5 tips on how to protect backups from ransomware

Celeste Kinswood, Director, Product Marketing - Cyber Resilience & Data Governance

Ransomware remains one of the most frequent forms of security incidents. Over a quarter (27 percent) of malware incidents in 2020 were ransomware attacks.¹

That’s because the motivation behind the vast majority of malicious data breaches is not geopolitical or national security objectives; it is money. And there is simply no better or faster way to monetize a malware attack than encrypting or deleting victims’ files and demanding payment.

Plus, payment demands are going up. In Q3 2020, the average ransomware payment demand was $233,817.² Companies like CWT Global and Colonial Pipeline have each paid more than four million dollars to get their data back after a ransomware attack.

A disturbing trend

How can attackers demand such astronomical ransoms? Threat actors are making sure companies don’t have access to backup data that would empower them to recover without having to pay. Recently, an increasing number of incidents have included the deletion or disablement of backups.

Many organizations make mistakes when backing up their data that leave the backup data vulnerable to ransomware attacks. On-premises backups are often stored on the same network as primary data. Ransomware looks for file directory entries that are likely to represent backup data and deletes them before a ransom is demanded. Even cloud backups can be susceptible to ransomware if credentials are compromised as part of the attack.

The key to avoiding a payout is having clean backup data. Let’s talk about five ways you can ensure your backups are safe and how to protect them from ransomware.

1. Ensure data integrity

The first step in protecting your backups is to make sure the data is stored on a platform where it cannot be modified. Look for backup vendors that offer object-based storage. This type of storage makes it impossible for ransomware to modify backup data. It is possible to add and delete objects, but you can't change the data that is already stored in an object. That means even if ransomware lands in your backup environment, it can't encrypt your data.

2. Adopt the zero trust model

Backing up your data using an off-site, object-based backup provider is a great first step. But it is not enough if ransomware can use compromised credentials to access your backups. Fortunately, it is easy to address this risk. Require separate account access for your backup environment and reinforce that security by using multi-factor authentication (MFA). 

3. Implement multi-level resiliency

A backup solution that includes deletion protection offers another line of defense against ransomware. Platforms that include excess deletion prevention or soft delete options (similar to a recycle bin) can ensure that even if ransomware manages to delete backup data, there is a fallback copy for recovery. Many vendors also offer write-once, read-many (WORM) or unmodifiable backups that cannot be modified or deleted, even by authorized personnel.

4. Automate response

Detecting and responding to a ransomware attack as soon as possible can help prevent contamination spread and make the recovery process easier. However, ransomware often enters the system and spreads quietly for 90+ days before a ransom demand. In addition, many threat actors specifically instruct ransomware to wait until everyone is out of the office for a holiday or the weekend before fully executing. 

A strong security posture with dedicated detection and prevention solutions in your primary environment can help prevent and detect ransomware. Backup solutions that monitor for anomalies in access or data patterns can alert you to possible ransomware attacks. But remember how bad actors wait until a long weekend before sending a ransom demand? Integrating your backup solution with SIEM and SOAR platforms automates the response process, so no one needs to be in the office or even see the alert to perform response activities like quarantining infected systems and snapshots to prevent contamination spread. Anomaly detection can also help you identify the best snapshot to use for recovery.
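The anomaly check described above, as an added example (not Druva's code or any vendor's API): a robust-baseline detector that flags snapshots with mass changes, mass deletions or high-entropy data, then returns the last snapshot taken before the first anomaly. The field names, thresholds and sample statistics are constructed assumptions.

```python
from statistics import median

# Constructed sample data. Field names are hypothetical: files changed, files
# deleted, and mean Shannon entropy (bits/byte) of changed data per snapshot.
SNAPSHOTS = [
    {"id": "snap-01", "changed": 120, "deleted": 4, "entropy": 5.1},
    {"id": "snap-02", "changed": 135, "deleted": 6, "entropy": 5.3},
    {"id": "snap-03", "changed": 110, "deleted": 3, "entropy": 5.0},
    {"id": "snap-04", "changed": 128, "deleted": 5, "entropy": 5.2},
    {"id": "snap-05", "changed": 140, "deleted": 4, "entropy": 5.1},
    {"id": "snap-06", "changed": 131, "deleted": 5, "entropy": 5.2},
    {"id": "snap-07", "changed": 9800, "deleted": 2100, "entropy": 7.9},
    {"id": "snap-08", "changed": 15000, "deleted": 50, "entropy": 7.95},
]

def robust_score(value, history):
    """Distance above the median, in units of scaled median absolute deviation."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0  # avoid divide-by-zero
    return (value - med) / (1.4826 * mad)

def flag_anomalies(snapshots, baseline=5, threshold=6.0, entropy_limit=7.5):
    """Return [(id, reasons)]; assumes the first `baseline` snapshots are good."""
    history = list(snapshots[:baseline])
    flagged = []
    for snap in snapshots[baseline:]:
        reasons = [
            f"{field} spike"
            for field in ("changed", "deleted")
            if robust_score(snap[field], [s[field] for s in history]) > threshold
        ]
        # Encrypted data nears 8 bits/byte, but so does compressed data: tune this.
        if snap["entropy"] > entropy_limit:
            reasons.append("high entropy")
        if reasons:
            flagged.append((snap["id"], reasons))
        else:
            history.append(snap)  # only clean snapshots extend the baseline
    return flagged

def last_clean_snapshot(snapshots, **kwargs):
    """Newest snapshot taken before the first flagged one, or None."""
    bad = {sid for sid, _ in flag_anomalies(snapshots, **kwargs)}
    candidate = None
    for snap in snapshots:
        if snap["id"] in bad:
            break
        candidate = snap["id"]
    return candidate
```

A snapshot that passes this check can still hold dormant malware from the quiet period before encryption, so it is a recovery candidate to scan, not a verified clean copy.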

5. Recover with confidence

Even if you have backup copies that were not encrypted or deleted and have identified the best snapshot to use for recovery, hidden malware can cause reinfection and start the process over again. To ensure the hygiene of your recovery data, it’s vital to scan snapshots for malware or indicators of compromise (IOCs) before you restore. The best solutions available enable you to scan for threats using both built-in antivirus detection and threat intelligence from your own forensic investigations or threat intel feeds.

Protect your data from ransomware attacks

With the volume of cyber threats increasing each day, organizations must have strong data recovery, ransomware protection, and a business continuity plan leveraging the cloud’s advantages to reduce the spread of these attacks.

Cloud backup vendors like Druva deliver comprehensive cloud data protection and robust defense-in-depth security, and provide the peace of mind that comes from knowing unencrypted backup data is always safe and available. 

Want to learn more about how to protect your data from ransomware attacks? Visit Druva's site for more about how third-party, cloud-based backup can help secure your data and enable a quick recovery from ransomware.


¹ Verizon, “2020 Data Breach Investigations Report,” Gabriel Bassett, C. David Hylender, Philippe Langlois, Alexandre Pinto, and Suzanne Widup, May 19, 2020.

² Coveware, “Ransomware Demands continue to rise as Data Exfiltration becomes common, and Maze subdues,” November 4, 2020.