Ransomware: Will your backup protect you?

Time to resurrect some old disciplines

Published/updated: June 2017

By Bryan Betts

If there is one thing that the recent ransomware epidemic should do itís to focus attention on backup, and in particular on the kind of backup that was once synonymous with the term, but which has gone a bit out of fashion lately. Iím talking about the kind of backup where you take the tape out each evening. Whether itís just in the IT managerís car boot or locked in a vault inside a mountain somewhere, the key thing is that itís off-site, and is air-gapped from your systems.

Now, Iím not saying we need to go back to exactly that process Ė although if you never moved away from it, you might be feeling a bit smug now Ė but we do need something that is equally air-gapped. This matters because the cleverest modern ransomware doesnít just encrypt your primary files, it reaches out to your network shares and encrypts those too. If it can get to your cloud folders and your backups, it will try to encrypt those too. So the only backup you can rely on is one that was not online at the time of the attack.

There are exceptions: for instance, if you use a cloud storage provider they may be able to recover old versions of your files. And thereís those companies which specialise in archiving and write-once backups. This kind of technology exists in part because there are regulated industries which must be able to demonstrate that their backups have not been tampered with or rewritten, but a write-once backup could also be just what you need to recover from a ransomware infection.

And of course you need to try to keep ransomware out of your network in the first place. That might mean subscribing to an anti-phishing service, because phishing is one of the infection vectors, or using network behaviour analysis to watch for the tell-tale signs of an infection spreading. But while those might alert you to the attack, by then thereís a fair chance some systems will already have been encrypted, so youíll need backups too.

Oh, and when you restore, donít forget to scan the backup for malware. The last thing you want is to restore the ransomware for someone to activate all over again!

Featured Content