Your Cloud Backups Could Be the Target of Ransomware Operators

We've mentioned before that people and organizations are now much more aware of the ransomware threat than they used to be. This is part of the reason why, at least as far as the stats are concerned, file-encrypting malware is no longer the biggest cybersecurity problem for home users. It is still alive and kicking, though, and that's because people continue to think that as long as they have backups, they are safe. Security news outlet Bleeping Computer noted recently that this sort of thinking could put both end users and large organizations in a very bad situation.

Ransomware operators are meddling with victims’ cloud backups

Bleeping Computer has been following the developments around enterprise-targeting ransomware families like DoppelPaymer and Maze for a while now. Last month, the news website saw the appearance of "Dopple leaks" – an online portal run and maintained by the DopplePaymer gang that is used to expose the sensitive information of organizations that have been hit by the ransomware but are refusing to pay the ransom.

Shortly after Dopple leaks' launch, the crooks published the location and login credentials of a Veeam cloud backup that belongs to one of the victims. This was a curious move on the crooks' part, and Bleeping Computer decided to contact them to find out what's going on.

Ransomware attacks give cybercriminals complete access to a company’s data, including its backups

The news outlet got in touch with the gangs operating the DoppplePaymer and Maze ransomware families and asked them how they get their hands on such login data and why they sometimes decide to publish it. Not surprisingly, the crooks didn't want to give away too many details, but they did provide enough information to give us an insight into how ransomware attacks aimed at enterprises work these days.

The hackers start by compromising a single endpoint using phishing, malware, or a poorly configured Remote Desktop Protocol service. Locking the data on a single computer can be pretty devastating sometimes, but the crooks want to ensure maximum damage, which is why they then try to move laterally within the network. The ultimate goal is to extract administrator credentials that give them full control over the victim's IT infrastructure. To get these credentials, the crooks use keyloggers, phishing attacks, and penetration testing kits like Mimikatz. Even after they assume control over the victim's network, the crooks don't immediately proceed with the file-encryption stage.

Modern ransomware attacks involve tools that look for local and cloud backups. If backups are present, the ransomware operators can copy the data to servers controlled by them and use it for other attacks later on. They can also delete it in order to ensure that the victim has no other option but to pay the ransom. In many cases, backups stored in the cloud are protected by usernames and passwords, but often, they are accessible with the administrative credentials the crooks have already stolen, so getting to them is not a problem.

Ransomware operators want to show the world how dangerous they could be

We shouldn't really be surprised by the fact that ransomware operators can get access to victims' backups. A few months ago, security experts noticed that cybercriminals started stealing sensitive company data before encrypting it, and it was only normal to assume that sooner or later, they'll get their hands on some backups.

The attack Bleeping Computer wrote about was a bit strange, however, because during it, the crooks decided not to delete the backups and leave their victim with no way of restoring the data for free. They also made no attempts to monetize the backed up information by selling it on the underground markets. Instead, they just put it on a public website where anyone could access it.

DopplePaymer's operators told Bleeping Computer that they did this in order to show the world how much control they have over the victims' networks. In other words, they are telling everybody how dangerous their attacks can be, and if we have to look for the silver lining in the whole incident, we'd probably say that it has increased the chances of companies re-thinking their backup policies.

People must stop assuming that a single backup is enough to ensure seamless recovery in the wake of a ransomware attack. You could even argue that, especially when it comes to business organizations, there's no such thing as a seamless recovery. This doesn't mean that backups aren't important, though. In fact, if anything, incidents such as the one described above show that securely backing up data is a lengthy process that involves a lot of decision making and a high level of attention to detail.