Doron Youngerwood

Five Backup Lessons Learned – From The UnitedHealth Ransomware Attack

  • September 30, 2024
  • 5 min read


The ransomware attack on UnitedHealth earlier this year is quickly becoming the healthcare industry’s version of Colonial Pipeline, prompting congressional testimony, lawmaker scrutiny and potential legislation.  

Over the past few months, there have been two congressional hearings on the attack — one in the Senate, followed by one in the House — as well as calls from multiple senators for investigations into how the government responded to the incident, not to mention the criticism against UnitedHealth’s CISO, Steven Martin, who joined the company in June 2023. 

After paying a ransom of $22 million to prevent the leak of stolen data, UnitedHealth had to perform a complete rebuild on its systems, even after decrypting files.  

In his testimony, UnitedHealth’s CEO Andrew Witty identified that the company’s backups weren’t sequestered with network segmentation or infrastructure gapping, so the attackers were able to lock those up too, blocking any recovery path from the initial attack. 

Very few CISOs used to pay much attention to their backups. That’s no longer the case today.  

Ransomware has pushed backup and recovery back onto the IT and corporate agenda – even before the attack on UnitedHealth earlier this year. 

Attackers realize that a successful breach of a backup environment is the single biggest determining factor if an organization will pay the ransom. 

Some ransomware groups – BlackCat, Akira, Lockbit, Phobos, and Crypto, for example – have been bypassing production systems altogether, and going straight for the backups. 

This has forced organizations to look again at potential holes in their safety nets, by reviewing their backup and recovery strategies. 

So, how should IT Infrastructure and Security teams deal with this threat?  

  1. Network Segmentation and Air-Gapped Backup 

In the ransomware attack that hit UnitedHealth, the company admitted that their backups weren’t sequestered with network segmentation or infrastructure gapping, so the attackers were able to lock those up, blocking any recovery path from the initial attack. 

Network segmentation is a tactic that can greatly reduce the impact of a ransomware attack. By separating the network into smaller, distinct areas, the spread of malware is minimized if one area is compromised. 

  2. Multi-Factor Authentication (MFA)

The lack of multi-factor authentication (MFA) was at the center of the ransomware attack at UnitedHealth. 

The attack was carried out by hackers who used stolen credentials to get into company systems that lacked MFA.

Solutions like StorageGuard can audit and verify that MFA is implemented and enforced across all backup systems. By ensuring MFA is consistently applied, StorageGuard helps to protect sensitive data from unauthorized access – even if user credentials are compromised.  

  3. Restricting Administrative Access

Restricting administrative privileges is a vital part of a solid backup security strategy, as these privileges are a primary target for attackers. This includes:

  • Ensuring that only those who truly need it have admin access to the organization’s backups
  • Applying IP ACLs to administrative interfaces
  • Setting up a two-person rule for critical backup changes

These recommendations can significantly help reduce the attack surface.  

StorageGuard can help you by auditing and enforcing strict controls over administrative access for backup platforms.   

By ensuring that only authorized personnel have the necessary privileges and that these privileges are regularly reviewed and adjusted as needed, StorageGuard helps minimize the risk of privilege misuse and potential insider threats.  

  4. Immutable Backup

Ensure that at least one of your backup copies is stored on immutable storage. This ensures your backup data cannot be altered, deleted, or encrypted by malicious actors, including ransomware, and it guarantees the integrity and availability of backup data for cyber recovery.

  5. Secure Configuration Baseline

As recently mandated by DORA, and previously by NIST, establishing a secure configuration baseline for your backup and storage environment, and using tools to detect deviations from that baseline, is critical. It ensures your backup estate adheres to the principles laid out in this recommendation section – and much more.

StorageGuard can assist with continuous security posture management for your backup and storage environment. StorageGuard automatically verifies that backup platforms are hardened, and protected against tampering and unauthorized access. By auditing the security of your backup systems, StorageGuard guarantees that you can reliably restore your data when needed – without the risk of backup data being compromised.

Auditing includes: 

  • Multifactor Authentication 
  • Immutability best practices 
  • CISA #StopRansomware Guidelines 
  • Dual Authorization for Critical Changes 
  • Restricted Administrative Access 
  • Logging Best Practices 
  • Account Lockout Settings 
  • Backup Isolation 
  • NAS Security Guidelines 
  • Secure Snapshots 
  • Encryption 
  • Adherence to NIST, ISO, NERC CIP, HIPAA and other standards 
  • And more… 
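The baseline-deviation check this section describes, reduced to its core, as an added example (not StorageGuard's code): a constructed configuration export from a hypothetical backup server is compared against the controls listed above (MFA, admin ACLs, immutability, dual authorization, admin-account count, isolation). The configuration schema, the sample values and the thresholds are assumptions.

```python
"""Check a backup platform's exported configuration against a secure baseline."""
import ipaddress

# Constructed configuration export from a hypothetical backup server (assumed schema).
SAMPLE_CONFIG = {
    "mfa": {"enforced": True, "exempt_accounts": ["svc-backup-admin"]},
    "admin_acl": ["10.20.0.0/24", "0.0.0.0/0"],
    "immutable_copy": {"enabled": True, "lock_days": 7},
    "retention_days": 30,
    "dual_authorization": {"delete_job": True, "change_retention": False},
    "admins": ["alice", "bob", "carol", "dave", "erin", "frank", "gina"],
    "management_network_isolated": False,
}

def check_baseline(cfg, max_admins=5, min_acl_prefix=16):
    """Return a list of (control, finding) tuples; an empty list means compliant."""
    findings = []
    mfa = cfg.get("mfa", {})
    if not mfa.get("enforced"):
        findings.append(("MFA", "not enforced for backup administrators"))
    for acct in mfa.get("exempt_accounts", []):   # exemptions defeat enforcement
        findings.append(("MFA", f"exemption for {acct}"))
    for cidr in cfg.get("admin_acl", []):
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen < min_acl_prefix:         # catches 0.0.0.0/0 style allow-all
            findings.append(("Admin ACL", f"{cidr} allows too wide a range"))
    imm = cfg.get("immutable_copy", {})
    if not imm.get("enabled"):
        findings.append(("Immutability", "no immutable copy configured"))
    elif imm.get("lock_days", 0) < cfg.get("retention_days", 0):
        # A lock shorter than the retention period leaves the oldest copies deletable.
        findings.append(("Immutability",
                         f"lock {imm['lock_days']}d shorter than retention {cfg['retention_days']}d"))
    for action, required in cfg.get("dual_authorization", {}).items():
        if not required:
            findings.append(("Dual authorization", f"not required for {action}"))
    admins = cfg.get("admins", [])
    if len(admins) > max_admins:
        findings.append(("Admin access", f"{len(admins)} admin accounts exceed limit of {max_admins}"))
    if not cfg.get("management_network_isolated"):
        findings.append(("Isolation", "management interface reachable from production network"))
    return findings

if __name__ == "__main__":
    for control, finding in check_baseline(SAMPLE_CONFIG):
        print(f"DEVIATION [{control}]: {finding}")
```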

Implementing these strategies and leveraging tools like StorageGuard ensures that backup systems remain secure, reliable, and resilient against evolving cyber threats.  

Take the 2-minute Ransomware Resiliency Assessment for Backups to receive your maturity score and practical recommendations.
