Backups are the last line of defense against ransomware attacks. It would be better if ransomware never found its way onto servers in the first place, but once it has, victims have only three options: accept that their data is gone for good, suffer the indignity of paying a ransom, or restore the servers from a backup.
In fact, even those who pay can’t guarantee that they will get their data back. Recent attacks have encrypted the data, taken the money, and run. There was no code in the malware capable of decrypting the data. That makes backups even more vital — it’s best to assume that a backup is the only way to save data from a ransomware attack.
But not all backups are good backups, and ransomware authors are creating more sophisticated software that is capable of finding local and remote backups and encrypting that data too. On many occasions, I’ve spoken to server hosting clients who keep backups of critical data on the same drive as their production data. At best, they keep it on another drive in the same machine.
A backup on the same disk might help if something goes awry with a production database. A backup on a second disk attached to the same server protects against the consequences of a drive failure. Neither protects against smart ransomware capable of combing through every drive on the machine.
What about a remote backup to a different server? It’s better than a local backup, but it won’t necessarily stymie sophisticated ransomware. If the backup volume is mounted on the local server’s file system, ransomware can find and encrypt it. It’s common to back up to network file servers, but if ransomware can find the volumes, the data is at risk.
The best solution is offsite backups to servers that don’t remain constantly connected to production servers. Backup servers should not be easily reachable from front-line servers and credentials for connecting to backup servers should not be easily discoverable.
It’s important to make sure that backups are comprehensive. Many of the victims of the Petya ransomware had backups of critical data. It would be grossly incompetent for them not to have planned for just such an emergency. But critical data may not be enough to get services up and running quickly. Comprehensive server backups that allow for a quick restoration of the data and its environment may have allowed victims to be up and running in hours, not days or weeks.
Once a solid off-site backup strategy is in place, it should be regularly tested. There are many reasons a backup might silently fail. The only way to know for sure that data is backed up and safe is to regularly check it and run test restores. The worst situation is to think you’re safe, only to find out that your backups don’t exist when you need them the most.
Backups are the best way to guarantee that ransomware doesn’t deprive your business of its data, but the only effective backups are remote, comprehensive, and up-to-date.