Backups do not prevent ransomware events but are critical for recovery after an event.
- If you have never tried to recover from backup, you do not have backups!
- If your backups are not resilient to ransomware, you do not have backups!
Ransomware attackers are successful if they can both encrypt your data and corrupt your backups. At that point, the only way to recover is to pay the ransom.
- If you suffer an event, you need to recover from a backup taken before the system was compromised.
Attackers may stay resident undetected for long periods while they prepare, and during this time, any new backups are likely to contain malware.
- Keep ransomware resilient copies (offline, or well protected) for extended periods of time. These clean copies are the key to recovery.
- Ensure you recover from a protected backup that was taken before the system was first compromised.
Ideally you run a modern backup infrastructure that includes, as per a Gartner report:
- Isolated recovery capability
- Air gap technology
- Instant recovery capability
- Ransomware detection capability
- Automated data restoration and deployment capabilities
If you run your own backups:
- Ensure data is recoverable by following 3-2-1 backup best practices:
- 3 copies of data
- 1 primary working copy
- 2 backups
- 2 physical locations
- 1 backup must be on separate system preferably at a different location
- The system at the different location should
- Not be accessible from credentials on the production systems. (Use a pull to copy the backup).
- Not be accessible directly from the internet
- Use different credential sets so the productions systems
- 1 offsite/offline,
- 3 copies of data
- Perform frequent backups
- Plan the frequency of full backups so that you can recover from an event.
- Retain copies that are protected from change for extended periods.
- Does your current plan allow you to recover if a server was compromised for months?
If you use a cloud service
- Make sure you understand limitations
- Make sure the service meets requirements for ransomware resilient backups.