Get in Touch


Protecting backups from ransomware is as easy as 3-2-1

Published 4th May, 2022

Ransomware attackers will attempt to locate your backups, steal the data from them, and then delete them. If you can prevent this, you can recover from an attack without giving in to blackmail.

Other News

Ransomware has been a red-hot problem for some time now. As they usually do with important events, ransomware attackers have been setting traps using the COVID-19 pandemic as a lure. That makes this a time for special alertness and a review of whether existing procedures are adequate enough to prevent or mitigate an attack.

Backing up your data is a key part of the defense against ransomware and other malware. If the backups are wiped out by ransomware, this defense is rendered useless. Ransomware attackers often try to find and delete or encrypt backups, many of which are accessible through compromised accounts. The loss of backups, even just recent backups, makes an attack a much more costly event and limits your ability to resist the attacker. What are practical ways to ensure this does not happen?

As with most security precautions, there is no 100% guaranteed way to protect your backups. But by following best practices, you can significantly increase your chances of being able to use backups for recovery from the attack with minimal losses of time and business. Having backups available won’t remove the need for an organized response to the attack run by incident response professionals, but it will make the recovery process quicker and easier.

The best backup practices can involve nontrivial cost and diligence by IT personnel. The methods used, mostly involving the 3-2-1 rule, are the right way to protect your organization—not just from ransomware but from myriad other problems that over the years have brought companies to their knees and ruined careers. But, even if you’re not going to go to the lengths you should in backup, there are actions you can take to lessen the vulnerability of your backups in the event of an attack.

Follow the 3-2-1 rule of backup

The 3-2-1 rule of backups:

  • Three copies of the data are backed up
  • Two different storage media are used for the backup
  • One copy of the data is kept off site

The goal of the 3-2-1 rule is to increase the chances that a backup will be available. Keeping a copy remote protects you even in case of a fire or natural disaster. Backup strategists keep adding numbers to make corollaries of the rule. For instance, to find out what the 3-2-1-1-0 rule is, read this Vembu blog.

Enterprise backup software is generally designed to facilitate this approach as a best practice. Typically, one copy will be kept on an on-site storage device like a deduplicating backup appliance or high-density disk storage system. At least one of the others is written to an off-site deduplicating backup appliance or tape. But a cloud storage service is a candidate for one of the copies as well.

A good data protection setup will set the backup frequency, retention, and number of copies in relation to the value of the data, as not all organizational data has the same value. You really need to think the strategy through with respect to your own organization’s needs and capabilities, not to mention regulatory requirements. For some data, a 3-2-1+1 rule may be appropriate (regular 3-2-1, plus one copy offline). For others, a 2+1 (2 copies, one offline) rule may suffice.

Other rules follow from the 3-2-1 rule and from common sense: An on-site copy should be available for quick, operational recoveries. It should be in separate hardware so that it can’t be taken down by a problem in the devices it is backing up. The second copy doesn’t need to be as instantly accessible, but it should be available if needed.

Historically, the off-site copy has been a tape made on site and shipped to another location, probably a tape vaulting service like Iron Mountain. (Of course, you can archive non-tape media, or even paper, with such services.) A large enough company might use remote company facilities for this purpose.

The many problems with physical tapes stored off site—they get lost, they degrade from improper storage, and they are (deliberately) inconvenient—has led many companies to switch to disk storage or a cloud storage service as the off-site option.

One of the critical characteristics of the one off-site backup in the 3-2-1 rule above is that it is also, or at least should be, offline. This makes it inaccessible to the attacker. But the benefits of being offline mean that cloud storage isn’t necessarily appropriate for the off-site copy. If the attacker, through stolen credentials, can gain privileges sufficient to delete cloud storage, the whole point of off-site storage is lost.

One possible barrier you could place in the way of attackers attempting to reach your cloud-based backup is to use unique credentials, not from your company network, along with a separate second authentication factor to access and manage the backups. Even if the attacker completely compromises your network, the cloud backups may still be protected. Backup software vendor Veeam specifically recommends using different credentials for backup repositories in a paper about protecting backups from ransomware.

In fact, you need to be specifically careful with cloud backups, because ransomware attackers will use them to steal your data before they lock your data and blackmail you. This story tells of a victim whose online backups were compromised because their Active Directory was compromised and the service was set up to use Windows authentication. Because you are sure to back up your most sensitive data, the attacker is sure to have it. Preserving the backups is not your only big problem. The ways to prevent this situation are discussed below.

