If there is one thing that the recent ransomware epidemic should do, it’s to focus attention on backup, and in particular on the kind of backup that was once synonymous with the term, but which has gone a bit out of fashion lately. I’m talking about the kind of backup where you take the tape out each evening. Whether it’s just in the IT manager’s car boot or locked in a vault inside a mountain somewhere, the key thing is that it’s off-site, and is air-gapped from your systems.
Now, I’m not saying we need to go back to exactly that process – although if you never moved away from it, you might be feeling a bit smug now – but we do need something that is equally air-gapped. This matters because the cleverest modern ransomware doesn’t just encrypt your primary files, it reaches out to your network shares and encrypts those too. If it can get to your cloud folders and your backups, it will try to encrypt those too. So the only backup you can rely on is one that was not online at the time of the attack.
There are exceptions: for instance, if you use a cloud storage provider, they may be able to recover old versions of your files. And there are those companies which specialise in archiving and write-once backups. This kind of technology exists in part because there are regulated industries which must be able to demonstrate that their backups have not been tampered with or rewritten, but a write-once backup could also be just what you need to recover from a ransomware infection.
And of course you need to try to keep ransomware out of your network in the first place. That might mean subscribing to an anti-phishing service, because phishing is one of the infection vectors, or using network behaviour analysis to watch for the tell-tale signs of an infection spreading. But while those might alert you to the attack, by then there’s a fair chance some systems will already have been encrypted, so you’ll need backups too.
Oh, and when you restore, don’t forget to scan the backup for malware. The last thing you want is to restore the ransomware for someone to activate all over again!
Bryan is a technology enthusiast and industry veteran. He has been analysing, explaining and writing about IT and business in a highly engaging manner for around three decades. His experience spans the early days of minicomputers and PC technology, through the emergence of cellular data and smart mobile devices, to the latest developments of the software-defined age in which we all live today. Over his career, Bryan has seen at first-hand how IT changes the world – and how the world changes IT – and he brings that extensive insight to his role as an industry analyst.