How to prevent ransomware and malware from infecting backups

Introduction

Ransomware and malware attacks are becoming increasingly common, making backups more important than ever. However, backups can also become infected if proper precautions are not taken. In this article, I will provide an in-depth guide on how to prevent ransomware and other malware from infecting your backups.

Keep backups disconnected from network

One of the most important things you can do is keep your backups physically disconnected from your network. Ransomware typically spreads through network connections, so maintaining an “air gap” between your backups and other systems is crucial.

Here are some ways to keep backups disconnected:

  • Use external hard drives – Store backup images on external hard drives that are only connected to the network when doing backups. Disconnect them immediately after.

  • Leverage cloud storage – Cloud backup services like AWS S3 Glacier allow you to store backup copies offline. Just be sure access keys are protected.

  • Utilize removable media – Tapes, DVDs, Blu-Ray discs all allow you to maintain offline copies of backups that can’t be reached through the network.

Maintaining offline backups makes it far less likely that malware can reach and infect them. Just be sure to scan backup media before restoration.

Implement proper backup privileges

Backup platforms should be configured to use a dedicated account whose privileges are limited to read-only access to data sources. Never back up data using an account with broad admin privileges.

This containment strategy limits what backups can access and helps prevent malware from exploiting backups to spread more widely. All major backup software supports configuring custom accounts and privileges.

Immunize backup platforms

The servers hosting backup software and repositories should be as hardened as possible against intrusion and malware:

  • Install only necessary software required for backups. Remove any other apps.

  • Disable unneeded services & ports to minimize attack surface.

  • Harden the OS through custom configuration and Group Policy.

  • Use antivirus, endpoint detection, and file integrity monitoring tools.

  • Employ strict file/folder permissions on repositories.

Treating backup platforms like production servers simplifies immunization against ransomware and malware.

Test backup recoverability

While regular backup jobs help create restore points, you should also routinely verify backup integrity and test actual recoverability.

Attempt to restore specific files, folders, and system states to a test environment. This will uncover any backup corruption before an outage.

Test disaster recovery plans by simulating emergency scenarios that force restoration from backups. Doing this annually at minimum is recommended.

Implement immutable backups

An emerging best practice is using immutable backups – snapshots that cannot be altered or deleted for a set period of time. This protects against malware trying to damage or encrypt backups.

Object storage platforms like S3 Glacier, as well as newer backup tools, offer this capability. For example, Veeam has its immutable repository feature.

Immutable backups provide an added layer of protection against ransomware compromise. Just be sure to have multiple snapshots so malware can’t delete everything.

Conclusion

Protecting backups from ransomware and malware requires layers of precautions around disconnected storage, access controls, platform security, recoverability testing, and immutability.

Following these best practices will ensure your backups remain a trusted, viable recovery asset even in the face of active attacks. Take steps to harden your backup infrastructure today.
