How to Protect Backups From Ransomware

First Published:
Last Updated:

Every organization acknowledges the significance of data backup in safeguarding data availability. Especially with the growing complexities of cybercrime. However, attackers are raising the bar higher. They are no longer just targeting running environments only. They have discovered that backups present them a golden opportunity to cause more than enough frustration.

One type of cyberattacks that is increasingly threatening backups is ransomware. Don’t just take ur word though. A recent ransomware trend report by Veeam reveals that 93% of ransomware attacks expressly target backups. And in the event of ransomware invading backups, 75% (3 in 4) of the repositories are affected.

If you are in top leadership level such as business owner, CEO, CTO, CIO, etc, this should concern you. 

Imagine, for example, being unable to access 75% of your organizational data. You can think of it as losing all the information regarding your organization except the name, mission, and vision. That’s how threatening a ransomware attack on backups can be.

Not to worry. In this article, we discuss ways you can secure your organization’s backups against the deadly repercussions of a ransomware attack. But first and foremost, it’s essential to understand how a ransomware attack is activated in a backup.

Also Read: What is CTO as a Service? 

How does ransomware spread to backups?

Cyber attackers design ransomware to activate in a target system through drive-by downloading or as malicious attachments in phishing emails.

The drive-by-downloading ransomware is activated when a user downloads malware from an infected website. Consequently, malware driven in the form of an attachment activates when a user clicks a malicious link against their consent.

In both cases, the malware installs in the system and replicates before the user can realize it.

Once in the system, it can spread to the local and cloud backups in diverse ways, particularly spreading in local backups and in cloud backups. Lets see how :

Also Read: Types of Email Attacks

Ransomware spreading in local backups

Once ransomware is activated in a computer system, every backup associated with the device is threatened.

The malware potentially spreads to hard drives, external disks, file servers, and all the computers connected to the compromised system.

Ransomware spreading in cloud backups

Cloud storage solutions are designed to automatically back up data through synchronizing with the local files.

Infected local files synchronizing in the cloud storage can propagate the malware, infecting the files in the cloud storage.

So, how do you protect backups from ransomware? We discuss 10 approaches.

Ways to protect your organization’s backups from ransomware

Investing in a backup solution is not enough. The ideal solution lies in protecting the backups from ransomware invasion.

Besides, have you considered the actual cost of a ransomware attack? It’s beyond losing access to your organizational data and paying the ransom.

There are other repercussions like the trauma that could potentially befall the people in the organization, especially the stuff involved in finding solutions.  You can just imagine the terrible feeling of dealing with some threatening stranger on the other side giving you a few minutes to pay the ransom or else! 

But it doesn't have to be this way, and solid protection is your ultimate savior. Use these eleven ways to make sure the backups are always protected.

Also Read: How to Deal With a Ransomware Attack

1. Back up data both online and offline

Storing your data backups online and maintaining cybersecurity best practices might seem sufficient in the fight against ransomware. However, attackers keep devising new ways to access organizational data.

Having an offline backup, say, in an external hard drive, offers a fallback mechanism in case either of the backups is infected.

2. Have an effective data recovery plan in place

Robust backups were sufficient to handle the earlier variants of ransomware, even without organizations paying a ransom. 

But over time, ransomware has been evolving, with the newest variants capable of destroying an entire backup repository.

An effective disaster recovery plan should be capable of preventing current and future variants of ransomware from manipulating the organization’s data.

Here’s what an effective data recovery plan should take into account:

  • Protecting backups and backup hosts
  • Lowering the risk of unauthorized access to systems
  • Monitoring to identify threats and mitigate them before it’s too late
  • Synching data between systems with integrations and APIs
  • Ensuring the shortest time to recover from any downtime

To effectively cover the five aspects, a data recovery plan should answer the following questions:

  • Who is responsible for data backup: Identifying the person(s) responsible for data backups is the best way to ensure accountability.  
  • Which data should be backed up: It’s not practically possible to back up all organizational data, especially for enterprise organizations. Hence, it’s essential to agree on the critical data to back up.
  • How often should the data be backed up? Determining the frequency of backing up data is also part of accountability. It makes it easy to detect any anomalies between backups, which offers a window to take timely action.
  • Where should the backup be stored? The best approach to adopt would be the 3-2-1 rule of data backup.
  • How should the organization test backups? Data backups can fail. What if a backup was scheduled but turned out unsuccessful? How would you know? You can adopt an annual backup test, like most organizations.
  • How reliable is the backup’s security? The security of the backup should always be top-notch. 

Also Read: Disaster Recovery Plan 

3. Update software on a regular basis

One of the best practices in software development is evolving the solution to meet changing quality requirements. 

In the fight against ransomware, most developers regularly evolve their backup software for the following reasons:

  • To ensure compliance with privacy policies and improve security functions such as multi factor authentication.
  • To fix any bugs that may become a loophole for ransomware attackers to invade

Updating the software simply means you have applied the latest security updates and patches, and this reduces the risk of a ransomware attack on backups.

Also Read: Understanding Patch Management Policy

4. Use immutable storage when doing data backup

Immutability is a write-once, read-many feature that is common in backup storage. It prevents modification, deletion, and encryption of stored data.

Since most ransomware attacks aim at encrypting the backup data, immutable storage serves to halt the malware’s intended activities.

