How to protect your backups from ransomware

Ransomware attacks can be crippling. However, businesses that have all of their data backed up can recover from an attack without paying the ransom. Covering your data security with secure backups is a good idea, but you also need to protect backups from ransomware.

Unfortunately, your backups can also be vulnerable to ransomware infection, so you can find yourself with your backup rendered unusable as well as your primary data stores. We look at strategies that can reduce your vulnerability to ransomware.

Six myths about ransomware

When you read around the topic of backups for ransomware protection, you will read some advice that is wrong or out of date. So, let’s bust some myths.

  1. Ransomware infection doesn’t get into backups because it activates immediately – Not true. Some ransomware acts as a timebomb, waiting before being started. This hacker strategy was created to knock out backups.
  2. Ransomware only infects Windows and so crossing over to backup on a different operating system strips out the threat – Infected files can be stored onto a cloud platform, and the encryption will still activate there.
  3. Ransomware can’t activate in encrypted backups – An executable file won’t run if its code has been altered by encryption. However, when you unbundle that backup to recover from an infection, the infection will become executable again and will activate.
  4. Ransomware only attacks big corporations – Unfortunately, everyone is a potential target. Even private users get attacked on their home computers.
  5. It’s cheaper and easier to plan to pay the ransom rather than spend money on recovery systems – Paying the ransom doesn’t always get you the decryption key. Also, those that pay the ransom mark themselves out as easy targets for reinfection.
  6. Ransomware attacks are revenge aimed at big corporations that screwed people over – While companies that mistreat people do attract revenge attacks, many ransomware hackers just send out phishing emails in bulk hoping that a percentage of those will work.

The reality about ransomware

Ransomware gets into your system through emails. The code for system encryption is embedded in an attachment. Another avenue comes from malicious websites that popup a notification, ironically, telling the visitor that their computer is infected and they need to download a tool to remove it.

Ransomware can be hidden in PDFs, ZIP files, RAR files, IMG, and ISO files. Of course, EXE files are also potential ransomware infections.

Initially, the ransomware only encrypts the computer that it is downloaded onto. So, if one of your users opens an email attachment or downloads a file from a website, only that device’s files will be encrypted. Therefore, user devices are the most susceptible to attack, but sophisticated ransomware packages can travel across a network. Time-delayed viruses can be uploaded onto shared drives through syncing.

It is those network-connected infections that can do severe damage. If they get onto your central servers where you host databases, you could be in serious trouble. These ransomware attacks would pass into your backup system and could cause infections there. Such attacks are the reasons that you need to protect backups from ransomware.

Protect backups from ransomware

Protect backups from ransomware by intercepting viruses before they get onto your backup server. An infected backup copy is useless. Even if the ransomware can’t or doesn’t activate on the backup drive, it will just reinfect the protected device when you restore the backup.

There are four points at which you need to prevent ransomware infections:

  1. Block users from downloading viruses and infected files
  2. Block infections from transmitting around the network
  3. Block ransomware from uploading to shared drives through syncing
  4. Block ransomware from getting onto the backup server

Focusing on removing ransomware from a backup server is the wrong approach. The only way to adequately protect backups from ransomware is to stop it from getting there.

Secure backup strategies

There is no backup strategy that will fully protect backups from ransomware. You should be applying several rules to your backup routines to ensure that your system can be restored without complications.

The Rule of 3-2-1

The traditional rule for backup is called the 3-2-1 system. You should practice this. This system requires three copies of all of the files on your system:

  1. The original file
  2. A copy on-site on a different medium
  3. An offsite copy

Many system administrators strongly recommend that the first backup held on-site be saved to a removable storage medium, such as DAT tape.

Full, differential, and incremental backups

The second copy held on-site and the third copy, which is stored offsite, require different strategies.

There are three ways that you can get a backup.

  • Full backup – Copy everything
  • Differential backup – Copy everything that has changed since the last full backup
  • Incremental backup – Copy everything that has changed since the last backup of any type

Differential and incremental backups to fixed drives, either onsite or offsite, are quicker than full backups. However, they are challenging to perform on tape. Tape is better for full backups.

You don’t have to use both your onsite and offsite backups in the same way. You should also get a secure storage location for your onsite tapes, such as a fireproof safe.

