Backups are a mandatory part of any ransomware disaster recovery plan. If a company is hit by ransomware, it can use its backups to recover its systems without paying the attackers a cent.
There is only one problem: backups are not immune to ransomware. Increasingly sophisticated ransomware strains have mechanisms designed to find and encrypt backups stored locally and in the cloud. And if a company’s backups are encrypted, it is left with no option but to pay the ransom.
In this article, we will show you how ransomware affects a company’s backups and what you can do to secure your backups.
How does ransomware encrypt backups?
Ransomware can infect a system in many ways, including email attachments, malicious links, drive-by downloads, RDP attacks, MSP tools, and other third-party software. Once it infects an endpoint, it spreads to any backups on devices the endpoint can write to via standard protocols, such as NAS devices, locally installed cloud services, and USB-connected devices.
Here are some of the ways this happens:
Expanding through the network
Most small business owners understand the value of backups, though they may lack the resources or expertise to create and maintain a full-fledged continuity strategy. Instead, they may take an ad hoc approach, such as manually copying critical files to an external hard drive, or automating regular backups to a network-connected file server.
Local backups are important, but they are not an effective solution when used alone. Many ransomware variants can spread laterally to other computers on the network and to mapped network drives. If one system is infected, the ransomware has a good chance of spreading across the network and encrypting the drive that holds the company’s backups.
Syncing cloud storage
Cloud storage is a convenient way to store files, but it is not an effective way to manage backups – especially when it comes to ransomware.
Many cloud storage services, such as Dropbox, OneDrive and Google Drive, synchronize local files with the copies stored in the cloud. If your business is hit by ransomware and the files on your network are encrypted, the files can also be encrypted in the cloud.
Some cloud storage providers offer file versioning, which means they keep multiple versions of each file. If your company’s files are encrypted, you can go back to the previous, unencrypted version of the files. However, not all cloud storage providers support this feature, and it may not be enabled by default.
Deleting system restore points
System Restore, a built-in Windows recovery tool, allows an administrator to reverse the most recent changes to the operating system and to roll drivers and system files back to previous versions. Unfortunately, System Restore does not save copies of personal files such as documents, photos, and videos, which means it cannot be used to reverse the encryption.
Even if System Restore could help restore individual files, many ransomware families, including WannaCry, Cryptolocker, and Locky, are built to deliberately delete volume shadow copies (the snapshots that System Restore uses for recovery) using command-line commands.
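Because shadow copies are removed from the command line, process-creation logs are where defenders can spot it. The following Python example is added here for illustration and is not part of the original article; the log format, rule names and sample events are constructed, while vssadmin, wmic and the Win32_ShadowCopy WMI class are real Windows components.

```python
import re

# Command-line patterns for Volume Shadow Copy deletion.
# Rule names are made up for this example.
RULES = {
    "vssadmin-delete-shadows": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic-shadowcopy-delete": re.compile(
        r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wmi-win32-shadowcopy-delete": re.compile(
        r"\bwin32_shadowcopy\b.*\b(?:delete|remove-wmiobject|remove-ciminstance)\b", re.I),
}

# Constructed sample events: timestamp|host|parent process|command line
SAMPLE_EVENTS = """\
2024-05-02T09:14:07Z|WS-014|explorer.exe|vssadmin list shadows
2024-05-02T09:31:55Z|WS-014|invoice_viewer.exe|cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
2024-05-02T09:31:56Z|WS-014|invoice_viewer.exe|wmic.exe shadowcopy delete
2024-05-02T09:40:12Z|FS-01|backup_agent.exe|backup_agent.exe --job nightly
"""

def scan(log_text):
    """Return one finding per event whose command line matches a rule."""
    findings = []
    for line in log_text.splitlines():
        # maxsplit=3 keeps any '|' inside the command line itself intact
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing mid-triage
        ts, host, parent, cmdline = parts
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                findings.append({"time": ts, "host": host,
                                 "parent": parent, "rule": name})
                break
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Administrators and backup software sometimes delete shadow copies legitimately, so a hit should be triaged by host and parent process rather than treated as proof of infection.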
Ransomware-proof your backups
A multilevel approach is the best way to protect backups from ransomware.
Local backups are fast, efficient and easily accessible when needed. However, as mentioned above, local backups can be infected by ransomware that spreads over the network.
Offsite storage solutions are generally slower and less convenient, but they are more isolated from the company’s network and are therefore considered more reliable. Using a mix of local and offsite backups provides the best of both worlds.
With this in mind, the easiest way to ransomware-proof your backups is to apply the 3-2-1 rule, which says that a business must:
- Keep at least three copies of its files.
- Store copies in at least two different types of storage media.
- Store at least one copy offsite.
Remember to always use unique logins and passwords for all backup systems (and everything else, for that matter!).
Keep at least 3 copies
The more backups a business has, the lower the risk of losing data. Organizations should plan to maintain at least three copies of their data. If a copy is lost due to ransomware, theft, technical error, or natural disaster, business leaders can rest assured that there will be other copies to restore from.
Store at least two copies on different devices
All devices fail sooner or later. Diversifying storage media reduces the risk of all backups failing at the same time. When storing backups locally, use at least two types of storage media, such as a local drive, file server, NAS device, or hard drive.
Store at least one copy offsite
For maximum protection, at least one copy of the backups must be completely isolated from the network and stored offline, where it is safe from ransomware.
There are a few different options for storing company backups offsite. Tape backup systems may seem like an outdated solution, but they are not, thanks to their cost-effectiveness, scalability and archival stability. Tape backup systems are usually not connected to any network and are therefore not affected by ransomware.
Cloud backup services provide a more advanced solution for creating and managing offsite backups. Cloud backup servers are located in secure, purpose-built facilities that typically include environmental controls, backup power supplies, fire suppression systems and more. If ransomware or a local natural disaster wipes out your company’s local backups, you can use cloud backups to recover and get running again.
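The 3-2-1 counts alone do not show whether a copy would outlast an infected endpoint, which is the point of the sections above on network spread, syncing and offline storage. The following Python example is added here and is not part of the original article; the field names, the "survives" test (a copy counts if endpoints cannot write to it or if earlier versions are retained) and both inventories are assumptions made for illustration, and the inventory is assumed to list every copy of the data.

```python
from dataclasses import dataclass

@dataclass
class BackupCopy:
    name: str
    media: str               # "disk", "nas", "tape", "cloud", ...
    offsite: bool
    endpoint_writable: bool  # mapped drive, sync client or USB on a workstation
    versioned: bool = False  # earlier file versions are retained

    def survives_endpoint_infection(self):
        # An infected endpoint can only ruin copies it can overwrite for good.
        return not self.endpoint_writable or self.versioned

def survivors(copies):
    """Names of copies still usable after an endpoint is encrypted."""
    return [c.name for c in copies if c.survives_endpoint_infection()]

def audit_321(copies):
    """Return rule failures for an inventory; an empty list means it passes."""
    findings = []
    if len(copies) < 3:
        findings.append(f"{len(copies)} copies held, rule needs at least 3")
    if len({c.media for c in copies}) < 2:
        findings.append("fewer than two media types in use")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    elif not any(c.offsite and c.survives_endpoint_infection() for c in copies):
        findings.append("offsite copy exists but endpoints can overwrite it")
    return findings

# Constructed inventories; every name below is illustrative.
AD_HOC = [
    BackupCopy("file-server share", "disk", offsite=False, endpoint_writable=True),
    BackupCopy("mapped NAS drive", "nas", offsite=False, endpoint_writable=True),
    BackupCopy("synced cloud folder", "cloud", offsite=True, endpoint_writable=True),
]
LAYERED = [
    BackupCopy("file-server share", "disk", offsite=False, endpoint_writable=True),
    BackupCopy("weekly tape, stored offline", "tape", offsite=True, endpoint_writable=False),
    BackupCopy("cloud backup service", "cloud", offsite=True,
               endpoint_writable=True, versioned=True),
]

if __name__ == "__main__":
    for label, inventory in (("ad hoc", AD_HOC), ("layered", LAYERED)):
        print(label, audit_321(inventory) or "passes", survivors(inventory))
```

The ad hoc inventory has three copies, three media types and an offsite copy, yet nothing in it survives, because every copy is writable from the endpoints.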
If you find unwanted or unknown backup software on your computer that was installed without your permission, uninstall it immediately.
Cloud storage vs cloud backup
It is important to note that cloud storage services and cloud backup services are not the same thing. Cloud storage services are designed to do just that: store files. They may not provide file versioning, which leaves the backups exposed to ransomware, and they usually don’t allow you to retain your file system structure, which means that if you ever need to recover your system, you have to sort out all your data yourself.
Cloud backup services, on the other hand, are designed with disaster recovery and business continuity in mind. They allow you to maintain your file system structure and generally have useful features such as file versioning, status reports, scheduling options, and improved encryption methods for transferring data. When it comes to ransomware-proofing your backups, cloud backup services are the superior option.
Regardless of what storage media your company chooses to use, it is important to restrict access to only those with a legitimate business need. This means limiting who has login credentials to files, servers and backup services, as well as limiting physical access to onsite backups through secure storage and access management. Limiting access to backups helps reduce the attack surface for ransomware and reduces the chances of sensitive company information getting into the wrong hands.
Minimizing the effects of ransomware
A robust backup strategy is a critical element to minimize the effects of ransomware.
However, as with any data, backups can also be affected by ransomware. Using a combination of local and offsite backups can help reduce the risk of ransomware affecting your company’s backups and keep your business in a strong position to minimize downtime in the event of an infection.