Backup and recovery systems are at risk for two types of ransomware attacks: encryption and exfiltration \u2013\u00a0and most on-premises backup servers are wide open to both. This makes backup systems themselves the primary target of some ransomware groups, and warrants special attention.\nHackers understand that backup servers are often under-protected and administered by junior personnel that are less well versed in information security. And it seems no one wants to do something about it lest they become the new backup expert responsible for the server. This is an age-old problem that can allow backup systems to pass under the radar of sound processes that protect most servers.\nIt should be just the opposite. Backup server should be the most updated and secure systems in the data center. They should be the hardest to login to as Administrator or root.\u00a0 And they should require jumping through the most hoops to login remotely.\nAn important role backup servers play is providing the means to recover from a ransomware attack without paying the ransom. They contain the data needed to rebuild the machines that have been encrypted by the ransomware, so ransomware groups try to encrypt the backups, too. The saddest line in any ransomware story is, \u201cand the backups were also encrypted.\u201d They are your last line of defense, and you must hold the line.\nThat\u2019s the traditional ransomware attack, but data exfiltration is fast becoming a primary motivation for ransomware attackers who target backup servers. If bad actors can exfiltrate and decrypt your company\u2019s secrets via the backup server, they can extort you in a way that you cannot defend against: \u201cPay up or your company\u2019s most important (or worst) secrets will become public knowledge.\u201d Then they give you access to a web page where you can see the data they have, and your organization has little choice but to pay the ransom and hope they keep their promise.\u00a0\nThis strategy makes sense for ransomware groups. It\u2019s easier to go after the one server that definitely holds all of an organization\u2019s sensitive data than to successfully attack many servers that may hold some sensitive data.\nFollowing this logic, once a piece of malware gets into your data center, it immediately contacts its command-and-control server to find out what it should do next. Increasingly, the next step is to identify what type of backup system is being used and once they figure that out, to begin directly attacking that system.\nThe attackers might try to directly access your backup data over the network via NFS or SMB, and if they can\u2014and it's unencrypted\u2014their job is done.\u00a0 If they can\u2019t, they go directly at the operating system of the backup server using a system exploit or compromised credentials to gain Administrator\/root access. Gaining access to the machine key used for basic encryption gives them the keys to the backup kingdom, and all bets are off.\u00a0\nThe best way to defend against this scenario is to keep ransomware organizations from compromising your backup servers. Here\u2019s how:\n\nKeep OS and application patches up to date\nShut off all inbound ports except those required by backup software\nEnable necessary management ports (e.g. SSH, RDP) via a private VPN\nUse a local host file to prevent malware from contacting command-and-control servers\nMaintain a separate password-management system for backup and application servers (i.e. no LDAP)\nEnforce the use of multi-factor authentication\nLimit the use of root\/Administrator; set off alarms when you do\nUse SaaS backup as an alternative to managing your own backup server\nUse least privilege wherever possible, giving each person privileges they need to do their job and nothing more\n\nTo protect the backup data itself from extortion or encryption, you should configure your backup system like this:\n\nEncrypt all backup data wherever it is stored\nUse third parties to manage encryption keys\nDo not store backups as files via DAS or NAS. Ask your vendor for more secure methods.\nStore backups on a different operating system than your backup server.\nUse on-premises storage with immutable features (e.g. Linux)\nCreate a copy on tape\/RDX and send it offsite\nCreate a copy on immutable cloud storage.\n\nThis will be a lot of work for most environments but worth it if you recognize how much danger your backup server is in.