What is Ransomware?
The term ransomware refers to malicious software developed to prevent its victims from accessing their own critical business resources until they pay a fee.
Ransomware usually infiltrates systems much like other forms of malware - involving the privileged execution of untrusted code delivered via email attachments, infected websites, instant messaging, and more. Once established, ransomware seeks to discover and prevent access to resources of value while also spreading itself to other vulnerable systems.
Unfortunately, there's no guarantee that access to these resources will be restored even if the victim decides to pay.
The potential impact of ransomware cannot be overstated. Infection can potentially result in temporary or permanent data loss, operational disruption, considerable expense, liability exposure, and reputation damage.
How is SQL Server Affected?
One common ransomware attack vector is the file system. Crypto ransomware will seek to encrypt files so they can only be accessed again through a decryption key (ostensibly) provided once the ransomware author's demands are met.
Although SQL Server write-locks its database files while running, ransomware may attempt to halt associated system services to release those locks - or even reboot the machine in order to run before locks can be established.
Once database files are encrypted by ransomware, any attempts by SQL Server to attach to them will fail. The resulting error logs are often the first indication the victim receives that their database server has been compromised.
Backup File Storage
Most organizations understand the importance of having database backups. Unfortunately, those backups are commonly stored in file system locations vulnerable to ransomware attacks.
If SQL Server itself is used to create backups, the resulting backup files will usually be retained locally or on network-attached storage. Competent ransomware authors understand this and will aggressively seek out such file system locations to encrypt the backup files they contain.
The Value of Off-Site Backups
Storing SQL Server backups off-site can provide a robust additional layer of security against database ransomware attacks.
Cloud data storage services, for example, will usually not be discoverable by ransomware running on-premises unless there's a file system mapping that exposes them directly. This point is discussed further below.
Importantly, off-site storage services generally require an additional level of authentication and authorization which ransomware cannot circumvent.
How SQL Backup Master Can Help
SQL Backup Master is a software tool created by Key Metric Software to make off-site SQL Server database backups accessible to organizations of all sizes.
SQL Backup Master makes it easy to create database backups, optionally compress and encrypt them, and then store them off-site. It includes support for popular cloud storage services such as Amazon S3, Google Drive, Azure, FTP, etc.
SQL Backup Master can also store database backups in multiple off-site locations for additional redundancy and security.
We recommend organizations store their SQL Server database backup files in redundant off-site locations. Doing so decreases the likelihood that malware will somehow discover and infiltrate all such sites.
Businesses should also avoid installing software products on-premises that provide direct, unchallenged access to cloud storage locations in ways discoverable by ransomware. For example, installing a client application that maps a local drive or folder to an off-site storage service will be easily discovered by malware and should be avoided. Critical database backups should be isolated from on-premises networks as much as possible.
For additional security, create cloud service accounts that will be used exclusively for database backup purposes and restrict their access accordingly. Apply the principle of "Least Privilege" wherever possible.
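As an added example (not part of the original article and not SQL Backup Master's own configuration), here is an AWS IAM policy for a backup-only identity that can write new backup objects to an S3 bucket but is explicitly denied the rights to delete objects or object versions, change versioning, or set lifecycle rules. The bucket name is a placeholder, and the bucket is assumed to have versioning enabled so that an overwrite with PutObject preserves the earlier version rather than destroying it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteBackupsOnly",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::EXAMPLE-sql-backups-bucket",
        "arn:aws:s3:::EXAMPLE-sql-backups-bucket/*"
      ]
    },
    {
      "Sid": "NeverDeleteOrAlterBackupHistory",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:PutBucketVersioning",
        "s3:PutLifecycleConfiguration",
        "s3:DeleteBucket"
      ],
      "Resource": [
        "arn:aws:s3:::EXAMPLE-sql-backups-bucket",
        "arn:aws:s3:::EXAMPLE-sql-backups-bucket/*"
      ]
    }
  ]
}
```

With this policy, a credential stolen from the backup host can add objects but cannot remove or supersede existing backups; restores are performed with a separate, read-capable identity that is never stored on the database server.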
These best practices should then be integrated with your broader ransomware mitigation strategy. For more information, we recommend reviewing UC Berkeley's Ransomware FAQ.