
5 Key Backup Solution Features to Protect Against and Recover from Ransomware Attacks

If you believe your organization remains impervious to ransomware after the recent attack on MGM Resorts, I hope you are right! However, if this attack has finally prompted you to act, or at least to reaffirm that the security measures you have already taken work properly, then read on.

This latest ransomware attack illustrates that hackers continue to employ ever more ingenious approaches to conduct attacks. Yet as they do, five core features found in many backup solutions will, if properly and comprehensively deployed, provide organizations with a viable path forward for data protection and restores.

Here’s What We Know about the MGM Resorts Ransomware Attack

Because the ransomware attack on MGM Resorts is so recent, details remain sketchy. However, some recent articles provide insight into the attack and the methods the hackers used.

An article that appeared on Vox alleges a group known as Scattered Spider is responsible for the attack. To conduct the attack, this group utilized a ransomware-as-a-service (RaaS) offering and adapted it to attack the MGM Resorts.

These hackers apparently used a technique known as “vishing” to gain initial access. Using this approach, an individual places a phone call to the organization and represents himself or herself as a “trusted” internal security professional or system administrator.

The help desk then assists this individual in obtaining the necessary security credentials to remotely log in and gain access. Once in, the individual uses the access for nefarious purposes.

A separate blog post on the Morphisec website provided some additional color and technical detail about the attack. It also mentions Scattered Spider as a group responsible for the attack. However, it points out that ALPHV/BlackCat has now publicly claimed responsibility in a Reddit post.

This post lays out a possible attack flow in the MGM Resorts attack. It suggests hackers likely targeted an MGM Resorts Administrator to gain access to its network, which corroborates the claims in Vox’s story. It appears the hackers succeeded in this approach by first targeting and then successfully profiling MGM Resorts employees.

When the hackers’ attempts to contact and negotiate with MGM Resorts failed, they initiated an attack. It appears they may have successfully attacked more than 100 ESXi hypervisors. They may also have exfiltrated (i.e., copied) personally identifiable information from the MGM Resorts network. Further, the hackers may even now continue to have access to the MGM Resorts network despite attempts to lock them out.

Perhaps most disconcerting, Morphisec believes this attack caught MGM Resorts IT staff by surprise. This led to a poor response, reflected in prolonged downtime and slow or incomplete system and data restores and recoveries.

Five Security Features Available in Backup Solutions Now

Anyone reading this blog entry should recognize the facts on the MGM Resorts ransomware attack are still coming to light. Further, the two reports I cite reflect some supposition and theories as to what occurred. Yet in reading through these two stories, two thoughts struck me.


1. No organization of any size should assume it is immune from a successful ransomware attack on its production environment.
2. Features exist that organizations can adopt that, at a minimum, protect their backup data and position them for restores and recoveries.

Organizations need to keep their production environments online and running in an optimal state. This requirement often makes them susceptible to attacks, since organizations cannot employ every known security measure. Doing so may too severely impact production activities.

However, organizations can employ five existing security features to better protect their backup data. Since I have previously written about these measures and included them in a report available on Quest’s website, I will simply summarize them here:

1. Create air gapped backups. This feature requires organizations to store copies of data in a physical location separate from their primary production location. Further, the copies should be stored in such a way that one cannot logically or virtually access them through the production environment. The media (cloud, disk, tape, or optical) on which they are stored matters less than making the media physically separate. As the MGM Resorts incident illustrates, having data physically stored elsewhere may become a requirement if administrative credentials become compromised.
2. Encrypted backups. Copying data to a remote location accessible only to the hacker has become more common in ransomware attacks. Once they have it, hackers can threaten to release it unless organizations pay a ransom. Even if they pay, organizations may have few assurances the hackers will destroy the data. Since backups contain much or all organizational data, accessing and copying backup data offsite may be a primary objective in a ransomware attack. Encrypting backups mitigates the possibility that backup data, even if copied offsite, is usable by hackers.
3. Immutable storage. Storing backups on immutable storage helps ensure hackers cannot delete, compromise, or encrypt backups as part of the attack. Ransomware attacks increasingly begin with the ransomware seeking out backup repositories. If ransomware can find and destroy or compromise backups, it undermines the ability of organizations to recover. Immutable storage protects against this type of attack.
4. Instant restores. Backups are only as good as their ability to position organizations to recover. Should production systems or data become compromised or encrypted, organizations often must restore and recover quickly. More backup solutions now offer instant restore capabilities. Since providers define “instant restore” differently, identify a solution or solutions that can restore in the appropriate time frame.
5. Multi-factor authentication (MFA). MFA helps ensure that only individuals with the proper permissions to access and administer the systems or data can access them. However, as the MGM Resorts incident helps illustrate, this approach may not be 100 percent foolproof.
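To make items 2 and 3 concrete, here is an added example (not code from this post, DCIG, or any backup vendor) that models a retention-locked backup repository together with a keyed integrity manifest. It assumes compliance-mode object-lock semantics, where nothing can overwrite or delete a backup before its retention period ends, even with administrator credentials, and it assumes the manifest key is held with the air-gapped copy so a restore job can tell whether the repository was tampered with through some path that bypassed the lock.

```python
"""Added example (not DCIG's or any vendor's code): toy model of the
immutability and integrity properties described above. It assumes
compliance-mode object-lock semantics: no overwrite or delete before the
retention period ends, even for administrators."""
import hashlib
import hmac

# Constructed demo key; in practice the manifest key is stored with the
# air-gapped copy, not on a server reachable with production credentials.
MANIFEST_KEY = b"constructed-demo-key-not-for-real-use"


class RetentionError(PermissionError):
    """A write or delete would violate a retention lock."""


class ImmutableRepo:
    def __init__(self, retention_seconds):
        self.retention = retention_seconds
        self.objects = {}  # name -> (data, retain_until)

    def put(self, name, data, now):
        """Write-once: an existing object cannot be replaced while locked."""
        if name in self.objects and now < self.objects[name][1]:
            raise RetentionError(f"{name} locked until t={self.objects[name][1]}")
        self.objects[name] = (bytes(data), now + self.retention)

    def delete(self, name, now, is_admin=False):
        """Compliance mode: admin credentials do not shorten the lock."""
        _, retain_until = self.objects[name]
        if now < retain_until:
            who = "admin" if is_admin else "user"
            raise RetentionError(f"{who} delete refused; locked until t={retain_until}")
        del self.objects[name]

    def manifest_tag(self):
        """HMAC over every object's name and SHA-256, in a fixed order."""
        h = hmac.new(MANIFEST_KEY, digestmod=hashlib.sha256)
        for name in sorted(self.objects):
            h.update(name.encode() + b"\0")
            h.update(hashlib.sha256(self.objects[name][0]).digest())
        return h.hexdigest()


def safe_to_restore(repo, tag_from_airgap):
    """Restore only if the repository still matches the tag kept out of band."""
    return hmac.compare_digest(repo.manifest_tag(), tag_from_airgap)
```

A restore runbook would record `manifest_tag()` on the air-gapped side at backup time and call `safe_to_restore` before trusting a repository that sat inside the compromised production domain.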

Employing All Five Features Required to Secure One’s Backup Environment

The MGM Resorts ransomware attack illustrates that every organization’s production IT environment may be susceptible to a ransomware attack. However, if organizations employ these five security features as part of their backup processes, they should be positioned to recover.

If anything, this recent attack highlighted the importance of implementing all five of these features. If one cherry-picks the features one likes, or the most cost-effective or easiest to implement, one or more of the remaining gaps may be exploited. In the MGM Resorts case, hackers found a workaround to accessing the network by compromising an administrator’s login credentials.

Yet even in this case, that compromise alone should not result in hackers destroying all organizational backup data. While it may contribute to making restores and recoveries more difficult, a path forward to performing restores and recoveries should still exist.

Keep Up-to-Date With DCIG

To be notified of new DCIG articles, reports, and webinars, sign up for DCIG’s free weekly Newsletter.

To learn about DCIG’s future research and publications, see the DCIG Editorial Calendar.

Technology providers interested in licensing DCIG TOP 5 reports or having DCIG produce custom reports, please contact DCIG for more information.

Editor’s Note: This post was updated on 9/29/2023 to correct some grammatical mistakes.