5. Create awareness around backup protocols

Backup protocols are a part of organizational disaster recovery, data protection, and business continuity

So you want to create a set of procedures that govern how backup data is stored, the frequency of backup, and who is responsible for the backup. The procedures should also dictate where backup data is stored in the organization.

This level of awareness helps employees to make informed decisions, enhancing the effectiveness of the backup process even further.

There are various to educate employees and stakeholders on backup procedures, including:

  • Organizing workshops and webinars
  • Providing manuals, videos or simulations
  • Tailoring backup training to different roles, such as users, administrators and operators
  • Evaluating training performance through feedback

Also Read: Benefits of Cybersecurity Awareness Trainings

6. Restrict access to backups

This is an access level security that holds specific people accountable for any activities on the backup resources.

A common approach is to restrict access by defining who should have access to the backups and their level of access.

This is one way of limiting human errors in handling backup data, and this will greatly limit the potential to activate ransomware in case of any.

One way to foster access control on backups is by implementing role-based access control (RBAC). Here, specific permissions are assigned to a specific user.

7. Use multiple backup locations

Part of an effective data recovery strategy is ensuring data availability through duplication.

Backing up data in multiple locations ensures that in the event of ransomware invading a backup in one location, you have a redundant backup to fall back on.

The most common methods used to back up data in multiple locations include Server Disk Storage, Backup Appliance, and Tape.

8. Perform data backup at regular intervals

There are different ways of implementing backups, including full backups and incremental backups. And the type of backup you choose depends on your organization’s backup needs.

Whichever method you choose, determining a backup frequency is key to effective backup. It ensures you have as much data as possible to fall back on in case of a ransomware attack.

Additionally, regular backups make it easier to identify any malicious activities between backups.

The best way to ensure regular backups is to implement a backup schedule for all types of backups in the entire organization.

Also Read:

9. Use intelligent ransomware detection and remediation tools 

Antivirus solutions are not sufficient to defend organizational data against ransomware. But thanks to advancements like the emerging AI-based technologies, it’s possible to secure backups with intelligent ransomware detection and remediation tools.

These tools offer end-to-end monitoring to hunt any threats and offer a detailed analysis of the threats identified within the backup infrastructure.

The tools have the capacity to relate patterns and predict future ransomware patterns for preventive measures.

Which critical features should you check out when choosing a ransomware detection tool? Here are a couple:

  • Real-time monitoring and alerting: The tool should detect anomalies within the backup infrastructure in real time and recommend actions.
  • Automated reporting and analytics: The tool should provide detailed information regarding any threats. This facilitates informed decision making and quick remediation.
  • Flexibility: The tool should support both online and offline backups.

Examples of intelligent ransomware detection and remediation tools for backups include:

  • Observer Ransomware Detection
  • Acronis
  • Veeam Data Platform

Also Read:

10. Use Air-Gap backups

Air-gapping is a strategy that involves storing data on a detachable storage such as disk, tape, or detaching the storage from the production environment.

There are two main air gap approaches, classified according to the setup:

Physical air gaps

With physical air gaps, the target storage is physically isolated from the production environment.

The data in the storage can only be read when the storage is powered on. And when powered off, there’s no physical connection between the storage and the production environment.

Logical air gaps

Logical air gap backups are physically connected to the production site but logically disconnected from the network. 

In other words the backup remains disconnected via logical processes such as software-defined networking and access-based control.

Air-gapped storage helps keep backups off the production site. Hence, you can count on it in case a ransomware invades the backups on the production environment.

To demonstrate the lethal impact of a ransomware attack on backups, let’s have a quick glance at what happened to a construction management company. 

Case study: A construction management company loses over $160,000 

A construction management company suffered the deadly consequences of a ransomware attack on backups. The invasion resulted in a loss of over $160,000. 

This is how it all unfolded:

  • All on-site backups compromised
  • No off-site backups
  • 30 employees were unable to work for 10 days due to data unavailability
  • Over $100,000 was lost during the downtime
  • $60,000 paid as ransom to help restore data

One question remains. What triggered the ransomware invasion on the organization’s backup?

The cause

Here is the root cause for the company’s massive loss from a ransomware attack on their backup:

  • The company didn’t have ransomware preventive measures in place to keep their backups safe.
  • The company had the impression that they were regularly and securely backing up their data in multiple locations, which was never the case.

You can read the entire case study here


As seen in the case study, the construction management company was able to recover their data, but only after paying a ransom. Don’t forget that at least 30 employees were unable to work for up to 10 days, losing a cumulative 300 days.

But what if they paid the ransom and never got their data back? Now, that’s something you don’t want to imagine.

The truth is ransomware attacks targeting backups are on the rise, and it’s not difficult to figure out why this is the case. Cyber criminals have discovered that backups are the fallback plan for companies, so holding your organization’s backup at ransom is a «clever» punishment. 

Unfortunately we still see many organizations not thinking about ransomware attacks from the context of backups. Perhaps this is due to the myth that ransomware does not normally get to backups.  

The ransomware attackers of today are aiming everywhere they prospect they can inflict the most impactful pain, and backups are their newfound goldmine. 

Fortunately, the preventive approaches here should give you good cover. Please apply them.

No comments yet. Be the first to add a comment!
Our site uses cookies