Five backup lessons learned from the UnitedHealth ransomware attack

The ransomware attack on UnitedHealth earlier this year is quickly becoming the healthcare industry’s version of Colonial Pipeline, prompting congressional testimony, lawmaker scrutiny and potential legislation. 


Over the past few months there have been two congressional hearings on the attack — one in the Senate, followed by one in the House — as well as calls from multiple senators for investigations into how the government responded to the incident, and criticism of UnitedHealth's CISO, Steven Martin, who joined the company in June 2023.

After paying a ransom of $22 million to prevent the leak of stolen data, UnitedHealth still had to rebuild its systems completely, even after decrypting its files: a decryptor gives back the data, not a trustworthy environment.

In his testimony, UnitedHealth's CEO Andrew Witty acknowledged that the company's backups weren't sequestered by network segmentation or air gapping, so the attackers were able to encrypt those too, blocking any recovery path from the initial attack.

Backups: A cybercriminal’s most lucrative target

Very few CISOs used to pay much attention to their backups. That’s no longer the case today. 

Ransomware has pushed backup and recovery back onto the IT and corporate agenda – even before the attack on UnitedHealth earlier this year.

Attackers have realized that a successful breach of the backup environment is the single biggest factor in whether an organization will pay the ransom: with no clean copy left to restore from, paying becomes the only recovery path.

Some ransomware groups – BlackCat, Akira, LockBit, Phobos and Crypto, for example – now bypass production systems altogether and go straight for the backups.

This has forced organizations to look again at potential holes in their safety nets, by reviewing their backup and recovery strategies.


So, how should IT infrastructure and security teams deal with this threat?

5 tips to secure your backups

1. Network segmentation and air-gapped backup

In the ransomware attack on UnitedHealth, the company admitted that its backups weren't sequestered by network segmentation or air gapping, so the attackers were able to encrypt them too, blocking any recovery path from the initial attack.

Network segmentation greatly reduces the blast radius of a ransomware attack. By dividing the network into smaller, distinct zones with tightly controlled paths between them, a compromise of one zone does not automatically give the attacker reach into the others. For backups specifically, that means the backup servers and repositories sit in their own zone, reachable only from the backup infrastructure on the ports it actually needs, and never exposed as a writable share on the production network. An air-gapped copy (offline, or otherwise disconnected from the network) goes further: it cannot be reached from a compromised network at all. Segmentation limits lateral movement but does not stop an attacker who already holds backup administrator credentials, which is why the remaining tips matter just as much.

2. Multi-factor authentication (MFA)

The lack of MFA was at the center of the ransomware attack on UnitedHealth: the attackers used stolen credentials to log in to company systems that did not enforce MFA, so a single leaked password was enough to get in.

Solutions like StorageGuard can audit and verify that MFA is implemented and enforced across all backup systems. Enforcing MFA consistently, including on the backup console, the repository APIs and any remote-access path into the backup zone, protects sensitive data from unauthorized access even if user credentials are compromised.

3. Restricting administrative access

Restricting administrative privileges is a vital part of a solid backup security strategy, as these privileges can be a primary target for attackers. This includes:

  • Ensuring that only those who truly need it have admin access to the organization's backups
  • Applying IP ACLs to administrative interfaces, so the backup console and API accept connections only from designated management hosts
  • Setting up a two-person rule (dual authorization) for critical backup changes, such as deleting backups, shortening retention or disabling immutability

These recommendations can significantly help reduce the attack surface.

4. Immutable backup

Ensure that at least one of your backup copies is stored on immutable storage: write-once storage that enforces a retention period during which the data cannot be altered, deleted or encrypted by anyone, including ransomware. This preserves the integrity and availability of backup data for cyber recovery. The caveat is that the lock has to be enforced by the storage itself, not merely by permissions: if an administrator account can shorten the retention period or switch immutability off, an attacker who captures that account can do the same, so prefer a compliance-style lock that even administrators cannot override.

5. Secure configuration baseline

As recently mandated by DORA, and as long recommended by NIST, establish a secure configuration baseline for your backup and storage environment and use tooling to detect deviations from it. A baseline turns the principles in this section into concrete, checkable settings, so that drift (an ACL widened during troubleshooting, an immutability lock switched off, an account exempted from MFA) is caught before an attacker finds it.

Audit the security of your backup systems regularly, to verify that backup platforms are hardened and protected against tampering and unauthorized access.

Auditing should include:

  • Multifactor authentication
  • Immutability best practices
  • CISA #StopRansomware guidelines
  • Dual authorization for critical changes
  • Restricted administrative access
  • Logging best practices
  • Account lockout settings
  • Backup isolation
  • NAS security guidelines
  • Secure snapshots
  • Encryption
  • Adherence to NIST, ISO, NERC CIP, HIPAA and other standards
  • And more…
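Tips 1 to 5 and the audit list above translate directly into a drift check that can run against each backup server's exported configuration. The Python below is an added example, not code from the article or from StorageGuard: it reads a backup-server configuration export, compares it with a baseline, and returns every deviation as a finding. The configuration schema and field names, the management VLAN 10.10.0.0/24, the 30-day minimum retention, the five-attempt lockout threshold and the sample export with its deliberate deviations are all assumptions constructed for this example; map them onto whatever your own platform exports.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Baseline values and the management VLAN are assumptions for this example, not article figures.
MIN_IMMUTABLE_RETENTION_DAYS = 30
MAX_LOCKOUT_THRESHOLD = 5
MANAGEMENT_NET = ipaddress.ip_network("10.10.0.0/24")
CRITICAL_OPS = {"delete_backup", "change_retention", "disable_immutability"}
PRIVILEGED_ROLES = {"admin", "backup_operator"}


@dataclass(frozen=True)
class Finding:
    control: str   # which of the tips above the deviation maps to
    severity: str  # "high" or "medium"
    detail: str

def check_mfa(cfg: dict) -> list[Finding]:
    """Tip 2: MFA enforced globally and on every privileged account."""
    out = []
    if not cfg.get("mfa_enforced"):
        out.append(Finding("mfa", "high", "MFA is not globally enforced"))
    for user in cfg.get("accounts", []):
        if user["role"] in PRIVILEGED_ROLES and not user.get("mfa"):
            out.append(Finding("mfa", "high", f"privileged account {user['name']!r} has no MFA"))
    return out

def check_admin_access(cfg: dict) -> list[Finding]:
    """Tip 3: IP ACL on the admin interface, plus a two-person rule for critical operations."""
    out = []
    cidrs = cfg.get("admin_interface", {}).get("allowed_cidrs", [])
    if not cidrs:
        out.append(Finding("admin_access", "high", "admin interface has no IP ACL"))
    for c in cidrs:
        net = ipaddress.ip_network(c, strict=False)
        if net.prefixlen == 0:
            out.append(Finding("admin_access", "high", f"ACL allows any source ({c})"))
        elif net.version != MANAGEMENT_NET.version or not net.subnet_of(MANAGEMENT_NET):
            out.append(Finding("admin_access", "high", f"ACL entry {c} is outside the management VLAN"))
    missing = CRITICAL_OPS - set(cfg.get("dual_authorization", {}).get("required_for", []))
    if missing:
        out.append(Finding("admin_access", "medium", f"no two-person rule for: {sorted(missing)}"))
    return out

def check_immutability(cfg: dict) -> list[Finding]:
    """Tip 4: at least one copy on compliance-mode (admin-proof) immutable storage."""
    ok = [r for r in cfg.get("repositories", []) if r.get("immutable")
          and r.get("lock_mode") == "compliance" and r.get("retention_days", 0) >= MIN_IMMUTABLE_RETENTION_DAYS]
    return [] if ok else [Finding("immutability", "high", "no compliance-mode immutable copy "
                                  f"with >= {MIN_IMMUTABLE_RETENTION_DAYS} days retention")]

def check_isolation(cfg: dict) -> list[Finding]:
    """Tip 1: no repository may be reachable from the production network."""
    return [Finding("isolation", "high", f"repository {r['name']!r} is reachable from production")
            for r in cfg.get("repositories", []) if "production" in r.get("reachable_from", [])]

def check_hardening(cfg: dict) -> list[Finding]:
    """Tip 5 audit items: account lockout, off-box audit logging, encryption at rest."""
    out = []
    if not 0 < cfg.get("account_lockout", {}).get("threshold", 0) <= MAX_LOCKOUT_THRESHOLD:
        out.append(Finding("lockout", "medium", "lockout threshold missing or too permissive"))
    log = cfg.get("logging", {})
    if not (log.get("audit_enabled") and log.get("remote_syslog")):
        out.append(Finding("logging", "medium", "audit log disabled or not forwarded to a SIEM"))
    if not cfg.get("encryption", {}).get("at_rest"):
        out.append(Finding("encryption", "high", "backup data is not encrypted at rest"))
    return out

def audit(cfg: dict) -> list[Finding]:
    """Run every check; an empty list means the export matches the baseline."""
    findings: list[Finding] = []
    for check in (check_mfa, check_admin_access, check_immutability, check_isolation, check_hardening):
        findings.extend(check(cfg))
    return findings

# Constructed sample export with deliberate deviations; not any real platform's output format.
SAMPLE_CONFIG = {
    "mfa_enforced": False,
    "accounts": [{"name": "bkadmin", "role": "admin", "mfa": True},
                 {"name": "svc-restore", "role": "backup_operator", "mfa": False}],
    "admin_interface": {"allowed_cidrs": ["10.10.0.0/24", "0.0.0.0/0"]},
    "dual_authorization": {"required_for": ["delete_backup"]},
    "repositories": [
        {"name": "primary-disk", "immutable": False, "reachable_from": ["production", "management"]},
        {"name": "object-lock", "immutable": True, "lock_mode": "governance",
         "retention_days": 14, "reachable_from": ["management"]},
    ],
    "account_lockout": {"threshold": 50},
    "logging": {"audit_enabled": True, "remote_syslog": ""},
    "encryption": {"at_rest": True},
}

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity:<6}] {f.control:<13} {f.detail}")
```

Run against the sample export, the audit reports eight deviations: MFA not enforced globally and a privileged service account without it, a wildcard ACL entry, missing dual authorization for retention changes and for disabling immutability, an immutable copy that is only governance-locked and held for too short a period, a repository writable from production, a lockout threshold of 50, and audit logs that never leave the box. The governance-versus-compliance distinction is deliberate: a governance lock is exactly the kind of "immutability" an attacker with a captured admin account can switch off, so the check refuses to count it.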

Implementing these strategies and leveraging a security posture management tool ensures that backup systems remain secure, reliable, and resilient against evolving cyber threats.
