How to protect backups from ransomware

We’ve often said there are only two ways to recover from a ransomware attack:

  1. Pay the ransom
  2. Recover from backups

Cyber criminals also know that. They therefore need to compromise your backups, leaving you with no alternative but to pay.

So how can you protect your backups to stop them being encrypted along with your production data?

Immutable storage

Immutable storage is the simplest way to protect your backup data. Data is stored in a Write Once Read Many (WORM) state and cannot be deleted for a pre-specified period. You can set policies in backup software or at the storage level. It means backups can’t be changed or encrypted.

The only downside is that it will increase your storage consumption. You define how long to retain the data for, and then you are committed to (or stuck with) that policy.

Add an ‘air-gap’

An ‘air-gap’ means separating backups from your production data so there is no way for an attack to spread from one to the other.

Traditionally, that means keeping a copy of your data physically separate, often on tape. If you don’t want to keep backups on tape (as many don’t), you can create a logical air-gap, and there are several ways to do that.

Backups should sit outside the domain of the organisation they are protecting. If the production environment is breached, attackers don’t immediately have access to backups.

You can also keep storage accounts separate. Using a backup service provider improves security and increases separation. Using third parties changes your risk profile: every additional supplier introduces an increased chance of supply-chain attacks, but it adds diversity and separation. And that’s a very good thing to do for your backups.

Restricting access

To protect your backups, you need to prevent unauthorised access to your backup software.

In a successful ransomware attack, your production environment has been compromised. It is therefore possible that key-loggers have been used to gain access to other systems, such as your backup accounts. Multi-factor authentication for your Backup Administrator accounts helps keep them ring-fenced.

It also helps to protect against a subtle technique attackers use on backups. Rather than deleting backups or doing something that might alert you to their presence, attackers simply change your backup policies. Instead of keeping 30 backups, they can reduce to just 1. These changes are much harder to detect. They then simply wait for your older backups to expire before launching the attack.

Restricting access, strong passwords and MFA all reduce the chance of attackers accessing your backups.
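The retention-policy trick described above is quiet by design, so the practical defence is to watch the backup console’s audit trail for it. Below is an added example (not code from the original post or from any backup product) that reads audit-log lines in a hypothetical `key=value` format and raises an alert for two things the text calls out: a console login without MFA, and any change that reduces a policy’s retention count. The log lines and the field names (`action`, `mfa`, `field`, `old`, `new`) are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample audit-log lines in a hypothetical "<timestamp> key=value ..." format.
# They are not the output of any real backup product; the 30 -> 1 change mirrors the
# retention downgrade the article describes.
SAMPLE_AUDIT_LOG = """\
2024-03-01T02:10:05Z user=backupadmin action=login mfa=true src=10.0.5.20
2024-03-01T02:11:40Z user=backupadmin action=policy_update policy=daily-vms field=retention old=30 new=30
2024-03-02T23:47:12Z user=svc_backup action=login mfa=false src=10.0.9.77
2024-03-02T23:48:03Z user=svc_backup action=policy_update policy=daily-vms field=retention old=30 new=1
2024-03-02T23:48:30Z user=svc_backup action=policy_update policy=fileservers field=retention old=14 new=2
2024-03-03T01:00:00Z user=backupadmin action=policy_update policy=daily-vms field=schedule old=daily new=hourly
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    severity: str
    message: str


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Split '<ts> k=v k=v ...' into a dict; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = {"ts": parts[0]}
    for token in parts[1:]:
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    return fields


def audit_backup_console(log_text: str) -> List[Alert]:
    """Flag non-MFA logins and every reduction of a retention count.

    A halving or worse is rated high: cutting 30 copies to 1 is exactly the
    change an attacker makes before waiting for the old backups to expire.
    """
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev is None:
            continue
        action = ev.get("action")
        user = ev.get("user", "?")
        if action == "login" and ev.get("mfa") != "true":
            alerts.append(Alert(ev["ts"], user, "medium",
                                f"backup console login without MFA from {ev.get('src', '?')}"))
        elif action == "policy_update" and ev.get("field") == "retention":
            try:
                old, new = int(ev["old"]), int(ev["new"])
            except (KeyError, ValueError):
                continue  # malformed event; skip rather than crash the monitor
            if new < old:
                severity = "high" if new <= old // 2 else "medium"
                alerts.append(Alert(ev["ts"], user, severity,
                                    f"retention for policy {ev.get('policy', '?')} reduced from {old} to {new}"))
    return alerts


if __name__ == "__main__":
    for alert in audit_backup_console(SAMPLE_AUDIT_LOG):
        print(f"[{alert.severity}] {alert.timestamp} {alert.user}: {alert.message}")
```

The same pattern works for any product whose audit log can be exported as text; the useful part is the rule, not the parser. A retention increase or a schedule change is left alone because neither shortens the window you can recover from.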

Using backups to detect attacks

Backup vendors are now adding innovative features to detect and help prevent attacks.

Monitoring backups

Daily incremental backups are usually consistent in size. A sudden, very large incremental backup tells you that a lot of data has changed and should be investigated as a potential ransomware attack. The problem with this kind of alert is that it only tells you after your data has been encrypted. The benefit is that it identifies when the attack occurred, which helps you quickly find the most recent clean backup from before the infection to recover from.
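To show what the size-based alert looks like in practice, here is an added example (not code from the original post or from any vendor) that runs over a constructed history of daily incremental sizes. It compares each day against a robust baseline (median plus a scaled median absolute deviation, so one huge day does not distort the next day’s threshold), flags the outlier, and reports the last backup taken before it, which is the restore point the text says you want. The sizes, dates, and the tuning constants `k` and `mad_floor` are assumptions for the example.

```python
from statistics import median
from typing import List, Optional, Tuple

# Constructed daily incremental sizes in GB (not real data). The jump on
# 2024-03-08 stands in for a day on which most files were rewritten.
SAMPLE_HISTORY: List[Tuple[str, float]] = [
    ("2024-03-01", 12.1), ("2024-03-02", 11.8), ("2024-03-03", 12.5),
    ("2024-03-04", 13.0), ("2024-03-05", 11.9), ("2024-03-06", 12.3),
    ("2024-03-07", 12.7), ("2024-03-08", 95.4), ("2024-03-09", 14.2),
]


def robust_threshold(sizes: List[float], k: float = 5.0, mad_floor: float = 0.05) -> float:
    """Median + k * spread, where spread is the scaled MAD (1.4826 * MAD
    approximates one standard deviation for normal data) with a floor of
    mad_floor * median so a perfectly flat history does not alert on noise."""
    med = median(sizes)
    mad = median(abs(s - med) for s in sizes)
    spread = max(1.4826 * mad, mad_floor * med)
    return med + k * spread


def flag_size_anomalies(history: List[Tuple[str, float]],
                        min_history: int = 5, k: float = 5.0) -> List[Tuple[str, float]]:
    """Return (date, size) for every backup whose size exceeds the threshold
    computed from all earlier backups. The median/MAD baseline means the
    anomalous day itself barely moves the threshold for the days after it."""
    anomalies = []
    for i in range(min_history, len(history)):
        baseline = [size for _, size in history[:i]]
        date, size = history[i]
        if size > robust_threshold(baseline, k):
            anomalies.append((date, size))
    return anomalies


def last_clean_backup(history: List[Tuple[str, float]],
                      min_history: int = 5, k: float = 5.0) -> Optional[str]:
    """Date of the most recent backup taken before the first anomalous one,
    i.e. the candidate restore point; None if nothing was flagged."""
    anomalies = flag_size_anomalies(history, min_history, k)
    if not anomalies:
        return None
    first_bad = anomalies[0][0]
    earlier = [date for date, _ in history if date < first_bad]
    return earlier[-1] if earlier else None


if __name__ == "__main__":
    for date, size in flag_size_anomalies(SAMPLE_HISTORY):
        print(f"anomalous incremental on {date}: {size} GB")
    print("last clean backup:", last_clean_backup(SAMPLE_HISTORY))
```

Two caveats a practitioner would add: a genuine bulk change (a migration, a large software rollout) will also trip this, so treat it as a prompt to investigate rather than proof; and an attacker who encrypts slowly over weeks will stay under any single-day threshold, which is one reason the storage-side monitoring in the next section matters.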

Storage monitoring

Rather than finding out data has been encrypted several hours after the fact, backup software is also well-placed to monitor production storage too.

One method is to closely monitor honeypot files and provide alerts if ransomware encrypts those files.

Another method is to monitor your entire storage environment for spikes in I/O activity, which indicate major changes to your data. This is more intensive, but the benefit is that it can detect infections faster. Faster detection and identification translate into reduced damage and accelerated recovery.
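The honeypot-file method is simple enough to implement directly, so here is an added example (not code from the original post or from any backup vendor). It plants a few decoy files with known contents, records their SHA-256 hashes as a baseline, and then reports any decoy that has been modified or has disappeared. The `demo()` function builds everything in a temporary directory and alters two decoys to show what an alert would look like; the decoy names and contents are constructed for the example.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Hypothetical decoy file names; real deployments pick names that sort early
# in a listing so an encryptor reaches them quickly.
CANARY_NAMES = ["canary_a.docx", "canary_b.xlsx", "canary_c.pdf"]


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large decoys do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def plant_canaries(root: str, names: List[str]) -> Dict[str, str]:
    """Create the decoys under root and return {name: expected_sha256}.
    The baseline would normally be stored somewhere the monitored host cannot write."""
    baseline: Dict[str, str] = {}
    for name in names:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(f"decoy document {name}\n".encode() * 64)
        baseline[name] = sha256_file(path)
    return baseline


def check_canaries(root: str, baseline: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare each decoy against the baseline. Returns (name, 'modified'|'missing')
    for every decoy that no longer matches; an empty list means all is well."""
    findings: List[Tuple[str, str]] = []
    for name, expected in baseline.items():
        path = os.path.join(root, name)
        if not os.path.exists(path):
            findings.append((name, "missing"))
        elif sha256_file(path) != expected:
            findings.append((name, "modified"))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Plant decoys, verify they are clean, then reproduce the two effects an
    encrypting process has on them (contents replaced, file renamed away)."""
    with tempfile.TemporaryDirectory() as root:
        baseline = plant_canaries(root, CANARY_NAMES)
        if check_canaries(root, baseline):
            raise RuntimeError("freshly planted canaries should match their baseline")
        with open(os.path.join(root, "canary_b.xlsx"), "wb") as fh:
            fh.write(os.urandom(4096))  # contents overwritten with unrelated bytes
        os.rename(os.path.join(root, "canary_c.pdf"),
                  os.path.join(root, "canary_c.pdf.locked"))  # original name gone
        return check_canaries(root, baseline)


if __name__ == "__main__":
    for name, status in demo():
        print(f"ALERT: decoy {name} is {status}")
```

Run `check_canaries` on a schedule (or from a filesystem-watch hook) and page on any non-empty result; because nobody should ever touch a decoy, this check has close to no false positives, which is what makes it a good early-warning signal compared with the backup-size alert.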