If there is one thing that the recent ransomware epidemic should do, it’s to focus attention on backup, and in particular on the kind of backup that was once synonymous with the term but which has gone a bit out of fashion lately. I’m talking about the kind of backup where you take the tape out each evening. Whether it’s just in the IT manager’s car boot or locked in a vault inside a mountain somewhere, the key thing is that it’s off-site and air-gapped from your systems.
Now, I’m not saying we need to go back to exactly that process – although if you never moved away from it, you might be feeling a bit smug now – but we do need something that is equally air-gapped. This matters because the cleverest modern ransomware doesn’t just encrypt your primary files, it reaches out to your network shares and encrypts those too. If it can get to your cloud folders and your backups, it will try to encrypt those too. So the only backup you can rely on is one that was not online at the time of the attack.
There are exceptions: for instance, if you use a cloud storage provider they may be able to recover old versions of your files. And there are those companies which specialise in archiving and write-once backups. This kind of technology exists in part because there are regulated industries which must be able to demonstrate that their backups have not been tampered with or rewritten, but a write-once backup could also be just what you need to recover from a ransomware infection.
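The tamper-evidence that write-once backups give regulated industries can be approximated cheaply for any backup set: hash every file when the copy is taken, MAC the manifest, and keep manifest and key with the off-site copy, so a restored set can be checked before it goes back into service. The script below is an added illustration, not code from the original post; the backup set, key and file names are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import tempfile

def hash_file(path):
    with open(path, "rb") as f:  # reads whole file; chunk this for large files
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(root, key):
    """Hash every file under root; MAC the manifest so it is itself tamper-evident."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root)] = hash_file(full)
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_backup(root, manifest, key):
    """Compare a restored copy against the manifest; return (ok, list of problems)."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), manifest["tag"]):
        return False, ["manifest tag mismatch: the manifest itself was altered"]
    current = build_manifest(root, key)["entries"]
    problems = []
    for rel, digest in manifest["entries"].items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"changed: {rel}")
    problems += [f"unexpected: {rel}" for rel in current if rel not in manifest["entries"]]
    return not problems, problems

def write(root, name, data):
    with open(os.path.join(root, name), "wb") as f:
        f.write(data)

def demo():
    key = b"constructed-demo-key"  # in practice kept with the off-site copy, not on the server
    root = tempfile.mkdtemp()  # constructed sample backup set
    write(root, "ledger.csv", b"2024-01-01,100\n")
    manifest = build_manifest(root, key)
    ok_before = verify_backup(root, manifest, key)[0]
    # Simulate a copy that was rewritten after the manifest was taken, plus a dropped note file
    write(root, "ledger.csv", b"\x00not the original")
    write(root, "README_DECRYPT.txt", b"...")
    ok_after, problems = verify_backup(root, manifest, key)
    return ok_before, ok_after, sorted(problems)
```

A clean restore verifies; the rewritten file and the stray note file are both reported, which is the signal to reach for an older, offline copy instead.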
And of course you need to try to keep ransomware out of your network in the first place. That might mean subscribing to an anti-phishing service, because phishing is one of the infection vectors, or using network behaviour analysis to watch for the tell-tale signs of an infection spreading. But while those might alert you to the attack, by then there’s a fair chance some systems will already have been encrypted, so you’ll need backups too.
Oh, and when you restore, don’t forget to scan the backup for malware. The last thing you want is to restore the ransomware for someone to activate all over again!