Backups are often thought of as a defense mechanism against ransomware. If they are not properly implemented, however, the backups themselves can become infected, rendering them useless. To prevent this from happening, it's vital to have a ransomware backup strategy in place.
Most organizations today use backups that are based on changed block tracking: if a storage block is modified, that block is backed up. If a ransomware infection occurs, the encryption performed by the ransomware is treated as a routine file modification, and the newly modified (now encrypted) file is backed up over the clean copy.
By following a few best practices guidelines, you can help to keep ransomware out of your backups.
Backups aren't your first line of defense
The cardinal ransomware backup rule is that you should never treat your backups as a first line of defense. While it is true that your backups can help you to reverse the damage that has been caused by ransomware, it is far better to take measures to prevent ransomware infections from occurring in the first place rather than counting on your backups after an infection has already occurred.
At the very least, this means running antimalware software throughout your organization and keeping that software updated. Even antimalware software, however, is not perfect. There have been numerous cases over the years of infections occurring even though the system was being protected by antimalware software. That being the case, you might consider using process whitelisting, which forbids any unauthorized process from running on protected systems.
Review your version retention policies
A review of your version retention policies is another important aspect of a ransomware backup strategy. After all, your backups are going to be largely ineffective against ransomware if you do not have a way of reverting files back to their unencrypted state.
On the surface, making sure that multiple file versions are being retained probably sounds ridiculous. After all, pretty much any modern backup product will enable you to restore an older version of a file. Even so, it is worth considering the number of file versions retained and the length of time for which those versions are retained. The reason for this is that you may not know right away that an infection has occurred.
Suppose, for a moment, that a user accidentally triggers a ransomware infection while working from a corporate desktop. Depending on how the ransomware is designed, the infection will probably start out by encrypting files residing directly on the infected device, but will probably then begin encrypting files within mapped network drives. Depending on the volume of data that a user has access to, the encryption process could take a while to complete.
The interesting thing about this situation is that the user may not know right away that the infection has occurred. Think about it from a malware author's standpoint: If the ransomware were to tell the user about the infection before or during the encryption process, then the user may be able to take some sort of action to limit the impact of the infection. If, on the other hand, the ransomware does not tell the user about the infection until after it encrypts everything, then the damage is already done.
It is also possible that even more time could elapse before the IT department finds out about the infection. Imagine what might happen, for instance, if the user tried to cover up the fact that they infected the system. IT might not realize that an infection occurred until others started reporting problems.
The point is that you may not always know about ransomware infections right away, so backup retention policies that only save previous file versions for a matter of hours or days may be ineffective. Ideally, a ransomware backup strategy should include as many recovery points as possible in order to maximize the chances of being able to recover from an infection.
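As an added illustration of the retention point above (not part of the original article), the following Python simulates how a tiered retention policy decides which recovery points survive, and then asks whether any surviving point predates an infection that went unnoticed for ten days. The GFS-style tiers (hourly, daily-at-midnight, weekly-on-Sunday), the dates and the hourly backup schedule are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta

def surviving_recovery_points(points, now, hours, days, weeks):
    """Apply an assumed GFS-style retention policy and return the recovery
    points that still exist at time `now`: every point younger than `hours`,
    the midnight point for each of the last `days` days, and the
    Sunday-midnight point for each of the last `weeks` weeks."""
    kept = []
    for p in points:
        age = now - p
        if age <= timedelta(hours=hours):
            kept.append(p)
        elif age <= timedelta(days=days) and p.hour == 0:
            kept.append(p)
        elif age <= timedelta(weeks=weeks) and p.hour == 0 and p.weekday() == 6:
            kept.append(p)
    return sorted(kept)

def newest_clean_recovery_point(points, now, infection_start, hours, days, weeks):
    """Newest surviving point written before the infection began, or None if
    retention has already pruned every unencrypted version of the data."""
    clean = [p for p in surviving_recovery_points(points, now, hours, days, weeks)
             if p < infection_start]
    return max(clean) if clean else None

# Constructed scenario: one recovery point per hour for 30 days; the infection
# began 10 days before IT learned of it (DETECTED is a Sunday at noon).
DETECTED = datetime(2024, 3, 31, 12, 0)
INFECTED = DETECTED - timedelta(days=10)
POINTS = [DETECTED - timedelta(hours=h) for h in range(30 * 24 + 1)]

def short_policy():
    # Keep 48 hours of hourly points and nothing older.
    return newest_clean_recovery_point(POINTS, DETECTED, INFECTED, 48, 0, 0)

def tiered_policy():
    # Keep 48 hourly points, 14 daily points and 8 weekly points.
    return newest_clean_recovery_point(POINTS, DETECTED, INFECTED, 48, 14, 8)

if __name__ == "__main__":
    print("48h-only policy, newest clean point:", short_policy())
    print("tiered policy, newest clean point:  ", tiered_policy())
```

With the 48-hour policy every surviving recovery point was taken after encryption started, so there is nothing clean to restore; the tiered policy still holds the midnight point from the day the infection began.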
Be sure to use a stopgap
If you are performing disk-based backups and ransomware somehow manages to encrypt your entire backup target, then you will lose your ability to recover from the ransomware attack. One way of defending against such a situation is to put in place a stopgap mechanism. In other words, you need a backup that the ransomware cannot touch. The only 100% reliable way of achieving this is to have a backup that remains completely disconnected from the system.
Tape-based backups can be an excellent stopgap against ransomware attacks because ransomware cannot infect a tape that is not inserted into a tape drive. Obviously, tape-based backups do not offer the advantages of a disk-based backup, but there is no reason why you have to abandon disk-based backups in favor of tape. Instead, you can implement a disk-to-disk-to-tape backup architecture that will periodically copy the contents of your disk-based backup target to a tape that can be safely stored offline.
When an attack occurs, the ransomware could potentially encrypt the contents of your backup storage array. Even if that doesn't happen, you will almost certainly end up backing up infected files. As such, it is critically important to keep ransomware off of your systems, and to have a ransomware backup plan in place to recover your data if an attack does occur.