Five Backup Lessons Learned – From The UnitedHealth Ransomware Attack
Continuity’s Doron Youngerwood offers insights on backup lessons learned from the UnitedHealth ransomware attack. This article originally appeared on Solutions Review’s Insight Jam, an enterprise IT community enabling the human conversation on AI.
UnitedHealth Congressional Testimony Reveals Failed Backup Strategy
The ransomware attack on UnitedHealth earlier this year is quickly becoming the healthcare industry’s version of Colonial Pipeline, prompting congressional testimony, lawmaker scrutiny, and potential legislation.
Over the past few months, there have been two congressional hearings on the attack — one in the Senate, followed by one in the House — as well as calls from multiple senators for investigations into how the government responded to the incident, not to mention the criticism against UnitedHealth’s CISO, Steven Martin, who joined the company in June 2023.
After paying a ransom of $22 million to prevent the leak of stolen data, UnitedHealth had to perform a complete rebuild on its systems, even after decrypting files.
In his testimony, UnitedHealth’s CEO Andrew Witty identified that the company’s backups weren’t sequestered with network segmentation or infrastructure gapping, so the attackers were able to lock those up too, blocking any recovery path from the initial attack.
Backups – A Cybercriminal’s Most Lucrative Target
Very few CISOs used to pay much attention to their backups. That’s no longer the case today.
Ransomware has pushed backup and recovery back onto the IT and corporate agenda – even before the attack on UnitedHealth earlier this year.
Attackers realize that a successful breach of a backup environment is the single biggest factor in determining whether an organization will pay the ransom.
Some ransomware groups – BlackCat, Akira, Lockbit, Phobos, and Crypto, for example – have been bypassing production systems altogether and going straight for the backups.
This has forced organizations to look again at potential holes in their safety nets by reviewing their backup and data recovery strategies.
So, how should IT Infrastructure and Security teams deal with this threat?
5 Tips To Secure Your Backups
- Network Segmentation and Air-Gapped Backup
In the ransomware attack that hit UnitedHealth, the company admitted that their backups weren’t sequestered with network segmentation or infrastructure gapping, so the attackers were able to lock those up, blocking any recovery path from the initial attack.
Network segmentation is a tactic that can greatly reduce the impact of a ransomware attack. By separating the network into smaller, distinct areas, the spread of malware is minimized if one area is compromised.
- Multi-Factor Authentication (MFA)
The lack of multi-factor authentication (MFA) was at the center of the ransomware attack at UnitedHealth.
The attack was orchestrated by hackers who leveraged stolen credentials to infiltrate the company’s systems, which lacked MFA.
Solutions like StorageGuard can audit and verify that MFA is implemented and enforced across all backup systems. Ensuring MFA is consistently applied helps to protect sensitive data from unauthorized access – even if user credentials are compromised.
- Restricting Administrative Access
Restricting administrative privileges is a vital part of a solid backup security strategy, as these privileges can be a primary target for attackers. This includes:
- Ensuring that only those who truly need it have admin access to the organization’s backups
- Applying IP ACLs to administrative interfaces
- Setting up a two-person rule for critical backup changes
These recommendations can significantly help reduce the attack surface.
- Immutable Backup
Ensure at least one of your backup copies is stored on immutable storage. This ensures your backup data cannot be altered, deleted, or encrypted by malicious actors, including ransomware, and it guarantees the integrity and availability of backup data for cyber recovery.
- Secure Configuration Baseline
As recently mandated by DORA and previously by NIST, establishing a secure configuration baseline for your backup and storage environment and using tools to detect deviations from that baseline is critical. It ensures your backup estate adheres to the principles laid out in this recommendation section – and much more.
One recommendation is to carry out regular auditing of the security of your backup systems to verify that backup platforms are hardened and protected against tampering and unauthorized access.
Auditing should include:
- Multi-Factor Authentication
- Immutability best practices
- CISA Stop Ransomware Guidelines
- Dual Authorization for Critical Changes
- Restricted Administrative Access
- Logging Best Practices
- Account Lockout Settings
- Backup Isolation
- NAS Security Guidelines
- Secure Snapshots
- Encryption
- Adherence to NIST, ISO, NERC CIP, HIPAA and other standards
- And more…
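To make the "detect baseline deviations" step concrete, here is an added example (not code from the original article or from any vendor's product) that checks a backup server's configuration against several of the audit items above and the administrative-access recommendations earlier in this section. The configuration snapshots and their keys are constructed for this example and do not follow any real backup platform's schema.

```python
import ipaddress
from dataclasses import dataclass

# Constructed configuration snapshots (not any vendor's real schema): a weak
# backup server beside its hardened counterpart.
WEAK_CONFIG = {
    "mfa_enforced_for_admins": False,
    "immutable_copy_retention_days": 0,          # no copy under a retention lock
    "admin_interface_allowed_cidrs": ["0.0.0.0/0"],  # admin UI open to the world
    "dual_authorization_for_deletions": False,
    "account_lockout_threshold": 0,              # unlimited failed logins
    "admin_accounts": ["backup-admin", "j.doe", "svc-report", "m.lee"],
    "isolated_from_production_network": True,
}
HARDENED_CONFIG = {
    **WEAK_CONFIG,
    "mfa_enforced_for_admins": True,
    "immutable_copy_retention_days": 30,
    "admin_interface_allowed_cidrs": ["10.20.30.0/24"],  # management subnet only
    "dual_authorization_for_deletions": True,
    "account_lockout_threshold": 5,
    "admin_accounts": ["backup-admin", "j.doe"],
}

@dataclass(frozen=True)
class Deviation:
    control: str   # audit item from the checklist above
    detail: str    # how the setting deviates from the baseline

def _open_acl(cidrs: list[str]) -> bool:
    """True if the admin interface is reachable from any address (empty list = no ACL applied)."""
    return not cidrs or any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)

def check_baseline(cfg: dict, max_admins: int = 3) -> list[Deviation]:
    """Compare one configuration snapshot against the baseline rules; return every deviation."""
    rules = [
        ("MFA", "not enforced for administrative logins", not cfg.get("mfa_enforced_for_admins")),
        ("Immutability", "no backup copy held under a retention lock", cfg.get("immutable_copy_retention_days", 0) <= 0),
        ("Admin IP ACL", "administrative interface open to any address", _open_acl(cfg.get("admin_interface_allowed_cidrs", []))),
        ("Dual authorization", "critical changes need only a single approver", not cfg.get("dual_authorization_for_deletions")),
        ("Account lockout", "no lockout after repeated failed logins", cfg.get("account_lockout_threshold", 0) <= 0),
        ("Admin access", f"more than {max_admins} accounts hold admin rights", len(cfg.get("admin_accounts", [])) > max_admins),
        ("Backup isolation", "backup network not segmented from production", not cfg.get("isolated_from_production_network")),
    ]
    return [Deviation(control, detail) for control, detail, failed in rules if failed]

if __name__ == "__main__":
    for dev in check_baseline(WEAK_CONFIG):
        print(f"[DEVIATION] {dev.control}: {dev.detail}")
```

Run against the weak snapshot, the checker reports six deviations (everything except backup isolation); the hardened snapshot produces none.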
Implementing these strategies and leveraging a security posture management tool ensures that backup systems remain secure, reliable, and resilient against evolving cyber threats.