Ransomware Backup Strategy Guidelines to Help Ensure Recovery

by SEP Blog Team | Backup Strategy, Ransomware

Backing up your data is the number one defense mechanism against ransomware. However, a backup solution must be implemented with a ransomware strategy in mind to ensure you can restore your organization's data. If not correctly implemented, the backups will become infected, rendering the entire backup "solution" useless.

Many organizations use backups based on changed block tracking, which is a great backup tactic to increase backup times and reduce storage space. However, when a ransomware infection occurs, the encryption process caused by the ransomware is then treated as a routine file modification, backing up the newly modified file. Thus, all connected backup copies will become encrypted. To ensure that your data is always recoverable, it is vital to have a ransomware-specific backup strategy in place to prevent this scenario.

Here are three ransomware backup strategy guidelines to help ensure recovery.

Malware software and whitelisting

The gold standard ransomware backup rule is that organizations should never treat their backups as a first and only line of defense. It is true that system backups can help you to reverse the damage incurred by ransomware, but it is far better to take measures to prevent ransomware infections from occurring in the first place.  

Running anti-malware software throughout your organization and making sure that all software is updated should be a standard in your organization. To secure your system further, you might consider using process whitelisting, which forbids any unauthorized operations from running on protected networks. Application whitelisting is when a system is set up to specify an index of approved software applications permitted to be active on the system. If something is added to your system, it can immediately be traced. The goal of whitelisting is to protect computers and networks from potentially harmful applications that are attached to operations through opening files or downloading software.

Evaluate version retention policies

Version retention policies is another crucial aspect of a ransomware backup strategy. It may seem redundant to have multiple file versions retained "just in case" because most of the backup products offered will enable you to restore an older version of a file. However, as ransomware attacks become more complex, it's worth having multiple backup types at your disposal because you might not know the exact point in time when the system was infected and, in some cases, what exactly is infected.

Let's say your assistant accidentally triggers a ransomware infection while working from their corporate desktop computer. Depending on how the hacker has designed the ransomware, the virus more than likely began by encrypting files that are residing directly on the infected device. Next, it will likely encrypt files within mapped network drives. Depending on the volume of data they manage and systems the assistant has access to, the encryption process could take a while to complete, which is not as comforting as it sounds.

The scary thing about a ransomware attack is that the user may not know that the infection has taken place on the system. Ransomware is stealth and does not tell the user about the virus until after it encrypts everything. The damage is already done by the time you realize something is wrong.

A strong ransomware backup strategy must include as many recovery points as possible to maximize recovery chances from an infection quickly and with minimal impact on your business.

Stopgap and tape-based backups

If you are performing disk-based backups and a ransomware attack manages to encrypt your entire  target, you'll quickly lose your ability to recover any data from that target. One way of mitigating these situations is to create a stopgap mechanism, i.e. a backup that the ransomware cannot touch.

Tape-based backups are an excellent stopgap to battle ransomware attacks. It is the only 100% reliable way of achieving a backup that is entirely separate from the system. Ransomware cannot infect a tape that is not inserted directly into a tape drive. The argument has been made that tape backups are outdated, but they certainly have an advantage when backups partitioned from the system are the only path to recovery. A disk-to-disk-to-tape backup architecture that will copy your data to a tape can be safely secured and stored offline.

Ransomware attacks are becoming more frequent and organizations that don't have a ransomware strategy in place should evaluate which backup practice is best for the size and needs of their data management footprint. Although a backup plan is a great start, your backups are going to be mostly ineffective against ransomware if there is no way of reverting files to their unencrypted state.