Ransomware Attackers Use Your Cloud Backups Against You

By 

Backups are one the most, if not the most, important defense against ransomware, but if not configured properly, attackers will use it against you.

Recently the DoppelPaymer Ransomware operators published on their leak site the Admin user name and password for a non-paying victim’s Veeam backup software.

This was not meant to expose the information to others for further attacks but was used as a warning to the victim that the ransomware operators had full access to their network, including the backups.

After seeing this information, I reached out to the operators of the DoppelPaymer and Maze Ransomware families to learn how they target victim’s backups and was surprised by what I learned.

It should be noted that in this article we will be focusing on the Veeam backup software. Not because it is less secure than other software, but simply because it is one of the most popular enterprise backup products and was mentioned by the ransomware operators.

Attackers first use your cloud backups to steal your data

During ransomware attacks, attackers will compromise an individual host through phishing, malware, or exposed remote desktop services.

Once they gain access to a machine, they spread laterally throughout the network until they gain access to administrator credentials and the domain controller.

Using tools such as Mimikatz they proceed to dump credentials from the active directory.

According to Nero Consulting, an MSP and IT Consulting company based out of New York City who assisted me with this article, this could allow the attackers to gain access to backup software as some administrators configure Veeam to use Windows authentication.

Once they gain access, the Maze Ransomware operators told BleepingComputer that if cloud backups are configured, it is very useful when stealing data from their victims.

When Maze finds backups stored in the cloud, they attempt to obtain the cloud storage credentials and then use them to restore the victim’s data to servers under the attacker’s control.

“Yes, we download them. It is very useful. No need to search for sensitive information, it is definitely contained in backups. If backups in the cloud it is even easier, you just login to cloud and download it from your server, full invisibility to “data breach detection software”. Clouds is about security, right?”

As the attackers are restoring directly from the cloud to their servers, it won’t raise any red flags for the victim as their servers appear to be operating normally with no logs being created in their backup software.

The Maze operators did not elaborate on how they gain access to the cloud credentials, but DoppelPaymer told us they use “all possible methods”.

This could include keyloggers, phishing attacks, or by reading locally saved documentation on the backup servers.

Deleting backups before ransomware attacks

Regardless of whether the backups are used to steal data, before encrypting devices on the network the attackers will first delete the backups so that they cannot be used to restore encrypted files.

DoppelPaymer told BleepingComputer that even though cloud backups can be a good option to protect against ransomware, it is not 100% effective.

“Cloud backups are a very good option against ransom but do not 100% protect as cloud backups are not always good configured, offline backups often outdated – the system of backups is really nice but human factor leaves some options,” DoppelPaymer told us via email.

Unless you subscribe to service add-ons such as immutable backups, as the actors have full access to the local install of backup software, they can simply delete any backups that exist in the cloud.

Deleting a cloud backup in Veeam

With a victim’s data now stolen and their backups deleted, the attackers deploy their ransomware throughout the compromised network using PSExec or PowerShell Empire typically during off-hours.

This usually leads to a company opening the next day to an encrypted network.

Protecting your backups

In emails with Rick Vanover, Senior Director, Product Strategy at Veeam Software, we were told that it does not matter what software you use, once an attacker gains privileged access to the network, everything is at risk.

“We have advocated, even in a published 2017 whitepaper that I wrote I’ve recommended separate accounts for Veeam installations and components. Additionally, I recommend Veeam installations to use non-domain accounts for components as well to add more account-based layers of resiliency. Additionally, Veeam has recommended that the Veeam deployment not have Internet access or otherwise be on an isolated management network,” Vanover told BleepingComputer.

To prevent ransomware attackers from gaining complete leverage over a victim, Veeam recommends that companies follow a 3-2-1 Rule when configuring backups.

“Whether it is ultra-resilient backup data like S3-immutable backups in the cloud, encrypted backups on tape or encrypted backups on removable offline storage; customers need to have multiple copies of data. We have advocated for a long time the 3-2-1 Rule, which advocates having 3 different copies of data on 2 different media with one of them being off-site. Couple in 1 copy being on an ultra-resilient technique such as an immutable backup, offline backup or otherwise air-gapped; data can be protected against nearly any failure scenario – including ransomware. Additionally, Veeam also has a technology called Secure Restore; which will perform a threat scan with almost any tool to ensure that a restored system or data does not re-introduce a threat,” Vanover continued.

Like Veeam, Nero Consulting also strongly recommends users should purchase the immutable storage or redundant storage protection options if available when using cloud services.

Using this option, even if the data is deleted from the cloud storage provider, the immutable storage service will make the data recoverable for a certain amount of time.

As for protecting a network from data exfiltration, the best solution is to prevent the attackers from gaining access to your network in the first place and to monitor for suspicious activity.

This would include utilizing network monitoring software, intrusion detection systems, and geographic and IP access control for cloud storage providers if available.