Ransomware Backup Best Practices
According to Security Intelligence, hackers target backup data in around 93% of ransomware attacks. This has led to backup data being lost and unusable for recovery and organizations becoming more likely to pay the ransom in the hope of restoring access to systems.
Implementing cybersecurity measures and backing up data to ensure recovery after ransomware incidents is no longer enough. Antivirus can protect computers and their data at the first stage, but if viruses and ransomware have infected computers and destroyed data, the only method to restore data is using a data backup. With backup repositories in the cloud accessible over the internet, backups are at an even higher risk of ransomware. That’s why additional measures should be taken to protect backups in addition to primary data.
This blog post explains how to create an effective ransomware defense strategy.
Can You Restore from Backup after a Ransomware Attack?
The research conducted by Sophos shows that data recovery after a ransomware incident using backups is faster than going down the ransom payment path. Properly configured backups can be used to recover data and machines after a ransomware attack. If you have a reliable and uninfected backup copy, you can restore the data and minimize incident-related downtime.
Consider the following actions to restore systems after a ransomware incident:
- Isolate the infected system. As soon as you detect a ransomware infection, disconnect the infected machine from the network to prevent further spread of the malware.
- Remove the ransomware. Use reputable antivirus or anti-malware software to remove the ransomware from your system. Ensure that your antivirus definitions are up-to-date for the best chance of success. The alternative is formatting disk drives affected by ransomware and restoring data from backups to these drives (backups must be unaffected).
- Assess backup availability. Check your backup systems to ensure that they are unaffected by the ransomware attack.
- Restore data. You can initiate the data restoration process with your data backup solution. This might involve selecting specific files, folders, or system images to restore. Follow the instructions provided by your backup software or service provider.
- Test restored data. After the restoration is complete, test the recovered data to ensure the data is accessible and intact. This is crucial to verify that the backup copies were not compromised by the ransomware.
- Patch and secure. Before reconnecting the infected computer to the network, apply any necessary security patches, updates, and improvements to enhance the system’s security and reduce the risk of another attack.
- Investigate and report. Investigate how the ransomware entered your system to prevent future attacks. Report the incident to authorities, for example, law enforcement agencies or cybersecurity organizations.
Remember that the effectiveness of your recovery depends on having regularly updated and secure backups. If your backups are compromised or outdated, you may not be able to fully recover your data. It’s crucial to maintain a robust ransomware protection strategy built around backup as part of your overall cybersecurity measures to mitigate the impact of ransomware incidents.
Can Ransomware Attack a Backup?
Backups are not immune to malware infections. Ransomware can potentially attack and encrypt (destroy) backup files if the backups are directly accessible from the infected system or if the ransomware is specifically designed to target backup systems.
Ransomware criminal groups know that organizations rely on backups to restore systems instead of paying ransoms. For this reason, backups can be one of the primary targets for ransomware.
Backups stored on the following resources accessible from an infected computer are at risk:
- Shared drives
- Network Attached Storage (NAS)
- External disk drives connected to an infected machine
- Cloud storage accessible from infected machines
While it is possible for ransomware to target backups, there are proactive measures that you can take as part of your ransomware protection strategy to secure and protect backup data. This way, you ensure that you have a reliable recovery option in case of an attack.
Ransomware Backup Best Practices
Ransomware backup best practices are designed to ensure data integrity and recoverability in the event of a ransomware attack. They cover backup approaches as well as strategies to protect those backups from being compromised in case your primary systems are infected.
3-2-1 backup strategy
The backbone of your ransomware defense strategy is the 3-2-1 backup rule. It is a robust approach to data backup that can help protect against ransomware attacks by ensuring redundancy, diversity, and isolation of backup copies. The rule dictates that you should have at least 3 copies of data, 2 of which are located on different media, with 1 stored offsite. The 3-2-1 ransomware backup strategy can be further expanded to 3-2-1-1 to include air-gapped or immutable copies.
Below, you can see how a 3-2-1 backup strategy can safeguard your data against ransomware:
- 3 copies of data:
- Primary copy. This is your live data, the original files, and the data that you work with daily.
- Local backup. Create a second copy of your data stored locally, such as on an external hard drive, backup server, or network-attached storage (NAS) device. This provides quick and convenient access to your backups in case of data loss or corruption.
- Offsite backup. The third copy should be stored offsite, away from your primary location. This can be in a different physical location, typically achieved by using cloud storage, copying data backup to the secondary location via the network or by physically transporting backups to an offsite location regularly.
- 2 different media. Different storage media used for each backup copy can improve resiliency. For example, if you have a local backup on a physical hard disk drive, use a different type of media for your offsite backup, such as cloud storage or another physical device. This diversity helps protect against the same type of ransomware affecting both your local and offsite backups simultaneously.
