With the end of 2021 less than two months away, ransomware attacks have become one of the biggest security threats of the year worldwide. In this regard, South Korea recently released the “Guidelines for Safe Information System Backup in Response to Ransomware (Revised)”, which aims to help Korean companies formulate information system backup measures to deal with ransomware attacks. The Guide analyzes the 4 most common techniques ransomware attackers use to compromise data backups, which deserve the attention of those in the security industry.
Ransomware attacks become the world’s biggest security threat in 2021
According to data released by the Korea Internet Agency, ransomware attacks are on the rise worldwide. Losses from ransomware attacks in 2021 increased by 102% compared with 2020, reaching about 22 trillion won. Taking South Korea as an example, 39 ransomware cases were reported to KISA in 2019, but in 2020 the number more than doubled to 127 cases. In the first half of this year alone, 78 ransomware cases have been reported, and the losses are also on the rise. Affected industries are diversifying into energy, food, IT, manufacturing, services and transportation.
Today, ransomware is one of the most representative types of cyberattack. Once a system is compromised by ransomware, it is difficult to recover. Most importantly, attackers have recently used ransomware not only to encrypt data, but also to threaten to leak internal corporate information, and additionally to conduct distributed denial of service (DDoS) attacks against companies that provide network services. In the past, ransomware was a one-off attack: a specific computer was infected and then decrypted in exchange for a ransom. Recently, however, ransomware attacks are evolving into Advanced Persistent Threats (APTs): after a long period of preparatory work (information theft, distribution of malicious code, etc.), multiple attacks are launched at the same time and the entire system is paralyzed.
Ransomware attacks have gone beyond the scope of attacking personal computers and expanded to various fields such as enterprise systems, social infrastructure, and daily necessities, and are gradually approaching areas that can be felt by ordinary people. In particular, as more and more companies back up their data in response to attacks, the phenomenon of “triple threat” through means such as information leakage and DDoS attacks has emerged.
Taking the United States as an example, this year the ransomware attack on the Colonial Pipeline company interrupted fuel supply and caused oil prices to rise in parts of the eastern United States; a ransom of $11 million was paid. In the IT field, there was the ransomware attack against Kaseya, an American IT solutions company. These attacks have caused huge losses to society and the population and are therefore classified as serious security cases.
Of course, South Korea has not been immune to ransomware attacks. Ransomware attacks continue to occur in various fields, including domestic vehicle parts manufacturers, distribution platforms, and the shipboard mainframe computers of shipping companies. In the future, a ransomware attack on social infrastructure such as smart cities or smart grids could paralyze people’s daily lives.
Ransomware attacks against South Korean businesses have been on the rise in recent years. The increase is especially pronounced for small and medium-sized enterprises, whose network technology and security infrastructure are weaker than those of large enterprises. According to the statistics on cyber-infringement incidents by enterprise size published by the Korea Internet Agency (KISA), 98% of victimized companies are small and medium-sized enterprises, an overwhelming majority compared with the 2% that are large enterprises. As a result, SMEs that lack the resources or expertise to protect their digital assets from cyber threats are more vulnerable to cyber-attacks such as ransomware.
In this context, the Ministry of Science, Technology, Information and Communications of Korea and the Korea Internet Promotion Institute jointly issued the “Guidelines for the Backup of Security Information Systems in Response to Ransomware (Revised Version)” (hereinafter referred to as the “Guidelines”), which has attracted great attention from Korean companies. Since data backup is recognized as the most effective means of minimizing ransomware losses, the guidance released this time is expected to help many businesses, especially small and medium-sized enterprises, develop information system backup measures to deal with ransomware attacks.
This guide describes how to set up and operate an information system backup system required by SMEs or small service companies. In addition, the Guidelines provide safeguards for protecting backup data from cyber-attack threats from external environments such as malicious code and ransomware, as well as guidelines for building information system backups suitable for small and medium-sized business environments.
The main content of the “Guide” includes ten chapters:
Chapter 1 Overview
Chapter 2 Composition and Scope of the Guidelines
Chapter 3 Definition of Backup Terms
Chapter 4 Backup Organization and Function
Chapter 5 Backup Procedures and Safety Management Procedures
Chapter 6 Building a Backup System
Chapter 7 Backup Strategy
Chapter 8 Backup System Security Policy
Chapter 9 Backup System Structure Diagram
Chapter 10 Backup Management Styles
In terms of content, the “Guide” first defines the organization and role of backup, then explains backup procedures and security management procedures so that the backup organization can carry out backup and security management systematically. In addition, the Guide outlines the necessary response procedures so that businesses can respond quickly when infected with malicious code or hit by a ransomware attack.
In the chapter on building a backup system, the backup system configurations commonly used by enterprises and the configurations that prevent ransomware attacks are introduced. The backup strategy chapter introduces various backup methods and backup strategies for small and medium-sized enterprises. Finally, the chapter on the backup system security policy explains the security precautions a backup system requires to prevent network attacks such as ransomware.
(The original PDF and full text of the “Security Information System Backup Guidelines for Response to Ransomware (Revised)” jointly issued by the Ministry of Science, Technology and Information Communications of the Republic of Korea and the Korea Internet Promotion Institute have been uploaded to Sanzheng Knowledge Planet and can be obtained by following the instructions at the end of the article.)
4 techniques ransomware hackers use to compromise data backups
In the past, ransomware attacks mostly targeted unspecified personal computers, encrypting data and demanding a ransom payment. Recently, however, ransomware has mainly targeted large enterprises that can pay high ransoms. The attack method is no longer limited to encrypting data: attackers also threaten to leak the data onto the Internet to force the victim to pay the ransom, and their methods are constantly evolving. This change in attack method came about because individuals and enterprises strengthened data backup as their response strategy to ransomware, making it difficult for attackers to profit from data encryption alone.
If you cannot be 100% protected against ransomware attacks, data backup may be the most effective response strategy. Because of this coping strategy, ransomware attackers are working tirelessly to compromise data backups. According to the Korea Internet Promotion Agency, ransomware attackers recently not only encrypt backup data on local or shared drives, but even locate and infect the backup data of specific systems (i.e., targeted attacks) in order to disable the backup system itself.
Therefore, it is very important to study and analyze the data backup destruction techniques mainly used by ransomware attackers, and to formulate strategies for each enterprise to deal with this attack technique. Chapter 1 of the Guide provides an overview of the four most common techniques used by ransomware attackers to compromise data backups, which are summarized as follows:
The first is deleting shadow copies. Ransomware prevents recovery of earlier versions of data files by deleting the shadow copies created by the Windows system’s own backup feature, Volume Shadow Copy (VSC).
The second is encrypting network share backups. Some backup solutions back up data to a network share path using the solution’s default folder name. Ransomware attackers look for these backup folders on corporate networks and encrypt them along with the primary data.
The third is malicious use of the backup solution. Backup solutions typically use their own application programming interfaces (APIs) to manage data backup within the enterprise. Attackers use stolen credentials or vulnerabilities to access the backup management API and exploit it to delete or encrypt backups.
The fourth is inducing the backup of corrupted data. Ordinary ransomware encrypts data immediately after the initial breach, but recently some ransomware has secretly infiltrated internal networks, corrupted data, and waited until the corrupted data had been backed up before encrypting the original data. Because the backup data itself is already corrupted, the data cannot be restored to a normal state.
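The following Python script is an added example, not part of the Guide or of this article, showing two defender-side checks that correspond to the first and fourth techniques above: scanning process-creation log lines for commands that remove Windows shadow copies, and refusing to rotate out an older backup generation when the new generation contains previously known files that changed and now look encrypted (high byte entropy) or when an implausibly large fraction of known files changed at once. The sample log lines and backup contents are constructed; the command patterns, the entropy threshold of 7.2 bits per byte and the 50% change ratio are assumptions to be tuned against your own environment.

```python
import hashlib
import math
import re
from collections import Counter

# Command-line patterns associated with shadow-copy removal (MITRE ATT&CK T1490,
# "Inhibit System Recovery"). This list is an illustrative assumption; extend it
# from your own telemetry before relying on it.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.IGNORECASE),
]


def find_shadow_copy_deletions(log_lines):
    """Return (line_number, matched_command) for each process-creation record
    whose command line attempts to remove Windows recovery points."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for pattern in SHADOW_DELETE_PATTERNS:
            match = pattern.search(line)
            if match:
                hits.append((number, match.group(0)))
                break
    return hits


# Constructed Sysmon-style process-creation summaries; not real telemetry.
SAMPLE_LOGS = [
    'host=FS01 user=backupsvc image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin list shadows"',
    'host=FS01 user=SYSTEM image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"',
    'host=FS01 user=SYSTEM image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic shadowcopy delete"',
    'host=FS01 user=alice image=C:\\Windows\\explorer.exe cmdline="explorer.exe"',
]


def shannon_entropy(data):
    """Bits of entropy per byte; encrypted or random content approaches 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def manifest_of(files):
    """Map each backed-up file name to the SHA-256 of its content. Store this
    manifest with every backup generation so the next run can compare against it."""
    return {name: hashlib.sha256(content).hexdigest() for name, content in files.items()}


def backup_generation_check(prev_manifest, files, entropy_threshold=7.2, max_changed_ratio=0.5):
    """Decide whether the new generation may overwrite the oldest retained copy.
    Known files that changed since the previous manifest AND now look encrypted
    are flagged, as is a change to more than max_changed_ratio of known files.
    Returns (ok, reason)."""
    known = [name for name in files if name in prev_manifest]
    changed = [name for name in known
               if hashlib.sha256(files[name]).hexdigest() != prev_manifest[name]]
    flagged = [name for name in changed if shannon_entropy(files[name]) >= entropy_threshold]
    if flagged:
        return False, "changed files look encrypted: " + ", ".join(flagged)
    if known and len(changed) / len(known) > max_changed_ratio:
        return False, f"{len(changed)} of {len(known)} known files changed"
    return True, "ok"


if __name__ == "__main__":
    for number, command in find_shadow_copy_deletions(SAMPLE_LOGS):
        print(f"shadow-copy deletion in log line {number}: {command}")

    # Constructed backup sets: yesterday's generation and two candidate generations.
    text_old = b"quarterly report: revenue up 3%\n" * 20
    text_new = b"quarterly report: revenue up 4%\n" * 20
    db_plain = b"INSERT INTO orders VALUES (1, 'widget');\n" * 50
    db_garbled = bytes(range(256)) * 8  # stand-in for encrypted content, entropy 8.0
    previous = manifest_of({"report.txt": text_old, "db.bak": db_plain})
    print(backup_generation_check(previous, {"report.txt": text_new, "db.bak": db_plain}))
    print(backup_generation_check(previous, {"report.txt": text_new, "db.bak": db_garbled}))
```

The generation check is deliberately conservative: a refusal does not discard the new copy, it only blocks deletion of the oldest retained generation until an operator has looked, which is what keeps a known-good restore point available when corrupted data was silently fed into the backup pipeline.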
Regarding data backup, the Korean Ministry of Science, Technology and Information Communications and the Korea Internet Promotion Agency emphasized: “Ransomware appears for the purpose of seeking monetary benefits, and the possibility of generating revenue has been proven. It is expected that ransomware attacks will continue to occur in the future, and the attack methods will continue to improve. The most effective response to this is data backup, especially since enterprises need to consider a data backup strategy that will not fail.”
Postscript: Backups have always been considered the last line of defense against ransomware. If backups are compromised, the entire security line of defense will lose its ability to recover and may fall completely.