Home > Backup and Recovery Blog > Ransomware Backup Strategies and Best Practices. How to protect backups from ransomware?

Ransomware Backup Strategies and Best Practices. How to protect backups from ransomware?

1 Star2 Stars3 Stars4 Stars5 Stars
(22 votes, average: 4.50 out of 5)
Updated 23rd May 2022, Rob Morrison

Increased Needs For Ransomware Backup Protection

Despite numerous cyber security incidents making international news on a regular basis over the last few years, it was specifically the WannaCry ransomware attack in May 2017 that brought renewed and urgent focus on what organizations need to do to protect their businesses and services from ransomware. This attack seriously impacted thousands of organizations worldwide, having hit more than 150 countries and over 200,000 computers.

The WannaCry ransomware attack is an example of crypto-ransomware, a type of malware used to exhort money. In this case, cybercriminals encrypted valuable files, taking the data hostage and promising to return it only if a Bitcoin ransom was paid. This particular attack became a dramatic demonstration of why it’s so important to do regular backups, and protect those backups from ransomware as well.

Some of the more common methods of spreading ransomware are phishing emails, spam and social engineering – but newer methods are also constantly developing, such as drive-by downloads or actual infected websites. The prime purpose of a ransomware is to get inside a networked system – it can then proceed to encrypt a company’s data and then demand a ransom for the encryption to be lifted. There are ways to protect your company against these attacks, and the first, critical one is to make sure you have ransomware proof backups.

Let’s first look at the different types of threats. Encryption-related ransomware (cryptoware) is one of the more widespread types of ransomware in the current day and age. Some less common examples of ransomware types are:

  • Lock screens (interruption with the ransom demand, but with no encryption),
  • Mobile device ransomware (cell-phone infection),
  • MBR encryption ransomware (infects a part of Microsoft’s file system that is used to boot the computer, preventing the user from accessing the OS in the first place),
  • Extortionware/leakware (targets sensitive and compromising data, then demands ransom in exchange for not publishing the targeted data), and so on.

The frequency of ransomware attacks is set to increase dramatically in 2022 and beyond, and with increasing sophistication. For example, some malware already exists that is more sophisticated than WannaCry and which actually looks for weak backup systems and encrypts the backed up data itself. It’s paramount that we are ready to face these threats and understand the necessary link between ransomware and backups. A research from Palo Alto Networks shows that just in the first half of 2021 the average ransom payment amount is typically more than half a million dollars ($570,000+, to be exact).

While preventive measures are the preferred way to deal with ransomware, they are typically not 100% effective. For attacks that penetrate successfully, backup is the last bastion of defence that an IT department can use. Data backup and recovery are proven to be an effective and critical protection element against the threat of ransomware. However, being able to effectively recover data means maintaining a strict data backup schedule and taking various measures to prevent your backup from also being captured and encrypted by ransomware.

For an enterprise to sufficiently protect backups from ransomware, advance preparation and thought is required. Data protection technology, backup best practices and staff training are critical for mitigating the business-threatening disruption that ransomware attacks can inflict on an organization’s backup servers.

Ransomware attacks on backup systems are frequently opportunistic – not necessarily targeted. The exact process will differ depending on the program, but ransomware will typically crawl a system looking for specific filetypes and, if it counters a backup file extension, encrypt it. Then, it will try to spread and infect as many other systems as it can. The movement of these malware programs is lateral and not deliberate.

One of the best protections against such attacks is to have a data and ransomware backup solution of correct architecture, properly configured, combined with best-practice backup strategies. This includes ensuring any cloud backups are adequately protected and available, and you have a strategy to ensure you’re not syncing local infected files with those that should be kept safe in the cloud. That also means having up-to-date copies of that data available elsewhere. For any medium to large company, having an enterprise-grade backup solution is essential because correct data backup, storage and compliance practice can be the main difference between a company’s survival and failure in the event of a ransomware attack.

Common Myths About Ransomware and Backups

If you are researching how to protect backups from ransomware, you might come across wrong or out of date advice. The reality is that ransomware backup protection is a little more complex, so let’s look into some of the most popular myths surrounding the topic.

