What are “Good Backups” when it comes to Ransomware?

I’ve been responding to multiple ransomware outbreaks for clients, and there’s something I’ve been noticing: having backups isn’t enough. They have to be “good,” and that deserves some explanation.

– A domain-joined system with a “backup” share isn’t going to cut it. Once an attacker holds domain credentials, that share is reachable with the same rights as every other share, and it will be encrypted along with everything else.

– An external drive that stays attached to the server for months at a time isn’t helpful either; to the ransomware it is just another mounted volume. We are seeing connected external drives regularly being encrypted. Cycling drives offsite weekly is still a great practice, and saved one small firm we worked with last week.

– A 1.3 TB cloud backup may take a week to download over a typical small-office connection, which may exceed your recovery time objective (RTO). Make sure you are also keeping a local, protected backup of your customer data. One client we worked with ended up paying the ransom rather than waiting for their cloud backup to be downloaded.

Some good backup options (using more than one is even better):

– Continuing the practice of regularly rotated, offsite physical media if you aren’t doing cloud backups. Media that is physically disconnected cannot be encrypted by anything running on the network.

– Having a NAS that is not joined to the domain, with its public and guest shares disabled, and creating only a single local backup user (with a complex password) on it that is used by nothing but the backup software. Because domain accounts have no standing on that NAS, a compromised account (even a domain admin) cannot reach the backup data; the one remaining exposure is the backup credential itself, so it must not be stored anywhere a domain account can read it. There are other ways to create this arrangement, but the key is having the backups be somewhere that a rogue account (even a domain admin) can’t reach. Lately we’re seeing hackers take more time to prepare an internal environment for thorough infection; many of these attacks are not automated!

– Separately doing a regular cloud sync of the primary file shares, so that individual folders can be retrieved as needed instead of an entire backup base image having to be downloaded. The sync must keep prior versions (for example, a versioned bucket) rather than a plain mirror; a mirror will faithfully replicate the encrypted files over your good copies.

– Having your backup software run on your non-domain-joined virtualization host, so that a compromised domain account can’t affect how the backups are being done or access the backup software that holds the credentials for your NAS or backup target.

– Having a NAS/BDR or backup target that can also sync to the cloud on its own, so the offsite copy does not depend on any domain-joined machine.

– Being disciplined and strict about correcting issues with backups immediately as they come up. A backup job that has been silently failing for three weeks is, at the moment you need it, no backup at all. If you have multiple people in your consulting firm, assign the person with the personality best suited to this sort of careful work. Doing this well could make or break your firm.
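The two points above that are easiest to automate are the restore-time check (will a full download of the cloud copy fit inside the RTO?) and the discipline check (is any target stale or failing right now?). The following is an added example of that kind of monitor, not code from the original post or from any of the products mentioned: it parses a constructed backup-job log in a made-up one-line-per-run format, tracks the last good copy and any failures since it for each target, and estimates the full-restore time of each target from an assumed line rate. The target names, log format, bandwidth figures and RPO/RTO defaults are all assumptions chosen for illustration.

```python
"""Backup health check: stale targets, failing jobs, and restore time vs. RTO.

Added example. The log format and the RESTORE_MBPS figures are assumptions;
they are not the output or the settings of any real backup product.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample log (one line per job run), not real product output.
# The USB rotation job never succeeds; the NAS job fails once after its last OK.
SAMPLE_LOG = """\
2020-03-02T01:05:00 target=nas-share job=hyperv-full status=OK size_gb=1300
2020-03-02T02:10:00 target=s3-sync job=fileshare-sync status=OK size_gb=420
2020-03-02T03:00:00 target=external-usb job=weekly-rotate status=FAIL error="device not present"
2020-03-03T01:05:00 target=nas-share job=hyperv-full status=OK size_gb=1310
2020-03-03T02:10:00 target=s3-sync job=fileshare-sync status=OK size_gb=425
2020-03-03T03:00:00 target=external-usb job=weekly-rotate status=FAIL error="device not present"
2020-03-03T13:05:00 target=nas-share job=hyperv-full status=FAIL error="share unreachable"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) target=(?P<target>\S+) job=(?P<job>\S+) '
    r'status=(?P<status>OK|FAIL)(?: size_gb=(?P<size>\d+))?(?: error="(?P<error>[^"]*)")?$'
)

# Assumed effective restore bandwidth per target, in Mbit/s. The 20 Mbit/s
# cloud figure is what turns a 1.3 TB download into roughly a week.
RESTORE_MBPS = {"nas-share": 1000, "s3-sync": 20, "external-usb": 400}
DEFAULT_MBPS = 20


@dataclass
class TargetState:
    last_ok: Optional[datetime] = None        # timestamp of the last successful run
    last_size_gb: int = 0                     # size of that successful copy
    failures_since_ok: list = field(default_factory=list)  # errors after last_ok


def parse_log(text: str) -> dict:
    """Fold the job log into one TargetState per backup target."""
    states: dict = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a job-result line; ignore
        st = states.setdefault(m["target"], TargetState())
        ts = datetime.fromisoformat(m["ts"])
        if m["status"] == "OK":
            st.last_ok = ts
            st.last_size_gb = int(m["size"] or 0)
            st.failures_since_ok.clear()  # a good copy supersedes earlier failures
        else:
            st.failures_since_ok.append(
                f"{ts.isoformat()} {m['job']}: {m['error'] or 'unknown error'}")
    return states


def restore_hours(size_gb: int, mbps: float) -> float:
    """Hours to pull size_gb over an mbps line (1 GB taken as 1024 MB)."""
    return size_gb * 8 * 1024 / mbps / 3600


def check_backups(states: dict, now_iso: str,
                  rpo_hours: float = 24.0, rto_hours: float = 24.0) -> list:
    """Return (target, code, detail) findings; an empty list means all is well."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    for target, st in sorted(states.items()):
        if st.last_ok is None:
            findings.append((target, "NEVER_SUCCEEDED", "; ".join(st.failures_since_ok)))
            continue
        age_h = (now - st.last_ok).total_seconds() / 3600
        if age_h > rpo_hours:
            findings.append((target, "STALE", f"last good copy is {age_h:.1f} h old"))
        if st.failures_since_ok:
            findings.append((target, "FAILING", st.failures_since_ok[-1]))
        hours = restore_hours(st.last_size_gb, RESTORE_MBPS.get(target, DEFAULT_MBPS))
        if hours > rto_hours:
            findings.append((target, "RTO_EXCEEDED",
                             f"full restore of {st.last_size_gb} GB takes about {hours:.1f} h"))
    return findings


if __name__ == "__main__":
    for target, code, detail in check_backups(parse_log(SAMPLE_LOG), "2020-03-03T20:00:00"):
        print(f"{target:14} {code:16} {detail}")
```

Run against the sample, the USB rotation is reported as never having succeeded, the NAS job as failing since its last good copy, and the cloud sync as unrestorable within a 24-hour RTO even though its copy is fresh; that last finding is exactly the case that drove the client above to pay. Each finding is something to act on the same day, not at the next monthly review.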

There are a lot of good products out there to help accomplish this kind of security. Lately I’ve been using one of two solutions: Altaro Ultimate running on Hyper-V hosts and backing up to a secured share on a Synology NAS, from which I’ve configured an additional cloud sync to Amazon S3 storage. Alternately (particularly if the client has usable server hardware they recently moved off of), I’m using eFolder’s Replibit BDR product, which runs on an open-source OS and synchronizes to an additional eFolder-hosted cloud vault.
