Ransomware Attackers Use Cloud Backups To Steal Information. Backups are one of the last lines of defense when it comes to protecting your network from attacks. Having a solid Backup & Disaster Recovery policy is considered one of the most important defenses when dealing with, or recovering from, a ransomware attack.
The DoppelPaymer Ransomware is back at it again! The operators published on their website (screenshot below) the Admin user name and password for a non-paying victim’s Veeam backup software. Veeam is a very popular Backup & Disaster recovery solution used to backup enterprise environments.
This was not intended to hand the information to other attackers for follow-on attacks, but to warn the victim that the ransomware operators had full access to their network, including the backups. It should be noted that we focus on Veeam Backup specifically not because it is insecure backup software, but because it is one of the most popular enterprise backup products in use today and was the one named by the ransomware operators.
Attackers can steal your data using your cloud backups!
Ransomware operators typically get their initial foothold by compromising a single host, whether through phishing, malware, or insecure Remote Desktop services exposed to the internet.
From that first computer the attack spreads laterally across the network until the operators obtain administrator credentials and access to the domain controller.
The attackers used a tool called Mimikatz to dump Active Directory login credentials. Those same credentials can give them access to the backup software, because some administrators configure Veeam to use Windows authentication. Using a separate set of credentials for the backup software, or two-factor authentication, is always recommended to minimize unwarranted access.
Once they have this level of access, the cloud backups become a target. The Maze ransomware operators told BleepingComputer that when cloud backups are configured, they are very useful for stealing data from their victims.
If Maze detects backup copies stored in the cloud, they try to get passwords for the cloud storage and then use them to restore the victim’s data to servers under the control of the attacker.
“Yes, we download them. It is very useful. No need to search for sensitive information, it is definitely contained in backups. If backups in the cloud it is even easier, you just login to cloud and download it from your server, full invisibility to “data breach detection software”. Clouds is about security, right?”
Because the attackers restore directly from the cloud to their own servers, it raises no red flags for the victim: the victim's servers keep operating normally, and no restore activity is logged by their on-premises backup software, which was never involved.
The Maze operators did not elaborate on how they gain access to the cloud credentials, but DoppelPaymer said they use “all possible methods”.
This could include keyloggers, phishing attacks, or reading documentation saved locally on the backup servers. – Source: Bleeping Computer
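The two things a defender can still see in this scenario are on the cloud side: backup objects being read by a host that is not the backup server, and backup objects being deleted. The following is an added example (not code from the original article, BleepingComputer, or Veeam) that runs both checks over constructed access-log lines. The log layout is a simplified, constructed one (time, source IP, principal, operation, key, bytes), not the exact S3 or Azure log format, and the trusted subnet, key prefix and addresses are hypothetical.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumption (hypothetical): only the on-prem backup servers in this subnet
# should ever read or restore objects from the backup bucket.
TRUSTED_BACKUP_NETS = [ipaddress.ip_network("10.20.30.0/24")]
BACKUP_PREFIX = "veeam/"            # assumed key prefix for backup files
READ_OPS = {"GET_OBJECT", "COPY_OBJECT"}
DELETE_OPS = {"DELETE_OBJECT", "DELETE_OBJECTS"}

# Constructed sample log, simplified layout: time ip principal op key bytes.
# 10.20.30.5 is the legitimate backup server; 203.0.113.7 (TEST-NET-3) plays
# the attacker reusing the stolen service credentials from outside the network.
SAMPLE_LOG = """\
2020-03-05T02:11:09Z 10.20.30.5  backup-svc PUT_OBJECT    veeam/exchange/vm-001.vib 107374182
2020-03-05T02:12:41Z 10.20.30.5  backup-svc GET_OBJECT    veeam/exchange/vm-001.vbk 4294967296
2020-03-05T03:04:17Z 203.0.113.7 backup-svc LIST_OBJECTS  veeam/ 0
2020-03-05T03:05:02Z 203.0.113.7 backup-svc GET_OBJECT    veeam/fileserver/vm-014.vbk 8589934592
2020-03-05T03:06:55Z 203.0.113.7 backup-svc GET_OBJECT    veeam/sql/vm-021.vbk 2147483648
2020-03-05T03:40:00Z 203.0.113.7 backup-svc DELETE_OBJECT veeam/sql/vm-021.vbk 0
2020-03-05T03:41:10Z 10.20.30.5  backup-svc GET_OBJECT    reports/monthly.csv 2048
"""


@dataclass(frozen=True)
class Record:
    time: str
    ip: str
    principal: str
    op: str
    key: str
    nbytes: int


@dataclass(frozen=True)
class Alert:
    reason: str
    ip: str
    key: str


def parse_log(text: str) -> list[Record]:
    """Parse the simplified access-log format; reject malformed lines loudly."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 6:
            raise ValueError(f"malformed log line: {line!r}")
        time, ip, principal, op, key, nbytes = parts
        ipaddress.ip_address(ip)                 # raises on a garbage address
        records.append(Record(time, ip, principal, op, key, int(nbytes)))
    return records


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_BACKUP_NETS)


def find_suspicious(records: list[Record]) -> list[Alert]:
    """Two detections, both only on keys under the backup prefix:
    1. a read of a backup object from outside the backup subnet (the
       'restore straight to the attacker's server' case, which the on-prem
       backup software never sees);
    2. a delete of a backup object from anywhere, because an attacker who
       owns the local backup install deletes through the legitimate path.
    """
    alerts: list[Alert] = []
    for r in records:
        if not r.key.startswith(BACKUP_PREFIX):
            continue
        if r.op in DELETE_OPS:
            alerts.append(Alert("backup_deleted", r.ip, r.key))
        elif r.op in READ_OPS and not is_trusted(r.ip):
            alerts.append(Alert("untrusted_restore", r.ip, r.key))
    return alerts


def untrusted_read_bytes(records: list[Record]) -> dict[str, int]:
    """Bytes of backup data pulled per untrusted IP, to size the exfiltration."""
    totals: dict[str, int] = {}
    for r in records:
        if r.key.startswith(BACKUP_PREFIX) and r.op in READ_OPS and not is_trusted(r.ip):
            totals[r.ip] = totals.get(r.ip, 0) + r.nbytes
    return totals


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for a in find_suspicious(recs):
        print(f"{a.reason:18} {a.ip:15} {a.key}")
    print("bytes read by untrusted hosts:", untrusted_read_bytes(recs))
```

The point of the second detection is that a delete from the backup server's own address is not "normal" just because the address is trusted; the page's scenario is exactly an attacker driving the legitimate install. Both checks depend on the cloud provider's access logging being turned on and shipped somewhere the attacker cannot reach with the same stolen credentials.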
Deleting backups before ransomware attacks
Regardless of whether the backups are used to steal data, before encrypting devices on the network the attackers will first delete the backups so that they cannot be used to restore encrypted files.
DoppelPaymer told BleepingComputer that although cloud backups are a good option for protecting against ransomware, they are not 100% effective.
“Cloud backups are a very good option against ransom but do not 100% protect as cloud backups are not always good configured, offline backups often outdated – the system of backups is really nice but human factor leaves some options,” DoppelPaymer told us via email.
Unless you subscribe to service add-ons such as immutable backups, the attackers, who have full access to the local install of the backup software, can simply delete any backups that exist in the cloud through that same software.
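Whether "immutable" actually holds against an attacker who owns the backup server's cloud credentials comes down to how the retention is configured. The following is an added example (not code from the article or from Veeam) that assumes S3 Object Lock as the immutability mechanism and grades bucket configurations shaped like the output of `aws s3api get-object-lock-configuration`. The bucket names and configurations are constructed; in practice you would feed in the real response for each backup bucket.

```python
from __future__ import annotations

# Constructed configurations in the shape returned by S3
# GetObjectLockConfiguration. Bucket names are hypothetical.
BUCKET_CONFIGS = {
    # Object Lock never enabled: the stolen backup credentials delete at will.
    "veeam-offsite-default": {},
    # Governance mode: a principal allowed s3:BypassGovernanceRetention can
    # still delete, so it only protects against an attacker with limited rights.
    "veeam-offsite-governance": {
        "ObjectLockConfiguration": {
            "ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}},
        }
    },
    # Compliance mode but a window shorter than the intended retention.
    "veeam-offsite-short": {
        "ObjectLockConfiguration": {
            "ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 7}},
        }
    },
    # Compliance mode with a long window: nobody, not even the account root,
    # can delete the objects until the retention expires.
    "veeam-offsite-hardened": {
        "ObjectLockConfiguration": {
            "ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}},
        }
    },
}


def retention_days(rule: dict) -> int:
    """Default retention expressed in days; Object Lock accepts Days or Years."""
    dr = rule.get("DefaultRetention", {})
    if "Days" in dr:
        return int(dr["Days"])
    if "Years" in dr:
        return int(dr["Years"]) * 365
    return 0


def assess_object_lock(cfg: dict, required_days: int) -> tuple[str, str]:
    """Return (verdict, reason) where verdict is deletable, weak or immutable."""
    lock = cfg.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return "deletable", "Object Lock is not enabled; any principal with s3:DeleteObject can wipe the backups"
    rule = lock.get("Rule")
    if not rule:
        return "deletable", "Object Lock enabled but no default retention; objects written without explicit retention stay deletable"
    mode = rule.get("DefaultRetention", {}).get("Mode")
    days = retention_days(rule)
    if mode == "GOVERNANCE":
        return "weak", f"GOVERNANCE retention ({days} days) can be bypassed with s3:BypassGovernanceRetention"
    if mode != "COMPLIANCE":
        return "deletable", f"unrecognised retention mode {mode!r}"
    if days < required_days:
        return "weak", f"COMPLIANCE retention of {days} days is shorter than the required {required_days}"
    return "immutable", f"COMPLIANCE retention of {days} days; not deletable by anyone until it expires"


def audit(configs: dict[str, dict], required_days: int = 30) -> dict[str, str]:
    """Verdict per bucket; required_days is the retention window you rely on."""
    return {name: assess_object_lock(cfg, required_days)[0] for name, cfg in configs.items()}


if __name__ == "__main__":
    for name, cfg in BUCKET_CONFIGS.items():
        verdict, reason = assess_object_lock(cfg, required_days=30)
        print(f"{name:26} {verdict:9} {reason}")
```

One caveat this check does not cover: Object Lock stops deletion, not reading. A compliance-mode bucket is still fully readable with the backup software's credentials, so the data-theft path described earlier on this page is unaffected by immutability and has to be addressed separately (distinct credentials for the backup store, restricted source addresses, and cloud-side access logging).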
With the victim’s data stolen and their backups deleted, the attackers deploy their ransomware throughout the compromised network using PsExec or PowerShell Empire, typically during off-hours.
This usually means the company opens the next day to an encrypted network.
Make sure to check out our 2nd Generation Antivirus services