Malware, in all of its forms, is becoming an ever greater threat in modern times, one which can see any internet connected device rendered unusable as well as any valuable data which might be stored upon it quickly destroyed!
Whilst malware comes in many different forms, all of which are potentially very damaging, one of the most harmful is ransomware, a type of malware which maliciously encrypts any files stored on a device before demanding a ransom payment in return for the decryption key!
In this guide I will be shining a light on some of the threats associated with ransomware before going on to show how a solid backup strategy (alongside some good antivirus software) can provide an almost unstoppable defence and remove the need to even think about paying a ransom for your data! This begins in the next section with an overview of ransomware and how it operates!
What is Ransomware?
Whilst many people will be familiar with the terms “computer virus” or “malware”, what isn’t always so clear is that there are numerous different forms of malware in existence, each with its own way of working and objectives to achieve (objectives which could be anything from creating a source of income for the authors, to stealing cryptocurrency, or even causing business or political disruption).
Ransomware is just one of several types of malware which exist today, one which specifically targets any files, photos and other documents stored on an infected device by encrypting them with a strong password (encryption key) known only to the ransomware author. The net result of these malicious actions is that your files will still exist on your device; however, you will not be able to read or make normal use of them thanks to the encryption which has been applied.
If you find yourself falling victim to this type of attack, you will normally first know about it when trying to open a file on your device and discovering it fails to open as usual. In fact, ransomware usually stays very well hidden on a device until it has finished its work of encrypting all of your files and making sure they can’t be accessed, at which point it will usually make its presence known and demand that a ransom payment be made in order to unlock the files!
NB – Be aware that ransomware, whilst maliciously encrypting your files, might also be performing other unsavoury tasks such as looking for banking passwords or cryptocurrency wallet keys, which could result in further financial losses after the attack. With this in mind, if you do fall victim to this type of attack, it is recommended to change any important account passwords (such as banking) once your device has been cleaned of the malware!
Whilst every piece of malware might use different methods, two common ways of informing users they are infected are changing the desktop background image (to one with instructions on how to pay the ransom) and adding a “read me” file to every folder and to the desktop, again explaining the process of paying the ransom.
NB – Many forms of ransomware will ask for payment in Bitcoin (or a similar cryptocurrency) given that accepting such payments can effectively be done in an anonymous way.
Many ransomware authors will also add further threats to these warning messages; these might include the price of the ransom doubling if it is not paid within a certain time-frame, or the files being permanently deleted should they suspect you of trying to decrypt them by yourself or of making use of an anti-virus tool in any way!
Naturally, as internet users, we need a good defence against this type of attack! In the next section I am going to look at the use of antivirus software and the pros and cons of doing so before finally explaining how a good backup strategy can be the vital key in protecting your important data against this type of ransomware attack.
Can Antivirus Software Help?
Naturally, having read the previous section which explains (at a high level) how ransomware operates, you might be thinking you are fully protected thanks to the installation of good, up to date antivirus software on your device, right? Unfortunately, whilst modern antivirus software is very good at protecting against many types of malware attack (including ransomware), it will never provide a 100% guarantee that you won’t be affected by this type of cyber attack.
One of the biggest reasons antivirus software will never be 100% effective against ransomware is due to the nature of how it detects threats in the first place. Whilst such software will usually be very effective against known malware threats (for which the antivirus developers will have had time to analyse the threat and document how it works), there are always new malware threats (referred to as zero-day threats) which can come into play, and these are the ones most likely to be able to slip through the antivirus net and cause damage!
In recent years many antivirus software companies have promoted the fact that, instead of relying solely on traditional malware detection methods (i.e. analysing existing malware), they will also protect against brand new (zero-day) threats thanks to clever, real-time analysis which can stop a suspicious application before it has a chance to do any damage. Whilst much of this new technology is very good, it is (again) never 100% guaranteed to stop absolutely every threat that you might come across.
With all of the above in mind, it is safe to say that a modern antivirus application is an essential component in helping to protect against many malware threats, including the dreaded ransomware discussed earlier on. However, given that antivirus protection will never be 100% guaranteed to stop everything, we still need a method for providing further protection, and it is here that a solid backup strategy comes into play!
How can Backup Software Help?
At this point we have learned that ransomware is pretty unpleasant stuff to come across: not only can it cause the loss of valuable data, but it can also potentially cause untold amounts of damage and financial loss in the process! We have also learned that, whilst modern antivirus software is a very good form of protection against malware such as ransomware, it will never provide 100% protection and our devices will always (in part) be somewhat vulnerable to such threats, no matter how careful we might be!
It is at this point, assuming the worst has happened and a device is overrun with ransomware, that we can still save the day thanks to a solid backup strategy, one which ensures that all of our valuable documents are safely saved in a location to which the ransomware has no access. The process for recovering from a ransomware attack with some help from backup software might look something like this:
Step 1. Upon discovering a ransomware attack, one of the first things to do will be to clean the underlying device of the infection. I am not going into the fine details of how to do such cleaning in this guide, but a specialist anti-malware removal tool (such as Malwarebytes) could be of great help here. Alternatively, re-formatting the main system disk and re-installing the operating system from scratch might be one of the safest and most reliable ways of ensuring the ransomware is completely removed.
NB – In the process of re-installing an operating system, we will also lose (overwrite) any user documents as well as any software which might be installed on the device as part of the re-formatting process. In this case (thanks to the ransomware damage) many of these files would have been unusable anyway, so this is not usually a problem in this circumstance.
Step 2. If you have managed to clean the ransomware infection using specialist software (as opposed to reinstalling the operating system) then you will probably also need to remove any encrypted files from the device as well. Some backup software will allow overwriting files as part of the recovery process, but this will only be applicable if the ransomware hasn’t altered any file names. If taking this device cleaning route then it is advisable at this point to go through the device and delete any affected files prior to performing the restore operation.
Step 3. With a clean system now available (if applicable, after reinstalling the operating system), we can then re-download and install our favourite backup software application. Once the backup software is installed and ready to use we can then simply connect to our backup storage location and recover any previously affected files.
Step 4. (Applicable if a re-install of the operating system has taken place) With all of our files recovered, the final step will be re-configuring the backup application so as to continue backing up any new changes to these recovered files from this point onwards. Most backup software will allow an existing backup set to be “adopted” on a new system; this basically means that once the storage location is connected, any existing backup sets found upon it can be reinstated on the newly installed operating system with all settings ported over to the new install.
NB – If you have successfully managed to remove the ransomware with cleaning tools and not resorted to re-installing the operating system, then step 4 won’t be relevant given that the backup software should still be configured correctly.
At this point, regardless of which route you might have taken, you should now have a clean system and all of your valuable data restored (without resorting to having to pay the ransom).
Further Strengthening your Backup Strategy Against Ransomware
Whilst having any form of backup solution in place can offer an additional layer of protection against a ransomware attack, there are several ways in which we can fine-tune and enhance our backup solution to be as resilient as possible to any form of ransomware attack. In the points below (in no particular order) I have listed several important things to be aware of when configuring a backup solution with ransomware protection in mind.
1. Make sure any backup storage isn’t easily accessible
When making use of popular forms of storage such as an external hard drive or a network shared drive, be aware that if you leave such storage continuously attached to your PC then your backup files could also be targeted by a ransomware attack (given that such storage, by being permanently attached, is essentially part of the system being attacked). Mitigating this danger could be as simple as detaching your external drive or network share whenever the backup software is not making use of it; however, as was discussed earlier on, some ransomware can operate silently in the background for many days or weeks, which means this might not be a very effective option.
A much better form of mitigation would be to make use of the 3-2-1 backup method, this is a method which, amongst other things, sees at least one copy of your backed-up data stored on an external location which is not directly connected to your PC (such as a cloud storage provider). By having at least one copy of your data stored off site (e.g. on the cloud) it should remain untouched and safe even if the device itself is subject to a malware attack.
NB – When using cloud storage for storing backups, always make sure any cloud drive mapping software can’t access the folder which is being used for storing the backup data (i.e. make sure it can’t be accessed via the Windows file system). Most desktop software which allows connecting a virtual drive within Windows to a cloud storage service will also allow a specific folder on the cloud drive to be targeted (or selected drives excluded). Make sure you take advantage of this functionality when setting up virtual mapped cloud storage.
If you are using specialist cloud backup software (for example, Backblaze, Acronis Cyber Protect Home Office, Arq Premium or Crashplan, amongst others) then there will naturally be a degree of separation between the cloud storage being used by these solutions and the device which is being backed-up. In other words, given that this cloud storage can only be accessed via the backup software itself, if your device does fall victim to a ransomware attack then the ransomware won’t be able to access the cloud storage used to host your backup files (only the backup software can make a connection, meaning the data should remain safe and ready to be restored from).
2. Make use of historic file versioning
This is a really important point! In some cases it can be very easy to confuse a file synchronisation solution with a full backup solution. If you are simply synchronising your files with another device (such as a shared folder on a NAS device or a cloud drive) then any files affected by a ransomware attack could also be synchronised over as well! In essence, this means that, instead of protecting your files, the synchronisation software will potentially copy over and replace your good versions of any files with those which are encrypted and unusable!
NB – This is one of the main reasons why file synchronisation software should not be relied upon as a form of backup!
The answer to this particular problem is to make use of good backup software which allows multiple historic versions of any backed-up files to be kept! By keeping multiple versions of a file (i.e. keeping a record of any changes to the file over time) we can, if necessary, go back in time and recover an older version of each file. In practice, even if your backup software does start backing up any encrypted (or otherwise damaged) files then we can simply restore from older versions of the backup once the system has been cleaned and is ready for accepting restored files.
Generally speaking, most backup software will allow the keeping of at least 30 days’ worth of historic file versions (the bare minimum, in my opinion, for a backup solution). If you are looking for even more protection against ransomware from a backup solution then look for software which will allow the keeping of historic versions of files for at least 6 months (or, ideally, make use of a cloud service such as Crashplan or Backblaze, both of which support unlimited historic file versioning periods by default).
3. Always do regular restore testing
Firstly, this point applies to good backup management in general, but is especially important in regards to helping to protect data against a ransomware attack! Put simply, if you need to recover valuable data then you will need to be 100% sure that your backup software is working as expected and backing-up any data which it is instructed to.
Whilst almost all modern backup software applications have some form of automatic backup verification tools (which can be very useful and should be made use of), the only way to be 100% certain a backup is working properly is to regularly test the process of restoring files for real!
There isn’t really a lot more to say here; obviously if your recovery test doesn’t work then you are, in effect, not backed-up sufficiently and should look at taking immediate action to fix your backup solution. Even if your restore testing does go as planned, it would still be advisable to keep performing such restore tests on a regular basis to ensure no errors or issues have crept into the process and to help ensure that the backup can be relied upon when needed!
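To make the difference between synchronisation and versioned backup (point 2) concrete, and to show what a restore test (point 3) actually checks, here is an added example of my own; it is not code from the guide or from any of the products mentioned. It assumes a toy snapshot-style backup in which each run copies every file into a new dated directory alongside a SHA-256 manifest; the file names, the date labels and the damage function (which overwrites a file with junk bytes as a stand-in for encryption) are all constructed for the demonstration.

```python
"""Sync vs. versioned backup, plus a verified restore (added example, not from the guide)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def sync_copy(source: Path, mirror: Path) -> None:
    """One-way sync: the mirror always equals the source, so it keeps no history."""
    if mirror.exists():
        shutil.rmtree(mirror)
    shutil.copytree(source, mirror)


def versioned_backup(source: Path, store: Path, label: str) -> Path:
    """Snapshot `source` into store/<label>/data and record a SHA-256 manifest beside it.
    (Assumed toy design: a full copy per run; real products store deltas.)"""
    snap = store / label
    shutil.copytree(source, snap / "data")
    manifest = {p.relative_to(source).as_posix(): sha256_of(p)
                for p in source.rglob("*") if p.is_file()}
    (snap / "manifest.json").write_text(json.dumps(manifest, sort_keys=True))
    return snap


def versions_of(store: Path, relpath: str) -> list:
    """All (label, sha256) pairs recorded for one file, oldest snapshot first."""
    found = []
    for snap in sorted(store.iterdir()):
        manifest = json.loads((snap / "manifest.json").read_text())
        if relpath in manifest:
            found.append((snap.name, manifest[relpath]))
    return found


def restore_version(store: Path, label: str, relpath: str, dest: Path) -> bool:
    """Restore one file from a snapshot and verify it against the manifest.
    A False result here is exactly what a regular restore test exists to catch."""
    snap = store / label
    manifest = json.loads((snap / "manifest.json").read_text())
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(snap / "data" / relpath, dest)
    return sha256_of(dest) == manifest[relpath]


def simulate_damage(path: Path) -> None:
    """Stand-in for a file being rendered unreadable: overwrite it with junk bytes.
    Constructed placeholder only; no encryption is involved."""
    path.write_bytes(b"UNREADABLE:" + path.read_bytes()[::-1])


def demo() -> dict:
    """Constructed scenario: both strategies run before and after the file is damaged."""
    root = Path(tempfile.mkdtemp())
    src, mirror, store = root / "docs", root / "mirror", root / "store"
    src.mkdir()
    (src / "thesis.txt").write_text("good content, version 1")
    good_hash = sha256_of(src / "thesis.txt")

    # Day 1: the file is healthy and both strategies run.
    sync_copy(src, mirror)
    versioned_backup(src, store, "2024-01-01")

    # Day 2: the file is damaged in place and nobody has noticed; both run again.
    simulate_damage(src / "thesis.txt")
    sync_copy(src, mirror)
    versioned_backup(src, store, "2024-01-02")

    # Recovery on a cleaned machine: the mirror only holds the damaged copy,
    # while the versioned store still holds day 1.
    history = versions_of(store, "thesis.txt")
    oldest_label = history[0][0]
    restored = root / "restored" / "thesis.txt"
    verified = restore_version(store, oldest_label, "thesis.txt", restored)
    return {
        "mirror_is_good": sha256_of(mirror / "thesis.txt") == good_hash,
        "versions_kept": len(history),
        "restore_verified": verified,
        "restored_is_good": sha256_of(restored) == good_hash,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports that the mirror no longer holds a good copy, that two versions of the file were kept, and that the day 1 version restores and verifies against its recorded hash. The point of `restore_version` returning a verification result rather than just copying is that a restore test should prove the restored bytes match what was backed up, not merely that a file appeared.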
4. Make special cold backups from time-to-time
What I mean by this is, from time to time, make a special backup of your data (separate from your main backups) and store it on a separate external hard drive, USB flash drive or optical media which is kept in a very safe place away from your main device (e.g. a hidden cupboard or a fireproof safe, ideally at a different location from the one in which the device being backed-up is kept). A key point of this approach is that, once the cold backup is made, the storage device should not be re-used unless it is needed for recovering onto a clean (malware free) device at some point in the future.
Whilst this approach might seem like overkill to some people, making a backup of all data (or just very important data) and then storing it away for months or even years means that it is very unlikely to be affected by any malware or ransomware infections, given that the data upon it is kept isolated. Unfortunately, given the “cold” nature of this approach, there are some downsides, such as the cost of the stored devices being unusable for other purposes and the fact that the data won’t be easily updatable (in other words, some documents might be out of date if or when they are restored using this method).
NB – Whilst not ideal for commonly worked upon documents, some files such as original photos and video (which do not get regularly updated and are of high importance) are much better suited to being saved as a “cold backup”.
Another important issue to be aware of when using this approach is that of keeping the backed-up data secure whilst it is in storage, ideally through the use of strong encryption as would be applied by a good piece of backup software. If you do make use of encryption in this type of scenario then be sure to remember the encryption password. For additional protection it is also advisable to keep a copy of the backup software installer that is being used to make the backup (and your installation key) on the same media as the cold backup to ensure they are available if required.
Finally, if you do make use of this cold backup method, you will also need to be aware that certain media types have limited lifespans, for example, a typical CD or DVD will usually be good for retaining data safely for up to 10 years providing it is stored correctly (e.g. outside of direct sunlight and at typical room temperatures). If you do need longer time frames for safe storage (or simply more guarantees of safety in the shorter term) then look for specialist archival storage media which can last as long as 100 years when stored correctly!
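As an added example for the cold backup points above (my own illustration, not from the guide or from any backup product), the following writes an integrity manifest next to a cold backup when it is made and checks it later: it reports files that have gone missing or silently changed on the media, and flags media that is approaching the lifespan noted above so it can be copied to fresh media in time. It assumes the cold backup is a plain directory on the mounted drive or disc; the manifest file name, the 80% of expected life warning threshold and the sample files are all constructed for the demonstration, and the 10 year figure used is the CD/DVD lifespan the guide quotes.

```python
"""Integrity manifest for a cold backup (added example, not from the guide)."""
import hashlib
import json
import tempfile
from datetime import date
from pathlib import Path

MANIFEST_NAME = "cold-backup-manifest.json"   # assumed name; stored on the media itself


def sha256_of(path: Path) -> str:
    """Stream the file so large photo/video files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(media_root: Path, created: date, expected_life_years: int) -> Path:
    """Record size and SHA-256 of every file on the media, plus when it was written
    and how long the media type is expected to last (e.g. 10 for CD/DVD, per the guide)."""
    files = {}
    for p in sorted(media_root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            files[p.relative_to(media_root).as_posix()] = {
                "size": p.stat().st_size, "sha256": sha256_of(p)}
    doc = {"created": created.isoformat(),
           "expected_life_years": expected_life_years,
           "files": files}
    out = media_root / MANIFEST_NAME
    out.write_text(json.dumps(doc, indent=2, sort_keys=True))
    return out


def verify_manifest(media_root: Path, today: date) -> dict:
    """Re-hash the media and compare with the manifest; also warn once the media has
    reached 80% of its expected life (assumed threshold) so it can be refreshed in time."""
    doc = json.loads((media_root / MANIFEST_NAME).read_text())
    missing, changed = [], []
    for rel, meta in doc["files"].items():
        p = media_root / rel
        if not p.is_file():
            missing.append(rel)
        elif p.stat().st_size != meta["size"] or sha256_of(p) != meta["sha256"]:
            changed.append(rel)
    age_years = (today - date.fromisoformat(doc["created"])).days / 365.25
    return {
        "ok": not missing and not changed,
        "missing": missing,
        "changed": changed,
        "age_years": round(age_years, 1),
        "near_end_of_life": age_years >= 0.8 * doc["expected_life_years"],
    }


def demo() -> dict:
    """Constructed scenario: check the media one year on, then again nine years on,
    after one file has suffered a flipped bit and another has vanished."""
    media = Path(tempfile.mkdtemp())
    (media / "photos").mkdir()
    (media / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8constructed-jpeg-bytes")
    (media / "photos" / "wedding.jpg").write_bytes(b"\xff\xd8more-constructed-bytes")
    (media / "README-restore.txt").write_text("installer and licence key kept here, as the guide suggests")
    write_manifest(media, created=date(2015, 6, 1), expected_life_years=10)

    first_check = verify_manifest(media, today=date(2016, 6, 1))

    rotten = media / "photos" / "holiday.jpg"
    raw = bytearray(rotten.read_bytes())
    raw[0] ^= 0x01                      # one flipped bit: same size, different hash
    rotten.write_bytes(bytes(raw))
    (media / "photos" / "wedding.jpg").unlink()
    later_check = verify_manifest(media, today=date(2024, 6, 1))
    return {"first": first_check, "later": later_check}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The size check alone would not catch the flipped bit in `holiday.jpg`, which is why the manifest carries a hash as well; the age warning is there because media that still verifies today may not verify in a few years, and copying it forward before it fails is far cheaper than discovering the problem during a restore.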
5. Check all software is updated regularly
Whilst this does apply to backup software, it also applies to any other software that might be installed on a PC as well. Simply put, out of date software can be one of the leading ways in which a PC can become infected with malware such as ransomware, even if a modern, fully functional antivirus solution is running on the device!
With this in mind, be sure to keep all software which is used on your device up to date as regularly as is possible. Many modern software titles allow for automatic updates to be applied and this should be turned on whenever possible. If you don’t have this automatic update option then try to be aware of how old certain software is and look at the manufacturer’s website regularly for information on any security upgrades or patches which might be available (most of the time, such security related patches or upgrades are free, even if you are out of subscription on a particular product).
6. Make use of the 3-2-1 backup strategy
I have already made reference to the 3-2-1 backup strategy earlier on in this guide, but following this 3-2-1 method is a really important way of ensuring your backup strategy is as safe and effective as is reasonably possible.
NB – I have written a full guide on making use of the 3-2-1 backup method (see the 3-2-1 backup strategy guide).
Whilst this strategy can still be enhanced (for example, by making use of the “cold backups” mentioned in point 4 above), it is still widely accepted as one of the most effective and user friendly backup strategies to implement and offers a very good level of data protection for very little work or cost. In fact (as listed in my aforementioned 3-2-1 article) there are now many backup software titles which are fully capable of allowing users to implement this strategy with just a single piece of software (e.g. they allow for local backups to a local device as well as supporting cloud backups via their own cloud service or a 3rd party cloud storage service integrated into the software).
Firstly, it needs to be said that there is a lot of information in this guide! The key point to take away is that any form of backup which you might have in place can help substantially in protecting your data against ransomware and will, when applicable, help complement any other protection which might be in place such as antivirus or other security software!
If you do have the time and budget to extend your resilience against ransomware, then making additional backups of your data in different safe locations, using long historic file retention periods and implementing the 3-2-1 backup strategy can all be relatively simple and effective ways of increasing the protection that your backup strategy offers.