
Ransomware Backup Strategy


Why You Need a Backup Strategy

Prior to 2019, reliable backups combined with a good disaster recovery (DR) plan could get most organizations through a ransomware attack that they failed to detect. The recovery process might take a while, but most data would be restored and there would be no reason to pay the ransomware actor. With the advent of ransomware actors’ extortion strategy, reliable backups are no longer enough. Instead, a good backup strategy is only one component of preparation for a ransomware attack.
Although good backups are no longer enough as a defensive strategy against a ransomware attack, they’re still critical to the ransomware recovery process. Reliable and well-tested backups give a ransomware victim options. With no backups, or backups that can’t be restored, most organizations have very few options for recovery. In contrast, if an organization has confidence in its ability to restore from backups, it’s empowered to make a more nuanced decision. The organization won’t necessarily need to pay to decrypt files, so it must determine the sensitivity of the data exfiltrated by the ransomware actor.
Ransomware victims need every advantage they can get during ransomware recovery and negotiation with ransomware groups. Reliable and tested backups are one such advantage.

Developing Ransomware-Resistant Backups

One ransomware story that’s heard over and over again is that a ransomware actor managed to encrypt or outright destroy backups during a ransomware attack. Ransomware groups want to make restoring from backup difficult, if not impossible, for victims, so they seek out backups and, through whatever means, make sure the backups are unusable.

The advice usually given by security experts is to ensure that backups are “stored offline.” This advice is often met with blank stares, as many people don’t understand what that means. Broadly speaking, offline backups are backups that aren’t connected to the network.
These could be backups stored on:
Tape
A DR network
A cloud provider
An offline backup storage facility (such as Iron Mountain)
A few other formats are also not readily accessible from the network. The goal is to make it difficult for ransomware actors to access the backup system to encrypt or destroy the files.
[Diagram: A backup network design with offline storage]

One way to create offline backups is shown in the diagram above. Backups from physical and virtual servers are sent to a disk-based backup server, which then copies the backups to tape, creating onsite offline backups. In addition, periodic backups are made to a cloud backup provider. Not only does the cloud provider meet the traditional definition of “offline” when discussing backups, but it’s also not directly connected to the network, making it difficult for even advanced ransomware actors to gain access.
A number of other precautions also have been taken in the design shown in the diagram. The backup systems have been isolated in their own VLAN, so they're not easily accessible from the rest of the network. The backup servers are also behind an internal firewall, which restricts who and which software can access the backup servers. With the firewall in place, the security team can restrict access to the backup servers to only the ports needed by the backup software and even limit administrative access when managing these systems just to IP addresses in the administrative VLAN.
Finally, the external firewall between the on-premises and cloud backup solutions can limit what traffic can be sent to the cloud backup provider and which systems are able to administer the cloud solution.

3-2-1

If the diagram above seems excessive, it really isn’t. It’s one of the ways that an organization can follow the 3-2-1 rule. The 3-2-1 rule for backups is:
Three copies of backed up data
Stored on at least two different media types
One of the copies is offsite

The reason for the emphasis on storing three copies of backed up data is that it creates more redundancy for backups. Having three sets of backup data makes it less likely a ransomware actor will be able to encrypt all of the organization’s backups. Of course, having three copies protects against more than just ransomware, but ransomware attacks are the focus here.

Naturally, three copies of backed up data all residing on the same backup server don’t offer any additional protection. Therefore, the backups need to be stored on different media. In the diagram above, backups are sent to a backup server and a subsequent copy is sent to the tape drive. Although some backup professionals don’t like tape backups as an alternative to drives, no ransomware group has figured out how to encrypt or delete files backed up to tape, especially tape that’s not in the loader (in other words, truly offline). Tape backup plus a backup file server is just one way to diversify media types.
Finally, ensure at least one of the three copies is stored offsite. It’s possible that a ransomware actor will figure out how to access both copies of backups stored on the local network, but it’s unlikely they’ll be able to access a properly protected offsite storage facility. Whether that third option is a cloud data center provider or a storage facility such as Iron Mountain, organizations want to make sure the offsite backup storage isn’t easily reachable by a ransomware actor.
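The 3-2-1 rule can be checked mechanically against a backup inventory. The following is an added example, not code from the original page: the inventory, server names and location names are constructed, and copies that share a location are counted once, since copies on the same backup server offer no additional protection.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:
    system: str    # server whose data this copy holds
    location: str  # host, vault or provider where the copy is stored
    media: str     # e.g. "disk", "tape", "cloud"
    offsite: bool

def audit_321(copies):
    """Return {system: [violations]}; an empty list means 3-2-1 is met."""
    by_system = defaultdict(list)
    for c in copies:
        by_system[c.system].append(c)
    report = {}
    for system, held in by_system.items():
        problems = []
        # Copies in one location are lost together, so count distinct locations.
        if len({c.location for c in held}) < 3:
            problems.append("fewer than three independent copies")
        if len({c.media for c in held}) < 2:
            problems.append("fewer than two media types")
        if not any(c.offsite for c in held):
            problems.append("no offsite copy")
        report[system] = problems
    return report

# Constructed inventory; all names are illustrative.
INVENTORY = [
    BackupCopy("db01", "backup-server", "disk", False),
    BackupCopy("db01", "tape-vault", "tape", False),
    BackupCopy("db01", "cloud-backup", "cloud", True),
    # Three copies on the same backup server: one location, one media type.
    BackupCopy("file01", "backup-server", "disk", False),
    BackupCopy("file01", "backup-server", "disk", False),
    BackupCopy("file01", "backup-server", "disk", False),
    # Three locations, one of them offsite, but every copy is on disk.
    BackupCopy("web01", "backup-server", "disk", False),
    BackupCopy("web01", "nas-02", "disk", False),
    BackupCopy("web01", "dr-site", "disk", True),
]

if __name__ == "__main__":
    for system, problems in audit_321(INVENTORY).items():
        print(system, "OK" if not problems else "; ".join(problems))
```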

Gold Images

In addition to storing backups of data, organizations also need to store “gold images” of all their critical servers. Gold images are preconfigured versions of the operating system and all installed applications on those servers. Having these gold images in place allows organizations to quickly rebuild systems in the event of a ransomware attack (or other disaster).

But, of course, as IR and DR plans change, ...

Gold images allow organizations to reinstall all the software on a server, then simply restore from backup any data compromised during the ransomware attack. This precaution also helps DR teams move through the restoration process a lot faster, because they don’t have to install the OS and necessary software for every critical server.
In order for gold images to work effectively, they have to be properly maintained and installed on the same hardware on which the image was created. “Properly maintained” means that as your IT team updates the OS and different applications, it has to make a new gold image so that it’s always current. Moreover, making an image on one set of hardware and then installing the image on another is going to cause problems with drivers and components.
Organizations should plan on keeping identical spare versions of their most critical servers. Then, during a ransomware attack, the gold image can be installed on the spare server and the data backed up onto that. Gold images should be stored offline, to reduce the risk of those images being encrypted during a ransomware attack.

Immutable Cloud Backups

It’s not enough to simply back up important data to the cloud; the data should also be copied to a cloud backup provider. Cloud storage providers generally don’t have the same protections in place that a cloud backup provider has (though some cloud providers have started offering some of these features for an additional cost). 
Some of the advantages of cloud backup providers include:
Versioning
The ability to leave the file structure in place
Scheduling
More encryption options for file transfer
Immutability

Immutability is the ability to lock a filesystem so that no one, not even an administrator, can make changes to the files. While this is available for a variety of media types—tape backups can be made immutable—the feature is currently most common with cloud backup solutions.
Immutability gives IT and security teams assurance that the backups won’t be touched. Immutable file storage isn’t a good option for the initial resting point for the backed-up data, because that backup solution is often used for day-to-day restoration and may change more frequently. But if you’re making more intermittent copies—for example, weekly full backups to your cloud backup provider—an immutable solution adds resiliency to the backup solution and serves as an additional layer of protection against ransomware.

Testing Backups with Ransomware in Mind

The "Creating Disaster Recovery and Incident Response Plans" page introduces the concepts of Recovery Point Objective (RPO), Recovery Point Actual (RPA), Recovery Time Objective (RTO), and Recovery Time Actual (RTA). These terms, briefly, measure how much data an organization is willing to lose and how quickly managers expect to recover during a ransomware attack.
These measurements are largely determined by the backup program in place and really pose two questions:
How often is data being backed up?
How quickly can lost data be restored?

Measuring the answer to these questions is harder than it might seem at first, but those answers are necessary to properly build out a DR plan. For example, let’s say that backups are conducted hourly. That means that an organization should never lose more than an hour of data, correct? Not necessarily. Let’s say it takes four hours to back up a server. That means you could lose as much as five hours of data, depending on where in the backup cycle the ransomware infects the server.
[Diagram: Backup decision tree]

You also have to consider the sources of the backups, as shown in the diagram above. Ideally, the backups are pulled from the backup server, but what happens when the ransomware actor manages to encrypt the backup server? The next logical choice would be to pull the backup from the tape drive, but what if the tape is corrupted and no one noticed? If that fails, the restoration has to come from the cloud backup provider, but the organization isn’t backing up to the cloud provider hourly, just a few times a week.
Therefore, if the ransomware actor is successful or part of the process fails, the DR team has gone from being able to restore the server with only an hour or so worth of lost data to a week’s worth of lost data. All of these possibilities should be documented ahead of time so the DR team can offer an honest assessment of how much data will be lost during the recovery process.
The diagram above highlights another potential problem: determining how quickly data can be restored. The DR plan might include a recovery time that assumes the DR team will be able to restore from the local backup server. If that’s encrypted, the team has to rely on restoring from tape backup or the cloud provider. The geographic location of the backup likely affects the recovery time, and all times should be documented for the same reason that variations in the amount of lost data need to be documented: to provide an accurate assessment of the recovery time, not just for that server, but for the entire network.
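The fallback reasoning in this section can be documented as a small calculation of RPA and RTA for whichever backup source is still usable. This is an added example, not code from the original page: the tier intervals, throughputs, server names and sizes are constructed, and it assumes systems restored together share the throughput measured in a full-restore test.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tier:
    name: str
    interval_h: float        # hours between backup starts
    duration_h: float        # hours one backup run takes to finish
    restore_gb_per_h: float  # throughput measured during a full-restore test

    def worst_case_loss_h(self) -> float:
        # Worst case: the attack hits just before a run completes, so the newest
        # complete copy reflects data from interval + duration hours ago.
        return self.interval_h + self.duration_h

    def restore_h(self, total_gb: float) -> float:
        # Assumption: systems restored together share this tier's throughput.
        return total_gb / self.restore_gb_per_h

# Constructed figures, listed in fallback order; replace with measured values.
TIERS = [
    Tier("backup server", interval_h=1, duration_h=4, restore_gb_per_h=500),
    Tier("tape", interval_h=24, duration_h=6, restore_gb_per_h=200),
    Tier("cloud provider", interval_h=84, duration_h=12, restore_gb_per_h=50),
]
SYSTEMS_GB = {"db01": 400, "file01": 350, "app01": 250}  # constructed sizes

def outlook(tiers, unusable, systems_gb, rpo_h, rto_h):
    """RPA/RTA for the first tier that is still usable, checked against RPO/RTO."""
    total_gb = sum(systems_gb.values())
    for tier in tiers:
        if tier.name in unusable:
            continue
        rpa, rta = tier.worst_case_loss_h(), tier.restore_h(total_gb)
        return {"source": tier.name, "rpa_h": rpa, "rta_h": rta,
                "meets_rpo": rpa <= rpo_h, "meets_rto": rta <= rto_h}
    return None  # every tier failed: nothing to restore from

if __name__ == "__main__":
    failed = set()
    for tier in TIERS:  # fail the tiers one by one, as in the decision tree
        print(outlook(TIERS, failed, SYSTEMS_GB, rpo_h=6, rto_h=8))
        failed.add(tier.name)
```

With the hourly backup that takes four hours, the first tier reports the five-hour worst case described above; each fallback tier then shows how far the loss and the recovery time drift from the stated objectives.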


Restoring from Backup After a Ransomware Attack

We go into detail about backup restoration after a ransomware attack on other pages on this site. But it’s never too early to start planning recovery. In fact, one challenge that some DR teams run into is that backup processes that everyone thought were in place actually weren’t.
Organizations need to test backups on a regular basis. These tests need to have three components:
Test from all backup sources—if the first two fail, it’s important to know that the third works
Don’t just test by restoring a single file; conduct a full recovery
Test the restoration of multiple systems at once, to see how much bandwidth and processing power the DR team will be able to count on from the backup system

When conducting a full recovery, use spare hardware and start by installing from the gold image to make sure the operating system and applications load properly. Then conduct a full restore of the server and test it thoroughly to ensure everything works properly. Try the same test on several servers simultaneously. This serves as a stress test for both the backup software and the DR team.

Once the restoration process is complete, fully document everything and add it to the DR plan. Notes from these tests will prove invaluable during an actual ransomware attack and help the DR process run more smoothly.
Once again, good backups that are regularly tested are not protection from a ransomware attack. Instead, they serve as an insurance policy: They give an organization some choices after a ransomware attack. The organization can restore files from backup, or they can pay the ransom (though that’s not advised). The point is that, outside of extortion based on exfiltrated files, the organization has the power to decide because they have confidence they can restore from backup.

What Do We Mean by Spare?

Normally when you think of a spare computer you think of an old system lying around in a storeroom somewhere. In this case, spare means an extra server that has the same specification as the encrypted system.
It’s not uncommon for organizations to purchase spare systems when they order servers, for use in the event of a catastrophic hardware failure. In this case, you would be using the spare server to replace the one infected with ransomware.

This site is adapted from a book on Ransomware. 