How to protect backups from ransomware

Ransomware is becoming the number one threat to data, which makes it essential to ensure that bad actors don’t encrypt your backup data along with your primary data when they execute ransomware attacks. If they succeed at that, you will have no choice but to pay the ransom, and that will encourage them to try it again.

The key to not having to pay ransom is having the backups to restore systems that ransomware has encrypted. And the key to protecting those backups from ransomware is to put as many barriers as you can between production systems and backup systems. Whatever you do, make sure that the only copy of your backups is not simply sitting in a directory on a Windows server in the same data center you are trying to protect. Let’s take a closer look at a few key elements of that sentence: “Windows”, “same data center”, and “sitting in a directory”.

Protect Windows

The majority of ransomware attacks are against Windows hosts, and they spread to other Windows hosts in your computing environment once a single host is infected. Once the ransomware has spread to enough hosts, the attacker activates the encryption program and suddenly your entire world is shut down. Therefore, the most obvious thing to do would be to use something other than Windows for your backup server.

Unfortunately, many popular backup products run primarily on Windows. The good news is that many of them also offer a Linux alternative. Even if the main backup software must run on Windows, it might also have a Linux media-server option. The media servers are the key because that is where the data is that you are trying to protect. If your backups are only accessible via Linux-based media servers, ransomware attacks against Windows-based servers will not be able to attack them.

In addition to storing your regular backups behind a Linux-based media server, make sure the backups of your main backup server are stored there as well. It doesn’t do any good to have your backups unencrypted if the database needed to access those backups is encrypted by the ransomware.

You should also harden Windows-based backup servers as much as possible. Learn the services ransomware uses to attack servers (such as RDP) and turn off as many of them as possible. Remember this server is your last line of defense, so think security, not convenience.

Get backups out of the data center

Whatever backup solution you choose, copies of backups should be stored in a different location. This means more than simply putting your backup server in a virtual machine in the cloud. If the VM is just as accessible from an electronic perspective as it would be if it were in the data center, it’s just as easy to attack. You need to configure things in such a way that attacks on systems in your data center cannot propagate to your backup systems in the cloud. This can be done in a variety of ways, including firewall rules, changing operating systems and storage protocols.

For example, most cloud vendors offer object storage and most backup software products and services are capable of writing to it. Ransomware attackers may be sophisticated, but so far have not figured out how to attack backups stored on object-based storage. In addition, such providers often offer a write-once, read-many option, meaning that you can specify a period during which backups cannot be modified or deleted, even by authorized personnel.

There are also backup services that can write data to their storage that isn’t accessible except via their user interface. If you can’t directly see your backups, then neither can the ransomware.

The idea is to get your backups—or at least one copy of your backups—as many hops away from an infected Windows system as they can be. Put them in a provider’s cloud protected by firewall rules, use a different operating system for your backup servers, and write your backups to a different kind of storage.

Remove file-system access to backups

If your backup system is writing backups to disk, do your best to make sure they are not accessible via a standard file-system directory. For example, the worst possible place to put your backup data is E:backups. Ransomware products specifically target directories with names like that and will encrypt your backups.

This means that you need to figure out a way to store those backups on disk in such a way that the operating system doesn’t see those backups as files. For example, one of the most common backup configurations is a backup server writing its backup data to a target deduplication array that is mounted to the backup server via server message block (SMB) or network file system (NFS). If a ransomware product infects that server, it will be able to encrypt those backups on that target deduplication system because those backups are accessible via a directory. You need to investigate ways to allow your backup product to write to your target deduplication array without using SMB or NFS. All popular backup products have such options.

What about tape?

Of course, there is always our old friend tape. One thing tape is really good at is copying last night’s or last week’s backup to another medium that can then be sent off-site for safekeeping against ransomware attacks. Even the best ransomware product would be completely unable to infect your backups if you take them out of the tape library and hand them to an Iron Mountain driver. Sometimes the old ways are the best ways.

Put in some roadblocks

Don’t make it easy for ransomware to see and encrypt your backups. Don’t store them on a Windows server if possible and have at least one copy stored somewhere that is not electronically accessible from your data center. Finally, configure your backup system in such a way that backups can’t be seen as files on your backup server. Give yourself at least a fighting chance in the case of a ransomware attack.