Threat Intel Flash: Sisense Data Compromise: ARC Labs Intelligence Flash

Get the Latest


Attackers Use Cloud Backups Against Companies

Secure and complete backups are the primary defense once a system gets infected with ransomware. If the cloud backups are not configured properly, they can be used against the victim. Security researcher Lawrence Abrams recently reached out to the DoppelPaymer Ransomware operators after they published admin credentials to cloud backups of non-paying victims to find out more information. The leaked credentials were meant to show that the attackers had full access to their backups and to scare them into paying the ransom. Once an attacker finds a cloud backup, they try to access it and download the information. After the attacker has access to all of the victim’s sensitive information, they can delete the backups before they spread the ransomware. Threat actors typically compromise an employee workstation through phishing email to deliver malware, then steal passwords from the computer’s memory, files containing passwords, or capturing keystrokes to find the administrator and cloud backup passwords.

Analyst Notes

Several things can be done to prevent backups from being stolen and deleted. The password used to administer cloud backups should not be the same as an administrator’s Windows password, which attackers are often able to steal after compromising workstations. If the cloud backup provider has an option for two-factor authentication (2FA), enable that for the backup administrator account. Use the 3-2-1 method when configuring backups. Maintain three separate copies of your information, on two different storage systems with one of them being offsite. If a cloud backup provider has an option for “immutable” backups that cannot be changed or deleted, enable that option. Another method would be to employ a penetration service, such as TrustedSec, that can show the vulnerabilities in systems and recommend procedures to close those vulnerabilities. You can also employ a 24-hour a day managed security service provider, such as Binary Defense, that monitors endpoints and can defend them from ransomware attacks before they can spread through systems.

To read more: