Having backups is a critical part of any ransomware disaster recovery plan. In the event that your company is hit with ransomware, you can simply use your company backups to recover your systems without paying a cent to the bad guys.
There’s just one problem: your backups are not immune to ransomware. Cyber-criminals are using increasingly advanced ransomware strains that contain mechanisms that are designed to seek out and encrypt or destroy backups that are stored both locally and in the cloud. And, if your company’s backups get encrypted or deleted, you may have no other choice but to pay the ransom.
How does ransomware encrypt backups?
There are many ways ransomware can infect a system, including email attachments, malicious links, drive-by downloads, RDP attacks, MSP tools and other third-party software. Once it has infected an endpoint, it can potentially spread to any backups held on devices that are write-accessible via standard protocols, such as NAS devices, locally installed cloud services and USB-connected devices.
There are a few ways it can do this:
Spreading through the network
Many small business owners (such as yourself) understand the value of backups, yet may not have the resources or expertise to create and maintain a fully fledged continuity strategy. Instead, you may take an ad-hoc approach, which might involve manually copying critical files to an external hard drive, or automating regular backups to a network-connected file server.
Local backups are important, but they are not an effective solution when used alone. Today’s ransomware variants are capable of spreading laterally to other computers on the network and mapped network drives. If your system gets infected, there’s a good chance the ransomware will propagate across your network and encrypt the drive that holds your company’s backups.
Syncing to cloud storage
Cloud storage is a convenient way to store files, but it’s not an effective way of maintaining backups – particularly when it comes to ransomware.
The problem is that many cloud storage services such as Dropbox, OneDrive and Google Drive automatically synchronize local files with files stored in the cloud. If your business gets hit with ransomware and the files on your network are encrypted, the files will also be encrypted in the cloud.
Some cloud storage providers offer file versioning, which keeps multiple versions of each file. If your company’s files are encrypted, you can simply roll the files back to a previous, unencrypted version. However, this feature is not supported by all cloud storage providers and may not be enabled by default.
Deleting System Restore points
System Restore, Windows’ built-in recovery tool, allows an administrator to reverse recent changes to the operating system, and can be useful for rolling back drivers and system files to previous versions. Unfortunately, System Restore does not save copies of personal files, including documents, photos and videos, which means it can’t be used to reverse encryption.
Even if System Restore could help restore personal files, many ransomware strains – including WannaCry, CryptoLocker and Locky – are designed to deliberately sniff out and delete volume shadow copies (the snapshots System Restore uses for recovery) using command-line commands.
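Because shadow-copy deletion is typically carried out with ordinary administrative command-line tools, it is one of the few ransomware behaviours that shows up clearly in process-creation logs before any files are actually lost. The script below is an added example, not code from the original article: it runs a handful of detection rules over a constructed set of process-creation events (the `host|user|command line` format, the field names and all sample values are assumptions made for the example) and returns an alert for every event that matches a known shadow-copy deletion pattern while letting benign administrative use, such as listing shadow copies, pass.

```python
import re
from dataclasses import dataclass

# Constructed sample events, flattened to "host|user|command line" for the example.
# In practice these fields come from Sysmon Event ID 1 or Windows Security 4688.
SAMPLE_EVENTS = [
    "ws01|alice|C:\\Windows\\System32\\notepad.exe report.docx",
    "ws02|SYSTEM|vssadmin.exe delete shadows /all /quiet",
    "ws03|bob|wmic shadowcopy delete",
    "srv01|backupsvc|vssadmin.exe list shadows",
    "ws04|carol|powershell.exe Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}",
]

# Each rule is (name, pattern). Patterns are case-insensitive and tolerate extra
# arguments between the tokens, so "vssadmin delete shadows /all /quiet" and
# "VSSADMIN.EXE Delete Shadows /For=C:" both match the first rule.
SHADOW_COPY_DELETION_RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)),
    ("powershell Win32_ShadowCopy delete",
     re.compile(r"\bpowershell(?:\.exe)?\b.*\bWin32_ShadowCopy\b.*\bDelete\b", re.IGNORECASE)),
]


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    command_line: str


def parse_event(line: str) -> tuple[str, str, str]:
    """Split a constructed 'host|user|command line' record into its three fields."""
    host, user, command_line = line.split("|", 2)
    return host, user, command_line


def detect_shadow_copy_deletion(events: list[str]) -> list[Alert]:
    """Return one Alert per event whose command line matches a deletion rule.

    The first matching rule wins, so an event never produces duplicate alerts.
    Read-only commands such as 'vssadmin list shadows' do not match any rule.
    """
    alerts = []
    for line in events:
        host, user, command_line = parse_event(line)
        for name, pattern in SHADOW_COPY_DELETION_RULES:
            if pattern.search(command_line):
                alerts.append(Alert(host, user, name, command_line))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.host} ({alert.user}): {alert.command_line}")
```

Legitimate backup software also prunes old shadow copies, so in a real deployment the alert should be enriched with the parent process and the account that ran it, and expected service accounts allow-listed, rather than blocking on the command line alone.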
Ransomware-proof your backups
A multilayered approach is the best way to protect backups against ransomware.
Local backups are fast, efficient and can be easily accessed whenever required. However, as mentioned above, local backups are vulnerable to ransomware, which can potentially spread across the network.
While offsite storage solutions are generally slower and less convenient, they are more isolated from your company network, and are therefore considered more reliable. Using a blend of local and offsite backups provides the best of both worlds.
With this in mind, the easiest way to ransomware-proof backups is to apply the 3-2-1 rule, which stipulates that a business should:
1. Keep at least three copies of its files
The more backups your business has, the less risk there is of losing data. You should aim to maintain at least three copies of your data. Should one copy be lost due to ransomware, theft, technical error or natural disaster, you can rest assured that there will be other copies to fall back on.
2. Store the copies on at least two different types of storage media
All devices fail sooner or later. Diversifying storage media minimizes the risk of backups failing at the same time. When storing backups locally, use at least two different types of storage media, such as a local drive, file server, NAS device or even a tape drive.
3. Store at least one copy offsite
For maximum protection, at least one copy of your company’s backups should be completely isolated from the network and preferably stored offline, where it will be safe from ransomware.
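The three rules above are easy to state but easy to drift away from as a business adds and retires storage. The script below is an added example, not part of the original article: it evaluates a constructed inventory of data copies against the 3-2-1 rule and reports which rules fail, treating "offline" as an advisory (the article says offline storage is preferable, not mandatory). The `BackupCopy` fields, the media names and both sample inventories are assumptions made for the example; the production copy is counted as one of the three copies, which is how the rule is usually read.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str       # storage media type, e.g. "disk", "nas", "tape", "cloud"
    location: str    # "onsite" or "offsite"
    offline: bool    # True if disconnected/powered down between backup runs


def evaluate_3_2_1(copies: list[BackupCopy]) -> tuple[list[str], list[str]]:
    """Check an inventory of data copies against the 3-2-1 rule.

    Returns (failures, advisories). An empty failures list means the three
    numbered rules are met; advisories flag weaker-than-ideal choices.
    """
    failures: list[str] = []
    advisories: list[str] = []

    # Rule 1: at least three copies of the data.
    if len(copies) < 3:
        failures.append(f"rule 1: only {len(copies)} copies, at least 3 required")

    # Rule 2: at least two different types of storage media.
    media_types = {c.media for c in copies}
    if len(media_types) < 2:
        failures.append(
            f"rule 2: all copies are on {', '.join(sorted(media_types)) or 'no'} media, "
            "at least 2 media types required"
        )

    # Rule 3: at least one copy offsite.
    offsite = [c for c in copies if c.location == "offsite"]
    if not offsite:
        failures.append("rule 3: no offsite copy")

    # Advisory: a copy that stays network-reachable can be encrypted along
    # with production data, so at least one copy should be kept offline.
    if not any(c.offline for c in copies):
        advisories.append("no copy is kept offline; every copy is reachable from the network")

    return failures, advisories


# Constructed inventory A: the ad-hoc setup the article warns about.
ADHOC_INVENTORY = [
    BackupCopy("production file share", "disk", "onsite", offline=False),
    BackupCopy("nightly copy to NAS", "nas", "onsite", offline=False),
]

# Constructed inventory B: the same data with an offsite tape rotated offline.
RESILIENT_INVENTORY = ADHOC_INVENTORY + [
    BackupCopy("weekly tape, stored offsite", "tape", "offsite", offline=True),
]


if __name__ == "__main__":
    for label, inventory in (("ad-hoc", ADHOC_INVENTORY), ("3-2-1", RESILIENT_INVENTORY)):
        failures, advisories = evaluate_3_2_1(inventory)
        print(f"{label}: {'PASS' if not failures else 'FAIL'}")
        for line in failures + advisories:
            print("  -", line)
```

Running the example shows the ad-hoc inventory failing rules 1 and 3 and drawing the offline advisory, while adding a single offline, offsite tape satisfies all three rules.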