Posey's Tips & Tricks

How To Ransomware-Proof Your Backups: 4 Key Best Practices

Backups are the only guaranteed way to save your data after a ransomware attack. Here's how to make sure your backup strategy has ransomware mitigation built right in.

• By Brien Posey
• 10/22/2019

One of the things I've always found interesting about working in tech is that, sometimes, enterprise IT and home users really aren't all that different from one another.

For example, I regularly have IT pros ask me how they can best protect their organizations against ransomware. At the same time, I often have friends and family (who are not involved in IT) ask me how they can protect themselves against that same enemy.

What I find interesting about this is that it shows that there is widespread awareness of ransomware, and that IT pros and laypersons alike find it to be a credible threat. It also shows, however, that many people are unsure of how to protect themselves against ransomware.

The advice I always give is that your backups are your most important defense against ransomware. At the same time, backups should be regarded as the last line of defense -- not the first. After all, it's better to prevent a ransomware infection from happening in the first place than to have to restore your backups in response to an infection that has already occurred.

Unfortunately, there is no magical silver bullet that can prevent all ransomware attacks. As such, it is important to practice defense-in-depth. Some of the defense mechanisms that you might consider include end user education (such as explaining to users why they shouldn't open suspicious e-mail attachments), application whitelisting, restrictive user permissions and aggressive malware scanning.

As important as these defense-in-depth techniques might be, backups are ultimately the only thing that can save an organization's data after a ransomware attack has already occurred. This, however, raises the question of how best to incorporate ransomware mitigation into an organization's backup strategy.

Once again, there is no single decisive thing you can do to ensure that your backups will protect you against a ransomware attack. However, there are a number of best practices that you can use to improve your odds of recovering your data after an attack.

1. Keep an Offline Backup
First, maintain a secondary offline backup copy. When a ransomware attack occurs, the ransomware could potentially attack anything that the user who accidentally triggered the attack has access to. Even though your end users probably aren't backup administrators, there are indirect methods through which backups can become infected. At that point, it's game over: Both the primary data and the backups have been compromised and there may not be another way to recover from the attack.

Having an offline backup copy acts as a stopgap. Ransomware cannot touch a backup that is disconnected from the system. As such, I strongly recommend regularly creating secondary backup copies to tape or to some other form of removable media. In my own organization, I use external hard drives for this purpose. These backups should be kept in a safe place and only brought online in a dire emergency.

2. Use Immutable Storage
Another best practice is to use immutable backup storage if at all possible. Most disk-based backup systems protect data at the block level and use changed block tracking to protect files as they are modified. The problem with this is that ransomware changes lots of storage blocks, and your backup system will actually end up backing up the now-encrypted files.

In theory, your backup software should be able to restore the data to its state just before the infection happened. In order to do that, however, it needs to be able to maintain a sufficient number of recovery points, and it needs to be able to protect the existing storage blocks from being modified. Using immutable storage can help to protect your backups against a ransomware attack.

3. Tap Anti-Malware Apps
Another thing you can do is incorporate anti-malware protection into your backup server. Obviously, every organization has its own unique backup architecture. However, some of the newer storage arrays have the ability to run apps directly on the array hardware. Vendors that enable such capabilities often provide access to an appliance-specific app store where you can probably find anti-malware applications. Capabilities vary widely, of course, but it is conceivable that such an app might be able to detect a ransomware attack in progress and stop it before it can do extensive damage.

4. Up the Frequency
Finally, take a look at how frequently you are backing up your data (the recovery point objective I mentioned in No. 2). The backup frequency is the primary factor that will determine how much data could be potentially lost in a ransomware attack, even if you are able to fully restore your backups.

If, for example, you are backing up data every 15 minutes, then you could potentially lose up to 15 minutes' worth of data in an attack because that data has not yet been backed up and therefore cannot be restored.