- 1 media is stored offsite. Storing one backup copy offsite allows you to restore data if the primary site is destroyed by a disaster such as fire, flood, hurricane, etc.
- 1 air-gapped or immutable copy. An air-gapped backup is isolated from the network and not directly accessible through the internet or connected to your primary system. While an immutable backup is stored in immutable repositories that can be modified or deleted. This means that even if ransomware infiltrates your network, it can’t encrypt those backups.
Ensure that your air-gapped backup (offline backup) is updated periodically, but disconnect this backup from the network or remove it from the physical location when not in use. This isolation makes the backup highly resistant to ransomware attacks.
The 3-2-1 ransomware backup strategy protects against ransomware in the following way:
- Data redundancy. In the event of a ransomware attack that targets your primary data, you have two additional copies (local and offsite) to restore data from without paying the ransom.
- Diversity. Using different storage media ensures that if ransomware compromises one type of backup, the others remain unaffected. This diversity makes it more challenging for ransomware to corrupt all copies of your data.
- Isolation. The air-gapped copy, stored offline or in an isolated environment, serves as a last line of defense. Even if ransomware gains access to your network or local backups, it won’t be able to reach the air-gapped copy.
- Recovery flexibility. You can quickly restore from the local copy for minor data losses, and if a severe ransomware attack occurs, you have the offsite and air-gapped copies to fall back on.
The 3-2-1-1 data protection approach is a good data backup strategy against ransomware if complemented with other security measures and implemented properly.
DR planning and testing
Disaster recovery planning and testing play a critical role in protecting against ransomware attacks by ensuring preparedness, minimizing downtime, and facilitating efficient data recovery in case of ransomware attacks. Disaster recovery planning considers not only data recovery but also the business continuity of essential operations. This means having backup systems and processes in place to keep the business running even during a ransomware incident. A well-tested disaster recovery plan allows for quicker recovery of critical systems and data.
Create a disaster recovery plan:
- Identify critical systems and data. This helps in prioritizing what needs protection in case of a ransomware attack.
- Develop a backup and recovery strategy. This includes implementing the 3-2-1 backup strategy, ensuring data redundancy, and having offsite backups.
- Incident response. Include ransomware-specific incident response procedures in your disaster recovery plan. This ensures that your team knows how to respond effectively in case of an attack.
Test and improve a disaster recovery plan by:
- Conducting regular testing. Conduct regular disaster recovery tests and simulations that include ransomware scenarios. Testing helps identify weaknesses in your plan and allows you to make necessary improvements.
- Verifying backup data integrity by testing the data recovery process. Ensuring that backups are not compromised is crucial in the fight against ransomware.
- Scenario-based training. Training staff on ransomware-specific scenarios ensures they are prepared to respond effectively when an attack occurs.
Don’t forget about documentation and compliance:
- Documentation. Disaster recovery plans should be well-documented and regularly updated. This documentation helps ensure that everyone knows their roles and responsibilities during an incident.
- Regulatory compliance. Compliance with data protection regulations often requires having a robust disaster recovery plan. This can help avoid legal issues and penalties in the event of a ransomware attack.
Using immutable storage
Immutable storage is a type of storage in which data cannot be modified after being written. The immutable storage technology prevents any modification, deletion, or encryption of stored data for a specified retention period. Use immutable storage to store backups and increase the probability of successful data recovery in case of ransomware attacks.
Immutable storage can leverage different mechanisms:
- Write once, read Many (WORM): Data can be written once, and after that, it can only be read but not modified or deleted.
- Cryptographic hashing. Data can be hashed using cryptographic algorithms, and the hash values are stored separately. Any change to the data will result in a different hash, alerting to potential tampering.
- Versioning. Data versions are stored, and previous versions can be restored if the current version is compromised.
- Access controls. Immutable storage systems typically have strict access controls to prevent unauthorized changes to data.
Ransomware typically works by encrypting files and demanding a ransom for the decryption key. Immutable storage can protect against ransomware in several ways:
- Prevents modification. Since data in immutable storage cannot be altered, ransomware’s attempts to encrypt or modify files will fail.
- Provides rapid recovery. Even if ransomware encrypts your primary data, you can rely on immutable storage to recover clean copies of your files. You can easily restore your data to its unencrypted state because the original data remains intact.
- Tamper alerts. Immutable storage systems can generate alerts when unauthorized attempts to modify data are detected, allowing for a swift response to potential ransomware attacks.
Using data encryption
Data encryption can help reduce the negative consequences of ransomware attacks. Note that encryption alone doesn’t protect against ransomware attacks. Ransomware can still encrypt/destroy the files it accesses, regardless of whether this file is encrypted or not. However, encryption ensures that your data is confidential and cannot be understood by unauthorized individuals, including ransomware attackers.
