Ransomware attacks can be crippling. However, businesses that have all of their data backed up can recover from an attack without paying the ransom. Covering your data security with secure backups is a good idea, but you also need to protect backups from ransomware.
Unfortunately, your backups can also be vulnerable to ransomware infection, so you can find yourself with your backup rendered unusable as well as your primary data stores. We look at strategies that can reduce your vulnerability to ransomware.
Six myths about ransomware
When you read around the topic of backups for ransomware protection, you will read some advice that is wrong or out of date. So, let’s bust some myths.
- Ransomware doesn’t get into backups because it activates immediately – Not true. Some ransomware lies dormant for days or weeks before it fires. Attackers use the delay so that the payload is copied into your backups before anyone notices, and so that, if the dormant period outlasts your retention window, every backup you still hold contains it.
- Ransomware only infects Windows, so backing up to a different operating system strips out the threat – Not true. A backup faithfully copies the malicious file along with everything else, whether the target is a Linux backup server or a cloud bucket. It will not run there, but it will run again as soon as you restore it to a Windows host. Ransomware families that target Linux servers and VMware ESXi hosts also exist, so the backup platform itself is not immune.
- Ransomware can’t activate in encrypted backups – An executable won’t run while its bytes are encrypted at rest. However, when you decrypt and unpack that backup to recover from an infection, the executable is intact again and will run. Encryption protects the confidentiality of a backup; it does not sanitize it.
- Ransomware only attacks big corporations – Unfortunately, everyone is a potential target. Even private users get attacked on their home computers.
- It’s cheaper and easier to plan to pay the ransom than to spend money on recovery systems – Paying doesn’t always get you a working decryption key. Organizations that pay also mark themselves out as soft targets for a repeat attack.
- Ransomware attacks are revenge aimed at big corporations that screwed people over – Some companies do attract targeted attacks, but most ransomware operators send phishing emails in bulk, or scan for exposed remote-access services, and take whichever victims fall to them.
The reality about ransomware
Most ransomware arrives by email: the payload is in an attachment, or the message links to a download. Other common entry points are malicious websites that pop up a notice, ironically, telling the visitor that the computer is infected and that a “removal tool” must be downloaded, and remote-access services such as RDP or VPN gateways that are exposed to the internet with weak or stolen credentials.
Ransomware can be hidden in PDFs, macro-enabled Office documents, ZIP and RAR archives, and IMG and ISO disk images. EXE files are, of course, potential infections too. Disk images became popular with attackers because, until recently, Windows did not carry its Mark-of-the-Web warning through to the files inside a mounted image.
Initially, the ransomware only encrypts the computer it was downloaded onto. So, if one of your users opens an email attachment or downloads a file from a website, only that device’s files are encrypted at first. User endpoints are therefore the most exposed, but the malware reaches further than the endpoint: it encrypts any network share the user can write to, sophisticated families spread across the network under their own power or with stolen credentials, and both the encrypted files and a time-delayed payload can be copied to shared drives and cloud folders by ordinary file syncing.
It is those network-connected infections that do severe damage. If they reach the central servers that host your databases, you are in serious trouble, and whatever those servers hold, payload included, flows into the backup system on the next scheduled run. Such attacks are the reason you need to protect backups from ransomware.
Protect backups from ransomware
Protect backups from ransomware by intercepting the malware before it reaches your backup server. An infected backup copy is useless: even if the ransomware cannot or does not run on the backup store, it will reinfect the protected device when you restore.
There are four points at which you need to prevent ransomware infections:
- Block users from downloading viruses and infected files
- Block infections from transmitting around the network
- Block ransomware from uploading to shared drives through syncing
- Block ransomware from getting onto the backup server
Trying to clean ransomware out of a backup server after the fact is the wrong approach; stopping it from getting there is the main defense. Two further controls belong alongside it, because attackers now deliberately hunt for backups and delete or encrypt them before triggering the ransomware: keep at least one copy that the production network cannot write to (offline media, or storage with immutability and retention locks), and give the backup system its own credentials rather than domain accounts that a compromised endpoint could reuse.
Secure backup strategies
There is no backup strategy that will fully protect backups from ransomware. You should be applying several rules to your backup routines to ensure that your system can be restored without complications.
The Rule of 3-2-1
The traditional rule for backup is called the 3-2-1 system. You should practice this. This system requires three copies of all of the files on your system:
- The original file
- A copy on-site on a different medium
- An offsite copy
Many system administrators still recommend that the on-site backup be written to removable media, such as tape (LTO drives today; the DAT format cited in older advice is obsolete). The point of removable media is that, once ejected, the copy is not reachable by anything spreading over the network.
Full, differential, and incremental backups
The second copy held on-site and the third copy, which is stored offsite, require different strategies.
There are three ways that you can get a backup.
- Full backup – Copy everything
- Differential backup – Copy everything that has changed since the last full backup
- Incremental backup – Copy everything that has changed since the last backup of any type
Differential and incremental backups to fixed drives, either onsite or offsite, are quicker than full backups because they copy only what changed. However, they are awkward on tape: tape is sequential media, and restoring from a chain of increments means mounting and reading every tape in the chain in order. Tape is better suited to full backups.
You don’t have to use both your onsite and offsite backups in the same way. You should also get a secure storage location for your onsite tapes, such as a fireproof safe.
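The difference between the three backup types is easiest to see in code. The following is an added example, not code from the article or from any backup product: a small model that selects what each run copies from a day-numbered file system and works out which runs a restore has to read back. The file names, contents and edit schedule are constructed sample data, and deletions are not modelled.

```python
"""Added example, not code from the original article: a small model of full,
differential and incremental backups over a day-numbered file system, showing
what each run copies and which runs a restore has to read back.
All file names and contents are constructed sample data."""
from dataclasses import dataclass


@dataclass
class Run:
    kind: str    # "full", "differential" or "incremental"
    day: int     # day the run happened (runs happen at end of day)
    files: dict  # name -> content captured by this run


def select_files(kind, fs, last_full_day, last_run_day):
    """fs maps name -> (day_last_modified, content). Returns name -> content
    for the files this run must copy. Deletions are not modelled."""
    if kind == "full":
        cutoff = -1                 # copy everything
    elif kind == "differential":
        cutoff = last_full_day      # everything changed since the last full
    elif kind == "incremental":
        cutoff = last_run_day       # everything changed since the last run of any kind
    else:
        raise ValueError(f"unknown backup kind: {kind}")
    return {name: content for name, (mtime, content) in fs.items() if mtime > cutoff}


class BackupSchedule:
    def __init__(self):
        self.runs = []
        self.last_full_day = None
        self.last_run_day = None

    def backup(self, kind, day, fs):
        if kind != "full" and self.last_full_day is None:
            raise RuntimeError("differential and incremental runs need a prior full backup")
        files = select_files(kind, fs, self.last_full_day, self.last_run_day)
        self.runs.append(Run(kind, day, files))
        if kind == "full":
            self.last_full_day = day
        self.last_run_day = day
        return files

    def restore_chain(self, day):
        """Runs, in apply order, needed to rebuild the state as of `day`.
        A differential supersedes every earlier differential or incremental
        taken since the same full; incrementals after it must still be applied."""
        upto = [r for r in self.runs if r.day <= day]
        fulls = [i for i, r in enumerate(upto) if r.kind == "full"]
        if not fulls:
            raise RuntimeError("no full backup on or before that day")
        chain = [upto[fulls[-1]]]
        later = upto[fulls[-1] + 1:]
        diff_idx = [i for i, r in enumerate(later) if r.kind == "differential"]
        if diff_idx:
            chain.append(later[diff_idx[-1]])
            later = later[diff_idx[-1] + 1:]
        chain.extend(r for r in later if r.kind == "incremental")
        return chain

    def restore(self, day):
        state = {}
        for run in self.restore_chain(day):
            state.update(run.files)     # later runs overwrite earlier copies
        return state


def demo(strategy):
    """One full on day 1, then `strategy` runs on days 2-4 with one edit a day.
    Returns (files copied per run, restore chain length, restored state)."""
    fs = {"a.txt": (1, "a v1"), "b.txt": (1, "b v1"), "c.txt": (1, "c v1")}
    sched = BackupSchedule()
    copied = [len(sched.backup("full", 1, fs))]
    edits = {2: ("a.txt", "a v2"), 3: ("b.txt", "b v2"), 4: ("a.txt", "a v3")}
    for day, (name, content) in sorted(edits.items()):
        fs = dict(fs, **{name: (day, content)})
        copied.append(len(sched.backup(strategy, day, fs)))
    return copied, len(sched.restore_chain(4)), sched.restore(4)


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        print(strategy, demo(strategy))
```

Both strategies restore the same state, but the incremental schedule needs all four runs read back in order, so a lost or corrupted run breaks the restore of everything after it, while the differential schedule copies more each day and restores from two runs. That is the trade-off behind the advice to keep full backups on tape and increments on disk.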
Versioning and rollbacks
The perfect backup strategy for your business greatly depends on your business’s size and pace of activity. Traditionally, system managers are advised to perform a full backup once a week and an incremental or differential backup daily. This schedule might be too infrequent in fast-paced businesses where every moment of data processing is vital, such as a stock trading platform.
Versioning is a good practice to protect backups from ransomware. Rather than a mirror-style backup that overwrites the previous copy of a changed file, a versioned store keeps the earlier state and saves the new version alongside it, so the copy taken before the encryption is still there. Unfortunately, when all versions are held on the same drive, ransomware, or an attacker with access to that drive, can encrypt or delete every version at once.
Implement versioning so that you can roll back to a clean copy taken before the infection. That is about the most substantial hope you have of recovering from a backup that already contains a ransomware executable or its encrypted output.
The 3-2-1 rule gives you two backup copies of every file, so you can run incremental backups on one store and versioning on the other. Sophisticated software tools manage versioning for you, but there is a simple way to get the same effect: make your on-site tape backup a full daily backup, and keep each day’s tape rather than overwriting it on the next run.
Time the tape backup for when overnight batch processes have completed. That way you capture the most up-to-date state of the data before staff arrive for work.
The initial infection usually happens during business hours, because a user action kicks it off, although the encryption itself may be scheduled to start at night or over a weekend when nobody is watching. In either case you can shut the system down and restore it from the last clean tape. That discards the transactions made since the tape was written, but it is far better than nothing, and it guarantees the ransomware program is gone, provided you restore onto wiped or rebuilt machines rather than over the infected ones.
Once the system is back and users have most of their data, you have time to go through the offsite incremental backup, compare file versions and see where you can supply a more up-to-date copy of specific files. This strategy suits a high-turnover site where incremental backups run at several points during the day.
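The rollback described above is a point-in-time query against a versioned store. The following is an added example, not code from the article or from any backup product: an in-memory, content-addressed store that never overwrites an earlier version, and a rollback that returns each file as it stood just before the time the infection was detected. The timestamps, file contents and the `infected_since` value are constructed; in a real incident the cutoff would come from your detection logs.

```python
"""Added example, not from the original article: a versioned backup store
that never overwrites an earlier copy, plus a point-in-time rollback to the
last version captured before an infection was detected. In-memory stand-in
for the versioning feature of a real backup tool; all data is constructed."""
import hashlib
from dataclasses import dataclass


@dataclass
class Version:
    ts: int        # capture time (constructed epoch-style integer)
    digest: str    # sha256 of the content; identical content shares one blob


class VersionedStore:
    def __init__(self):
        self.blobs = {}     # digest -> bytes (content-addressed, deduplicated)
        self.history = {}   # path -> [Version, ...], oldest first

    def put(self, path, data, ts):
        """Record a new version of `path`. Returns False if content is unchanged."""
        digest = hashlib.sha256(data).hexdigest()
        hist = self.history.setdefault(path, [])
        if hist and hist[-1].digest == digest:
            return False
        self.blobs.setdefault(digest, data)
        hist.append(Version(ts, digest))
        return True

    def latest_before(self, path, cutoff):
        """Newest version of `path` captured strictly before `cutoff`, or None."""
        for version in reversed(self.history.get(path, [])):
            if version.ts < cutoff:
                return version
        return None

    def rollback(self, cutoff):
        """path -> content as it stood just before `cutoff`. Paths that only
        exist from `cutoff` on (for example a ransom note) are left out."""
        restored = {}
        for path in self.history:
            version = self.latest_before(path, cutoff)
            if version is not None:
                restored[path] = self.blobs[version.digest]
        return restored

    def version_count(self, path):
        return len(self.history.get(path, []))


def demo():
    """Two days of normal edits, then a constructed ransomware run at ts=300
    that replaces file contents with junk and drops a ransom note."""
    store = VersionedStore()
    store.put("report.docx", b"Q3 figures v1", ts=100)
    store.put("notes.txt", b"meeting notes", ts=150)
    store.put("report.docx", b"Q3 figures v2", ts=200)
    store.put("report.docx", b"Q3 figures v2", ts=250)   # unchanged: no new version
    store.put("report.docx", b"\x8f\x1a\xd3\x00\x41\x77\xc2\x9e", ts=300)
    store.put("notes.txt", b"\x10\xee\x5b\x02\xaa\x31\x7d\x90", ts=300)
    store.put("HOW_TO_DECRYPT.txt", b"your files are encrypted", ts=301)
    infected_since = 300   # constructed; would come from detection/logs in a real incident
    return store.rollback(infected_since)


if __name__ == "__main__":
    for path, data in demo().items():
        print(path, data)
```

The rollback recovers the last good `report.docx` and `notes.txt` and ignores the ransom note, which has no pre-infection version. The store itself is still a single target: if it sits on a drive the ransomware can write to, `history` and `blobs` go with everything else, which is why one copy should be offline or on immutable storage.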
Protect your backups from ransomware by making it difficult for the program to spread between different kinds of data. Run separate backup systems for different kinds of data and assign different people responsibility for each.
A clear division of labor falls to the DBAs. The DBA should back up the database separately from all other data stores, for instance to a different cloud storage account, keeping it completely separate from file server backups, which are the system administrator’s responsibility. Back up desktops separately again, with their own cloud account. This contains an outbreak to one backup location, but only if the accounts really are separate: if one administrator credential can reach every store, so can the attacker who steals it.
Remember, the ransomware infection is most likely to occur on a user endpoint. If you can contain it there, you have protected all of your other devices and backup stores.
Backup protection software
Protect backups from ransomware by spotting it early, before it reaches backup storage. Make sure your backup software scans data for ransomware as part of the backup job, so that infected or already-encrypted files are quarantined rather than written into the backup set.
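What such a pre-backup scan looks for can be shown without any vendor product. The following is an added example, not code from the article or from any of the tools listed below: a screen that inspects the files changed since the last backup run and blocks the job when they carry the usual marks of ransomware output, namely a renamed extension, a ransom note, near-random bytes in a file type that should be plain text, or an abnormal share of the file system changing at once. The extension and note-marker lists are illustrative rather than exhaustive, and the sample files are constructed.

```python
"""Added example, not from the original article or any vendor's product: a
pre-backup screen that inspects the files changed since the last run and
blocks the backup job when they look like ransomware output. Extension and
note-marker lists are illustrative, not exhaustive; sample files are constructed."""
import math
import random
from collections import Counter

RANSOM_EXTS = {".locked", ".encrypted", ".crypt", ".enc"}          # illustrative
NOTE_MARKERS = ("DECRYPT", "RECOVER_FILES", "RESTORE_FILES")       # illustrative
# Types that should never look random. Compressed or already-encrypted formats
# (zip, docx, jpg, pdf) are naturally high-entropy and are deliberately excluded.
PLAINTEXT_EXTS = {".txt", ".csv", ".log", ".sql", ".html", ".json", ".xml"}


def shannon_entropy(data):
    """Bits per byte: 8.0 is uniformly random, English text is roughly 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def split_ext(path):
    name = path.rsplit("/", 1)[-1]
    _, dot, ext = name.rpartition(".")
    return name, ("." + ext.lower()) if dot else ""


def screen(changed, total_files, max_change_ratio=0.5, entropy_threshold=7.0, min_size=64):
    """changed: list of (path, content) modified or created since the last run.
    total_files: size of the protected file set. Returns (block_backup, findings)."""
    findings = []
    for path, data in changed:
        name, ext = split_ext(path)
        if ext in RANSOM_EXTS:
            findings.append(f"{path}: ransomware-style extension {ext}")
        if ext in (".txt", ".html", "") and any(m in name.upper() for m in NOTE_MARKERS):
            findings.append(f"{path}: looks like a ransom note")
        if ext in PLAINTEXT_EXTS and len(data) >= min_size:
            entropy = shannon_entropy(data)
            if entropy > entropy_threshold:
                findings.append(f"{path}: {entropy:.2f} bits/byte in a {ext} file")
    ratio = len(changed) / total_files if total_files else 0.0
    if ratio > max_change_ratio:
        findings.append(f"{len(changed)}/{total_files} files changed since last run ({ratio:.0%})")
    return bool(findings), findings


def demo():
    """A normal day's changes next to a constructed ransomware run."""
    rng = random.Random(2024)                      # deterministic stand-in for ciphertext
    junk = bytes(rng.getrandbits(8) for _ in range(4096))
    clean_run = [("docs/plan.txt", b"quarterly plan: hire two analysts\n" * 5)]
    attack_run = [
        ("docs/plan.txt", junk),                      # text file now random bytes
        ("docs/budget.xlsx.locked", junk),            # renamed with a ransomware extension
        ("docs/HOW_TO_DECRYPT.txt", b"your files are encrypted, pay ..."),
        ("docs/todo.txt", b"untouched-looking note\n" * 4),
    ]
    return screen(clean_run, total_files=20), screen(attack_run, total_files=6)


if __name__ == "__main__":
    for verdict, findings in demo():
        print("BLOCK" if verdict else "OK", findings)
```

The clean run passes with no findings; the attack run is blocked on four counts. The entropy test is restricted to file types that are normally compressible, because a ZIP, a DOCX or a JPEG legitimately scores near 8 bits per byte, and the change-ratio test is what catches a family that keeps the original names and extensions.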
Look into these security systems to block ransomware from your system and protect your backups from ransomware.
- CrowdStrike Falcon Prevent (FREE TRIAL) A next-generation antivirus system that protects every endpoint and is coordinated from the cloud, paired here with the Falcon Insight endpoint detection and response module.
- NinjaOne Backup (FREE TRIAL) A data protection service that is structured for managed service providers and is ideal for ransomware protection for multiple sites and remote workers.
- SpinOne (FREE TRIAL) A SaaS platform of data protection services that include ransomware detection, backup systems, and data loss prevention.
- Acronis Cyber Protect (FREE TRIAL) This is a package of cloud-based services that can backup Windows, Linux, macOS, iOS, and Android and also provides anti-malware for office endpoints.
- ManageEngine DataSecurity Plus A file protection system that can identify ransomware as soon as it hits an endpoint. It runs on Windows Server.
- BitDefender GravityZone A package of system protection and secure backup management. It runs as a virtual appliance.
The best backup protection software
CrowdStrike Falcon is a suite of security products. Within that line, Falcon Prevent is the next-generation antivirus module. It installs on each endpoint on your network and individually protects that device from ransomware infection.
The Falcon agents report to a cloud console that coordinates them. Falcon Prevent should detect and block ransomware as soon as it hits a device; Falcon Insight, the endpoint detection and response (EDR) module, records the activity and alerts technicians to the attack.
By combining endpoint-resident antimalware with cloud-based threat detection, CrowdStrike Falcon covers a company’s IT system end to end. You can test Falcon Prevent on a 15-day free trial.
NinjaOne Backup is organized for managed service providers (MSPs). The system has a multi-tenant structure, which lets MSPs run the backup service on behalf of clients. The package includes cloud storage, segmented per sub-account and protected by 256-bit AES encryption; data transfers to and from protected endpoints are encrypted to the same standard.
Endpoints are enrolled by installing an agent, which carries out the backup strategy set in the web-based console. Backups can be full, incremental, or differential. Copies can be stored locally, on the Ninja platform, or on third-party cloud platforms. Remote workers are also covered, and they get a self-service portal through which they can have their data restored in the event of a ransomware attack.
The central management console allows for bulk actions and response automation, which can kick in, should a ransomware attack occur. You can make your own investigations into the NinjaOne Backup service by accessing a 14-day free trial.
SpinOne from Spin.ai protects files on cloud platforms from tampering. The system tracks file access and also scans for ransomware. Another strand of this package performs backup and recovery. When an unauthorized change is detected to a file, the system immediately disconnects all API access, blocking the source of the ransomware – programs don’t execute within the data storage itself, which makes preventing the spread of ransomware a lot easier.
The SpinOne system isolates infected files while it investigates the source of the attack. This prevents the damaged file from being copied over to the backup store, wiping out the original content. Once the source of the attack has been identified, the damaged files are deleted and then replaced with the backup copies.
Once a ransomware attack has been stopped and remediated, the SpinOne system generates a report, detailing what occurred and how the threat was dealt with. The SpinOne service includes the staff that manages the security software and this team includes cybersecurity analysts. The Spin.ai contract includes a 2-hour recovery promise in its service level agreement (SLA).
The SpinOne service offers a range of backup strategies, which allows file copies to be held on Azure, AWS, or GCP and also on local devices. Plans offer retention periods from 6 months to an indefinite backup storage service. The system is offered in editions that protect specific platforms. These are SpinOne for G Suite (Google Workspace), SpinOne for Microsoft 365, and SpinOne for Salesforce. You can get a 15-day free trial of any of these services.
Acronis Cyber Protect is a package of modules that enables system administrators to manage, protect, and back up a fleet of endpoints. The key tools in the bundle are an antimalware system and a backup service, the ideal combination for protection against ransomware. All of these systems are delivered from the cloud.
The Acronis system operates antimalware and backups separately but also uses the anti-malware to protect the backup system. All files and other data sources are scanned for infections before being added to the backup. This prevents ransomware from getting into your backup store and ruining that.
The restore process also uses malware scans. So, all data forms are checked again before being restored.
Acronis Cyber Protect is able to backup devices running Windows, macOS, Linux, iOS, and Android. It is available for assessment through a 30-day free trial.
ManageEngine DataSecurity Plus protects files from tampering and so can spot the unauthorized changes that ransomware implements. The settings of the file monitor can be tuned to focus on mass changes. This service protects servers running Windows, which is the operating system most frequently attacked by ransomware.
Although a change has to occur before DataSecurity Plus can spot it, the system includes automated responses and technician alerting. The automated responses include lockdown of the infected device, which will prevent the ransomware from spreading across the network.
ManageEngine DataSecurity Plus installs on Windows Server, and it is available for a 30-day free trial for assessment.
BitDefender GravityZone is a complete cybersecurity system that includes anti-malware and backup management. This tool will spot ransomware as soon as it downloads on an endpoint, and it will also scan files before transferring them to backup.
The GravityZone package searches for ransomware on endpoints and the network. It can manage backups to local devices and remote servers and also implement file restore actions. The system can also reinstall entire servers on a new site for disaster recovery as part of a business continuity plan.
The GravityZone system also includes vulnerability scanning, automated patching, file integrity monitoring, configuration management, and IP address blacklisting. This BitDefender product runs as a virtual appliance on top of a hypervisor, and it is available for a one-month free trial.