How to Protect your Backups from Ransomware in 2021

Ransomware attacks can be crippling. However, businesses that have all of their data backed up can recover from an attack without paying the ransom. Covering your data security with secure backups is a good idea, but you also need to protect backups from ransomware.

Unfortunately, your backups can also be vulnerable to ransomware infection, so you can find yourself with your backup rendered unusable as well as your primary data stores. We look at strategies that can reduce your vulnerability to ransomware.

Six myths about ransomware

When you read around the topic of backups for ransomware protection, you will read some advice that is wrong or out of date. So, let’s bust some myths.

1. Ransomware infection doesn’t get into backups because it activates immediately – Not true. Some ransomware acts as a timebomb, waiting before being started. This hacker strategy was created to knock out backups.
2. Ransomware only infects Windows and so crossing over to backup on a different operating system strips out the threat – Infected files can be stored onto a cloud platform, and the encryption will still activate there.
3. Ransomware can’t activate in encrypted backups – An executable file won’t run if its code has been altered by encryption. However, when you unbundle that backup to recover from an infection, the infection will become executable again and will activate.
4. Ransomware only attacks big corporations – Unfortunately, everyone is a potential target. Even private users get attacked on their home computers.
5. It’s cheaper and easier to plan to pay the ransom rather than spend money on recovery systems – Paying the ransom doesn’t always get you the decryption key. Also, those that pay the ransom mark themselves out as easy targets for reinfection.
6. Ransomware attacks are revenge aimed at big corporations that screwed people over – While companies that mistreat people do attract revenge attacks, many ransomware hackers just send out phishing emails in bulk hoping that a percentage of those will work.

The reality about ransomware

Ransomware gets into your system through emails. The code for system encryption is embedded in an attachment. Another avenue comes from malicious websites that popup a notification, ironically, telling the visitor that their computer is infected and they need to download a tool to remove it.

Ransomware can be hidden in PDFs, ZIP files, RAR files, IMG, and ISO files. Of course, EXE files are also potential ransomware infections.

Initially, the ransomware only encrypts the computer that it is downloaded onto. So, if one of your users opens an email attachment or downloads a file from a website, only that device’s files will be encrypted. Therefore, user devices are the most susceptible to attack, but sophisticated ransomware packages can travel across a network. Time-delayed viruses can be uploaded onto shared drives through syncing.

It is those network-connected infections that can do severe damage. If they get onto your central servers where you host databases, you could be in serious trouble. These ransomware attacks would pass into your backup system and could cause infections there. Such attacks are the reasons that you need to protect backups from ransomware.

Protect backups from ransomware

Protect backups from ransomware by intercepting viruses before they get onto your backup server. An infected backup copy is useless. Even if the ransomware can’t or doesn’t activate on the backup drive, it will just reinfect the protected device when you restore the backup.

There are four points at which you need to prevent ransomware infections:

1. Block users from downloading viruses and infected files
2. Block infections from transmitting around the network
3. Block ransomware from uploading to shared drives through syncing
4. Block ransomware from getting onto the backup server

Focusing on removing ransomware from a backup server is the wrong approach. The only way to adequately protect backups from ransomware is to stop it from getting there.

Secure backup strategies

There is no backup strategy that will fully protect backups from ransomware. You should be applying several rules to your backup routines to ensure that your system can be restored without complications.

The Rule of 3-2-1

The traditional rule for backup is called the 3-2-1 system. You should practice this. This system requires three copies of all of the files on your system:

1. The original file
2. A copy on-site on a different medium
3. An offsite copy

Many system administrators strongly recommend that the first backup held on-site be saved to a removable storage medium, such as DAT tape.

Full, differential, and incremental backups

The second copy held on-site and the third copy, which is stored offsite, require different strategies.

There are three ways that you can get a backup.

• Full backup – Copy everything
• Differential backup – Copy everything that has changed since the last full backup
• Incremental backup – Copy everything that has changed since the last backup of any type

Differential and incremental backups to fixed drives, either onsite or offsite, are quicker than full backups. However, they are challenging to perform on tape. Tape is better for full backups.

You don’t have to use both your onsite and offsite backups in the same way. You should also get a secure storage location for your onsite tapes, such as a fireproof safe.

Versioning and rollbacks

The perfect backup strategy for your business greatly depends on your business’s size and pace of activity. Traditionally, system managers are advised to perform a full backup once a week and an incremental or differential backup daily. This schedule might be too infrequent in fast-paced businesses where every moment of data processing is vital, such as a stock trading platform.

Versioning is a good practice to protect backups from ransomware. Rather than performing an incremental backup that wipes out earlier backup copies of specific files, the system preserves the original state and saves the new version separately. Unfortunately, as those versions are usually held on the same drive, an infection in the latest version will knock out all versions.

There is a way that you can implement versioning and allow you to roll back to a clean copy. This is just about the most substantial hope you can have of recovering from a backup that a ransomware executable file has already infected.

