How to protect your backups from ransomware

Ransomware attacks can be crippling. However, businesses that have all of their data backed up can recover from an attack without paying the ransom. Covering your data security with secure backups is a good idea, but you also need to protect backups from ransomware.

Unfortunately, your backups can also be vulnerable to ransomware infection, so you can find yourself with your backup rendered unusable as well as your primary data stores. We look at strategies that can reduce your vulnerability to ransomware.

Six myths about ransomware

When you read around the topic of backups for ransomware protection, you will read some advice that is wrong or out of date. So, let’s bust some myths.

  1. Ransomware infection doesn’t get into backups because it activates immediately – Not true. Some ransomware acts as a timebomb, waiting before being started. This hacker strategy was created to knock out backups.
  2. Ransomware only infects Windows and so crossing over to backup on a different operating system strips out the threat – Infected files can be stored onto a cloud platform, and the encryption will still activate there.
  3. Ransomware can’t activate in encrypted backups – An executable file won’t run if its code has been altered by encryption. However, when you unbundle that backup to recover from an infection, the infection will become executable again and will activate.
  4. Ransomware only attacks big corporations – Unfortunately, everyone is a potential target. Even private users get attacked on their home computers.
  5. It’s cheaper and easier to plan to pay the ransom rather than spend money on recovery systems – Paying the ransom doesn’t always get you the decryption key. Also, those that pay the ransom mark themselves out as easy targets for reinfection.
  6. Ransomware attacks are revenge aimed at big corporations that screwed people over – While companies that mistreat people do attract revenge attacks, many ransomware hackers just send out phishing emails in bulk hoping that a percentage of those will work.

The reality about ransomware

Ransomware gets into your system through emails. The code for system encryption is embedded in an attachment. Another avenue comes from malicious websites that popup a notification, ironically, telling the visitor that their computer is infected and they need to download a tool to remove it.

Ransomware can be hidden in PDFs, ZIP files, RAR files, IMG, and ISO files. Of course, EXE files are also potential ransomware infections.

Initially, the ransomware only encrypts the computer that it is downloaded onto. So, if one of your users opens an email attachment or downloads a file from a website, only that device’s files will be encrypted. Therefore, user devices are the most susceptible to attack, but sophisticated ransomware packages can travel across a network. Time-delayed viruses can be uploaded onto shared drives through syncing.

It is those network-connected infections that can do severe damage. If they get onto your central servers where you host databases, you could be in serious trouble. These ransomware attacks would pass into your backup system and could cause infections there. Such attacks are the reasons that you need to protect backups from ransomware.

Protect backups from ransomware

Protect backups from ransomware by intercepting viruses before they get onto your backup server. An infected backup copy is useless. Even if the ransomware can’t or doesn’t activate on the backup drive, it will just reinfect the protected device when you restore the backup.

There are four points at which you need to prevent ransomware infections:

  1. Block users from downloading viruses and infected files
  2. Block infections from transmitting around the network
  3. Block ransomware from uploading to shared drives through syncing
  4. Block ransomware from getting onto the backup server

Focusing on removing ransomware from a backup server is the wrong approach. The only way to adequately protect backups from ransomware is to stop it from getting there.

Secure backup strategies

There is no backup strategy that will fully protect backups from ransomware. You should be applying several rules to your backup routines to ensure that your system can be restored without complications.

The Rule of 3-2-1

The traditional rule for backup is called the 3-2-1 system. You should practice this. This system requires three copies of all of the files on your system:

  1. The original file
  2. A copy on-site on a different medium
  3. An offsite copy

Many system administrators strongly recommend that the first backup held on-site be saved to a removable storage medium, such as DAT tape.

Full, differential, and incremental backups

The second copy held on-site and the third copy, which is stored offsite, require different strategies.

There are three ways that you can get a backup.

  • Full backup – Copy everything
  • Differential backup – Copy everything that has changed since the last full backup
  • Incremental backup – Copy everything that has changed since the last backup of any type

Differential and incremental backups to fixed drives, either onsite or offsite, are quicker than full backups. However, they are challenging to perform on tape. Tape is better for full backups.

You don’t have to use both your onsite and offsite backups in the same way. You should also get a secure storage location for your onsite tapes, such as a fireproof safe.

Versioning and rollbacks

The perfect backup strategy for your business greatly depends on your business’s size and pace of activity. Traditionally, system managers are advised to perform a full backup once a week and an incremental or differential backup daily. This schedule might be too infrequent in fast-paced businesses where every moment of data processing is vital, such as a stock trading platform.

Versioning is a good practice to protect backups from ransomware. Rather than performing an incremental backup that wipes out earlier backup copies of specific files, the system preserves the original state and saves the new version separately. Unfortunately, as those versions are usually held on the same drive, an infection in the latest version will knock out all versions.

