3 min read

Even cloud backups should have a silver lining: NCSC Principles for ransomware

Read more

By Hans Allnutt & Lara Maslowska

|

Published 07 November 2023

Overview

A recent report by NCC Group noted that September 2023 saw record levels of ransomware attacks1, with 514 victims' details being released on the dark web representing a 153% year-on-year increase.

Ransomware remains a consistent threat that is often incredibly damaging to a business's ability to trade and reputation, traumatic for individuals working in that business, and costly for business and its insurers. The more damage a threat actor can inflict on business's reliance on data, by way of encryption, the more leverage it will have over the business for a successful extortion.

The FCA's own guidance2 on reacting to ransomware refers to the National Crime Agency's (NCA) advice not to pay ransoms, but stops short of rendering payments illegal or unlawful outright.

Understandably, available guidance instead focusses on reducing the damage that can be caused by threat actors decrypting backups in order to reduce the extortion leverage and hopefully reduce the number of ransoms being paid. A critical key to ransomware recovery is the availability of backups. Even if a business has backups, we often see threat actors target those backups to affect the business's ability to recover. Cloud-based backups can be particularly vulnerable because a threat actor with network access may then obtain access to connected backups, as opposed to, physical backups.

The NCSC has released guidance on ensuring that cloud-based backups are resistant to the effects of destructive ransomware. The guidance is intended for both vendors of cloud based backup services, who can tell consumers that their product complies, and for users to understand which services will in fact protect their data in the event of an attack.

The guidance is separated into 5 key principles:

1. Backups should be resilient to destructive actions

This includes attempts to destroy, maliciously edit, overwrite or delete backup data. The following implementations are suggested to ensure such resilience:

(i) Blocking any deletion or alteration request for a backup once it is created; (ii) Offering soft-delete by default – this leaves data as recoverable from a separate storage area for a limited period so would also need regular monitoring of the system; (iii) Delaying implementation of any deletion or monitoring requests, coupled with an alert being raised; and (iv) Forbidding destructive requests from customer accounts other than by a pre-agreed method.

2. A backup system should be configured so that it isn't possible to deny all customer access.

If a threat actor is able to disable or delete all customer accounts they do not even need to destroy the data itself to wreak havoc.

3. The service allows a customer to restore from a backup version, even if later versions become corrupted.

This should be testable by the consumer as part of a regular monitoring process and a version history should be created and retained so the system owner can restore from a version of their choice. Flexible storage policies can also allow system owners to decide how many backups to keep according to their risk appetite.

4. Robust key management for data-at-rest protection is in use.

If backups no longer in regular use are encrypted for protection, an attacker can simply delete or modify the encryption key without needing to delete the data itself. Keys should therefore be protected, for example by keeping a paper version in a safe.

5. Alerts are triggered if significant changes are made or privileged actions are attempted.

The service should offer different types of alerts so they can still be received even if the customer's infrastructure is compromised and the customer must then initiate a follow-on incident management process.

Many impacted businesses are surprised to learn that backups are not safe from decryption, simply because they are "cloud-based" and off site. This guidance is intended to put the onus on vendors to provide a service which truly protects the data from encryption as far as possible and empowers consumers to ask for a service which complies with NCSC guidance. Of course, it should still be remembered that a cloud based backup service is just one part of a backup regime and preventing access to the backup is the only way to prevent data exfiltration.

 

References

1https://www.nccgroup.com/uk/resource-hub/cyber-threat-intelligence-reports/#download
2https://www.fca.org.uk/publication/documents/ransomware-infographic.pdf

Authors