Even if ransomware infiltrates your system, it may not have the necessary permissions or encryption keys to access encrypted sensitive data. This means that it won’t be able to make sense of the encrypted data. As a result, ransomware attackers cannot extort a victim by uploading the stolen data to the internet. This is also the advantage in terms of compliance to avoid penalties.
Encrypting data in transit, such as during network transmission or when stored in cloud services, ensures that intercepted data is useless to cybercriminals. Encrypted communication channels, such as VPN (virtual private networks) and secure socket layer (SSL) connections, protect against ransomware attempting to intercept data during transmission.
Proper key management is essential for the effectiveness of encryption. Store encryption keys securely and separately from the data they protect to prevent ransomware from gaining access to both the data and the keys.
Set permissions to data backup
Setting permissions for backup data helps prevent ransomware from compromising or destroying your backup copies. Properly configured permissions ensure that only authorized users or systems can access backup data.
By restricting access to backup data, you reduce the attack surface for ransomware. If ransomware infiltrates your network, this ransomware may attempt to target multiple systems in the network. If ransomware infects a system with limited permissions, the ransomware will have a harder time spreading to backup locations and compromising those backups.
Setting permissions aligns with the principle of least privilege and segregation of duties. It ensures that no single user or system has excessive control over backup data, reducing the risk of insider threats.
Permission settings enable auditing and monitoring of backup data access. If ransomware attempts to compromise backups, auditing can generate alerts and provide a record of unauthorized access attempts for investigation. Unauthorized access or modifications to backup data can be detected quickly through monitoring and alerting systems. This allows for a swift response to potential ransomware attacks, minimizing data loss.
Other recommendations
Here are some additional recommendations to help you improve the ransomware backup strategy:
- Back up data regularly. Set up a regular backup schedule that suits your organization’s needs. Frequent backups, such as daily or hourly, help minimize data loss in case of an attack by cutting down the RPO.
- Automate backups. Use backup solutions that automate the process to reduce the risk of human error and avoid retention gaps.
- Use versioned backups. Choose backup solutions that offer versioning or flexible retention settings, allowing you to access and restore previous versions of files. This is helpful with point-in-time restores if ransomware goes undetected for some time.
- Monitor the environment. Implement monitoring systems to detect any unusual or suspicious activity on your systems. Set up alerts for any unauthorized access attempts, changes to backup configurations, or just unusual resource consumption.
- Secure backup servers. Apply security best practices to the backup server itself, including regular security updates and strong password policies. Minimize internet-facing access to your backup server to reduce the risk of remote attacks. Regularly update backup software and systems to address vulnerabilities that could be exploited by ransomware.
- Choose a trusted backup provider. If you use cloud-based backup services, select a reputable and security-conscious provider with a track record of safeguarding data.
- Educate workers. Train employees or users to recognize phishing attempts and other social engineering tactics that can lead to ransomware attacks. In the process of disaster recovery planning and testing, employees become more aware of the risks associated with ransomware. This heightened awareness can lead to better cybersecurity practices and incident reporting.
Using NAKIVO’s Ransomware-Resilient Backup Capabilities
NAKIVO Backup & Replication is a fast, reliable, and affordable data protection solution that can back up data effectively and protect against ransomware. Below are some of the features to protect data and enable recovery after ransomware in NAKIVO Backup & Replication:
- Immutable backups. Backups can be made immutable on local storage, NAS, public cloud platforms (Amazon S3, Azure Blob Storage, Wasabi, and BackBlaze B2, etc.), and private clouds. Set the period of immutability for backups, and backup data cannot be edited or deleted until this period expires. This feature protects backup data from being changed by ransomware.
- Backup to tape. Tape cartridges are a type of air-gapped backup storage medium. After recording a backup to tape and ejecting the tape cartridge, the data recorded on this cartridge cannot be accessed by ransomware.
- Flexible retention settings. You cannot predict the exact time of a ransomware attack. Having backups for different dates allows you to restore data in the needed state before the data was corrupted by ransomware. Support for incremental backup and frequent recovery points help recover more data in the actual state before a ransomware attack happens.
- Data encryption. Data encryption in a backup repository and during transmission over the network increases the security level and avoids intercepting data during transmission over the network. An encrypted backup repository avoids decrypting and uploading data from this repository by ransomware attackers to the internet for dangerous extortion.
- Backup copy. Follow the 3-2-1 backup rule and copy backup data to other storage mediums and offsite with backup copy jobs. Job chaining is a useful feature of a backup copy that allows you to start creating a backup copy automatically once a backup job is finished.
- Backup malware scan. Scanning backups during the recovery process prevents users from recovering infected files to their systems which could potentially lead to viruses spreading in the production environment.
- Site Recovery. Disaster recovery with the Site Recovery feature is fast and effective. You can test disaster recovery scenarios with Site Recovery. You can attach/detach backup repositories because a detached repository is less vulnerable to ransomware.