There is a way that you can implement versioning and allow you to roll back to a clean copy. This is just about the most substantial hope you can have of recovering from a backup that a ransomware executable file has already infected.

Considering that the 3-2-1 rule gives you two copies of every file, you can implement incremental backups on one store and versioning on another. While there are sophisticated software tools to manage versioning, there is a simple way you can implement the strategy. That is, make your onsite backup to tape a full daily backup.

Time your tape backup for when overnight batch processes have been completed. This ensures you get the most up-to-date state of data before staff turns up for work.

Ransomware attacks are most likely to hit during business hours because user actions usually kick them off. In these cases, you can shut down the system and then restore it from tape. This will temporarily wipe out all of that day’s transactions. However, this is better than nothing and will ensure that the ransomware program is wiped out.

Once the system is back, and the users have most of their data, you have time to look through the offsite incremental backup, compare file versions and see where you can provide a more up-to-date version of specific files. This strategy would be suitable for a high turnover site where incremental backups are performed at several points of the day.

Distributed backups

Protect your backups from ransomware by making it difficult for the ransomware program to spread between different types of data. Run separate backup systems for different kinds of data and even create other people responsible for backing up data.

A clear division of labor in backing up lies with DBAs. The DBA should be responsible for backing up the database separately from all other data stores. The database could be backed up to a different cloud storage account, keeping it completely separate from file server backups, which would be the system administrator’s responsibility. Back up desktops separately with a particular cloud account for each desktop. This strategy will protect your backups from ransomware by containing the outbreak to one backup location.

Remember, the ransomware infection is most likely to occur on a user endpoint. If you can contain it there, you have protected all of your other devices and backup stores.

Backup protection software

Protect backups from ransomware by spotting ransomware early before it gets onto the backup storage. Make sure that your backup software can filter out ransomware infections.

Our methodology for selecting ransomware protection for backups

We reviewed the market for backup system ransomware protection and analyzed the options based on the following criteria:

  • A pre-transfer malware scan of all files
  • Disabling of executable files in backup repositories
  • Early detection of unplanned file encryption
  • Monitoring of Docker container resource usage
  • Identification of imposter programs
  • A free trial or a demo service for a free assessment opportunity before buying
  • Value for money from a scanner that can catch ransomware before it gets uploaded to backup repositories

Look into these security systems to block ransomware from your system and protect your backups from ransomware.

  1. ThreatLocker EDITOR’S CHOICE This cloud-resident system provides a straightforward block on all malware, including ransomware, by blocking all software from running unless it is on a list of approved systems. So, programs hidden in document files are just extra text and can do no harm to your backup repositories. Access a free demo.
  2. NinjaOne Backup (FREE TRIAL) A data protection service that is available for use by managed service providers to offer data backups to clients as an extra service and protect against ransomware attacks. This cloud-based system integrates well with other NinjaOne services to MSPs. Get it on a 14-day free trial.
  3. Acronis Cyber Protect (FREE TRIAL) This is a package of cloud-based services that can backup Windows, Linux, macOS, iOS, and Android and also provides anti-malware for office endpoints.
  4. CrowdStrike Falcon Prevent An extended detection and response system that watches all endpoints. This is a cloud-coordinated service.
  5. ManageEngine DataSecurity Plus A file protection system that can identify ransomware as soon as it hits an endpoint. It runs on Windows Server.
  6. BitDefender GravityZone A package of system protection and secure backup management. It runs as a virtual appliance.

The best Backup Protection software

1. ThreatLocker (ACCESS FREE DEMO)


ThreatLocker implements a closed security stance. It doesn’t matter what software gets onto your servers, it is blocked from running. So, you don’t need to worry about the infection of your backup server – they are just dead files that will never be able to activate. This means that you should check your system for unwanted files periodically to remove the malware files and prevent them from taking up space. However, there is no risk that ransomware will destroy your data.

Key Features:

  • Easy to implement
  • USB port controls
  • Secure by default
  • Blocks all programs
  • Administrator approval

Why do we recommend it?

ThreatLocker provides an “allow listing” system. This blocks all programs from running on a protected device and then the administrator sets up a list of known software that will be allowed to run. Thus, even if ransomware gets onto a computer, it is a dead file and cannot execute because it isn’t on the list.

It’s good that ThreatLocker blocks all software by default but you are going to need to permit some software to run on your endpoints. The ThreatLocker dashboard lets you compile an “allow list”. This is a whitelisting system and it can be applied to groups of devices or individual computers. This lets you permit the software you have licenses for to run on endpoints while simultaneously blocking all other programs.

Who is it recommended for?

ThreatLocker is a good choice for any business because its strategy is really easy to understand and comprehension is half the battle when implementing IT systems. Other tools in the platform provide access controls and connection security, but the jewel in the crown as far as ransomware protection is concerned is its allow listing system.