Versioning and rollbacks

The perfect backup strategy for your business greatly depends on your business’s size and pace of activity. Traditionally, system managers are advised to perform a full backup once a week and an incremental or differential backup daily. This schedule might be too infrequent in fast-paced businesses where every moment of data processing is vital, such as a stock trading platform.

Versioning is a good practice to protect backups from ransomware. Rather than performing an incremental backup that wipes out earlier backup copies of specific files, the system preserves the original state and saves the new version separately. Unfortunately, as those versions are usually held on the same drive, an infection in the latest version will knock out all versions.

There is a way that you can implement versioning and allow you to roll back to a clean copy. This is just about the most substantial hope you can have of recovering from a backup that a ransomware executable file has already infected.

Considering that the 3-2-1 rule gives you two copies of every file, you can implement incremental backups on one store and versioning on another. While there are sophisticated software tools to manage versioning, there is a simple way you can implement the strategy. That is, make your onsite backup to tape a full daily backup.

Time your tape backup for when overnight batch processes have been completed. This ensures you get the most up-to-date state of data before staff turns up for work.

Ransomware attacks are most likely to hit during business hours because user actions usually kick them off. In these cases, you can shut down the system and then restore it from tape. This will temporarily wipe out all of that day’s transactions. However, this is better than nothing and will ensure that the ransomware program is wiped out.

Once the system is back, and the users have most of their data, you have time to look through the offsite incremental backup, compare file versions and see where you can provide a more up-to-date version of specific files. This strategy would be suitable for a high turnover site where incremental backups are performed at several points of the day.

Distributed backups

Protect your backups from ransomware by making it difficult for the ransomware program to spread between different types of data. Run separate backup systems for different kinds of data and even create other people responsible for backing up data.

A clear division of labor in backing up lies with DBAs. The DBA should be responsible for backing up the database separately from all other data stores. The database could be backed up to a different cloud storage account, keeping it completely separate from file server backups, which would be the system administrator’s responsibility. Back up desktops separately with a particular cloud account for each desktop. This strategy will protect your backups from ransomware by containing the outbreak to one backup location.

Remember, the ransomware infection is most likely to occur on a user endpoint. If you can contain it there, you have protected all of your other devices and backup stores.

Backup protection software

Protect backups from ransomware by spotting ransomware early before it gets onto the backup storage. Make sure that your backup software can filter out ransomware infections.

Our methodology for selecting ransomware protection for backups

We reviewed the market for backup system ransomware protection and analyzed the options based on the following criteria:

  • A pre-transfer malware scan of all files
  • Disabling of executable files in backup repositories
  • Early detection of unplanned file encryption
  • Monitoring of Docker container resource usage
  • Identification of imposter programs
  • A free trial or a demo service for a free assessment opportunity before buying
  • Value for money from a scanner that can catch ransomware before it gets uploaded to backup repositories

Look into these security systems to block ransomware from your system and protect your backups from ransomware.

  1. NinjaOne Backup EDITOR’S CHOICE A data protection service that is available for use by managed service providers to offer data backups to clients as an extra service and protect against ransomware attacks. This cloud-based system integrates well with other NinjaOne services to MSPs. Get it on a 14-day free trial.
  2. SpinOne (FREE TRIAL) A SaaS platform of data protection services that include ransomware detection, backup systems, and data loss prevention.
  3. ThreatLocker (ACCESS FREE DEMO) Use this cloud-based security platform to block all unknown programs from running. That will prevent any malware, including ransomware from activating in your backup repository.
  4. Acronis Cyber Protect (FREE TRIAL) This is a package of cloud-based services that can backup Windows, Linux, macOS, iOS, and Android and also provides anti-malware for office endpoints.
  5. CrowdStrike Falcon Prevent An extended detection and response system that watches all endpoints. This is a cloud-coordinated service.
  6. ManageEngine DataSecurity Plus A file protection system that can identify ransomware as soon as it hits an endpoint. It runs on Windows Server.
  7. BitDefender GravityZone A package of system protection and secure backup management. It runs as a virtual appliance.

The best Backup Protection software

1. NinjaOne Backup (FREE TRIAL)

NinjaOne Backup

NinjaOne Backup is organized for managed service providers (MSPs). The system has a multi-tenant structure, which enables MSPs to implement the backup system on behalf of clients. The package includes cloud storage space, which is segments for each subaccount and protected by 256-bit AES encryption. Data transfers from and to protected endpoints are also covered by that grade of cipher.

