March 6, 2025

Shouting from the Rooftops: Get Your Backups off the Domain

We’ve written a lot about the costs of incident response. If I could pick one piece of advice to shout from every rooftop to minimize the overall impact of ransomware, it would be:

📢GET YOUR BACKUPS OFF THE WINDOWS DOMAIN📢

Across MOXFIVE’s incident response work, almost all ransomware victims we work with have some sort of backup. This is great news – backups may be the single strongest element of ransomware resilience. But during real cyber events, we find that backups are unusable 63% of the time. How alarming! These victims paid for a backup product – and developed a sense of confidence around that solution – only for the backups to fail when they are most needed.

The single most common reason that backups are not useful after a ransomware attack is because the victim implemented their backup service on a Microsoft Active Directory domain-joined system.

Ransomware groups know that the single biggest threat to their hopes of a juicy ransom payment is a good backup. Naturally, backups become their biggest target after critical production systems. But why specifically are domain-joined backups a problem? Because attackers use Microsoft’s domain infrastructure to explore the environment and exploit domain accounts in their attacks. Attackers can trivially query and move throughout any domain-joined system. Domain infrastructure makes backups easy hunting; domain-joined backups are just as easy to access and destroy as any other system in your network.

So, what can you do? Simple: disjoin your backup system from the domain and use unique credentials for that system. This change is often so easy that you can do it today, and doing so can materially reduce your organization’s expected business downtime losses in a ransomware event by several weeks. For many organizations, disjoining backups from the domain is the single highest-leverage task, in terms of risk reduction for the effort involved, that they’ll ever find.
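A quick way to see whether a backup server still has the domain dependencies the post describes is to audit it directly. The script below is an added example, not MOXFIVE’s code or any backup vendor’s tooling; run it in Windows PowerShell 5.1 or later as a local administrator on the backup host. It reports three things: whether the host is domain-joined, which backup-related services run under domain identities (the service-name pattern is an assumption and should be edited for your product), and which domain principals hold local administrator rights. Any of these means a domain-level compromise reaches your backups.

```powershell
# Added audit script (not MOXFIVE's or a vendor's code). Run on the backup host
# as a local administrator. Emits one finding per domain dependency found.
function Get-BackupHostDomainExposure {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Domain membership of the host itself
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        $findings.Add("Host is joined to domain '$($cs.Domain)': a domain-level compromise reaches this backup server.")
    }

    # 2. Backup services running under domain identities.
    #    Built-in and local identities are excluded; anything else
    #    (DOMAIN\user or user@domain) is flagged.
    $backupServicePattern = 'backup|veeam|commvault|veritas|netbackup|rubrik'   # assumed; edit for your product
    $localPrefixes = @('LocalSystem', 'NT AUTHORITY', 'NT SERVICE', '.', $env:COMPUTERNAME)
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and ($_.Name -match $backupServicePattern -or $_.DisplayName -match $backupServicePattern) } |
        ForEach-Object {
            $account = $_.StartName
            $isLocal = $false
            foreach ($prefix in $localPrefixes) {
                if ($account -eq $prefix -or $account.StartsWith($prefix + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
                    $isLocal = $true
                    break
                }
            }
            if (-not $isLocal) {
                $findings.Add("Service '$($_.Name)' runs as domain identity '$account'.")
            }
        }

    # 3. Domain principals with local administrator rights.
    #    SilentlyContinue: the cmdlet errors on orphaned SIDs left by deleted accounts.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
        ForEach-Object { $findings.Add("Domain principal '$($_.Name)' is a local administrator.") }

    return $findings
}

$findings = Get-BackupHostDomainExposure
if ($findings.Count -eq 0) {
    Write-Output 'No domain dependencies found on this backup host.'
} else {
    Write-Output "Found $($findings.Count) domain dependencies on this backup host:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

The script is read-only; it changes nothing. After you disjoin the host and move the backup services to unique local accounts, rerun it: the goal is an empty findings list, and a scheduled rerun catches the case where someone rejoins the server to the domain for convenience later.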

Alright! Now that your backups are off domain, here’s how to mitigate the other significant backup failings we see:

Immutable cloud backups: Disjoined backups are not a silver bullet – when we see attackers successfully hit isolated on-prem backups, the single best fallback is immutable cloud backups. Most backup systems offer this as an affordable add-on either directly or through partners. This is well worth the investment.

Deployment coverage and retention: Nothing is worse than discovering that you weren’t backing up critical data. While I wish I could say this is rare, we see this play out dozens of times each year. Luckily, the mitigation is another freebie; it costs your organization nothing to audit your backup deployment and make sure all critical systems are accounted for. We recommend regularly re-checking deployment coverage to be sure that all new systems are covered and that no existing systems fell off your configuration. While you’re at it, expand backup retention as far as your resource constraints allow. Unfortunately, we see several organizations unable to restore to a known-safe recovery point, delaying containment confidence.
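The coverage and retention audit above is a reconciliation between two lists you already have: your inventory of critical systems and your backup product’s job report. The script below is an added example, not MOXFIVE’s code; the two CSV exports are constructed sample data, the column names are assumptions, and the thresholds (a backup older than two days is stale, fewer than thirty days of restore points is thin) are placeholders to tune for your environment. It flags critical systems with no backup job, stale last-success dates, retention too short to reach back before a likely intrusion, and systems that only have file-level backups when the collection policy assumed snapshots.

```powershell
# Added example (not MOXFIVE's code). Reconciles an asset inventory against a
# backup job report. Both data sets are constructed; feed in your CMDB export
# and your backup product's report in practice.
$inventoryCsv = @'
Hostname,Tier
fs01,critical
sql01,critical
dc01,critical
web03,standard
hr-app01,critical
'@

$backupReportCsv = @'
Hostname,LastSuccess,OldestRestorePoint,Type
fs01,2025-03-05,2025-02-05,snapshot
sql01,2025-02-10,2025-02-03,file
web03,2025-03-05,2025-01-01,snapshot
'@

function Get-BackupCoverageReport {
    param(
        [Parameter(Mandatory)] [string]$InventoryCsv,
        [Parameter(Mandatory)] [string]$BackupReportCsv,
        [Parameter(Mandatory)] [datetime]$AsOf,
        [int]$MaxAgeDays = 2,          # assumed threshold: older last success counts as stale
        [int]$MinRetentionDays = 30    # assumed threshold: fewer restore-point days is thin
    )
    $inventory = $InventoryCsv | ConvertFrom-Csv
    $jobs = @{}
    foreach ($row in ($BackupReportCsv | ConvertFrom-Csv)) {
        $jobs[$row.Hostname.ToLower()] = $row
    }

    foreach ($asset in ($inventory | Where-Object { $_.Tier -eq 'critical' })) {
        $key = $asset.Hostname.ToLower()
        if (-not $jobs.ContainsKey($key)) {
            [pscustomobject]@{ Hostname = $asset.Hostname; Issue = 'NOT BACKED UP'; Detail = 'No job covers this critical system' }
            continue
        }
        $job = $jobs[$key]
        $age = ($AsOf - [datetime]$job.LastSuccess).Days
        if ($age -gt $MaxAgeDays) {
            [pscustomobject]@{ Hostname = $asset.Hostname; Issue = 'STALE'; Detail = "Last successful backup was $age days ago" }
        }
        $retention = ([datetime]$job.LastSuccess - [datetime]$job.OldestRestorePoint).Days
        if ($retention -lt $MinRetentionDays) {
            [pscustomobject]@{ Hostname = $asset.Hostname; Issue = 'SHORT RETENTION'; Detail = "Only $retention days of restore points; may not predate the intrusion" }
        }
        if ($job.Type -ne 'snapshot') {
            [pscustomobject]@{ Hostname = $asset.Hostname; Issue = 'FILE-LEVEL ONLY'; Detail = 'No image/snapshot restore point; full-system rebuild will be slow' }
        }
    }
}

Get-BackupCoverageReport -InventoryCsv $inventoryCsv -BackupReportCsv $backupReportCsv -AsOf ([datetime]'2025-03-06') |
    Format-Table -AutoSize
```

Systems in the inventory but absent from the job report are the ones that "fell off your configuration"; schedule this to run after every inventory refresh so new systems surface before an incident rather than during one.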

Drill your restore process: You’re not in the clear just because you have good backups in hand. We’ve seen several events where the client decided to either pay decryption ransoms or manually reconstruct data because the backup system itself was prohibitively time consuming or otherwise impractical. Testing your restore process can uncover critical gaps before they bite you in a live event. For example:

  • Identify restore bottlenecks. The most common unmapped bottlenecks are a) compute and network throughput when restoring high data volumes, and b) the number of tape readers when dozens or hundreds of tapes need to be restored. Surprise bottlenecks routinely lead to days or weeks of avoidable business interruption.
  • Exercise critical processes. Unpracticed restore procedures frequently surface flawed assumptions and imperfect or incomplete results. Simply practicing the vendor motions, technical processes, and business restoration procedure will provide far greater predictability and confidence during a real event.
  • Prevent fundamental mistakes. Drilling restores makes it impossible not to discover common backup collection failures. Examples we’ve seen:
    • Losing passwords for encrypted tapes, rendering years of backups useless
    • Overwriting backups for systems that downstream backups depend on
    • Incorrect collection policy assumptions: e.g. assuming you have snapshots when in reality only file level backups are available, or assuming you’re able to use file-level restores to find proverbial needles in the haystack
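A restore drill is only meaningful if you check the result, not just that the job finished. The script below is an added example, not MOXFIVE’s code or any vendor’s: at backup time it records a manifest of file hashes and sizes, and after a test restore it verifies that every file came back intact and reports the effective throughput, which is the number you need to spot the compute and network bottleneck described above before a live event. The files, the "restore" (a timed copy), and the deliberately corrupted and missing files are all constructed in a temporary directory; the function names are this example’s own.

```powershell
# Added example (not MOXFIVE's code). Records a manifest before backup and
# verifies a test restore against it, measuring throughput along the way.
function New-RestoreManifest {
    param([Parameter(Mandatory)] [string]$Root, [Parameter(Mandatory)] [string]$ManifestPath)
    Get-ChildItem -Path $Root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($Root.Length).TrimStart('\', '/')
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Bytes        = $_.Length
        }
    } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

function Test-RestoreDrill {
    param(
        [Parameter(Mandatory)] [string]$ManifestPath,
        [Parameter(Mandatory)] [string]$RestoredRoot,
        [Parameter(Mandatory)] [timespan]$RestoreDuration
    )
    $manifest = @(Import-Csv -Path $ManifestPath)
    $missing = @(); $corrupt = @(); $totalBytes = [int64]0
    foreach ($entry in $manifest) {
        $totalBytes += [int64]$entry.Bytes
        $path = Join-Path $RestoredRoot $entry.RelativePath
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { $missing += $entry.RelativePath; continue }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($hash -ne $entry.Sha256) { $corrupt += $entry.RelativePath }
    }
    $mbPerSec = if ($RestoreDuration.TotalSeconds -gt 0) {
        [math]::Round(($totalBytes / 1MB) / $RestoreDuration.TotalSeconds, 2)
    } else { 0 }
    [pscustomobject]@{
        FilesExpected  = $manifest.Count
        Missing        = $missing
        Corrupt        = $corrupt
        Passed         = ($missing.Count -eq 0 -and $corrupt.Count -eq 0)
        ThroughputMBps = $mbPerSec   # scale the real data volume by this to estimate restore time
    }
}

# --- Drill against constructed data in a temp directory ---
$work     = Join-Path ([System.IO.Path]::GetTempPath()) ("restore-drill-" + [guid]::NewGuid())
$source   = Join-Path $work 'source'
$restored = Join-Path $work 'restored'
New-Item -ItemType Directory -Path $source, $restored | Out-Null
1..3 | ForEach-Object { Set-Content -Path (Join-Path $source "file$_.txt") -Value ("constructed record $_ " * 1000) }
$manifest = Join-Path $work 'manifest.csv'
New-RestoreManifest -Root $source -ManifestPath $manifest

# Simulate the restore as a timed copy, then damage one file and drop another
$sw = [System.Diagnostics.Stopwatch]::StartNew()
Copy-Item -Path (Join-Path $source '*') -Destination $restored
$sw.Stop()
Add-Content -Path (Join-Path $restored 'file2.txt') -Value 'garbage appended during restore'
Remove-Item -Path (Join-Path $restored 'file3.txt')

Test-RestoreDrill -ManifestPath $manifest -RestoredRoot $restored -RestoreDuration $sw.Elapsed | Format-List
Remove-Item -Path $work -Recurse -Force
```

In the drill, file2 is reported as corrupt and file3 as missing, so the drill fails even though the copy "succeeded". Keep the manifest somewhere the backup job cannot overwrite, and record the measured throughput against the real restore target’s data volume: that arithmetic is the difference between knowing a restore takes two days and discovering it takes two weeks.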

Isolating your backups from the Windows domain is not just a precaution—it’s a critical safeguard against mainstream attacks. By isolating your backups, you significantly reduce the risk of them being compromised when your network is under attack. Supplementing this strategy with immutable cloud backups, regular audits of your backup coverage, and frequent restore drills will dramatically improve your organization’s resilience to destructive ransomware attacks.

For a deeper dive, check out our blog "Backups: Ahh! to Zzz."

If you have questions about this topic or need help with a current incident, you can contact a MOXFIVE Technical Advisor at incident@moxfive.com or use our Contact form.

James Gimbi

James Gimbi brings over ten years of breach response, cybersecurity strategy, and public interest technology experience to MOXFIVE. He investigated state sponsored and criminal cyber attacks across defense, finance, healthcare, and government and advanced bipartisan privacy and technology initiatives as a policy advisor in the US Senate. James's blended expertise helps corporate and federal leaders reduce cyber risk and tackle complex threats.