  • Implements Zero Trust Access (ZTA)
  • Lets you construct a virtual network
  • Provides security for hybrid systems
  • Generates Access Control Lists for networks
  • Blocks all software by default


  • Doesn’t include a full access rights manager

The concepts that ThreatLocker implements are quite new, so you will need to learn about application fencing methodologies to fully understand this system. Access a demo of the ThreatLocker platform to get to know the ZTA strategy.


ThreatLocker is our top pick for a system to protect your backups from ransomware because it identifies the major problem that backup repositories face, which is that ransomware hides in document files. Backup systems don’t copy over software – these can just be reinstalled and don’t need to be preserved. Text files, Word documents, and PDFs do need to be backed up and these files don’t present a problem unless a hacker has hidden ransomware inside a typical document format. ThreatLocker prevents unauthorized software from executing, so those hidden hacker programs are just extra text – they are rendered harmless.

Official Site:

OS: Cloud-based

2. NinjaOne Backup (FREE TRIAL)

NinjaOne Backup

NinjaOne Backup is organized for managed service providers (MSPs). The system has a multi-tenant structure, which enables MSPs to implement the backup system on behalf of clients. The package includes cloud storage space, which is segments for each subaccount and protected by 256-bit AES encryption. Data transfers from and to protected endpoints are also covered by that grade of cipher.

Key Features:

  • Designed for MSPs
  • Service to MSP clients
  • Encrypts data in transit
  • Encrypts backup repositories
  • Backs up PCs and Macs

Why do we recommend it?

NinjaOne Backup is an automated backup service that is delivered from the cloud. Bsvkups are protected from direct access by outsiders through account credentials and encryption for transfers and storage. If you only backup data, there is no way that a ransomware program could activate in your backup storage.

The system enrolls endpoints by downloading an agent. This manages the backup strategy, which is set in the Web-based console. Backups can be full, incremental, or differential. Copies can be stored locally, on the Ninja platform, or on third-party cloud platforms. Remote workers are also covered and they get a self-service portal, through which they can get their data restored in the event of a ransomware attack.

NinjaOne Backup provides managed service providers with a tool that they can use to add extra services to their menu and earn more money. This system will back up PCs and Macs and offers a self-service portal that enables users to demand an automated restore of a computer. This is a great time-saver and reduces the number of calls that MSP technicians need to field from end users. The service allows technicians to specify multiple locations for repositories that provide speedy backup from local stores and insurance against local backup corruption from a cloud-located repository. Data is protected in transit and at rest by encryption.

Who is it recommended for?

This system is multi-tenanted for use by managed service providers when protecting the data of their clients. The cloud storage space for repositories is included in the package and the MSP can also choose to store a copy on its premises or on the client site.


  • Simple and easy-to-use admin dashboard
  • Can silently install and uninstall applications and patches while the user works
  • Patch management and other automated maintenance tasks can be easily scheduled
  • Platform agnostic web-based management


  • Lacks support for mobile devices

The central management console allows for bulk actions and response automation, which can kick in, should a ransomware attack occur. You can make your own investigations into the NinjaOne Backup service by accessing a 14-day free trial.

NinjaOne Backup Start 14-day FREE Trial

Related: Full NinjaOne Backup Review

3. Acronis Cyber Protect (FREE TRIAL)

Acronis Cyber Protect

Acronis Cyber Protect is a package of modules that enables system administrators to manage, protect, and backup a fleet of endpoints. The key tools in the bundle are an antimalware system and a backup service – the ideal combination for protection against malware. All of these systems are delivered from the cloud.

Key Features:

  • Includes malware scanner
  • Back up and restore
  • Back up Windows, macOS, Linux, iOS, and Android

Why do we recommend it?

Acronis Cyber Protect provides the ideal combination of services for ransomware protection. It includes a malware package and a backup system. The system scans all files before uploading them to the backup repository, thus, protecting the store from ransomware infection. When files are restored, they are scanned again for malware.

The Acronis system operates antimalware and backups separately but also uses the anti-malware to protect the backup system. All files and other data sources are scanned for infections before being added to the backup. This prevents ransomware from getting into your backup store and ruining that.

The restore process also uses malware scans. So, all data forms are checked again before being restored.

Who is it recommended for?

Acronis produces the Cyber Protect system in a number of editions that cater to different markets. There is a version for individuals and another for home offices. Corporate systems include a business plan and a package for managed service providers. The system can protect computers and mobile devices.


  • Can clone via scripts and automated scheduling
  • Ideal for enterprise environments
  • Is easy to use without sacrificing advanced features
  • Available for Windows and Mac, a great cross-platform solution


  • Advanced features may take time to fully learn and utilize

Acronis Cyber Protect is able to backup devices running Windows, macOS, Linux, iOS, and Android. It is available for assessment through a 30-day free trial.