Key Features:

  • Designed for MSPs
  • Service to MSP clients
  • Encrypts data in transit
  • Encrypts backup repositories
  • Backs up PCs and Macs

The system enrolls endpoints by downloading an agent. This manages the backup strategy, which is set in the Web-based console. Backups can be full, incremental, or differential. Copies can be stored locally, on the Ninja platform, or on third-party cloud platforms. Remote workers are also covered and they get a self-service portal, through which they can get their data restored in the event of a ransomware attack.


  • Simple and easy-to-use admin dashboard
  • Can silently install and uninstall applications and patches while the user works
  • Patch management and other automated maintenance tasks can be easily scheduled
  • Platform agnostic web-based management


  • Lacks support for mobile devices

The central management console allows for bulk actions and response automation, which can kick in, should a ransomware attack occur. You can make your own investigations into the NinjaOne Backup service by accessing a 14-day free trial.


NinjaOne Backup is our top choice for a ransomware protection system because it provides managed service providers with a tool that they can use to add extra services to their menu and earn more money. This system will back up PCs and Macs and offers a self-service portal that enables users to demand an automated restore of a computer. This is a great time-saver and reduces the number of calls that MSP technicians need to field from end users. The service allows technicians to specify multiple locations for repositories that provide speedy backup from local stores and insurance against local backup corruption from a cloud-located repository. Data is protected in transit and at rest by encryption.

Official Site:

OS: Cloud based

Related: Full NinjaOne Backup Review

2. SpinOne Backup Ransomware Protection (FREE TRIAL)

SpinOne Ransomware Protection

SpinOne from protects files on cloud platforms from tampering. The system tracks file access and also scans for ransomware. Another strand of this package performs backup and recovery. When an unauthorized change is detected to a file, the system immediately disconnects all API access, blocking the source of the ransomware – programs don’t execute within the data storage itself, which makes preventing the spread of ransomware a lot easier.

Key Features:

  • Detects unauthorized encryption
  • Blocks program execution in the repository
  • Scans for malware before upload
  • Isolates discovered malware

The SpinOne system isolates infected files while it investigates the source of the attack. This prevents the damaged file from being copied over to the backup store, wiping out the original content. Once the source of the attack has been identified, the damaged files are deleted and then replaced with the backup copies.

Once a ransomware attack has been stopped and remediated, the SpinOne system generates a report, detailing what occurred and how the threat was dealt with. The SpinOne service includes the staff that manages the security software and this team includes cybersecurity analysts. The contract includes a 2-hour recovery promise in its service level agreement (SLA).


  • Specializes in protecting data stored across cloud platforms
  • Includes both backup and recovery
  • Prevents ransomware by isolating threats
  • Includes a two-hour SLA for recovery


  • Better suited for cloud-based businesses

The SpinOne service offers a range of backup strategies, which allows file copies to be held on Azure, AWS, or GCP and also on local devices. Plans offer retention periods from 6 months to an indefinite backup storage service. The system is offered in editions that protect specific platforms. These are SpinOne for G Suite (Google Workspace), SpinOne for Microsoft 365, and SpinOne for Salesforce. You can get a 15-day free trial of any of these services.

SpinOne Ransomware Protection Access 15-day FREE Trial

3. ThreatLocker (ACCESS FREE DEMO)


ThreatLocker implements a closed security stance. It doesn’t matter what software gets onto your servers, it is blocked from running. So, you don’t need to worry about the infection of your backup server – they are just dead files that will never be able to activate. This means that you should check your system for unwanted files periodically to remove the malware files and prevent them from taking up space. However, there is no risk that ransomware will destroy your data.

It’s good that ThreatLocker blocks all software by default but you are going to need to permit some software to run on your endpoints. The ThreatLocker dashboard lets you compile an “allow list.” this is a whitelisting system and it can be applied to groups of devices or individual computers. This lets you permit the software you have licenses for to run on endpoints while simultaneously blocking all other programs.


  • Implements Zero Trust Access (ZTA)
  • Lets you construct a virtual network
  • Provides security for hybrid systems


  • Doesn’t include a full access rights manager

The concepts that ThreatLocker implements are quite new, so you will need to learn about application fencing methodologies to fully understand this system. Access a demo of the ThreatLocker platform to get to know the ZTA strategy.

