The recent joint cybersecurity advisory issued by the FBI, CISA, and MS-ISAC on the surge of (Cring) ransomware attacks reinforces why data backups have become an executive level concern. Emphasized in the advisory is the critical role backups play in mitigating the impact of ransomware attacks — a point echoed in a recent report from Coveware by Veeam and Chainalysis. The report shows a sharp decline in ransomware payments in Q4 2024, driven by stronger federal regulations, major cybercriminal takedowns, and improved organizational resilience in responding to and recovering from encryption-based malware attacks.
Ghost, a China-based threat group, have compromised organizations in 70+ countries for financial gain. Targets include critical infrastructure, healthcare, and businesses. They frequently rotate ransomware payloads, file extensions, and ransom notes, making attribution difficult. Known aliases include Ghost, Cring, and Phantom, using malware like Cring.exe and Ghost.exe.
The FBI’s recent guidance comes from critical Ghost ransomware security advisory, whose common tactics and techniques are to exploit known vulnerabilities to gain initial access (mostly in Fortinet FortiOS, Adobe Coldfusion, Microsoft SharePoint, and Microsoft Exchange). All of these vulnerabilities have been fixed, in some cases for years, yet unpatched systems remain an easy target. Installing up-to-date patches are always your first line of defense to protect vulnerability exploits.
CISA’s Recommendations
CISA’s #StopRansomware Guide provides exhaustive recommendations on how to reinforce your system defenses, minimize attack vectors, and put a stop to attacks before they begin. Below are CISA’s key strategies as it relates to backup:
- Maintain immutable, encrypted, offline backups: Many threat actors attempt to delete or encrypt backups to make avoiding their demands nearly impossible.
- Test backups: Regularly test backups to ensure they can be restored in a manner that meets the business recovery time objections (RTO) not only in a natural disaster, but also a cyber disaster.
- Implement a multi-cloud solution: Avoiding vendor lock-in in case all accounts under the same vendor are compromised.
- Use cloud immutable storage with caution: It is easy to misconfigure immutable storage and human error can lead to sizeable costs if setup incorrectly.
- Backup SaaS workloads such as Microsoft 365: Review the shared responsibility model when it comes to asset protection for any third party that will manage your data.
- Do not reinfect production: Dropper malware can be used to reinfect the environment during recovery operations after the victim thinks they’ve properly eradicated the threat actor.
How Veeam Helps
The importance of backups is well known, and anyone is able to create them. So, what makes Veeam the best solution for clients to meet CISA’s stop ransomware guidance?
- Layered Immutability: Immutability is king! There is no excuse anymore. Veeam’s hardened repository provides that primary backups are immutable, credentials are never stored, and SSH is disabled by default. Secondary offsite copies are stored in Veeam Vault, granting immutable, encrypted, Veeam-managed storage by default.
- Orchestrated Recovery: You will never rise to the occasion of a ransomware attack. You will fall to your level of preparation. Have a plan in place that defines the criticality of your assets, recovery location, and a runbook of events with Veeam Orchestrator.
- Data Portability: Veeam’s ability to move data cross-cloud isn’t only great for risk mitigation, but also a key ticket for our clients to reduce cloud spend.
- Operational Simplicity: Veeam Vault is the easy and economical option for offsite cloud immutable storage.
- SaaS Protection: Whether it is Microsoft 365, Salesforce, Entra ID, or many more, Veeam has your BaaS for SaaS.
- Cyber Recovery with Confidence: Veeam Threat Hunter and YARA rules ensure clean data is restored to production to avoid reinfection from dropper malware.
Stay Vigilant. Strengthen Defenses.
Both CISA and the FBI underscore the importance of backups as a fundamental defense against ransomware. By following their guidelines, organizations can significantly reduce the risk of data loss and avoid the financial and operational impacts of paying ransoms. Implementing a robust backup strategy is not just a best practice; it’s a critical component of a comprehensive cybersecurity plan.