Top 5 steps to using backup to protect against ransomware
- Review and update backup policies
The best defense against malware is being able to restore data from clean backups. Even when an organization pays a ransom, there is no guarantee that the attackers will hand over the decryption key. Restoring from backups is more reliable, cheaper, and does not involve handing money to criminals.
However, backups will only work if they are robust and comprehensive. Businesses should order a thorough audit of all business data locations. It is all too easy to leave critical data out of a backup plan, whether it is held on local systems or in the cloud.
This is especially important now, given the move towards remote working during the Covid-19 pandemic.
Questions to ask include:
- Are end-user systems being backed up?
- Does the backup plan cover temporary or consumer-focused cloud data stores? Cloud storage should be resilient against physical failure, but this will not protect against ransomware that infects files.
Best practice for backup remains the 3-2-1 rule: make three copies of data, store across two different forms of media and keep one copy off-site. To protect against ransomware, the offsite backup should be isolated from the business network.
- Air gap business data
Cloud storage is an attractive technology to store long-term data backups, and in some quarters, it has replaced physical backup media such as optical disks, portable hard drives and tape.
Cloud storage protects data from physical disruption, such as hardware or power failures, or fire and flood, but it will not automatically protect against ransomware. Cloud storage is vulnerable on two fronts: through connections to customer networks, and because it is shared infrastructure.
Cloud providers themselves are at risk of ransomware attacks, warns analyst Fred Moore of Horison Information Strategies.
“Attackers now specifically target cloud services as they no longer need a password to get access to cloud data,” he says. “They simply steal the credentials and delete or encrypt an organization’s cloud backups using a man-in-the-middle attack.”
The solution is for CISOs to supplement cloud backups with tape or other mechanical backup media. Cloud can be the offsite copy, but keeping another dataset on tape, and keeping those tapes strictly offline, is the most reliable way to “air gap” data from a ransomware attack.
- Make regular backups and review retention policies
It should go without saying that organizations should back up their data regularly.
Again, businesses should review policies for the frequency of backups, especially how often data is backed up to off-site locations (including the cloud) and to mechanically separated media, such as tape. It might be that more frequent backups are needed.
IT teams should also review how long they keep backups, especially their air-gapped media. Ransomware often uses time delays to avoid detection, or “attack loops” to target apparently clean systems.
Organizations might need to go back through several generations of backups to find clean copies, requiring longer retention and, possibly, more copies. Keeping separate backups for critical business systems should also make recovery easier.
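As an added illustration, not code from the original article, the following Python check applies the 3-2-1 rule described earlier (with the extra requirement that the off-site copy be isolated) and the retention point above to a constructed backup inventory. The inventory, its field names and the 14-day dwell-time figure are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class BackupCopy:
    label: str
    medium: str      # "disk", "tape", "cloud", "optical" ...
    offsite: bool    # held outside the primary site
    offline: bool    # not reachable from the business network (air-gapped)
    worm: bool       # write-once media or immutable cloud storage
    taken: date      # date this generation was written

def check_3_2_1(copies):
    """Return a list of findings; an empty list means the copy set satisfies
    3-2-1 and at least one off-site copy is isolated from the network."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies (need 3)")
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append(f"all copies on one medium: {', '.join(sorted(media))}")
    offsite = [c for c in copies if c.offsite]
    if not offsite:
        findings.append("no off-site copy")
    elif not any(c.offline or c.worm for c in offsite):
        findings.append("no off-site copy is isolated (offline or WORM)")
    return findings

def clean_restore_point(copies, today, dwell_days):
    """Return the newest isolated copy written before the assumed ransomware
    dwell time began, or None if retention does not reach back that far."""
    isolated = [c for c in copies if c.offline or c.worm]
    candidates = [c for c in isolated if (today - c.taken).days > dwell_days]
    return max(candidates, key=lambda c: c.taken, default=None)

# Constructed sample inventory (assumption, not real data).
TODAY = date(2021, 3, 1)
INVENTORY = [
    BackupCopy("nas-daily", "disk", False, False, False, date(2021, 2, 28)),
    BackupCopy("cloud-sync", "cloud", True, False, False, date(2021, 2, 28)),
    BackupCopy("tape-weekly", "tape", True, True, True, date(2021, 2, 22)),
    BackupCopy("tape-monthly", "tape", True, True, True, date(2021, 2, 1)),
]

if __name__ == "__main__":
    print(check_3_2_1(INVENTORY[:2]))  # disk + cloud sync only: two findings
    print(check_3_2_1(INVENTORY))      # full set: no findings
    print(clean_restore_point(INVENTORY, TODAY, dwell_days=14))
```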
- Ensure backups are clean and robust
Ensuring backups are free of malware is hard, but organizations should do as much as they can to make sure their backups are not infected.
As well as strict air-gap policies – such as taking media offline as quickly as possible – up-to-date malware detection tools are essential, as is system patching.
For extra protection, companies should consider write once read many (WORM) media such as optical disks, or tape configured as WORM. Some suppliers now market WORM-format cloud storage.
Data access controls are a further safeguard. Using tools such as Windows 10 Controlled Folder Access and limiting user access to critical data stores can stop the spread of ransomware in the first place and add security to backups.
- Test and plan
All backup and recovery plans need to be tested. This is critical to calculate recovery times and to establish whether data can be recovered at all.
Using air-gapped, off-site media is best practice, but how long will it take to restore systems? Which systems are the priority for recovery? And will firms need separated, clean networks for recovery purposes?
Businesses should test all phases of the recovery plan, ideally using duplicate media. The worst scenario would be for a recovery exercise to contaminate existing, clean backups.
We are here to help if you need us to consistently verify backups or to implement a plan to keep your business running should an attack occur.