Ransomware Backup Myth 1: Ransomware doesn’t infect backups. You might think your files are safe. However, not all ransomware activates as you are infected. Some wait before they get started. This means your backups might already have a copy of the ransomware in them.

Ransomware Backup Myth 2: Encrypted backups are protected from ransomware. It doesn’t really matter if your backups are encrypted. As soon as you run a backup recovery, the infection can become executable again and activate.

Ransomware Backup Myth 3: Only Windows is affected. Many people think they can run their backups on a different operating system to eliminate the threat. Unfortunately, if the infected files are hosted on the cloud, the ransomware can cross over.

Of course, there are still many ways in which you can protect backups from ransomware. Below are some important strategies you should consider for your business.

Top 7 Ransomware Backup Strategies

Here are some specific technical considerations for your enterprise IT environment, to protect your backup server against future ransomware attacks:

1. Use distinct credentials, uniquely for backup storage

This is a basic best practice for ransomware backup; and with the increasing amount of ransomware attacks on backup servers, it is as necessary as ever. The context that someone uses to access the backup storage needs to be completely confidential and only used for that one specific purpose. Other security contexts should also not be able to access the backup storage except for any account(s) that might be needed for the actual backup operations. To protect backups from ransomware, you should avoid working as root or Administrator. Use service accounts that are restricted as much as possible, whenever possible. By default, Bacula builds two factor authentication into the design and enables the user to apply as much separation as possible when dealing with production workloads, establishing a more ransomware-proof backup. For example, its default installation ensures that its daemons run with dedicated service accounts.

2. Make offline storage part of the backup strategy

Offline storage is one of the best defenses against the propagation of ransomware encryption to the backup storage. There are a number of storage possibilities that can be used:

Media Type What’s Important
Cloud target backups These use a different authentication mechanism. Can only be partially connected to the backup system. Using cloud target backups are one good way to protect backups from ransomware because your data is kept safe in the cloud. In the case of an attack, you can restore your system from it, although that may prove expensive. You should also keep in mind that syncing with local data storage can upload the infection to your cloud backup too.
Primary storage Snapshots Snapshots have a different authentication framework and can be used for recovery. Snapshot copies are read-only backups, so new ransomware attacks can’t infect them. If you identify a threat, you can simply restore it from one taken before the strike took place.
Replicated VMs Best when controlled by a different authentication framework, such as using different domains for say, vSphere and Hyper-V hosts, and Powered off. You just need to make sure you are keeping careful track of your retention schedule. If a ransomware attack happens and you don’t notice it before your backups are encrypted, you might not have any backups to restore from.
Hard drives/SSD Detached, unmounted, or offline unless they are being read from, or written to. Some solid-state drives have been cracked open with malware, but this goes beyond the reach of some traditional backup ransomware.
Tape You can’t get more offline than with tapes which have been unloaded from a tape library. These are also convenient for off-site storage. Since the data is usually kept off-site, tape backups are normally safe from ransomware attacks and natural disasters. Tapes should always be encrypted.
Appliances Appliances, being black boxes, need to be properly secured against unauthorized access to protect against ransomware attacks. Stricter network security than with regular file servers is advisable, as appliances may have more unexpected vulnerabilities than regular operating systems.

3. Use Backup Copy Jobs to help mitigate risk

A Backup Copy Job copies existing backup data to another disk system so it can be restored later or be sent to an offsite location.

Running a Backup Copy Job is an excellent way to create restore points with retention rules that are different than the regular backup job (and can be located on another storage). The backup copy job can be a valuable mechanism that can help you protect backups from ransomware because there are different restore points in use with the Backup Copy Job.

For example, if you add an extra storage device to your infrastructure (for instance a Linux server) you can define a repository for it and create Backup Copy Job to work as your ransomware backup.

4. Do not rely on different file systems to protect backup storage

Although involving different protocols can be a good way to prevent ransomware propagation, be aware that this is certainly no guarantee against ransomware backup attacks. Different types of ransomware tend to evolve and get more effective on a regular basis, and new types appear quite frequently.

