If you lose your data because of a system failure or a ransomware attack, or because a malicious person corrupts it, your backups are critical for recovery. However, if your backups have also been corrupted, you may never be able to regain your data.

Any U of T department or faculty can use UTORrecover, a professionally managed backup solution provided by Information Technology Services.

Researchers / individuals.

  • Make sure you take backups and store the backups where they are protected from access by others. This prevents others from corrupting your backups.
  • If nothing else, back up to an external hard drive or memory stick. Remember to protect the drive / memory stick by locking it securely away.
  • Decide how often to take a backup based on how much data you are willing to lose.
  • Keep several points in time or versions of your backups.
  • Longer term, work with your divisional IT staff on backup solutions.

 

The rest of this page discusses ransomware resilient backups in depth, mostly for a technical audience.

Backups do not prevent ransomware events but are critical for recovery after an event.

  1. If you have never tried to recover from backup, you do not have backups!
  2. If your backups are not resilient to ransomware, you do not have backups!

Ransomware attackers are successful if they can both encrypt your data and corrupt your backups. At that point, the only way to recover is to pay the ransom.

  1. If you suffer an event, you need to recover from a backup taken before the system was compromised.

Attackers may stay resident undetected for long periods while they prepare, and during this time, any new backups are likely to contain malware.

  • Keep ransomware resilient copies (offline, or well protected) for extended periods of time. These clean copies are the key to recovery.
  • Ensure you recover from a protected backup that was taken before the system was first compromised.

Guidance

Ideally you run a modern backup infrastructure that includes, as per a Gartner report:

  • Isolated recovery capability
  • Immutability
  • Air gap technology
  • Instant recovery capability
  • Ransomware detection capability
  • Automated data restoration and deployment capabilities

If you run your own backups:

  • Ensure data is recoverable by following 3-2-1 backup best practices:
    • 3 copies of data
      • 1 primary working copy
      • 2 backups
    • 2 physical locations
      • 1 backup must be on a separate system, preferably at a different location
      • The system at the different location should:
        • Not be accessible with credentials from the production systems. (Use a pull to copy the backup, so the backup system fetches the data rather than production pushing it.)
        • Not be accessible directly from the internet
        • Use different credential sets so the production systems
    • 1 offsite/offline
  • Perform frequent backups
    • Plan the frequency of full backups so that you can recover from an event.
  • Retain copies that are protected from change for extended periods.
    • Does your current plan allow you to recover if a server was compromised for months?
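
The two retention questions above (is there a protected backup taken before the system was first compromised, and would the plan still work after a compromise lasting months) can be checked against a backup catalogue. The following Python is an added example, not part of UTORrecover or any backup product; the catalogue layout, the location names and all dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass(frozen=True)
class Backup:
    taken: datetime   # when the backup was taken
    location: str     # where the copy lives (names below are hypothetical)
    protected: bool   # offline or immutable: production credentials cannot change it

def clean_restore_point(catalog: List[Backup], first_compromise: datetime,
                        margin: timedelta = timedelta(0)) -> Optional[Backup]:
    """Newest protected backup taken before the system was first compromised.

    `margin` moves the cut-off earlier when the compromise date is only an estimate.
    Unprotected copies are ignored: an attacker with production access could have
    corrupted them.
    """
    cutoff = first_compromise - margin
    candidates = [b for b in catalog if b.protected and b.taken < cutoff]
    return max(candidates, key=lambda b: b.taken, default=None)

def survives_dwell(catalog: List[Backup], now: datetime, dwell: timedelta) -> bool:
    """Could we still recover if the attacker had been resident for `dwell`?"""
    return clean_restore_point(catalog, now - dwell) is not None

def data_loss(catalog: List[Backup], first_compromise: datetime,
              now: datetime) -> Optional[timedelta]:
    """Work lost by restoring the clean point, or None if no clean point exists."""
    point = clean_restore_point(catalog, first_compromise)
    return None if point is None else now - point.taken

# Constructed catalogue: 14 daily copies on a NAS reachable from production,
# plus 6 monthly copies kept offline.
NOW = datetime(2024, 6, 30)
DAILY = [Backup(NOW - timedelta(days=d), "onsite-nas", False) for d in range(14)]
MONTHLY = [Backup(datetime(2024, m, 1), "offline-vault", True) for m in range(1, 7)]
CATALOG = DAILY + MONTHLY

if __name__ == "__main__":
    compromised = datetime(2024, 4, 10)   # constructed first-compromise estimate
    print(clean_restore_point(CATALOG, compromised))
    print("data lost:", data_loss(CATALOG, compromised, NOW))
    print("survives 90-day dwell:", survives_dwell(CATALOG, NOW, timedelta(days=90)))
    print("dailies alone:", clean_restore_point(DAILY, compromised))
```

With only the 14 daily copies, no clean restore point exists for this compromise date; the offline monthly copies are what make recovery possible, at the cost of the work done since the restore point.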

If you use a cloud service:

  • Make sure you understand its limitations.
  • Make sure the service meets requirements for ransomware resilient backups.