No Need to Worry About Crypto-Virus, We Have Backups


Senior Director, Digital Forensic & E-Discovery

A Closer Look at Data Backup Systems When it Comes to Ransomware

Another day, another new crypto-virus (aka ransomware). You know, the type of virus initiated by going to a bad website or clicking on an attachment (or other means), which then causes all of your precious documents to become encrypted. You get a message, a request for some amount of Bitcoin and a method by which you can decrypt your documents. It is embarrassing and can be costly. Continue reading to learn how to combat crypto ransomware attacks in three steps.

How to Combat Crypto Ransomware Attacks

The ways to combat these crypto ransomware attacks are well documented. It starts with end-user training: getting users to stop opening every single attachment that comes to them. It extends to making sure that your systems are properly up to date and patched, as many of these crypto-viruses spread via well-publicized vulnerabilities. But one of the best ways to combat a crypto-virus attack is to have good backups of your data. The idea is that you can wipe clean the infected machines and data, then restore from your latest backup. Sure, you may lose some information (anything added after the last backup and before the crypto-virus attack), but it is much better than paying the ransom.

Of course, everyone knows the routine (or should if you have read past posts). In order to ensure that you can restore your data properly, it takes prior testing of your backup and restore services. That process starts with monitoring your backup logs for errors and exceptions, but extends to testing your restoration process and performing an audit to verify that you are backing up all of your data and nothing is being missed. However, what most people are forgetting is the vulnerability created by using disk-to-disk backups.

Tape vs Disk Backups

Years ago all backups were done to tape. Whether it was DLT, LTO, DAT or something else, the data was stored on a spinning disk of magnetic tape similar to the cassette tapes of the 80s and early 90s (raise your hand if you still covet your Purple Rain Soundtrack cassette tape like me). But with the growing size of hard drives, tape manufacturers didn’t always fare well as they changed technologies, ditching older ones and not doing much for backwards compatibility. That, combined with a higher failure rate of tape drives (vs. the actual tape media) and increased speed, led many in IT to move towards backup to disk.

No problem with the move, right? Umm, maybe not. Check out this Reddit post:

The TL;DR version is that this company had good backups, but the backups were to disk. When they got hit by a hacker spreading a crypto-virus, the hacker had easy access to those backups and proceeded to delete those as well.

You can stop now and run down to your person in charge of your backups if you just broke out in a cold sweat.

Are you back? Good. The benefit of tape backups in warding off a crypto-virus attack is two-fold. First, companies usually practice some type of tape rotation, which means that while some of your tapes may be loaded into the tape drive and accessible, many are not. They are likely (hopefully) in a safe or off site. Second, deleting disk backups usually doesn’t require special software or other types of access, whereas deleting tape backups requires accessing the actual backup machine and software, and that tends to be “noisy,” allowing a hacker to be exposed. Finally, while automated crypto-viruses can worm their way to any disk on a network, it takes a very well-crafted one to get at a tape drive. In fact, I’ve only heard of such a virus being spoken of, kind of in the same breath as Bigfoot.

Do not take this as a bashing of disk backups, because it isn’t. Disk backups are just as good as, some may say better than, tape backups. My point in this blog is to direct your attention to the idea that disk backups may be more susceptible to a hacker or virus than a tape backup, and therefore your organization needs to consider what type of extra protection is being put on that disk backup.
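One check on that extra protection, as an added example that is not part of the original post: it walks a disk backup repository and lists entries that accounts other than the backup account could delete or overwrite. It assumes a POSIX filesystem on the backup server; the repository layout and file names are constructed for the demonstration.

```python
import os
import stat
import tempfile

LOOSE = stat.S_IWGRP | stat.S_IWOTH  # write bits for group and other

def exposed_backup_paths(repo_root, backup_uid):
    """Return (path, reason) for entries a non-backup account could tamper with."""
    findings = []
    for dirpath, _dirs, files in os.walk(repo_root):
        st = os.stat(dirpath)
        # Deleting a backup file needs write access to its parent directory,
        # so directory permissions matter as much as file permissions.
        if st.st_uid != backup_uid:
            findings.append((dirpath, "directory not owned by backup account"))
        if st.st_mode & LOOSE:
            findings.append((dirpath, "directory writable by group/other"))
        for name in files:
            full = os.path.join(dirpath, name)
            if os.lstat(full).st_mode & LOOSE:
                findings.append((full, "file writable by group/other"))
    return findings

def demo():
    """Constructed repository: one loose directory, one loose backup image."""
    with tempfile.TemporaryDirectory() as repo:
        os.chmod(repo, 0o700)
        daily, weekly = os.path.join(repo, "daily"), os.path.join(repo, "weekly")
        os.mkdir(daily)
        os.mkdir(weekly)
        os.chmod(daily, 0o700)
        os.chmod(weekly, 0o777)   # anyone on the host can delete from here
        image = os.path.join(daily, "mon.img")
        open(image, "wb").close()
        os.chmod(image, 0o666)    # anyone on the host can overwrite this
        found = exposed_backup_paths(repo, os.getuid())
        return sorted((os.path.basename(p), why) for p, why in found)

if __name__ == "__main__":
    for name, why in demo():
        print(f"{name}: {why}")
```

This covers local file permissions only; share-level access and the credentials that can reach the backup server need their own review.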

IT Auditing Is Crucial

As always, when implementing a solution, audit and test, test and audit. If you can handle it internally, great, but looking to an outside third-party IT auditor, such as Vestige’s information technology audit services, might be a good idea. If you are in need of one, let me know, I may know one or two *wink, wink*.

by Greg Kelley, BS, EnCE, DFCP, Chief Technology Officer at Vestige Digital Investigations