27 March 2025

You Probably Have Malware in Your Backups.

Here’s an alarming statistic for you: At the time of writing this blog, over 80% of Predatar customers have discovered previously undetected malware in their backup data within a month of starting to use Predatar’s Recovery Assurance platform. So, how does it get there? And what can you do to make sure your backups are safe?

Most of Predatar’s customers are medium to large enterprises with expansive IT networks. Every one of these organisations has cyber security technologies in place, including some sort of antivirus product. In most cases these are market-leading XDR products from vendors like CrowdStrike, Palo Alto, or Microsoft. So, how is malware getting into their backups?

How Does Malware Get into Backups?

1. Replication of zero-day viruses

Typically, organisations configure their antivirus technology to run incremental scans on their production systems. Only new data, or data that has changed, is checked for malware. The reason is simple: incremental scans are more efficient, both in the time they take and in their performance impact on the underlying disk. The reality is that checking all production data, every day, is simply not feasible.

The problem here is zero-day attacks. If a new strain of virus infiltrates your IT network before it’s known to your antivirus vendor, it will slip through the net and hide inside your network. This malware will remain undetected until the data it resides in is altered. At this point, it’s likely the virus definitions in your antivirus tools will have updated, and the malware can be flagged and removed.

But… most organisations create backups every night. So, in this scenario the malware that ‘slipped through’ will have been backed up too. Even if the virus is removed from production systems, very few organisations take the step of proactively checking and cleaning their backups.

2. Planting malware directly into backups

Cyber criminals can – and do – target backups directly. This is a common practice for ransomware gangs, who will encrypt or delete backups as part of a co-ordinated attack. By compromising the backups, they remove their victim’s ability to restore data, leaving the victim with little option but to pay the ransom demand.

In this scenario, the criminals will gain administrator access to their victim’s backup platforms to plant malicious code directly into backup repositories. This approach completely bypasses antivirus protection on production systems.

Access is usually achieved via stolen administrator credentials, or hacking methods such as manipulating OAuth token access. In some cases, criminals will recruit an insider. For example, a Storage Administrator within the target organisation may be offered payment for planting malware in backups.

Why is Malware in Backups a Problem?

Put simply, malware in your backups will put your ability to restore at risk. Whether you need to recover an important file that was accidentally deleted, or mount a large-scale recovery of critical business systems following a cyber attack or other major data loss event – malware in your backups could be a show stopper, leaving you with no way to recover your valuable data.

At best, this will be inconvenient. At worst, business critical systems could be offline for extended periods. In some cases, loss of customer or employee data could lead to regulatory non-compliance, fines and legal action.

Does Immutability Solve the Problem?

Immutability has become a popular method to protect against the problem of malware in backups. While it offers some protection, immutability alone doesn’t solve the problem.

Essentially, immutability means that once data has been written it can’t be altered. Using immutable backups won’t stop undetected malware from being replicated into your storage repositories, but it does mean that once it’s there it can’t be activated, and your data is safe from malicious encryption or deletion – while it remains in an immutable state.

The problem comes when an infected immutable backup is recovered. Restoring from an infected backup will introduce the malware to the system you are restoring to, and once the restore has taken place, the data is no longer immutable, and the malware could be activated by the criminals that created it.

How Can You Make Sure Your Backups Are Safe?

The only way to be sure your backups are safe is to check them. Best practice dictates recovering backups to an isolated recovery environment, also known as a cleanroom, before running antivirus tools to validate them for cleanliness. This method means that if your backups are found to contain malware, neither your production nor your backup systems are at risk while you take remedial action.

Today, this approach is generally used as a reactive measure in high-stakes scenarios. When a cyber attack has occurred, organisations will begin the process to validate their backups, starting with their most critical workloads, as part of a large-scale cyber recovery procedure.
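The two mechanisms described above, the incremental-scan gap from section 1 and the full rescan that a cleanroom validation performs, can be modelled in a few lines. The following Python is an added illustration, not code from the original post or from Predatar’s products; the file paths, file contents and “signatures” are constructed, and the hash-set scanner is a stand-in for a real antivirus engine.

```python
# Added illustration with constructed data (no real malware, no real AV engine):
# incremental production scans skip a zero-day sample the nightly backup copied.
import hashlib
from dataclasses import dataclass, field

def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Scanner:
    """Stand-in for an AV engine: a set of known-bad content hashes."""
    signatures: set = field(default_factory=set)
    def learn(self, sample: bytes) -> None:
        """Vendor definition update covering a newly discovered sample."""
        self.signatures.add(fingerprint(sample))
    def is_malicious(self, data: bytes) -> bool:
        return fingerprint(data) in self.signatures

@dataclass
class Production:
    files: dict = field(default_factory=dict)         # path -> content
    last_scanned: dict = field(default_factory=dict)  # path -> hash at last scan
    def incremental_scan(self, scanner: Scanner) -> list:
        """Scan only changed files; unchanged files are skipped even after a signature update."""
        hits = []
        for path, data in self.files.items():
            digest = fingerprint(data)
            if self.last_scanned.get(path) == digest:
                continue
            self.last_scanned[path] = digest
            if scanner.is_malicious(data):
                hits.append(path)
        return hits

def validate_backup(snapshot: dict, scanner: Scanner) -> list:
    """Full scan of a backup snapshot with current signatures: the cleanroom check."""
    return sorted(p for p, d in snapshot.items() if scanner.is_malicious(d))

def scenario() -> tuple:
    dropper = b"constructed zero-day sample, unknown on day one"
    scanner = Scanner()
    prod = Production(files={"/srv/app/report.pdf": b"quarterly figures",
                             "/srv/app/update.exe": dropper})
    day1 = prod.incremental_scan(scanner)     # nothing known yet -> []
    backup = dict(prod.files)                 # nightly backup copies the dropper
    scanner.learn(dropper)                    # definitions catch up next day
    day2 = prod.incremental_scan(scanner)     # unchanged file skipped -> []
    found = validate_backup(backup, scanner)  # rescan of the backup -> hit
    return day1, day2, found
```

The production scan stays silent on day two because nothing changed, while the same content sits in the day-one backup; only the full rescan of the snapshot reports it.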

What is Proactive Cyber Recovery?

Thanks to automation and artificial intelligence, products like the Predatar Recovery Assurance platform can continually validate your backups to ensure they are always recoverable and free from malware. This proactive approach means that you’ll know your backups are safe before a crisis hits.

Only Predatar offers a vendor-agnostic solution that enables you to automate recovery testing and advanced malware interrogation on Veeam, Rubrik, IBM, and Cohesity backups in the same cleanroom. Predatar can also be used to validate immutable IBM and Pure snapshots.

Want to Become Recovery Confident?

Don’t wait for a crisis to find out if you can recover. Watch this short video to learn more about Predatar and contact our team to start your journey to recovery confidence.
