Backup strategies against ransomware

May 14, 2017

A big ransomware campaign is raging on the Internet. Updating your computer regularly, and blocking unneeded ports, are a good first line of defence. Backups are an essential second line of defence. However, if you do make backups (and that's unfortunately a big if), you are more than likely doing it wrong, making your backups useless in case you are hit by ransomware yourself.

Why? Most people that make backups let their computer do it automatically for them. Typically they use a USB hard drive or a network drive for this. The problem is that such drives, because they are either directly or seamlessly connected to your computer over the network, essentially become part of your local storage. A sufficiently clever piece of ransomware can (and will) access these drives and destroy the data stored on them, making the backups useless.

So what should you do?

First, separate the backup disk and your computer by removing the permanent connection between them, and connect them only when you want to make a backup (or restore some files). You can separate them either physically or logically.

Physical separation can be achieved by removing the USB cable connecting the backup USB drive from your computer, or powering off your backup network drive after each backup.

Logical separation can be achieved like this. Protect the backup network drive with a password. I do not mean protecting the backup with a password (a common option on many systems). No, I mean protect access to the network drive with a password: make the drive inaccessible without knowledge of this password. Make sure you do not store the password on your computer, i.e. make sure the disk cannot automatically be made accessible ('mounted') when connecting to it. On Unix-like systems, you can use rsync to make a backup. Again, use a password-protected account in that case. Automatic login using ssh is risky.

Once you have separated your disks using one of the suggestions above, access to your backups requires some explicit action by you. This keeps any ransomware out. However...

There is another, very important, step you need to take. And that is to make sure that you never overwrite your backups with files corrupted by ransomware when making a new backup. Again there are two ways to achieve this.

The first is to use a continuous backup mechanism that keeps all versions of a file on backup, instead of keeping only the last version that was backed up. Apple Time Machine does this, for example. A poor man's version of this idea is to use two backup drives and alternate between them with each backup. This way you always have the last and second-to-last version of a file on backup. Should you be unlucky and make a backup while already being infected by ransomware, the other drive still contains a clean (albeit a bit older) version of the files.

The second approach is to verify every time, before making a backup, that your computer is not infected by ransomware. A consequence of this rule is that you should not make backups automatically (unless they are continuous). One way to check that your computer is not infected is by checking the contents of a few innocent-looking files on your computer before starting the backup. You can even automate this with a tool like tripwire. If you include this check in your backup scripts, you can even turn automatic backups back on.
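An illustration of the pre-backup check described above, added here as an example (not the author's script, and not tripwire itself): it records SHA-256 hashes of a few unchanging "canary" files and lets the backup command run only while they still match. The canary list and manifest locations, and the use of sha256sum and rsync, are assumptions.

```shell
#!/bin/sh
# Canary-file gate for a backup script (added example, not the author's code).
# Assumed layout: CANARY_LIST holds one path per line of files that never
# change in normal use; CANARY_MANIFEST holds their known-good SHA-256 hashes.
# Ransomware that encrypts or renames documents will alter the canaries, so a
# mismatch aborts the backup before it overwrites the last clean copy.

CANARY_LIST="${CANARY_LIST:-$HOME/.backup/canaries.txt}"
CANARY_MANIFEST="${CANARY_MANIFEST:-$HOME/.backup/canaries.sha256}"

# Record the current state of the canaries. Run once, on a machine you trust.
canary_init() {
    while IFS= read -r f; do
        [ -n "$f" ] && sha256sum "$f"
    done < "$CANARY_LIST" > "$CANARY_MANIFEST"
}

# Return 0 when every canary still matches its recorded hash, non-zero
# otherwise. A missing or unreadable canary counts as tampering as well.
canary_check() {
    if [ ! -r "$CANARY_MANIFEST" ]; then
        echo "no manifest at $CANARY_MANIFEST: run canary_init first" >&2
        return 2
    fi
    sha256sum --quiet -c "$CANARY_MANIFEST" >/dev/null 2>&1
}

# Run the given backup command (e.g. rsync -a --delete SRC DEST) only if
# the canaries are intact; otherwise refuse and leave the backup untouched.
guarded_backup() {
    if canary_check; then
        "$@"
    else
        echo "canary mismatch: possible ransomware, backup aborted" >&2
        return 1
    fi
}

# Minimal command-line dispatch so the script can be run directly:
#   backup.sh init                     record the canary hashes
#   backup.sh backup rsync -a SRC DEST run the backup behind the gate
case "${1:-}" in
    init)   canary_init ;;
    backup) shift; guarded_backup "$@" ;;
esac
```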

Finally: if you have been infected and your files have been corrupted, make sure your computer is free of ransomware before connecting your precious backup drive. You do not want to destroy years of proper backup hygiene by one silly last-minute, I'm-in-a-hurry-and-need-my-files-now, mistake...