Therefore, it is advisable to use an enterprise-grade approach to security: backup storage should be inaccessible as far as possible, and there should be only one service account on known machines that needs to access them. File system locations used to store backup data should be accessible only by the relevant service accounts to protect all information from ransomware attacks.

There is no reason why end users from different systems should ever have permission to access them. Using another set of credentials to allow access to shared file systems, for example for snapshots, offline shares, or cloud storage is an inherently insecure approach – all those should be restricted exclusively to the backup service account.

5. Be sure to use the 3-2-1-1 rule

Following the 3-2-1 rule means having three distinct copies of your data, on two different media, one of which is off-site. The power of this approach for ransomware backup is that it can address practically any failure scenario and will not require any specific technologies to be used. In the era of ransomware, Bacula recommends adding a second “1” to the rule; one where one of the media is offline. There are a number of options where you can make an offline or semi-offline copy of your data. In practice, whenever you backup to non file system targets, you’re already close to achieving this rule. So, tapes and cloud object storage targets are helpful to you. Putting tapes in a vault after they are written is a long-standing best practice.

Cloud storage targets can act as semi-offline storage from a backup perspective. The data is not on-site, and access to it requires custom protocols and secondary authentication. Some cloud providers allow objects to be set in an immutable state, which would satisfy the requirement to prevent them from being damaged by an attacker. As with any cloud implementation, a certain amount of reliability and security risk is accepted by trusting the cloud provider with critical data, but as a secondary backup source the cloud is very compelling.

6. Beware of using storage snapshots on backup storage

Storage snapshots are useful to recover deleted files to a point in time, but aren’t backup in the true sense. Storage snapshots tend to lack advanced retention management, reporting, and all the data is still stored on the same system and therefore may be vulnerable to any attack that affects the primary data. A snapshot is no more than a point in time copy of your data. As such, the backup can still still be vulnerable to ransomware attacks if these were programmed to lie dormant until a certain moment.

7. Ensure you can recover all systems from bare metal

Bare metal recovery is accomplished in many different ways. Many enterprises simply deploy a standard image, provision software, and then restore data and/or user preferences. In many cases, all data is already stored remotely and the system itself is largely unimportant. However, in others this is not a practical approach and the ability to completely restore a machine to a point in time is a critical function of the disaster recovery implementation that can allow you to protect backups from ransomware.

The ability to restore a ransomware-encrypted computer to a recent point in time, including any user data stored locally, may be a necessary part of a layered defense. The same approach can be applied to virtualized systems, although there are usually preferable options available at the hypervisor.

Backup System Specific Tools as a Means of Additional Ransomware Protection

Going for an augmented approach to the same problem of ransomware-infected backup, it is possible – and advisable – to use backup systems’ tools as an additional means of protecting against attack. Here are five ransomware backup best practises – to further protect a business against ransomware:

  • Make sure that backups themselves are clean of ransomware and/or malware. Checking that your backup is not infected should be one of your highest priorities, since the entire usefulness backup as a ransomware protection measure is negated if your backups are compromised by ransomware. Perform regular system patching to close off vulnerabilities in the software, invest in malware detection tools and update them regularly, and try to take your media files offline as fast as possible after changing them. In some cases, you might consider a WORM approach (Write-One-Read-Many) to protect your backups from ransomware – a specific type of media that is only provided for certain tape and optical disk types, as well as a few cloud storage providers.
  • Do not rely on cloud backups as the only backup storage type. While cloud storage has a number of advantages, it is not completely impervious to ransomware. While harder for an attacker to corrupt data physically, it is still possible for ransomware attackers to gain access to your data either using a shared infrastructure of the cloud storage as a whole, or by connecting said cloud storage to an infected customer’s device. This is why it is highly recommended to always have an alternative backup strategy other than online backup, and a separate backup media and destination in combination with the Cloud, such as off-site tape. By having redundant protections, you will be able to safeguard your data from ransomware. Remember also that a large recovery from a cloud source may be very expensive and slow.
  • Review and test your existing recovery and backup plans. Your backup and recovery plan should be tested on a regular basis to ensure you’re protected against threats. Finding out that your recovery plan is not working as intended only after a ransomware attack is clearly undesirable. The best ransomware backup strategy is the one that will never have to deal with malicious data breaches. Work through several different scenarios, time-check some of your restoration-related results such as time-to-recovery, and establish which parts of the system are prioritized by default. Remember, many businesses can – and should – measure in dollars-per-minute the cost of services being down.
  • Clarify or update retention policies and develop backup schedules. A regular review of your ransomware backup strategies is strongly recommended. It may be that your data is not backed up often enough, or that your backup retention period is too small, making your system vulnerable to more advanced types of ransomware that can target backup copies via time delays and other means of infection.
  • Thoroughly audit all of your data storage locations. To protect backups from ransomware, these should be audited to be sure that no data is lost and everything is backed up properly – possibly including end-user systems, cloud storages, applications and other system software.

