Protecting Backups From Ransomware Is As Easy As 3-2-1


Ransomware attackers will attempt to locate your backups, steal the data from them, and then delete them. If you can prevent this, you can recover from an attack without giving in to blackmail.

Ransomware has been a red-hot problem for some time now. As they usually do with important events, ransomware attackers have been setting traps using the COVID-19 pandemic as a lure. That makes this a time for special alertness and a review of whether existing procedures are adequate enough to prevent or mitigate an attack.

Backing up your data is a key part of the defense against ransomware and other malware. If the backups are wiped out by ransomware, this defense is rendered useless. Ransomware attackers often try to find and delete or encrypt backups, many of which are accessible through compromised accounts. The loss of backups, even just recent backups, makes an attack a much more costly event and limits your ability to resist the attacker. What are practical ways to ensure this does not happen?

As with most security precautions, there is no 100% guaranteed way to protect your backups. But by following best practices, you can significantly increase your chances of being able to use backups for recovery from the attack with minimal losses of time and business. Having backups available won’t remove the need for an organized response to the attack run by incident response professionals, but it will make the recovery process quicker and easier.

The best backup practices can involve nontrivial cost and diligence by IT personnel. The methods used, mostly involving the 3-2-1 rule, are the right way to protect your organization—not just from ransomware but from myriad other problems that over the years have crippled companies and ruined careers. But, even if you’re not going to go to the lengths you should in backup, there are actions you can take to lessen the vulnerability of your backups in the event of an attack.

Follow the 3-2-1 rule of backup

The 3-2-1 rule of backups:

  • Three copies of the data are backed up
  • Two different storage media are used for the backup
  • One copy of the data is kept off site

The goal of the 3-2-1 rule is to increase the chances that a backup will be available. Keeping a copy remote protects you even in case of a fire or natural disaster. Backup strategists keep adding numbers to make corollaries of the rule. 

Enterprise backup software is generally designed to facilitate this approach as a best practice. Typically, one copy will be kept on an on-site storage device like a deduplicating backup appliance or high-density disk storage system. At least one of the others is written to an off-site deduplicating backup appliance or tape. But a cloud storage service is a candidate for one of the copies as well.

A good data protection setup will set the backup frequency, retention, and number of copies in relation to the value of the data, as not all organizational data has the same value. You really need to think the strategy through with respect to your own organization’s needs and capabilities, not to mention regulatory requirements. For some data, a 3-2-1+1 rule may be appropriate (regular 3-2-1, plus one copy offline). For others, a 2+1 (2 copies, one offline) rule may suffice.

Other rules follow from the 3-2-1 rule and from common sense: An on-site copy should be available for quick, operational recoveries. It should be in separate hardware so that it can’t be taken down by a problem in the devices it is backing up. The second copy doesn’t need to be as instantly accessible, but it should be available if needed.
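As an added example (not code from the article), the rules above can be encoded as a quick audit over a backup inventory. The BackupCopy fields, the policy table and the two sample inventories are constructed; "3-2-1+1" is read here as requiring at least one of the three copies to be offline.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:
    """One backup copy and the properties the 3-2-1 rule cares about."""
    label: str
    media: str      # storage medium, e.g. "disk", "tape", "object-storage"
    site: str       # where the copy physically lives
    host: str       # device that holds the copy
    online: bool    # reachable over the network from the production environment

# Minimums implied by each rule named in the article (hypothetical encoding):
# total copies, distinct media types, copies off site, copies offline.
POLICIES = {
    "3-2-1":   {"copies": 3, "media": 2, "offsite": 1, "offline": 0},
    "3-2-1+1": {"copies": 3, "media": 2, "offsite": 1, "offline": 1},
    "2+1":     {"copies": 2, "media": 1, "offsite": 0, "offline": 1},
}

def check_policy(copies, policy, source_site, source_host):
    """Return the list of violations of `policy`; an empty list means compliant."""
    rule = POLICIES[policy]
    problems = []
    if len(copies) < rule["copies"]:
        problems.append(f"need {rule['copies']} copies, have {len(copies)}")
    media = {c.media for c in copies}
    if len(media) < rule["media"]:
        problems.append(f"need {rule['media']} media types, have {sorted(media)}")
    offsite = [c.label for c in copies if c.site != source_site]
    if len(offsite) < rule["offsite"]:
        problems.append(f"need {rule['offsite']} off-site copy, have {offsite}")
    offline = [c.label for c in copies if not c.online]
    if len(offline) < rule["offline"]:
        problems.append(f"need {rule['offline']} offline copy, have {offline}")
    # Common-sense rule from the article: an on-site copy lives on separate hardware,
    # so a failure of the protected device cannot take the copy down with it.
    for c in copies:
        if c.site == source_site and c.host == source_host:
            problems.append(f"{c.label} is on the same hardware as the source")
    return problems

# Constructed inventory for a hypothetical file server at the "hq" site.
GOOD = [
    BackupCopy("nightly-disk", "disk", "hq", "backup-appliance-01", True),
    BackupCopy("weekly-tape", "tape", "hq", "tape-library-01", False),
    BackupCopy("cloud-replica", "object-storage", "cloud-region-a", "provider", True),
]
# Same server, but both copies are on site, online, and one is on the server itself.
WEAK = [
    BackupCopy("local-snapshot", "disk", "hq", "fileserver-01", True),
    BackupCopy("nas-copy", "disk", "hq", "nas-02", True),
]

if __name__ == "__main__":
    for name, inventory in (("good", GOOD), ("weak", WEAK)):
        for policy in POLICIES:
            result = check_policy(inventory, policy, "hq", "fileserver-01")
            print(name, policy, result or "OK")
```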

Historically, the off-site copy has been a tape made on site and shipped to another location, probably a tape vaulting service like Iron Mountain. (Of course, you can archive non-tape media, or even paper, with such services.) A large enough company might use remote company facilities for this purpose.

The many problems with physical tapes stored off site—they get lost, they degrade from improper storage, and they are (deliberately) inconvenient—have led many companies to switch to disk storage or a cloud storage service as the off-site option.

One of the critical characteristics of the one off-site backup in the 3-2-1 rule above is that it is also, or at least should be, offline. This makes it inaccessible to the attacker. But because being offline is what provides that protection, cloud storage isn’t necessarily appropriate for the off-site copy. If the attacker, through stolen credentials, can gain privileges sufficient to delete cloud storage, the whole point of off-site storage is lost.

One possible barrier you could place in the way of attackers attempting to reach your cloud-based backup is to use unique credentials, not from your company network, along with a separate second authentication factor to access and manage the backups. Even if the attacker completely compromises your network, the cloud backups may still be protected. Backup software vendor Veeam specifically recommends using different credentials for backup repositories in a paper about protecting backups from ransomware.

In fact, you need to be specifically careful with cloud backups, because ransomware attackers will use them to steal your data before they lock your data and blackmail you. This story tells of a victim whose online backups were compromised because their Active Directory was compromised and the service was set up to use Windows authentication. Because you are sure to back up your most sensitive data, the attacker is sure to have it. Preserving the backups is not your only big problem. The ways to prevent this situation are discussed below.

The same Veeam paper makes another recommendation that would tend to smooth the process of recovery from ransomware: Make backups more frequent and back up more types of things, like virtual machines.

But, for the most part, backups are just for data. If you only ever write data to them, you should be safe restoring them. If you are also backing up executable code, which theoretically could even be a Microsoft Office macro, then the backups themselves are compromised if the attacker infects your network and waits long enough before springing the trap. The answer to this problem is that you need to work with professional security people during the incident recovery, where your backups will be malware-scanned and otherwise scrutinized before being restored. They need to determine when the attacker gained control and to treat network data accordingly as of that point.

It is important to note that there’s a difference between what is possible for the attacker, with enough time and privilege, and what is typically done. Consider this detailed description of Ryuk, one of the most prevalent and successful ransomware strains. It attempts to stop backup processes and then delete backups available in the Windows file space. Here’s an example command:

del /s /f /q h:\*.VHD h:\*.bac h:\*.bak h:\*.wbcat h:\*.bkf h:\Backup*.* h:\backup*.* h:\*.set h:\*.win h:\*.dsk

Ryuk also attempts to shut down Windows volume shadow copying and delete all the copies. It does not seek out high-end backup servers and tape drives in an attempt to delete them. But a sophisticated attacker could.
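As an added detection example (not from the article or from any vendor), the following Python flags process-creation events whose command line matches the backup-deletion pattern quoted above, or that delete shadow copies through the built-in vssadmin tool. The event schema and the sample events are constructed.

```python
import re

# File-name patterns seen in the deletion command quoted above (lower-case).
BACKUP_EXTS = {".vhd", ".bac", ".bak", ".wbcat", ".bkf", ".set", ".win", ".dsk"}
DEL_CMD = re.compile(r"(?:^|[\s&|])(?:del|erase)\s+(.+)$", re.I)
SWITCH = re.compile(r"^/[a-z]$", re.I)
# Shadow-copy deletion via vssadmin (the behaviour the article attributes to Ryuk).
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)

def backup_targets(args):
    """Return the arguments that name backup files (known extension or backup* prefix)."""
    hits = []
    for tok in args:
        if SWITCH.match(tok):
            continue
        name = tok.rsplit("\\", 1)[-1].lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in BACKUP_EXTS or name.startswith("backup"):
            hits.append(tok)
    return hits

def inspect_event(event):
    """Return the reasons (possibly none) an event looks like destruction of recovery data."""
    cmd = event["command_line"]
    reasons = []
    m = DEL_CMD.search(cmd)
    if m:
        args = m.group(1).split()
        switches = {a.lower() for a in args if SWITCH.match(a)}
        targets = backup_targets(args)
        # Recursive (/s) or forced-and-quiet (/f /q) deletion aimed at backup files.
        if targets and ("/s" in switches or {"/f", "/q"} <= switches):
            reasons.append("mass deletion of backup files: " + " ".join(targets))
    if SHADOW_DELETE.search(cmd):
        reasons.append("volume shadow copies being deleted")
    return reasons

def scan(events):
    """Run inspect_event over a batch; return (event id, reasons) for each hit."""
    return [(e["id"], r) for e in events if (r := inspect_event(e))]

# Constructed process-creation events (hypothetical schema, not from any real host).
SAMPLE_EVENTS = [
    {"id": 1, "host": "FS01", "user": "svc_backup", "parent": "cmd.exe",
     "command_line": r"del /s /f /q h:\*.VHD h:\*.bak h:\*.wbcat h:\Backup*.* h:\*.set"},
    {"id": 2, "host": "FS01", "user": "svc_backup", "parent": "cmd.exe",
     "command_line": "vssadmin delete shadows /all /quiet"},
    {"id": 3, "host": "WS17", "user": "alice", "parent": "explorer.exe",
     "command_line": r"del /q C:\Users\alice\Downloads\report.tmp"},
    {"id": 4, "host": "FS01", "user": "svc_backup", "parent": "backupagent.exe",
     "command_line": r"copy h:\nightly.bak d:\archive\nightly.bak"},
    {"id": 5, "host": "FS01", "user": "admin", "parent": "cmd.exe",
     "command_line": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```

Events 1 and 2 are reported; a routine single-file delete, a copy of a .bak file, and a read-only vssadmin listing are not.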

Prevent the attack

There are a small number of ways ransomware attackers get a foothold in your network: phishing for credentials, running malware to gain access, and connecting through unsecured RDP ports, which may be the most popular one.

These methods point to a series of well-understood best practices, including but not limited to:

  • Apply security updates to software promptly.
  • Use role-based authentication and apply least-privilege rules to these roles.
  • Enforce strong authentication rules, including two-factor authentication.
  • Run updated malware scanning software, intrusion detection, firewalls, and other standard security products.
  • Use a SIEM (security information and event management) solution to keep up with developments on your network.
  • Lock down services (such as RDP) where they are not necessary, and enforce authentication for them where they are necessary.

You can find a lot of good advice along these lines in this HPE white paper: Protect your Windows SMB file infrastructure from ransomware

Use defense-in-depth

The defense-in-depth principle is that no one failure of a security measure should result in a security breach. The advice above is full of defense-in-depth: The 3-2-1 backup rule is designed to protect data even if there is a hardware failure, even if there is a local security breach, even if there is a fire or natural disaster. Strong authentication and malware scanning and locking down services all are, in part, different ways of protecting against the same sorts of attacks.

For a security professional, defense-in-depth is a philosophy that should pervade the IT infrastructure. Some security measures inevitably will be loosened in the name of usability, but you should always take advantage of opportunities to secure your network and users. Consider examining your network and applications in light of the OWASP Top 10, a list of the most common and serious vulnerabilities.

Use smart software

The most sophisticated backup products are more than just storage devices. They are intelligent systems that provide new ways to notice that something is wrong. For instance, they often will compress or deduplicate data being backed up. If the data is encrypted, it cannot be compressed or deduplicated, and this will be apparent in the backup results. Smart server monitoring software may notice the same thing.
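As an added example (not from the article or any backup product), the following Python implements the check the paragraph describes: it measures how well each job's data compresses, compares that with a baseline from earlier jobs on the same dataset, and flags a sudden collapse in compressibility or near-maximal byte entropy. The log-like sample data, the prior-job history and the encrypted stand-in are all constructed.

```python
import random
import statistics
import zlib
from collections import Counter
from math import log2

def compression_ratio(data: bytes) -> float:
    """Raw size divided by zlib-compressed size; about 1.0 means incompressible."""
    return len(data) / len(zlib.compress(data, 6))

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (random or encrypted content)."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * log2(c / n) for c in counts.values())

def assess_job(data: bytes, history: list, max_drop: float = 0.5) -> dict:
    """Compare one backup job with prior jobs for the same dataset.

    The baseline is the median ratio of earlier jobs. The job is suspicious when
    its ratio falls below max_drop * baseline or its entropy is near 8 bits/byte."""
    ratio = compression_ratio(data)
    entropy = shannon_entropy(data)
    baseline = statistics.median(history)
    suspicious = ratio < max_drop * baseline or entropy > 7.9
    return {"ratio": round(ratio, 2), "baseline": round(baseline, 2),
            "entropy": round(entropy, 2), "suspicious": suspicious}

# --- Constructed sample data (not real backups) ---------------------------
def make_log_sample(day: int, lines: int = 2000) -> bytes:
    """Text-like content standing in for one day's backup of an application log."""
    rng = random.Random(day)
    rows = (f"2024-03-{day:02d} 10:{i % 60:02d}:{rng.randrange(60):02d} INFO "
            f"service=web path=/api/items/{rng.randrange(50)} status=200 "
            f"bytes={rng.randrange(400, 900)}"
            for i in range(lines))
    return "\n".join(rows).encode()

HISTORY = [compression_ratio(make_log_sample(d)) for d in range(1, 8)]  # prior week
TODAY_NORMAL = make_log_sample(8)
# Same dataset after ransomware encrypted it: indistinguishable from random bytes.
TODAY_ENCRYPTED = random.Random(99).randbytes(len(TODAY_NORMAL))

if __name__ == "__main__":
    for label, blob in (("normal", TODAY_NORMAL), ("encrypted", TODAY_ENCRYPTED)):
        print(label, assess_job(blob, HISTORY))
```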

There are other advanced capabilities of high-end backup devices that serve to impede the work of ransomware attackers. Some can mark backup data as immutable, meaning it cannot be deleted or modified, at least not until conditions set by policy are met, such as a certain date having passed. Some separate the actual storage interface in a controller with a private interface.

As a general rule, ransomware attacks are mass attacks, targeting common and relatively soft implementations. Sophisticated targets with astute administrators are a less attractive target for them.

Think comprehensively

Protecting backups is just one of the ways you have to plan to prevent a ransomware disaster. Obviously, knowing that you have a good plan to protect backups is no reason to take the other protective measures lightly. Better the attacker doesn’t get past your perimeter, doesn’t steal credentials, and doesn’t execute malware on your systems.

If you fail to stop the attacker from gaining entry, fail to prevent them from encrypting your data, and fail to prevent them from killing your backups, you’ve failed. With the right knowledge and resources, you can succeed.

Protecting backups from ransomware: Lessons for leaders

  • Commit to an aggressive backup plan, following the 3-2-1 rule.
  • Use separate credentials for cloud-based backups.
  • Use smart, modern products for a thorough and secure backup plan.
  • Consider backing up using a protocol which is hard for malware to access.


5 Common Mistakes That Lead To Ransomware

If you’re a system administrator, the network you look after is almost certainly way more spread out since coronavirus stay-at-home regulations kicked in.

But even if your colleagues are using their own computers now, and connecting in via their own internet connections, it’s still “your” network, and it still represents a valuable target – as a network, not just as numerous individual computers – to cybercriminals.

And one of the most dramatic all-at-once attacks that your network can suffer is, of course, ransomware.

Ransomware attacks often rely on victims making a few basic mistakes that are often quite uncomfortable to confront – it’s natural to assume you haven’t made any (or, at least, not many), and it can feel both tired and tiring to keep going through the basics.

So we decided that we’d find a fun way to help you to keep track of the common blunders that often lead to ransomware – something with rhyme and rhythm as well as reason.

Imagine that your computer were a house, and ransomware a gang of burglars, and chant along with us…


     Don't lock the door and then forget
        And leave the windows wide.         <--PROTECT YOUR SYSTEM PORTALS
     Don't think that keys beneath the mat
        Will keep the crooks outside.       <--PICK PROPER PASSWORDS
     Don't set a guard to watch all night    
        And write things in a book,
     Yet when you get their careful notes,
        just never take a look.             <--PERUSE YOUR SYSTEM LOGS
     Don't buy alarms but turn them off 
        Because they make a row.            <--PAY ATTENTION TO WARNINGS
     And when you need to do repairs,       
        Don't shrug, and say, "Not now."    <--PATCH EARLY, PATCH OFTEN


We’ve summarized the actions you can take into 5 simple phrases, each starting with P so they’re easy to remember.

1. Protect your system portals

Crooks often sneak in by looking for remote access portals such as RDP (remote desktop protocol) and SSH (secure shell) that aren’t properly secured, perhaps because they were set up temporarily but then forgotten about.

Learn how to scan your own network from the outside and make sure that any services that are open and listening for connections are supposed to be there, and that they are on your regular security checklist.

If you don’t check your network for access holes you’ve left open by mistake, then the crooks will do it for you!

2. Pick proper passwords

When you’re in a hurry, especially if you have to rely almost exclusively on remote access these days due to coronavirus lockdown, it’s easy to take shortcuts to “get it working” and to promise yourself you’ll check all the locks and latches later.

Yet every time there’s a huge password dump due to a data breach, you will invariably find the password changeme somewhere near the top of the list.

Clearly, lots of people start out with basic passwords with every good intention to pick a proper one soon, but then never get around to it.

Start as you plan to go on, with proper passwords from the outset, plus two-factor authentication to augment your security whenever it’s available.

3. Peruse your system logs

Many, if not most, ransomware attacks don’t happen instantly or without warning – the crooks usually take some time, often days and sometimes longer, to get a picture of your entire network first.

That’s how they make sure, when they finally pull the trigger that initiates the attacks, that they will get the destructive result they want for the ransom they plan to demand.

So there will often be numerous telltale signs in your logs, such as the appearance of “grey hat” hacking tools that you wouldn’t expect your own users to need or use; sysadmin operations such as creating new accounts that happened at unusual times; and network connections from outside that don’t follow your usual pattern.

4. Pay attention to warnings

If you’ve set up your alerting system to shout at you all the time, you will almost certainly end up with alert fatigue, where you just click through because you’ve run out of time.

But be careful not to assume that otherwise interesting warnings can be ignored if they mention a potential threat was already blocked.

Often, threats that pop up on your network aren’t just chance events, they’re evidence that crooks are already poking around cautiously to see which actions set off what alarms, in the hope of pulling off a much bigger attack later on.

5. Patch early, patch often

Don’t leave yourself exposed to potential holes for longer than necessary.

While the crooks are scanning your network for ways to get in (see 1), they can also scan for externally accessible services that aren’t patched at the same time.

This helps the crooks automatically build lists of potential victims to come back to later – so your best result is simply not to be on their list!


For more information, please refer to Naked Security by Sophos

Cohesity Expands Certified Data Protection for SAP HANA

For many large enterprises, SAP HANA is quickly becoming the de facto in-memory database management system, and for good reason. SAP HANA allows companies to rapidly process large volumes of real-time data. The in-memory computing engine allows HANA to process data stored in RAM as opposed to reading it from a disk. This distinction is profound, giving enterprises enough of a reason to rely on HANA for real-time analytics and transactions.

Given the growing emphasis on concurrency and managing data at scale, more organizations are relying on HANA for additional use cases such as monitoring networks, optimizing their supply chains, and detecting fraud.

The Need for HANA Data Protection

It’s clear that both the number of deployments and the scope of HANA will continue to grow. What’s less obvious is the imperative need for a comprehensive data protection solution. While SAP offers backup tools that save data from memory to disk at regular savepoints, a modern data protection solution is necessary to complement these native tools to address the following data protection requirements:

  • Protecting against disk corruption, logical damage, or human error
  • Storing backups efficiently
  • Recovering to an earlier point in time in the event of a disaster—and to the right location

Protecting Data Where It Counts

To allow you to bring back your database to a consistent state after a power failure, for example, SAP HANA relies on two elements: savepoints and transactional logs. HANA keeps both savepoints, or the content of database memory, as well as logs that track transactional changes in a persistent layer.

Savepoints and transactional logs are key components of HANA, but believing these components alone are enough for data protection is a fallacy. In the event of logical errors or data loss stemming from hardware failure, data loss can become a reality if the persistent layer is not backed up.

Cohesity provides the ability to back up this persistent layer, protecting the integrity of HANA’s safeguarding measures, and ultimately, your data.

Storing Backups Efficiently and Securely

For many organizations, particularly large enterprises, the key challenge is the fact that there are numerous considerations. It’s not enough to simply protect data. The questions organizations often ask allude to the juggling act performed by IT teams: How can we keep guardrails on cost? How do we eliminate silos and make our infrastructure simpler to manage?

Since SAP HANA is a system that encompasses both SAP applications—like SAP S/4HANA—and other non-SAP applications, by backing up HANA with Cohesity, you can eliminate data silos related to both SAP and non-SAP applications. This is relevant regardless of the location of HANA—in a public cloud provider or on-premises. This results in infrastructure that is simpler to manage, reducing the cost and time that go into management overhead. Going beyond consolidation, you can reduce the data footprint of HANA by leveraging Cohesity’s global variable-length deduplication. Large organizations consistently report data reduction rates above 26x and TCO savings of $500k, with much of the savings predicated on a differentiated approach to deduplication.

Recover Granularly, Anywhere

Flexibility is important when determining how data should be protected and recovered. Particularly for analytics, it’s necessary to have the ability to restore to a specific point in time and have granular options. To allow enterprises to meet these requirements, Cohesity supports granular and point-in-time restores. In addition, you can recover to any location, regardless of the environment. With multistreaming support, restores, as well as backups, are faster on Cohesity than other solutions.

Native Integrations—SAP Certified Across the Board

Cohesity’s data protection solution for SAP HANA is founded on a native integration. The implication is the ability to allow SAP Basis administrators to continue using their existing tools and workflows such as SAP HANA Cockpit, Studio, and HDBSQL. Backup administrators can also choose to use Cohesity to easily protect SAP HANA data. This is why having a native solution matters. It helps provide flexibility and simpler operations for users.

And Cohesity is more than a native solution. It’s certified. Cohesity is SAP Certified for:

  • Intel + SAP HANA 1.0 / 2.0 
  • IBM Power Systems + SAP HANA 2.0

SAP HANA 2.0 on IBM Power is a configuration that many enterprises rely on. Now, Cohesity is one of the few solutions that is certified for this combination. Leveraging the Backint API, Cohesity delivers a certified solution that has numerous benefits, including direct access to the HANA database through a fast pipe. This means faster backups and restores. 

Cohesity offers a comprehensive backup and recovery solution for SAP HANA by protecting nuanced layers within HANA, reducing TCO through a unique approach to data deduplication, and providing flexibility in recovery. These benefits can be attributed to a unique approach to data management and building a native solution for HANA that’s certified by SAP.