Considering that the 3-2-1 rule gives you two copies of every file, you can implement incremental backups on one store and versioning on another. While there are sophisticated software tools to manage versioning, there is a simple way you can implement the strategy. That is, make your onsite backup to tape a full daily backup.

Time your tape backup for when overnight batch processes have been completed. This ensures you get the most up-to-date state of data before staff turns up for work.

Ransomware attacks are most likely to hit during business hours because user actions usually kick them off. In these cases, you can shut down the system and then restore it from tape. This will temporarily wipe out all of that day’s transactions. However, this is better than nothing and will ensure that the ransomware program is wiped out.

Once the system is back, and the users have most of their data, you have time to look through the offsite incremental backup, compare file versions and see where you can provide a more up-to-date version of specific files. This strategy would be suitable for a high turnover site where incremental backups are performed at several points of the day.

Distributed backups

Protect your backups from ransomware by making it difficult for the ransomware program to spread between different types of data. Run separate backup systems for different kinds of data and even create other people responsible for backing up data.

A clear division of labor in backing up lies with DBAs. The DBA should be responsible for backing up the database separately from all other data stores. The database could be backed up to a different cloud storage account, keeping it completely separate from file server backups, which would be the system administrator’s responsibility. Back up desktops separately with a particular cloud account for each desktop. This strategy will protect your backups from ransomware by containing the outbreak to one backup location.

Remember, the ransomware infection is most likely to occur on a user endpoint. If you can contain it there, you have protected all of your other devices and backup stores.

Backup protection software

Protect backups from ransomware by spotting ransomware early before it gets onto the backup storage. Make sure that your backup software can filter out ransomware infections.

Look into these security systems to block ransomware from your system and protect your backups from ransomware.

1. CrowdStrike Falcon Prevent (FREE TRIAL) An extended detection and response system that watches all endpoints. This is a cloud-coordinated service.
2. ManageEngine DataSecurity Plus A file protection system that can identify ransomware as soon as it hits an endpoint. It runs on Windows Server.
3. BitDefender GravityZone A package of system protection and secure backup management. It runs as a virtual appliance.
4. Acronis Cyber Backup A backup management system that scans for malware during file transfers. This is a cloud platform.

The best Backup Protection software

1.CrowdStrike Falcon Prevent (FREE TRIAL) 

CrowdStrike Falcon is a suite of security products. Within that line is Falcon Prevent, which is an endpoint detection and response system. It installs on each endpoint on your network and individually protects devices from ransomware infection.

The Falcon system extends to a cloud console that coordinates the actions of each endpoint. Although Falcon Prevent should detect and block ransomware as soon as it hits a device, the coordinator, called Falcon Insight alerts technicians to the attack.

By combining endpoint-resident antimalware and cloud-based threat detection, CrowdStrike Falcon offers complete protection for a company’s IT system. You can test CrowdStrike Prevent on a 15-day free trial.

CrowdStrike Falcon Prevent Start 15-day FREE Trial

2. ManageEngine DataSecurity Plus

ManageEngine DataSecurity Plus protects files from tampering and so can spot the unauthorized changes that ransomware implements. The settings of the file monitor can be tuned to focus on mass changes. This service protects servers running Windows, which is the operating system most frequently attacked by ransomware.

Although a change has to occur before DataSecurity Plus can spot it, the system includes automated responses and technician alerting. The automated responses include lockdown of the infected device, which will prevent the ransomware from spreading across the network.

ManageEngine DataSecurity Plus installs on Windows Server, and it is available for a 30-day free trial for assessment.

3. BitDefender GravityZone

BitDefender GravityZone is a complete cybersecurity system that includes anti-malware and backup management. This tool will spot ransomware as soon as it downloads on an endpoint, and it will also scan files before transferring them to backup.

The GravityZone package searches for ransomware on endpoints and the network. It can manage backups to local devices and remote servers and also implement file restore actions. The system can also reinstall entire servers on a new site for disaster recovery as part of a business continuity plan.

The GravityZone system also includes vulnerability scanning, automated patching, file integrity management, configuration management, and IP address blacklisting. This BitDefender product runs on top of a hypervisor, and it is available for a one-month free trial.

4. Acronis Cyber Backup

Acronis Cyber Backup manages full, differential, and incremental backups of physical and virtual servers. The system can also selectively back up specific systems, such as email, Web, and file servers. The backup system can also be used to backup SQL Server instances separately.

This system will backup hosts using Windows Server, macOS, and Linux. According to user preferences, it will backup right down to the operating system. The backup system includes a service called Active Protection. This scours all files on a drive covered by the backup service and spots malware activity, including activated ransomware. Acronis raises an alert and then kicks in automated responses, including file replacement for backup and system lockdown.

You can assess Acronis Cyber Backup on a 30-day free trial.

L’article How to Protect your Backups from Ransomware in 2021 est apparu en premier sur Comparitech.