ThreatLocker Access FREE Demo

4. Acronis Cyber Protect (FREE TRIAL)

Acronis Cyber Protect

Acronis Cyber Protect is a package of modules that enables system administrators to manage, protect, and backup a fleet of endpoints. The key tools in the bundle are an antimalware system and a backup service – the ideal combination for protection against malware. All of these systems are delivered from the cloud.

Key Features:

  • Includes malware scanner
  • Back up and restore
  • Back up Windows, macOS, Linux, iOS, and Android

The Acronis system operates antimalware and backups separately but also uses the anti-malware to protect the backup system. All files and other data sources are scanned for infections before being added to the backup. This prevents ransomware from getting into your backup store and ruining that.

The restore process also uses malware scans. So, all data forms are checked again before being restored.


  • Can clone via scripts and automated scheduling
  • Ideal for enterprise environments
  • Is easy to use without sacrificing advanced features
  • Available for Windows and Mac, a great cross-platform solution


  • Advanced features may take time to fully learn and utilize

Acronis Cyber Protect is able to backup devices running Windows, macOS, Linux, iOS, and Android. It is available for assessment through a 30-day free trial.

Acronis Cyber Protect Start 30-day FREE Trial

5. CrowdStrike Falcon Prevent

CrowdStrike Falcon

CrowdStrike Falcon is a suite of security products. Within that line is Falcon Prevent, which is an endpoint detection and response system. It installs on each endpoint on your network and individually protects devices from ransomware infection.

Key Features:

  • Next-generation antivirus
  • Continues working when offline
  • Isolates an infected computer

The Falcon system extends to a cloud console that coordinates the actions of each endpoint. Although Falcon Prevent should detect and block ransomware as soon as it hits a device, the coordinator, called Falcon Insight alerts technicians to the attack.


  • Excels in hybrid environments (Windows, Linux, Cloud, BYOD, etc)
  • Intuitive admin console makes it easy to get started and is accessible in the cloud
  • Can track and alert anomalous behavior over time, which improves the longer it monitors the network
  • Lightweight agents take up little system resources


  • Would benefit from a longer trial period

By combining endpoint-resident antimalware and cloud-based threat detection, CrowdStrike Falcon offers complete protection for a company’s IT system. You can test CrowdStrike Prevent on a 15-day free trial.

6. ManageEngine DataSecurity Plus

ManageEngine DataSecurity Plus

ManageEngine DataSecurity Plus protects files from tampering and so can spot the unauthorized changes that ransomware implements. The settings of the file monitor can be tuned to focus on mass changes. This service protects servers running Windows, which is the operating system most frequently attacked by ransomware.

Key Features:

  • Protects computers running Windows
  • Spots ransomware activity
  • Isolates an infected computer

Although a change has to occur before DataSecurity Plus can spot it, the system includes automated responses and technician alerting. The automated responses include lockdown of the infected device, which will prevent the ransomware from spreading across the network.


  • Provides a detailed account of file access, allowing sysadmin to understand the context of the file change
  • The platform can track access trends over time, allowing for better malicious behavior detection
  • Supports built-in compliance reporting for popular standards such as HIPAA, PCI DSS, and FISMA
  • Can integrate with numerous helpdesk solutions, notification platforms, and backup systems


  • Requires a sizable time investment to fully explore all the platforms features and tools

ManageEngine DataSecurity Plus installs on Windows Server, and it is available for a 30-day free trial for assessment.

7. BitDefender GravityZone

Bitdefender GravityZone

BitDefender GravityZone is a complete cybersecurity system that includes anti-malware and backup management. This tool will spot ransomware as soon as it downloads on an endpoint, and it will also scan files before transferring them to backup.

Key Features:

  • Malware scanning
  • Backup and recovery management
  • Choice of backup strategy

The GravityZone package searches for ransomware on endpoints and the network. It can manage backups to local devices and remote servers and also implement file restore actions. The system can also reinstall entire servers on a new site for disaster recovery as part of a business continuity plan.


  • Simple UI reduces the learning curve and helps users gain insights faster
  • Uses both signature-based detection and behavior analysis to identify threats
  • Offers disc encryption on top of endpoint protection
  • Includes device control options for locking down USB ports


  • Could use more documentation to help users get started quicker

The GravityZone system also includes vulnerability scanning, automated patching, file integrity management, configuration management, and IP address blacklisting. This BitDefender product runs on top of a hypervisor, and it is available for a one-month free trial.