The same Veeam paper makes another recommendation that would tend to smooth the process of recovery from ransomware: Make backups more frequent and back up more types of things, like virtual machines.

But, for the most part, backups are just for data. If you only ever write data to them, you should be safe restoring them. If you are also backing up executable code, which theoretically could even be a Microsoft Office macro, then the backups themselves are compromised if the attacker infects your network and waits long enough before springing the trap. The answer to this problem is that you need to work with professional security people during the incident recovery, where your backups will be malware-scanned and otherwise scrutinized before being restored. They need to determine when the attacker gained control and to treat network data accordingly as of that point.

It is important to note that there’s a difference between what is possible for the attacker, with enough time and privilege, and what is typically done. Consider this detailed description of Ryuk, one of the most prevalent and successful ransomware strains. It attempts to stop backup processes and then delete backups available in the Windows file space. Here’s an example command:

del /s /f /q h:\*.VHD h:\*.bac h:\*.bak h:\*.wbcat h:\*.bkf h:\Backup*.* h:\backup*.* h:\*.set h:\*.win h:\*.dsk

Ryuk also attempts to shut down Windows volume shadow copying and delete all the copies. It does not seek out high-end backup servers and tape drives in an attempt to delete them. But a sophisticated attacker could.

Prevent the attack

There are a small number of ways ransomware attackers get a foothold in your network: phishing for credentials, running malware to gain access, and connecting through unsecured RDP ports, which may be the most popular one.

These methods point to a series of well-understood best practices, including but not limited to:

  • Apply security updates to software promptly.
  • Use role-based authentication and apply least-privilege rules to these roles.
  • Enforce strong authentication rules, including two-factor authentication.
  • Run updated malware scanning software, intrusion detection, firewalls, and other standard security products.
  • Use an SIEM (security information and event management) solution to keep up with developments on your network.
  • Lock down services (such as RDP) where they are not necessary, and enforce authentication for them where they are necessary.

You can find a lot of good advice along these lines in this HPE white paper: Protect your Windows SMB file infrastructure from ransomware

Use defense-in-depth

The defense-in-depth principle is that no one failure of a security measure should result in a security breach. The advice above is full of defense-in-depth: The 3-2-1 backup rule is designed to protect data even if there is a hardware failure, even if there is a local security breach, even if there is a fire or natural disaster. Strong authentication and malware scanning and locking down services all are, in part, different ways of protecting against the same sorts of attacks.

For a security professional, defense-in-depth is a philosophy that should pervade the IT infrastructure. Some security measures inevitably will be loosened in the name of usability, but you should always take advantage of opportunities to secure your network and users. Consider examining your network and applications in light of the OWASP Top 10, a list of the most common and serious vulnerabilities.

Use smart software

The most sophisticated backup products are more than just storage devices. They are intelligent systems that provide new ways to notice that something is wrong. For instance, they often will compress or deduplicate data being backed up. If the data is encrypted, it cannot be compressed or deduplicated, and this will be apparent in the backup results. Smart server monitoring software may notice the same thing.

There are other advanced capabilities of high-end backup devices that serve to impede the work of ransomware attackers. Some can mark backup data as immutable, meaning it cannot be deleted or modified, at least not until conditions set by policy are met, such as a certain date having passed. Some separate the actual storage interface in a controller with a private interface.

As a general rule, ransomware attacks are mass attacks, targeting common and relatively soft implementations. Sophisticated targets with astute administrators are a less attractive target for them.

Think comprehensively

Protecting backups is just one of the ways you have to plan to prevent a ransomware disaster. Obviously, knowing that you have a good plan to protect backups is no reason to take the other protective measures lightly. Better the attacker doesn’t get past your perimeter, doesn’t steal credentials, and doesn’t execute malware on your systems.

If you fail to stop the attacker from gaining entry, fail to prevent them from encrypting your data, and fail to prevent them from killing your backups, you’ve failed. With the right knowledge and resources, you can succeed.

Protecting backups from ransomware: Lessons for leaders

  • Commit to an aggressive backup plan, following the 3-2-1 rule.
  • Use separate credentials for cloud-based backups.
  • Use smart, modern products for a thorough and secure backup plan.
  • Consider backing up using a protocol which is hard for malware to access.