How Ransomware Can Tamper With Your Backups

While it is true that backup and recovery systems are capable of protecting organizations against ransomware in most cases, these systems are not the only ones that keep progressing and evolving over the years – because ransomware also gets more and more unusual and sophisticated as the time passes.

One of the more recent problems of this whole approach with backups is that now a lot of ransomware variations have learned to target and attack not only the company’s data in the first place, but also the backups of that same company – and this is a significant problem for the entire industry. Many ransomware writers have modified their malware to track down and eliminate backups.. From this perspective, while backups still can protect your data against ransomware – you will also have to protect backups from ransomware, too.

It is possible to figure out some of the main angles that are typically used to tamper with your backups as a whole. We will highlight the main ones and explain how you can use them to protect backups from ransomware:

  • Ransomware damage potential increase with longer recovery cycles

While not as obvious as other possibilities, the problem of long recovery cycles is still a rather big one in the industry, and it’s mostly caused by outdated backup products that can only perform slow full backups. In these cases, recovery cycles after ransomware attack can take days, or even weeks – and it’s a massive disaster for the majority of companies, as system downtime and production halt costs can quickly overshadow initial ransomware damage estimates.

Two possible solutions here to help protect your backups from ransomware would be: a) to try and get a solution that can provide you a copy of your entire system as quickly as possible, so you don’t have to spend days or even weeks in recovery mode, and b) to try and get a solution that offers mass restore as a feature, getting multiple VMs, databases and servers up and running again very quickly.

  • Your insurance policy may also become your liability

As we have mentioned before, more and more ransomware variations appear that can target both your original data and your backups, or sometimes even try to infect and/or destroy your backed up data before moving to its source. So you need to make it as hard as possible for ransomware to eliminate all of your backup copies – a multi-layered defense, of sorts.

Cybercriminals are using very sophisticated attacks that target data, going straight for your backups as that’s your main insurance policy to keep your business running. You should have a single copy of the data in such a state that it can never be mounted by any external system (often referred to as an immutable backup copy), and implement various comprehensive security features, like the aforementioned WORM, as well as modern data isolation, data encryption, tamper detection and monitoring for data behaviour abnormality.

There are two measures here that we can go over in a bit more detail:

  • Immutable backup copy. Immutable backup copy is one of the bigger measures against ransomware attacks – it’s a copy of your backup that cannot be altered in any way once you’ve created it. It exists solely to be your main source of data if you have been targeted by ransomware and need your information back as it was before. Immutable backups cannot be deleted, changed, overwritten, or modified in any other way – only copied to other sources. Immutable backups are an effective defense against ransomware because, as their name hints, they are unchangeable. Some vendors pitch immutability as foolproof – but in terms of ransomware backup, there is no such thing. Any backup environment can be vulnerable to sleeper attacks where the ransomware infiltrates the data and remains dormant for a period of time. But you should not fear immutable backup ransomware attacks. Just ensure you have a holistic strategy that includes attack detection and prevention, and implement strong credential management.
  • Backup encryption. It is somewhat ironic that encryption is also used as one of the measures to counter ransomware attacks – since a lot of ransomware uses encryption to demand ransom for your data. Encryption doesn’t make your backups ransomware-proof, and it won’t prevent exploits. However, in its core, backup encryption is supposed to act as one more measure against ransomware, encrypting your data within backups so that ransomware cannot read or modify it in the first place – it turns your structured data into a jumbled mess of symbols that cannot be changed back into its regular state without an encryption key.
  • Visibility issues of your data become an advantage for ransomware

By its nature, ransomware is at its most dangerous when it gets into a badly managed system – “dark data”, of sorts. In there, it can do a lot of damage, a ransomware attack can encrypt your data and/or sell it on the dark web. This is a significant problem that requires the most cutting-edge technologies to detect and combat effectively.

