
Can you provide some ransomware backup dos and don'ts?

A layered protection strategy works best against ransomware. Organizations must be diligent about backing up data, monitoring suspicious activity and testing restores.

Ransomware is a new phenomenon that has developed from the exposure of IT environments to the public internet. Hackers gain access to computer systems and encrypt data, only providing the encryption keys or unlocking the data after a ransom has been paid.

Even with the most stringent security rules, there is always a risk that systems can be compromised using genuine credentials acquired through other routes (usually social engineering). This means additional protection layers are needed so that data can be recovered without paying a ransom to get it back.

With that in mind, here are some dos and don'ts regarding ransomware backup.

  • Back up all of your data regularly. Any backup regime should be based on business requirements. It should also ensure that the amount of data lost after a ransomware attack is minimized.
  • Check the status of backups. Ensure backups are completed successfully, and resolve any issues as soon as possible. Don't wait to rerun a ransomware backup after a failure.
  • Have some offline backup copies. Data stored on tape or other offline media isn't as easy to compromise as online backups. If primary data is corrupted, hackers may also try to compromise the ransomware backup system to prevent restores. Offline copies reduce that risk.
  • Perform regular restore tests. Knowing data is backed up is great, but you should verify that restores work. Don't wait until the restore is needed to see if it works.
  • Build data validation tests into restore checking. How can you ensure data is still valid after the restore? One approach is to create dummy or proxy data that sits in the file system and acts as a control for checking content. If the dummy files have changed compared to a known good value, you should suspect data has been compromised.
  • Don't use the same credentials for everything. Backup credentials should be used only for that purpose. The more people who have access to the credentials, the more likely it is they will be compromised.
  • Look into tracking suspicious behavior. This is in addition to validating restores. For example, if data is encrypted, incremental backup sizes will increase dramatically. This may indicate that data has been compromised.
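The control-file check from the data validation item above can be scripted. The following is an added example, not code from the original article: it records a SHA-256 for each dummy file and compares a restored tree against those known good values. The file names, directory layout and status labels are assumptions made for illustration, and the sample data is constructed.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large control files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root, control_files):
    """Record the known good SHA-256 of each control file (paths relative to root).
    Assumption: the manifest is kept away from the systems being backed up."""
    return {rel: sha256_file(os.path.join(root, rel)) for rel in control_files}

def verify_restore(restored_root, manifest):
    """Return {path: 'ok' | 'modified' | 'missing'} for a restored tree."""
    results = {}
    for rel, expected in manifest.items():
        path = os.path.join(restored_root, rel)
        if not os.path.isfile(path):
            results[rel] = "missing"    # deleted, or renamed with a new extension
        elif sha256_file(path) != expected:
            results[rel] = "modified"   # content differs from the known good value
        else:
            results[rel] = "ok"
    return results

def demo():
    """Constructed sample: three control files, two damaged before the 'restore'."""
    names = ["finance/control_a.txt", "hr/control_b.txt", "eng/control_c.txt"]
    with tempfile.TemporaryDirectory() as live, tempfile.TemporaryDirectory() as restored:
        for root in (live, restored):
            for rel in names:
                os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
                with open(os.path.join(root, rel), "w") as fh:
                    fh.write("control data for " + rel)
        manifest = build_manifest(live, names)
        # Simulate a backup taken after files were already altered.
        with open(os.path.join(restored, names[1]), "wb") as fh:
            fh.write(os.urandom(64))
        os.remove(os.path.join(restored, names[2]))
        return verify_restore(restored, manifest)

if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:9} {path}")
```

Any result other than "ok" on a restore test means that backup should be treated as suspect and an older copy tested.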

Design resiliency into your ransomware backup and restore process and remain vigilant to changes in the environment, as early detection is key.
