
Five backup lessons from the UnitedHealth ransomware attack

The ransomware attack on UnitedHealth earlier this year is quickly becoming the healthcare industry’s version of Colonial Pipeline, leading to congressional testimony, legislative scrutiny and possible legislation.

In recent months, there have been two congressional hearings on the attack – one in the Senate, followed by one in the House – as well as calls from several senators for investigations into how the government responded to the incident, not to mention … criticism of UnitedHealth’s CISO, Steven Martin, who joined the company in June 2023.

After UnitedHealth paid a $22 million ransom to prevent the loss of stolen data, the company had to perform a complete rebuild of its systems, even after decrypting the files.

UnitedHealth CEO Andrew Witty made this clear in his statement: the company's backups were not isolated by network segmentation or infrastructure gaps, so the attackers could lock these too, blocking any recovery path from the initial attack.

Previously, very few CISOs paid much attention to their backups. That is no longer the case today.

Ransomware has pushed backup and recovery back onto the IT and business agenda – even before the attack on UnitedHealth earlier this year.

Attackers realize that a successful attack on a backup environment is the deciding factor in whether a company pays the ransom.

Some ransomware groups – BlackCat, Akira, LockBit, Phobos and Crypto, for example – have bypassed production systems entirely and focused directly on backups.

This has forced organizations to re-examine potential gaps in their safety nets and review their backup and recovery strategies.

Five backup lessons from the UnitedHealth ransomware attack

So how should IT infrastructure and security teams deal with this threat?

  1. Network segmentation and air-gapped backup

In the ransomware attack that hit UnitedHealth, the company admitted that its backups were not isolated by network segmentation or infrastructure gaps, allowing the attackers to lock them too and blocking any recovery path from the initial attack.

Network segmentation is a tactic that can significantly reduce the impact of a ransomware attack. By dividing the network into smaller, distinct areas, the spread of malware is minimized if one area is compromised. Backup infrastructure belongs in its own segment, reachable only from the backup servers on the ports they need, and at least one copy should be air-gapped or otherwise unreachable from the production network, so that credentials and access stolen from production cannot be used to reach it.

  2. Multi-factor authentication (MFA)

The lack of multi-factor authentication (MFA) was at the heart of the UnitedHealth ransomware attack.

The attack was carried out by hackers who used stolen credentials to log in to company systems that lacked MFA. A stolen password is enough on its own only where MFA is absent, so MFA must be enforced on the backup consoles, storage management interfaces and remote-access paths that lead to them, not just on user-facing systems.

Solutions like StorageGuard can audit and verify that MFA is implemented and enforced across all backup systems. By consistently applying MFA, StorageGuard helps protect sensitive data from unauthorized access – even if user credentials are compromised.

  3. Restrict administrator access

Limiting administrative privileges is an essential part of a solid backup security strategy, as these privileges are a prime target for attackers. This includes:

  • Ensure that only those who truly need it have administrative access to the organization's backups
  • Apply IP ACLs to management interfaces so they are reachable only from designated administration hosts
  • Set up a two-person rule for critical backup changes such as deleting repositories or shortening retention

These recommendations can significantly help reduce the attack surface.

StorageGuard can help you by auditing and enforcing strict controls over administrative access to backup platforms.

By ensuring that only authorized personnel have the necessary permissions and that these permissions are regularly reviewed and adjusted as necessary, StorageGuard helps minimize the risk of permission abuse and potential insider threats.

  4. Immutable backup

Make sure at least one of your backup copies is stored on immutable storage. This ensures that your backup data cannot be altered, deleted, or encrypted by malicious actors, including ransomware, for as long as the retention lock is in force, and it preserves the integrity and availability of backup data for cyber recovery. Immutability is only as strong as the lock: the retention period must be long enough to cover the time an attacker typically dwells before detonating, and the accounts able to shorten retention or delete the vault must themselves be protected by MFA and the two-person rule, since a lock a compromised administrator can lift is not immutable.

  5. Secure configuration baseline

As DORA now requires and NIST guidance has long recommended, it is critical to establish a secure configuration baseline for your backup and storage environment and to use tools that detect deviations from that baseline. This ensures that your backup inventory adheres to the principles outlined in this recommendations section – and more.

StorageGuard can help you continually secure your backup and storage environment. StorageGuard automatically checks whether backup platforms are hardened and protected from tampering and unauthorized access. By testing the security of your backup systems, StorageGuard helps ensure that you can reliably restore your data when needed – without the risk of compromising the backup data.

The checks include:

  • Multifactor authentication
  • Immutability best practices
  • CISA #StopRansomware Guidelines
  • Double authorization for critical changes
  • Limited administrator access
  • Account lockout settings
  • NAS security guidelines
  • Compliance with NIST, ISO, NERC CIP, HIPAA and other standards
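The controls in the "Restrict administrator access" list, the immutability lesson and the baseline-deviation check above can all be expressed as one audit over a backup platform's exported configuration. The following is an added example, not code from the original post and not StorageGuard's own logic; the configuration snapshot format and its field names (`users`, `management`, `repositories`, `immutability`) are assumptions made for the example, as is the sample snapshot itself, which is constructed to contain deliberate deviations. Real products export different schemas, but the checks map one to one onto the list above.

```python
"""Audit a backup platform's configuration snapshot against a secure baseline.

Added example. The snapshot schema below is an assumption for illustration;
map the field names onto whatever your backup product actually exports.
"""
import ipaddress
from dataclasses import dataclass

# The baseline every backup platform in the inventory must meet.
BASELINE = {
    "mfa_required_for_admins": True,
    "max_admin_accounts": 3,
    "management_acl_required": True,
    "two_person_rule_for_destructive_ops": True,
    "lockout_threshold_max": 5,          # failed logins before lockout
    "min_immutable_retention_days": 14,  # must cover attacker dwell time
    "require_compliance_mode": True,     # governance mode can be lifted by an admin
}


@dataclass(frozen=True)
class Finding:
    check: str
    detail: str


def _acl_is_open(cidrs: list[str]) -> bool:
    """True if the ACL is empty or contains a catch-all such as 0.0.0.0/0 or ::/0."""
    if not cidrs:
        return True
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def audit(config: dict, baseline: dict = BASELINE) -> list[Finding]:
    """Return one Finding per deviation from the baseline (empty list = compliant)."""
    findings: list[Finding] = []
    admins = [u for u in config["users"] if u["role"] == "admin"]

    # MFA on every administrative account, including service accounts.
    if baseline["mfa_required_for_admins"]:
        no_mfa = sorted(u["name"] for u in admins if not u.get("mfa", False))
        if no_mfa:
            findings.append(Finding("mfa", "admin accounts without MFA: " + ", ".join(no_mfa)))

    # Limited administrator access: cap the number of admin accounts.
    if len(admins) > baseline["max_admin_accounts"]:
        findings.append(Finding("admin_count",
                                f"{len(admins)} admin accounts, baseline allows "
                                f"{baseline['max_admin_accounts']}"))

    mgmt = config["management"]

    # IP ACL on the management interface.
    if baseline["management_acl_required"] and _acl_is_open(mgmt.get("allowed_cidrs", [])):
        findings.append(Finding("ip_acl", "management interface reachable from any source address"))

    # Two-person rule for destructive changes.
    if baseline["two_person_rule_for_destructive_ops"] and not mgmt.get("two_person_rule", False):
        findings.append(Finding("two_person_rule",
                                "repository deletion and retention changes need no second approver"))

    # Account lockout settings.
    threshold = mgmt.get("lockout_threshold")
    if threshold is None or threshold > baseline["lockout_threshold_max"]:
        findings.append(Finding("lockout",
                                f"lockout threshold is {threshold}, baseline requires "
                                f"<= {baseline['lockout_threshold_max']}"))

    # Immutability: enabled, long enough, and not liftable by a privileged account.
    for repo in config["repositories"]:
        lock = repo.get("immutability") or {}
        name = repo["name"]
        if not lock.get("enabled", False):
            findings.append(Finding("immutability", f"repository {name} is not immutable"))
            continue
        days = lock.get("retention_days", 0)
        if days < baseline["min_immutable_retention_days"]:
            findings.append(Finding("immutability",
                                    f"repository {name} retention {days}d is below "
                                    f"{baseline['min_immutable_retention_days']}d"))
        if baseline["require_compliance_mode"] and lock.get("mode") != "compliance":
            findings.append(Finding("immutability",
                                    f"repository {name} uses {lock.get('mode')} mode: "
                                    "a privileged account can shorten or lift the lock"))
    return findings


# Constructed sample snapshot with deliberate deviations (not real data).
SAMPLE_CONFIG = {
    "users": [
        {"name": "alice", "role": "admin", "mfa": True},
        {"name": "bob", "role": "admin", "mfa": True},
        {"name": "svc_backup", "role": "admin", "mfa": False},
        {"name": "carol", "role": "admin", "mfa": True},
        {"name": "dave", "role": "operator", "mfa": False},
    ],
    "management": {
        "allowed_cidrs": ["10.20.0.0/24", "0.0.0.0/0"],
        "two_person_rule": False,
        "lockout_threshold": 10,
    },
    "repositories": [
        {"name": "onsite-disk", "immutability": {"enabled": False}},
        {"name": "offsite-objectlock",
         "immutability": {"enabled": True, "mode": "governance", "retention_days": 7}},
        {"name": "vault",
         "immutability": {"enabled": True, "mode": "compliance", "retention_days": 30}},
    ],
}


def deviation_report(config: dict = SAMPLE_CONFIG) -> list[str]:
    """Human-readable deviation lines, one per finding."""
    return [f"[{f.check}] {f.detail}" for f in audit(config)]


if __name__ == "__main__":
    for line in deviation_report():
        print(line)
```

Run on the sample snapshot the audit reports eight deviations: the service account without MFA, one admin account too many, the catch-all ACL entry, the missing two-person rule, the lax lockout threshold, the non-immutable onsite repository, and both the short retention and the governance mode of the offsite repository; only the compliance-mode vault passes. Scheduling this against a fresh export after every change is the "detect baseline deviations" step the lesson above calls for.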

Implementing these strategies and using tools like StorageGuard ensures backup systems remain secure, reliable and resilient to evolving cyber threats.

Take the 2-minute Ransomware Resilience Assessment for backups to get your maturity level and practical recommendations.

The post Five Backup Lessons From the UnitedHealth Ransomware Attack appeared first on Continuity™.

*** This is a syndicated blog from Continuity™’s Security Bloggers Network, written by Doron Youngerwood. Read the original post at:
