As devastating as a ransomware attack can be, if you back up your data — and protect your backups from ransomware — you can recover from an attack and shorten your recovery time and save yourself the ransom payment.
Establishing regular, secure backups will help you safeguard your data, but the next important step is to protect backups from ransomware. Keep in mind that even your backups can be subject to infection, and that you could end up with both your production and backup data unusable. This post illustrates that, when you protect backups from ransomware, you improve your changes of ransomware recovery and enable yourself to get right back to business after an attack.
What is a ransomware attack?
Ransomware is a form of malicious code engineered to block your access to data and systems, usually by encrypting data. The attackers then claim to hold the encryption key for ransom. They often extend the attack by threatening to publish your data if you don’t pay the ransom (although there is, of course, no guarantee they will cease their threats if you pay).
The scope of ransomware goes beyond individual files like databases, documents and spreadsheets. Attacks can corrupt applications and operating systems, too. In enterprises, targets include the authorization and authentication capabilities of Active Directory running on your domain controllers, which can bring all of your IT-dependent activity to a halt.
To get their ransomware into networks, cybercriminals usually send out phishing emails with malicious attachments or links to malicious websites. Or they may try to exploit vulnerabilities in operating systems or software applications, as they did during the WannaCry attack of 2017. And in a recent, particularly perverse twist, cybercriminals now seek out employees willing to release ransomware into their own organization’s network, in return for a portion of the payout.
Ransomware and backups
It’s essential to shield your backup and recovery systems and safeguard them from attacker’s attempts to corrupt, delete or encrypt your data. While you can restrict the network associations with backup storage repositories if you create a subnet intruders can’t see and place repositories there, it’s worth noting that encrypting your backups will make your data worthless to any bad actor who may access it.
Tactics to protect backups from ransomware
1. Maintain multiple copies of your data
One IT rule of thumb suggests that if you think you have two backups, you really have one — because one will fail. And, if you have one backup, you really have zero — for the same reason. From that rule comes the 3-2-1 strategy, in which you:
- always maintain 3 copies of your data
- store 2 of them locally, using different types of media
- store 1 copy off site (for example, in the cloud, at a remote site, or even on tape)
Why 3-2-1? Because it ensures that, in the face of any kind of disaster, you’ll be able to get your hands on and restore from multiple redundant copies of your data. The 3-2-1 strategy is part of a sound data protection architecture.
Your company may save money by not implementing 3-2-1, but only at the cost of a valuable, spare backup when disaster strikes.
2. Use full, differential and incremental backups
Since backups are your last line of defense, they are often the only way to restore information that has been altered, lost or destroyed due to an emergency or deliberate strike. Beyond maintaining the 3-2-1 rule, it’s prudent to further mitigate risk by diversifying your data backup techniques.
The act of making a duplicate of all your company’s data for protection in a single backup session is referred to as a full backup. This method makes sure you have an exact copy of every piece of data and eliminates the need to manage versions, hastening the process of recovery.
However, it is also the slowest method because of the sheer volume of information, and it also requires more disk space and network bandwidth. Advanced technologies such as data deduplication and compression can help you cut down on the storage space required and possibly speed up the entire procedure. If you have the backup time and storage capacity, then using a full backup yields the most reliable results.
Nevertheless, be sure to encrypt your full backup; otherwise, all the data can be exposed.
A type of data backup that captures only the files modified since the last full backup is called a differential backup. It includes data that was added or modified in any way, but does not involve copying all data each time.
As a result, it requires less storage space than a full backup, which is beneficial cost-wise. However, it can be slower to restore than a full backup, and more complicated to manage because restoring involves two different sources. Differential backups may be able to provide faster recovery time compared to incremental backups, depending on the type and medium of data storage you use. Also, differential backups create a dependency on the full backups they’re based on. Care must be taken to ensure that replicated differential backups always include the full they’re based on.
Differential backups can help simplify recovery with shorter backup time frames; however, as they progress towards the next full backup, they grow larger. Again, storage reduction through technologies like deduplication can help reduce their size.
A full backup is always the initial step when it comes to incremental backups. In an incremental backup, only changes and additions since the previous backup are saved. In that regard, it resembles a differential backup. In contrast, though, the differential backup is based on changes to the last full backup, while incremental backups following the original one are based on changes to the most recent incremental backup.
Typically, this kind of method requires less storage space than either of the other two alternatives. To make use of even less storage space, consider doing byte-level rather than block-level incremental backups.
Incremental backup save sets are dependent on each incremental backup in the chain, all the way back to and including the full backup they’re based on. A backup strategy with long incremental chains can increase overall required retention, since a full backup may not be expired until all of its incremental dependents also expire.
Restores take longer with incremental backups. Also, they can require effort to manage because all files in the entire backup chain are needed at the time of restoring.
Incremental backup moves a relatively small amount of data from source to target, so it is ideal if time and network bandwidth are at a premium.
3. Distribute backup tasks and access
One way to keep ransomware away from your backups is to impede its movement across different types of data. Consider distributing backup tasks among separate backup systems for different kinds of data. Also, distribute the role of backup administrator among different IT staff members so that no single admin has access to all backups. For example:
- Database administrators (DBAs) are responsible for backing up only databases.
- Databases are backed up separately from all other data stores.
- Databases are backed up to a given site or cloud storage account.
- System administrators back up file servers to a different site or cloud account.
- Each desktop and laptop is backed up separately, to its own cloud account.
A distributed scheme helps protect your backups from ransomware by restricting the outbreak to fewer sites and accounts. Keeping any single user from having access to all backups mitigates the risk that a ransomware attack will poison all your backups.
4. Limit access to the backup software and repositories
Similarly, limit access to your backup console and repositories. The tactic is to create multiple backup admin roles, then grant privileges and assign responsibilities to each role that do not overlap one another.
An example is to assign to different roles the main responsibilities, including:
- Backup job creation
- Retention policies
5. Air-gap your backups — and your backup plan
If you suffer a ransomware attack, you’ll naturally turn to restore from your uninfected backups. Unfortunately, ransomware actors know that you’re going to do that and they write their code to find and destroy all the backups they can reach. They want to keep you from being able to restore your data yourself so that you’ll have to pay the ransom.
That’s why a big part of protecting backups from ransomware is to keep them where they can’t be affected by an attack. That means someplace that’s offline, disconnected and inaccessible from your internal networks and the internet.
Air-gapping backups stores data on a removable media like disks and backups can allow data to be stored off site; allowing for a literal air gap between your network and your backups. Of course, air gapping backups is not elegant or cheap for either backup or recovery. In fact, it can greatly slow your recovery from a ransomware attack because it takes a long time to retrieve, transport, mount and read data.
What’s an alternative? You can store your backups in the cloud with a trusted provider. It’s an easier method that still allows for an off-site method. Additionally, cloud backups can allow you the option of recovering to different locations and speeding up ransomware recovery, if need be.
Note that, if you decide to use cloud storage, you should encrypt your backup data before it leaves your network.
6. Harden the data backup with immutable storage
Keep a copy of your backup data in WORM (Write-Once Read-Many) storage, otherwise known as immutable backup storage. This type of storage media plays a role in your ransomware recovery efforts by preventing the data from modification or deletion. You can, of course set a date for deletion in your data retention scheme. Once your data is written to WORM media, even ransomware cannot edit, delete or encrypt it.
Whether in creating backups or restoring from them, manual procedures can be time-consuming, imprecise and flawed. Backups must be done correctly and on a regular basis, no matter who is on holiday or whatever else the IT team is focused on.
Automating processes is especially important for disaster recovery. especially when a business loses money for each second systems are not functioning properly. According to Gartner in Restore vs. Rebuild— Strategies for Recovering Applications After a Ransomware Attack, “Prompt recovery of affected systems will be impossible if organizations have to rely on manual processes and procedures.”
8. Increase backup frequency
Making full backups frequently is the key to getting back up and running quickly after a ransomware attack. For the fullest protection, it’s best to back up everything every day so you catch all changes, updates and additions. If you don’t perform full backups often enough, you’ll take longer to recover your data and fall short of your recovery point objectives (RPO).
Successful recovery requires a full backup performed relatively recently, enabling you to restore to a point where your systems were safe.
9. Monitor continuously
Through continuous monitoring, you have a better chance of identifying small changes in a system as soon as they take place. That makes it easier to isolate, contain and remedy infected devices before the ransomware has a chance to get into your network. If you scan your systems infrequently, you increase the risk of discovering ransomware after it is too late.
10. Use multifactor authentication
Multifactor authentication (MFA) is essential for your admin accounts. MFA makes users — authorized and illegitimate — enter an additional credential besides username and password. It can be a substantial obstacle to an attacker trying to breach the backup console to modify your policies and jobs, or even delete your existing backups.
If your backup repositories reside on systems that are run from other consoles, MFA is valuable there, too.
11. Extend your backup strategy to Active Directory
Being able to back up and recover data like your file systems and databases is one thing. But on a Windows network you’ll need your Active Directory (AD) instance to make use of it all after a disaster. For example, when Maersk, the worldwide shipping company, was infected by NotPetya malware, it had backups of much of its data, but it had no recent backup of AD. Faced with rebuilding its AD from scratch, it was fortunate to discover an offline domain controller in another region, which it used as a backup.
AD backup and recovery are non-trivial processes, so the software you choose should offer control, flexibility and automation. To prevent reintroducing the infection when bringing domain controllers back, you should limit places where malware can hide.
The question isn’t if ransomware will strike, but when. Often the only thing standing between you and a ransomware attack is your eternal vigilance. And, the only thing you can do to prevent an attack from becoming a catastrophe is to protect your backups from ransomware.
These techniques are in the toolkit of every smart IT group. Following these tactics for protecting backups from ransomware you’ll have done almost everything possible to keep threats of ransomware at bay.