Acronis Cyber Protect Start 30-day FREE Trial

4. CrowdStrike Falcon Prevent

CrowdStrike Falcon

CrowdStrike Falcon is a suite of security products. Within that line is Falcon Prevent, which is an endpoint detection and response system. It installs on each endpoint on your network and individually protects devices from ransomware infection.

Key Features:

  • Next-generation antivirus
  • Continues working when offline
  • Isolates an infected computer

Why do we recommend it?

CrowdStrike Falcon Prevent is an on-device antimalware system. This tool deploys user and entity behavior analysis (UEBA) to establish a baseline of regular activity and then looks for deviations from that standard. Anomalous activities, such as ransomware activation will trigger an alert and remediation actions.

The Falcon system extends to a cloud console that coordinates the actions of each endpoint. Although Falcon Prevent should detect and block ransomware as soon as it hits a device, the coordinator, called Falcon Insight alerts technicians to the attack.

Who is it recommended for?

This package is suitable for use by large organizations. Although this is a system for a single device, its greatest power is its ability to be networked. So, you get the most out of the Prevent system if you add on a cloud-based coordinating threat-hunting service, such as CrowdStirke Falcon Insight.


  • Excels in hybrid environments (Windows, Linux, Cloud, BYOD, etc.)
  • Intuitive admin console makes it easy to get started and is accessible in the cloud
  • Can track and alert anomalous behavior over time, which improves the longer it monitors the network
  • Lightweight agents take up little system resources


  • Would benefit from a longer trial period

By combining endpoint-resident antimalware and cloud-based threat detection, CrowdStrike Falcon offers complete protection for a company’s IT system. You can test CrowdStrike Prevent on a 15-day free trial.

5. ManageEngine DataSecurity Plus

ManageEngine DataSecurity Plus

ManageEngine DataSecurity Plus protects files from tampering and so can spot the unauthorized changes that ransomware implements. The settings of the file monitor can be tuned to focus on mass changes. This service protects servers running Windows, which is the operating system most frequently attacked by ransomware.

Key Features:

  • Protects computers running Windows
  • Spots ransomware activity
  • Isolates an infected computer

Why do we recommend it?

ManageEngine DataSecurity Plus provides many mechanisms to protect data, although it doesn’t include a backup system. You could use this tool to monitor repository files created by other backup services. The tool looks for file copy activity and unexpected file changes, such as an encryption process, which could signify a ransomware attack.

Although a change has to occur before DataSecurity Plus can spot it, the system includes automated responses and technician alerting. The automated responses include lockdown of the infected device, which will prevent the ransomware from spreading across the network.

Who is it recommended for?

The main focus of the DataSecurity Plus package is to provide a sensitive data protection service. So, businesses that handle PII and other important data will be particularly interested in this package. The service is currently in use by some very large organizations, including Xerox, Isuzu, and Toyota.


  • Provides a detailed account of file access, allowing sysadmin to understand the context of the file change
  • The platform can track access trends over time, allowing for better malicious behavior detection
  • Supports built-in compliance reporting for popular standards such as HIPAA, PCI DSS, and FISMA
  • Can integrate with numerous helpdesk solutions, notification platforms, and backup systems


  • Requires a sizable time investment to fully explore all the platforms features and tools

ManageEngine DataSecurity Plus installs on Windows Server, and it is available for a 30-day free trial for assessment.

6. BitDefender GravityZone

Bitdefender GravityZone

BitDefender GravityZone is a complete cybersecurity system that includes anti-malware and backup management. This tool will spot ransomware as soon as it downloads on an endpoint, and it will also scan files before transferring them to backup.

Key Features:

  • Malware scanning
  • Backup and recovery management
  • Choice of backup strategy

Why do we recommend it?

Bitdefender GravityZone provides the perfect combination of services for protecting backups from ransomware because as well as including a backup and recovery system, this package has an antivirus module. The AV scans all files before they are moved into the backup repository and also scans them when they are extracted.

The GravityZone package searches for ransomware on endpoints and the network. It can manage backups to local devices and remote servers and also implement file restore actions. The system can also reinstall entire servers on a new site for disaster recovery as part of a business continuity plan.

Who is it recommended for?

Bitdefender produces GravityZone in a number of packages that suit businesses of different types and sizes. These range from a plan for home businesses to one for managed service providers. The core units of these editions are the AV and the backup and recovery system. Other options include a patch manager.


  • Simple UI reduces the learning curve and helps users gain insights faster
  • Uses both signature-based detection and behavior analysis to identify threats
  • Offers disc encryption on top of endpoint protection
  • Includes device control options for locking down USB ports


  • Could use more documentation to help users get started quicker

The GravityZone system also includes vulnerability scanning, automated patching, file integrity management, configuration management, and IP address blacklisting. This BitDefender product runs on top of a hypervisor, and it is available for a one-month free trial.