to the admin credentials to your backup server or repository, they can still do the same damage.  And once they gain access to your backup files, it may as well mean you’ve never had any backups at all!

This is why immutable backup storage is so important.  The concept of immutable backups means that a hacker cannot modify, encrypt, or delete your backup files, even with full admin access to your backup server.  Therefore, if a ransomware event happens, and all of your servers and files are encrypted, there’s no need to pay the hacker absurd extortion fees to release your data.  You can instead spin-up a new backup server, connect to your immutable backup repository in the cloud, and restore your entire environment.

Why You Need Immutable Backup Storage

Not all backups are created equally.  You may think to yourself, “I’ve got local encrypted backups, off-site backups, and replications.  I’m covered, right?”  The truth is, while that is a great and necessary start, there is still the risk of a hacker gaining access to your backup server and modifying or deleting all of your backup data.  The only way to prevent this is to make your backups immutable to prevent them from being modified or deleted by anyone under any circumstance.

Let’s say you’re a CPA, and you have all of your clients’ prepared tax documents on your file server.  You are backing up your data with your backup software of choice to a local repository.  You’ve also got shadow copies enabled on that file server so that you can restore data that’s accidentally deleted more quickly.  But one day, a client emails you their missing W-2.  The body of the email tells you that you can securely download the file from the link provided.  You enter your username and password only to grant access to a hacker who can now install ransomware on your computer.  It quickly spreads across your network and encrypts your backup server as well.  He’s asking for $50,000 in Bitcoin.  You think to yourself, “wait a minute, I’ve got my backups.  I can ignore him.  I can take everything offline, and restore my servers from the latest backup.”  The problem is, all of your backup data is locked as well.  Decades of client data is now gone unless you pay the ransom and hope the hacker releases your data.

So, you tell your best friend about this.  She is the CIO of a national shipping and logistic company with offices around the globe.  You ask about her backup solution and she tells you that she has local backups at each of her 20 offices around the country.  From there, each site has its backup data copied to another site for redundancy.  Finally, all servers are replicated to a central data center.  She tells you that because the data exists in multiple locations, she is protected from something like ransomware.  And it sounds right in theory.  However, all 20 offices throughout the country are on the same domain and the same network.  And unbeknownst to her, a system engineer accidentally configured a new user with domain admin rights.  That user receives a faux-welcome email from a hacker requesting her credentials in order to begin the process of setting up multi-factor authentication.  The hacker now has access to the user’s computer and is able to spread the ransomware across the network and within minutes, across all sites.  The local backup data for each site as well as the copied backup data from other sites is now locked.  And the encrypted servers are replicated to the central data center.  The hacker wants $500,000 in Dogecoin.

In both scenarios, if the companies had immutable backups, it doesn’t matter if the hacker has gained control of their backup servers – their backup data would’ve remained untouched since it cannot be modified of deleted.  The companies can now take their systems offline and restore all of their data from the most recent backups.  Better luck next time, hackers!

In the US, the average cost of remediating a ransomware attack more than doubled in the last year.  It averages $761,106 in 2020.  Now it averages $1,850,000!

It doesn’t matter how large or small your business is, immutable backup storage can literally save your business.  And rather than pay hackers absurd amount of money, you can instead reinvest that money in your business to continue to expand and rest easy knowing your data is secure.

Here’s What a Solution Might Look Like

So what might an immutable backup storage solution look like?  It’s actually quite simple and not much will change from a configuration standpoint.

1) Configure your Veeam VBR server – This is the first step to protecting your Veeam server from ransomware attacks.  While one could use a standard Next > Next > Next installation of Veeam, hardening the server is strongly recommended.  A hardened server includes:

a) Backing up the Veeam Configuration files to the VirtuIT S3 Repo.  A standard deployment only backs up the Config files locally.  Copying these files to S3 means that in the event of an attack, you can restore your original Veeam Config files to a new Veeam server, and re-create your backup and replication jobs within minutes, instead of hours or days.

b) Run the Veeam console on a secondary server in your DMZ.  A standard installation of Veeam VBR installs the console locally meaning that in order to access Veeam, one needs to RDP into the Veeam server directly.  This presents a vulnerability because if a hacker gains access to your Veeam login, they can also RDP into the Veeam server.

c) Do not use a Domain Admin Account to log into the Veeam console. Instead use Veeam-specific creds with 25+ character complex passwords and lockout policies.

d) Enable Encryption for backup data over the network and at rest.  By default, Network encryption is enabled, but encryption of data at rest is not.

e) Isolate Your Backup Traffic on its own network.  By default, the backup traffic will run on your production network if you set up the Veeam server on said network.

f) Keep your Veeam server off the Domain.  Do not domain-join the Veeam server.  If a ransomware attack hits your domain, having the Veeam server on a different domain or in a workgroup will help protect it.

g) Keep your primary backup repository on a separate Windows server, NAS, or dedupe appliance.  The default is to configure a repo on the Veeam server itself.  It’s best to keep these two items separated.

2) Configure the VirtuIT S3 Bucket with Object Lock – VirtuIT will create a S3 bucket that only your organization can access.  The bucket resides completely off your network.  The Object Lock function is immutability.  The S3 bucket will be configured with the contracted immutability duration.  Immutability can be for however long you decide, but the longer items are kept, the more local and S3 cloud repository space you will need.

3) Create a SOBR (Scale-Out Backup Repository) Within Veeam – this links your local repository with the S3 cloud repository.  Data that is backed up locally can be copied to the S3 repo as soon as a backup completes, or moved to the S3 repo after a period of time.

4) Backed Up Data Is Now Immutable – Let’s say you want 30 days of immutability.  In that case, all data will be immutable, both on the local repo and in S3 for 30 days.  The data can not be modified or deleted for that time period, no matter what.  Any attempt to modify or delete the data will result in that action failing.

5) Long Term Archive Storage Will Persist Past the Immutability Period – With Veeam GFS (Grandfather-Father-Son) settings, long-term full backups will continue to exist in the S3 repo.  These can exist for weeks, months, or years.  While these files will no longer be immutable and can be modified or deleted, it’s important to note that you will still be able to perform file or full VM restores from these archive backup files for as long as they exist.

Closing Out

Ultimately, immutable backup storage is not only one of the most important ways to protect your business from ransomware attacks, but also the easiest.  With just a few clicks, you can rest easy knowing that your company’s precious data is fully protected from modification or deletion. 

It is a simple solution, but also probably the most invaluable and important solution since the concept of even the most basic backups and replications were introduced.

Let us know how you’re better protecting your data.