While early detection of ransomware is possible with only a modern data management solution and a good backup system, detecting such threats in real-time requires a combination of machine learning and artificial intelligence – so that you can get alerts about suspicious ransomware activity in real-time, making attack discovery that much faster.

  • Data fragmentation is a massive vulnerability

Clearly, a lot of organizations deal with large amounts of data on a regular basis. However, the size is not as much of a problem as fragmentation – it’s not uncommon for one company’s data to be located in multiple different locations and using a number of different storage types. Fragmentation can also create large caches of secondary data (not always essential to business operations) that can affect your storage capabilities and make you more vulnerable.

Each of these locations and backup types are adding another potential venue for ransomware to exploit your data – making the entire company’s system even harder to protect in the first place. In this case it is a good recommendation to have a data discovery solution working within your system which brings many different benefits – one of which is better visibility for the entirety of your data, making it far easier to spot threats, unusual activity and potential vulnerabilities.

  • User credentials can be used multiple times for ransomware attacks

User credentials have always been one of the biggest problems in this field, providing ransomware attackers with clear access to valuable data within your company – and not all companies can even detect the theft in the first place. If your user credentials become compromised, ransomware attackers can leverage the different open ports and gain access to your devices and applications. The entire situation with user credentials became worse when, because of Covid, businesses were forced to largely switch to remote work around in 2019 – and this problem is still as present as ever.

According to Verizon’s 2021 Data Breach Investigation Report, over 60% of data breaches in a year were performed using compromised credentials. These vulnerabilities can also affect your backups and leave them more exposed to ransomware. Typically the only way to combat this kind of gap in security is to invest into strict user access controls – including features such as multi-factor authentication, role-based access controls, constant monitoring, and so on.

As the threat of ransomware increases (in both frequency and sophistication), you should ensure you have robust identity verification. A simple password made of 8 characters can be cracked in as little as one hour. As computer processing speed increases, this time will only get shorter. If you establish identity with a high level of efficacy, you will be able to deprive ransomware attackers of harming your backup data.

  • Always test and re-test your backups

Many companies only realize their backups have failed or are too difficult to recover only after they have fallen victim to a ransomware attack. If you want to ensure your data is protected, you should always do some kind of regular exercise and document the exact steps for creating and restoring your backups.

Because some types of ransomware can also remain dormant before encrypting your information, it’s worth testing all your backup copies regularly – as you might not know when precisely the infection took place. Remember that ransomware will only continue to find more complex ways to hide and make your backup recovery efforts more costly.


For maximum protection of your backup against ransomware and similar threats, Bacula Systems’ strong advice is that your organization fully complies with the data backup and recovery best practices listed above. The methods and tools outlined in this blog post are used by Bacula Systems’ customers on a regular basis to protect their backups from ransomware. For companies without advanced-level data backup solutions, Bacula Systems urges these organizations to conduct a full review of their backup strategy and evaluate a modern backup and recovery solution.

Download Bacula’s white paper on ransomware protection.

About the author
Rob Morrison
Rob Morrison is the marketing director at Bacula Systems. He started his IT marketing career with Silicon Graphics in Switzerland, performing strongly in various marketing management roles for almost 10 years. In the next 10 years Rob also held various marketing management positions in JBoss, Red Hat and Pentaho ensuring market share growth for these well-known companies. He is a graduate of Plymouth University and holds an Honours Digital Media and Communications degree, and completed an Overseas Studies Program.
Leave a comment

Your email address will not be published. Required fields are marked *