Ransomware Gang Targets Windows-based Backup Applications to Compromise Customer Data

Veritas Perspectives November 08, 2021

Hackers are attempting to exploit Windows and backup applications’ vulnerabilities to impersonate privileged backup users. They grant themselves backup privileges that allow them to lock the victim’s system, prevent legitimate user access, and lock and/or remove backup files to create double extortion opportunities. With Windows being the most common operating system in the world and, according to the Common Vulnerabilities and Exposures (CVE) database, the most prone to security issues, ransomware hackers are specifically targeting organizations running backup applications on Windows.

While Veritas NetBackup customers can choose to use Windows, some backup solution providers only support Windows, making their customers vulnerable with NO options to mitigate these attacks. Veritas supports alternative operating systems and best practices that provide customers immunity from this type of nefarious activity.

Don’t become a victim! Assess your data protection strategy and take steps to prevent these types of attacks.

In addition to implementing the safeguard recommendations described in the Threatpost article, here are five backup-specific best practices you can use to reduce or eliminate vulnerabilities.

Top 5 Ransomware Resilience Best Practices:

  • Best Practice #1

Deploy the most up-to-date data protection infrastructure on hardened OS platforms using technologies like Security-Enhanced Linux. These hardened platforms provide host-based Intrusion Detection (IDS) and Prevention (IPS) by blocking rogue connections and denying malicious code execution.

NetBackup Feature:

The Veritas portfolio of Veritas Flex and Flex Scale-based Appliances offers the entire NetBackup Platform on performance- and cost-optimized hardware as a single turnkey solution. Security-Enhanced Red Hat Linux limits the IT attack surface from malware, while the deduplication engine offers optimized, encrypted, and immutable storage to limit risk from possible data exfiltration. For organizations looking to deploy on their own infrastructure, it’s best to deploy the most recent version of NetBackup (currently v9.1) on Security-Enhanced Linux.

  • Best Practice #2

Ensure the data protection platform aligns with the Zero Trust security model by enforcing multi-factor authentication or role-based access control for accounts that access the backup system.

NetBackup Feature:

NetBackup secures authentication with smart cards and with multi-factor authentication through a SAML 2.0-compliant identity provider. Use the granular role-based access controls supported by NetBackup to establish segregation of duties. Some vendors still lack two-factor authentication for their backup and recovery consoles.

  • Best Practice #3

Encrypt data in flight and at rest.

NetBackup Feature:

Use TLS 1.2 certificates from NetBackup’s built-in Certificate Authority (CA) or customer-managed external CA, with 2048-bit key support to encrypt communication. Veritas Deduplication Engine enables both in-flight and at-rest data encryption using AES 256-bit keys and supports FIPS 140-2 cryptography standards with built-in or customer-provided Key Management systems using the Key Management Interoperability Protocol (KMIP).

  • Best Practice #4

Protect and store ALL workload data using WORM-compliant storage that is both immutable and indelible, supporting an air-gap strategy. A proprietary compliance clock enforces the retention period of stored backups and is independent of the OS time.

NetBackup Feature:

When it comes to storing workload data on immutable storage, some backup solutions only support VMware or NetApp workloads. NetBackup supports ALL workloads and can store this data on immutable or WORM storage. NetBackup also works with multiple immutable targets across both on-premises storage and cloud object storage, allowing ultimate choice and flexibility without compromise. Even if hackers gain access to the data, Veritas de-dupe technology encryption renders the exfiltrated data unusable.

  • Best Practice #5

Implement solutions that can scan the entire data estate to identify protection gaps, user or file anomalies that travel laterally across the network, utilities such as Cobalt Strike and Ngrok along with the accounts that created and are using them, and more.

NetBackup Feature:

NetBackup IT Analytics (formerly APTARE IT Analytics) and Data Insight work seamlessly with NetBackup to provide this visibility and ensure complete and cost-effective protection.

Following these best practices will ensure your organization is protected against ransomware attacks, as outlined in the Threatpost article. In the event of a successful attack, recovery of data and applications becomes the most critical action to take. Unlike other data protection solutions on the market, NetBackup provides one-click recovery to existing or new production environments or an isolated recovery environment. This simplifies the recovery process and reduces the time it takes to get your business back online.

For more information on our ransomware advantages, go to https://www.veritas.com/ransomware.

Dylon Mills
Senior Principal Product Manager, Enterprise Data Protection