Why 3-2-1 Backup has Become an Ineffective Ransomware Defence
March 31st, 2020 by Kris Price
If you are familiar with data backup you are probably aware of the “3-2-1” backup process; you should have three copies of your data, on two different types of media, with one copy stored offsite or air-gapped from your primary production environment.
For a long time, the 3-2-1 backup model was considered an effective defence against viruses and ransomware. However, in recent years ransomware has become much more sophisticated in how it goes about trying to infiltrate companies’ systems. Ransomware is big business and the developers stand to make vast sums of money from successful attacks. Therefore, criminals have invested a huge amount of time and effort to make their ransomware more effective at not only infecting company production data but also the backups, even if the company thinks it is safely “air-gapped”.
There is an important difference between a ransomware infection, where ransomware is on a network, but it hasn’t started encrypting data, and detonation, when the ransomware starts encrypting data.
Initially ransomware was designed to delete backups before it detonated on the network to prevent the backups from being used to restore a healthy copy of the data. Many businesses implemented the 3-2-1 backup process to combat this type of attack. After all a tape sat on a shelf or in a safe offsite can’t be deleted by a ransomware attack, so there was always a healthy copy of the data to fall back on.
Unfortunately, the attackers have adapted and adjusted the way in which ransomware works. More recent iterations lie dormant on a network for weeks or months, spreading to as many systems as possible. Most backup solutions see the ransomware as just another new file and back it up, and because it has been lying dormant for so long, it ends up inside multiple generations of backups. Now, when the ransomware detonates, it can bring a business to its knees.
The first thing a company will do, rather than pay a ransom, is recover the data from the most recent backup. The problem is that the ransomware is already inside the backup, so when it is restored it will detonate all over again. And because it could have been on the network for months, older generations will have the same issue. This is known as the ransomware attack loop, and in this situation the 3-2-1 backup process becomes part of the problem.
There is however a solution to this, and it’s called Asigra. And the even better news is that BrightCloud use Asigra as the platform for our Backup as a Service offering. Asigra recently introduced a feature to prevent the attack loop from ever occurring. During a file backup, the backup software scans each file and compares it to a database of known ransomware types, which is constantly updated with new definitions. If a malware file is detected during the scan, it is moved into a quarantine folder away from the backup repository. This file is compressed and encrypted and marked as malicious, and the detection is reported to the backup administrator so they can deal with the situation. Likewise, during a restore the files are scanned again, so if an old backup has a ransomware file within it, it will not be recovered onto your network. This prevents the attack loop and maintains the data’s integrity.
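As an added illustration (not Asigra’s or BrightCloud’s code), here is a toy backup repository in Python that applies the two scans described above. A hash-based definition database stands in for the product’s ransomware database; the walk-through shows a dormant sample slipping into an early backup generation before a definition exists, then being quarantined on the next backup and blocked when the old generation is restored. The function names, the hash-matching approach and the placeholder sample bytes are assumptions.

```python
import hashlib
import zlib
from dataclasses import dataclass, field

def classify(data: bytes, signatures: dict):
    """Signature name if the file's SHA-256 is in the definition database, else None."""
    return signatures.get(hashlib.sha256(data).hexdigest())

@dataclass
class Repository:
    generations: list = field(default_factory=list)  # each generation: {path: bytes}
    quarantine: dict = field(default_factory=dict)   # path -> (signature, compressed copy)
    alerts: list = field(default_factory=list)       # what the backup administrator sees

def backup(repo: Repository, files: dict, signatures: dict) -> int:
    """Scan every file on the way in; flagged files are quarantined, not stored."""
    clean = {}
    for path, data in files.items():
        sig = classify(data, signatures)
        if sig:
            # zlib stands in for the product's compressed-and-encrypted quarantine copy
            repo.quarantine[path] = (sig, zlib.compress(data))
            repo.alerts.append(f"backup: quarantined {path} ({sig})")
        else:
            clean[path] = data
    repo.generations.append(clean)
    return len(clean)

def restore(repo: Repository, index: int, signatures: dict) -> dict:
    """Scan again on the way out so a pre-definition generation can't reintroduce the file."""
    restored = {}
    for path, data in repo.generations[index].items():
        sig = classify(data, signatures)
        if sig:
            repo.alerts.append(f"restore: blocked {path} from generation {index} ({sig})")
        else:
            restored[path] = data
    return restored

# Constructed walk-through of the attack loop; SAMPLE is placeholder bytes, not malware.
SAMPLE = b"SIMULATED-RANSOMWARE-SAMPLE"
FILES = {"docs/report.txt": b"quarterly numbers", "tmp/dropper.bin": SAMPLE}

def demo() -> tuple:
    repo, signatures = Repository(), {}
    before = backup(repo, FILES, signatures)      # dormant phase, no definition yet: both stored
    signatures[hashlib.sha256(SAMPLE).hexdigest()] = "sim.ransom.a"   # definition arrives
    after = backup(repo, FILES, signatures)       # next generation: dropper quarantined
    recovered = restore(repo, 0, signatures)      # old generation: only the clean file comes back
    return before, after, sorted(recovered), sorted(repo.quarantine), len(repo.alerts)
```

Without the restore-time scan, generation 0 would hand the sample straight back to the network, which is exactly the loop the article describes.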
For more information about the ransomware attack loop be sure to check out the ransomware attack loop video.