7 Ransomware Backup Best Practices to Survive the Next Attack

How Can Backup Help Prevent Ransomware?

Ransomware attacks infect systems and then encrypt files and folders to prevent access to important systems and data. Next, threat actors demand ransom, typically cryptocurrency, in return for a decryption key that provides access.

Many ransomware attacks succeed because the malware can neutralize backup applications, including the operating systems’ features that copy your files. However, you can still use backup to protect against ransomware.

A backup and recovery strategy, as part of an overall ransomware protection strategy, can help you protect your data and avoid paying ransom using backup solutions that are outside the reach of attackers. It can help you quickly and efficiently recover business-critical data and resume normal operations.

In this article, we’ll cover the following ransomware backup best practices:

  1. Review and Update Backup Policies
  2. Encrypt Backup Data
  3. Use Immutable Storage
  4. Air Gap Business Data
  5. Use the 3-2-1 Rule
  6. Ensure Coverage
  7. Test the Backup Plan

Ransomware Recovery with NetApp Cloud Backup
NetApp Ransomware Protection Solution

1. Review and Update Backup Policies

One way to minimize the impact of a data breach or cyber attack is to review your backup policies and procedures regularly. Backups are only effective if they are comprehensive and robust.

Ideally, an organization should defend against ransomware by restoring data from clean backups. Authorities and security experts recommend not paying the ransom if you are hit by ransomware, because there is no guarantee you will get your files back. This makes it critical to maintain safe backups.

Chief Information Officers (CIOs) should provide directives for a thorough audit of all data in all locations. Organizations must examine all data, including data held in the cloud or local systems—this approach is of utmost importance given the movement towards remote work.

Here are some points organizations must consider when updating their backup policies:

  • Are all critical systems regularly and automatically backed up?
  • Has the organization practiced restoring critical systems from backup?
  • Is the organization practicing the 3-2-1 rule (keeping 3 copies on backup on 2 types of media, with 1 copy in an external location)?
  • Does the organization properly isolate and protect backup systems to prevent ransomware from reaching backups?

2. Encrypt Backup Data

Encryption converts data from a readable form into an encoded form. You may only read or process encrypted data once you decrypt it using a secret key. Ideally, a data backup approach should use encryption as it is a powerful way to secure sensitive data.

Because encryption converts the data into unreadable code, if an unauthorized individual accesses your data, they cannot read it without the encryption key. For optimal results, your backup approach should secure your data when stored on a device or in the cloud (at rest) and when it is sent over networks or retrieved (in transit).

You should ensure your files are encrypted using algorithms that meet industry standards, including AES-256 encryption at rest and SSL/TLS in transit. This approach will deter unauthorized users from exploring your data, including any cloud providers that host your data on their systems.

3. Use Immutable Storage

The term immutable storage is used for stored data that cannot be deleted or changed.

Many cloud providers and modern storage technologies support object locking, also called immutable storage, or Write-Once-Read-Many (WORM) storage. Organizations can lock objects for a certain period, preventing users from deleting or altering them.

Here are some key attributes organizations should look for when selecting a backup solution:

  • Select a backup solution that integrates with an object lock capability to create immutable backups.
  • Choose a backup solution that enables you to set a suitable retention period (in the cloud) or has sufficient storage to meet compliance requirements (on premises). Backups cannot be deleted during the immutable retention period—even if a malicious actor or ransomware accesses root credentials.
  • Look for a backup solution that also provides policy-based scheduling that predicts and alerts when backups depart from the retention policy, for optimal protection and control.
  • The backup solution should protect files by default, ensuring that organizations always have point-in-time backups available within the retention period.

4. Air Gap Business Data

An air gap is a security approach whereby computers, networks or computer systems are not connected to other networks or devices. This approach is used in situations demanding airtight security without the risk of disaster or compromise.

It ensures total isolation of a system—electronically, electromagnetically, and physically—from different networks, particularly those not protected. You may only transfer data via a physical device with an air gap approach, such as an external hard disk.   

Cloud storage is a suitable technology for storing long-term data backups. Cloud storage secures data from physical disruption, including power or hardware failures or natural disasters. However, it will not automatically secure data against ransomware. Cloud storage is vulnerable in two ways:

  • Via connections to customer networks
  • Because cloud infrastructure is shared

This means the cloud storage may not be enough to secure against ransomware, and it is advised to keep an offsite copy of the data in a storage medium that is disconnected from all networks.

5. Use the 3-2-1 Rule

Your backup strategy should follow the 3-2-1 backup rule. Here are the requirements of this rule:

  • Three copies of your data
  • Two media types for your backups
  • One backup stored in an offsite location

These layers of protection ensure that if you lose data in one media type, copy, or location, you still have the chance to restore it.   

The optimal approach for any workflow includes two components. Some typical 3-2-1 workflows combine NAS and cloud, disk and cloud, and disk and tape.

6. Ensure Coverage

Ensure your backup solution covers your entire business data infrastructure. This approach should help you recover all pieces of your critical data following a ransomware attack.

This coverage must include endpoints, NAS share, servers, and cloud storage. Many organizations use older systems, so you must protect all your operating systems, including older ones. If you use or need the data, you will also need to back it up.

7. Test the Backup Plan

You need to test all backup and recovery plans. This process is essential to calculate recovery times and if you can or cannot recover certain data.

Here are some questions you should consider when planning your backup approach:  

  • Using air-gapped, off-site media is ideal, but how long will it take to restore the systems?
  • Which systems will you prioritize for recovery?
  • Will your organization need clean, separate networks for recovery?

CIOs must test all phases of the organization’s recovery plan, identify gaps or weaknesses in the plan, and remediate them to ensure that backups are production-ready and can support the organization’s recovery point objective (RPO) and recovery time objective (RTO).

Ransomware Recovery with NetApp Cloud Backup

NetApp understands ONTAP better than anyone else, which is why the best backup solution for ONTAP systems is NetApp Cloud Backup. Designed by NetApp specifically for ONTAP, Cloud Backup automatically creates block-level incremental forever backups. These copies are stored in object format and preserve all ONTAP’s storage efficiencies. Your backups are 100X faster to create, easy to restore, and much more reliable than with any other solution.

Cloud Backup simplifies the entire backup process. It’s intuitive, quick to deploy, and managed from the same console as the rest of the NetApp cloud ecosystem.  Whether you’re looking for a less expensive way to store your backups, a faster, more capable technology than NDMP, or an easy way to enable a 3-2-1 strategy, Cloud Backup offers the best backup solution for ONTAP.

New call-to-action

NetApp Ransomware Protection Solution

NetApp Ransomware Protection is a comprehensive set of data-centric capabilities that allows you to protect your data estate with a Zero Trust approach from the inside out. It enables you to map and classify your data, detect abnormal user activity, manage access, and avoid costly downtime using rapid backup and restore. IT teams can apply these advanced defense mechanisms to strengthen cyber resiliency and make sure the most critical data stays protected.

New call-to-action

Semion Mazor, Product Marketing Manager

Product Marketing Manager