Backups are an essential part of any ransomware disaster recovery plan. In the event that an organization is hit with ransomware, it can simply use its backups to recover the system without paying a cent to the bad guys.
There’s just one problem: backups are not immune to ransomware. Increasingly advanced ransomware strains contain mechanisms that are designed to seek out and encrypt backups that are stored both locally and in the cloud. And, if a company’s backups get encrypted, it may have no other choice but to pay the ransom.
In this article, we’ll show you how ransomware can affect a company’s backups and what you can do to keep your backups safe.
How does ransomware encrypt backups?
There are many ways ransomware can infect a system, including email attachments, malicious links, drive-by downloads, RDP attacks, MSP tools and other third-party software. Once it has infected an endpoint, it can potentially spread to any backups held on devices that are write-accessible via standard protocols, such as NAS devices, locally installed cloud services and USB-connected devices.
There are a few ways it can do this:
Spreading through the network
Many small business owners understand the value of backups, yet may not have the resources or expertise to create and maintain a fully-fledged continuity strategy. Instead, they may take an ad-hoc approach, which might involve manually copying critical files to an external hard drive, or automating regular backups to a network-connected file-server.
Local backups are important, but they are not an effective solution when used alone. Many ransomware variants are capable of spreading laterally to other computers on the network and mapped network drives. If the system gets infected, there’s a good chance the ransomware will propagate across the network and encrypt the drive that holds the organization’s backups.
Syncing to cloud storage
Cloud storage is a convenient way to store files, but it’s not an effective way of maintaining backups – particularly when it comes to ransomware.
Many cloud storage services such as Dropbox, OneDrive and Google Drive automatically synchronize local files with files stored in the cloud. If your business gets hit with ransomware and the files on your network are encrypted, the files will also be encrypted in the cloud.
Some cloud storage service providers offer file versioning, which means it keeps multiple versions of files. If your company’s files are encrypted, you can simply roll back the files to a previous, unencrypted version. However, this feature is not supported by all cloud storage providers and may not be enabled by default.
Deleting System Restore points
System Restore, Windows’ built-in recovery tool, allows an administrator to reverse recent changes to the operating system, and can be useful for rolling back drivers and system files to previous versions. Unfortunately, System Restore does not save copies of personal files, including documents, photos and videos, which means it can’t be used to reverse encryption.
Even if System Restore could help restore personal files, many ransomware strains – including WannaCry, Cryptolocker and Locky – are designed to deliberately sniff out and delete volume shadow copies (the snapshots System Restore uses for recovery) using command-line commands.
Ransomware-proof your backups
A multilayered approach is the best way to protect backups against ransomware.
Local backups are fast, efficient and can be easily accessed whenever required. However, as mentioned above, local backups are vulnerable to ransomware, which can potentially spread across the network.
While offsite storage solutions are generally slower and less convenient, they are more isolated from the company network, and are therefore considered more reliable. Using a blend of local and offsite backups provides the best of both worlds.
With this in mind, the easiest way to ransomware-proof backups is to apply the 3-2-1 rule, which stipulates that a business should:
- Keep at least three copies of its files.
- Store the copies on at least two different types of storage media.
- Store at least one copy offsite.
Remember to always use unique logins and passwords for all backup systems (and everything else for that matter!).
Keep at least 3 copies
The more backups a business has, the less risk there is of losing data. Companies should aim to maintain at least three copies of their data. Should one copy be lost due to ransomware, theft, technical error or natural disaster, business leaders can rest assured that there will be other copies to fall back on.
Store at least two copies on different devices
All devices fail sooner or later. Diversifying storage media minimizes the risk of backups failing at the same time. When storing backups locally, use at least two different types of storage media, such as a local drive, file server, NAS device or tape drive.
Store at least one copy offsite
For maximum protection, at least one copy of the backups should be completely isolated from the network and preferably stored offline, where it will be safe from ransomware.
There are a few different options for storing company backups offsite. Tape backup systems might seem like a somewhat outdated solution, but they remain a popular option thanks to their cost-effectiveness, scalability and archival stability. Tape backup systems are usually not connected to any network and can therefore not be affected by ransomware.
Cloud backup services offer a more modern solution for creating and maintaining offsite backups. Cloud backup servers are housed in secure, purpose-made facilities that usually include environmental controls, backup power supplies, fire suppression systems and more. If ransomware or a local disaster natural wipes out your company’s local backups, you can use cloud backups to get back up and running.
Cloud storage vs cloud backups
It’s important to note that cloud storage services and cloud backup services are not the same thing. Cloud storage services are designed to do just that – store files. They may not offer file versioning, which leaves backups vulnerable to ransomware, and they usually don’t allow you to retain your file system structure, which means if you ever need to recover your system, you’ll have to organize all your data by hand.
Cloud backup services, on the other hand, are made with disaster recovery and business continuity in mind. They allow you to retain your file system structure and usually include useful features such as file versioning, status reports, scheduling options and better encryption methods for transferring data. When it comes to ransomware-proofing your backups, cloud backup services are the superior option.
Regardless of the storage media your company chooses to use, it’s important to restrict access to only those with a legitimate business need. This involves being very selective of who has the login credentials to file servers and backup services, as well as limiting physical access to onsite backups via secure storage and access management. Limiting access to backups helps reduce the attack surface for ransomware and minimizes the chances of sensitive company information falling into the wrong hands.
Mitigating the effects of ransomware
A robust backup strategy is a critical ingredient for mitigating the effects of ransomware.
Emsisoft Enterprise Security + EDRRobust and proven endpoint security solution for organizations of all sizes. Start free trial
However, as with any data, backups can also be affected by ransomware. Using a combination of local and offsite backups will help reduce the risk of ransomware affecting your company’s backups and put your business in a stronger position to minimize downtime in the event of an infection.