How are backups protected against ransomware?

Ransomware attacks have become increasingly common in recent years. They involve malware that encrypts files on a system and demands a ransom payment in order to decrypt them. One of the most effective ways to protect against ransomware is to maintain regular backups of critical data and systems. Backups allow you to restore encrypted or deleted files after an attack. However, backups themselves can also be targeted by ransomware. So it’s important to implement backup systems and policies that enhance protection against ransomware.

Why are backups a target for ransomware?

Backups provide protection against data loss from ransomware, but paradoxically they also make attractive targets for ransomware attacks. There are a few key reasons why backups may be targeted:

  • Backups contain valuable data that ransomware wants to deny access to. Encrypting backups can make restoring files after an attack more difficult.
  • Encrypted backups may force an organization to pay the ransom to regain access to data.
  • Deleting backups pressures victims into paying ransoms by eliminating recovery options.
  • Ransomware aims to inflict maximum damage. Preventing the use of backups accomplishes this goal.
  • Some types of ransomware are capable of identifying and targeting backup files and locations specifically.

In summary, backups are a high priority target for ransomware because compromising them can severely hinder recovery efforts and force victims to meet ransom demands.

Where are backups vulnerable to ransomware?

Backups can be vulnerable to ransomware compromise at several points in the backup process:

  • During backup creation: Ransomware could encrypt files as they are copied to the backup location.
  • On backup storage media: Backup files stored on drives or in cloud storage may be encrypted while at rest.
  • Backup software: Ransomware could attack the backup software itself, crippling the ability to restore files.
  • Backup catalogs/indexes: Catalogs that track backup contents could be altered to make restoration difficult.
  • During backup restore: Ransomware could encrypt restored files after recovery.

Essentially, if ransomware gains access to a system, then any component involved in the backup process could potentially be impacted or manipulated to disrupt backup integrity.

How does ransomware disrupt backups?

There are a few main ways ransomware can disrupt backups:

  • Encrypting backup files: By encrypting the actual backup files, the backups become useless for restoration.
  • Deleting backups: Ransomware may delete backup files or format backup media to make recovery impossible.
  • Modifying backup configuration: Ransomware can alter settings so backups are disabled or can’t be accessed.
  • Encrypting live data: If production data is already encrypted when a backup runs, the backup captures the encrypted data and is useless for recovery.
  • Corrupting backup software: Ransomware may corrupt the integrity of backup applications needed to restore data.

The impacts range from mild disruption to complete devastation of an organization’s backup capabilities. A resilient backup scheme must account for these various disruption methods.

What backup systems are most vulnerable?

Certain types of backup implementations tend to be more vulnerable to compromise by ransomware:

  • Always-connected backups: Hot backups connected 24/7 to the network can be directly infected by ransomware.
  • Shared backup storage: Centralized backup storage accessible to multiple systems can spread ransomware.
  • Non-isolated backups: Backups that are continuously or frequently accessible lack isolation from infection.
  • Backup agents: Agent-based backups depend on host systems that are themselves vulnerable to ransomware infection.
  • Single copy backups: Maintaining a single copy of backups provides no redundancy if compromised.
  • Non-encrypted backups: Backups without encryption allow the contents to be accessed by ransomware.

For maximum ransomware resilience, backups should be isolated, redundant, encrypted, and frequently disconnected from production systems.

How can backup systems be designed for ransomware protection?

The following elements represent best practices for architecting backups with ransomware defense in mind:

  • Air-gapped backups: Maintain some backups offline or immutable as an isolated last line of defense.
  • Remote geo-distributed backups: Store backup copies in multiple remote locations to eliminate single points of failure.
  • Backups with versioning: Retain multiple backup versions to facilitate restoration from before an attack.
  • Encrypted backups: Encrypt backup contents as well as communications channels.
  • Least privilege access: Only necessary staff should have access to backup administration functions.
  • Audit backups: Continuously monitor backup system access, configurations, and integrity.

Adopting these measures can effectively minimize the risk of backup compromise due to ransomware while still making them accessible for operational recovery needs.

How can backups be kept isolated from ransomware infection?

Maintaining proper isolation is key to keeping backups protected from ransomware that may have infected production systems. Useful isolation techniques include:

  • Physical air gaps: Store some backup media completely disconnected from networks.
  • Logical air gaps: Place backups in storage locations isolated through access controls.
  • Immutable backups: Make certain backups permanently read-only to prevent encryption or deletion.
  • Offsite backups: Store backup copies outside the network with a cloud provider or remote facility.
  • Separate domains: Host backups in a separate domain from production systems.
  • VLAN segmentation: Use VLANs to isolate backup traffic from production environments.

Testing that the isolation actually holds provides confidence in the ability to recover from ransomware attacks that compromise production systems.

Should backups be continuously connected or disconnected?

There are merits to both continuously connected and frequently disconnected backup systems:

  • Continuously connected pros: Quick and easy backups and restores. Near-zero recovery point objectives.
  • Continuously connected cons: Increased vulnerability to backup manipulation or encryption by ransomware compromising production systems.
  • Disconnected pros: Reduced risk of backup compromise via “air gap” isolation from production environments.
  • Disconnected cons: Manual labor required to connect and disconnect for backups. Higher recovery point objectives.

Typically a hybrid approach is optimal – maintain production backups on connected storage, but also create periodic air-gapped copies. The precise schedule depends on recovery objectives vs. acceptable downtime and manual effort tradeoffs.

How can backup access be restricted to prevent compromise?

Restricting unauthorized access to backups is critical to prevent malicious modification, deletion, or encryption of backup contents. Useful access restriction measures include:

  • Least privilege: Only essential staff should have backup access or admin privileges.
  • Multifactor authentication: Enforce MFA for backup tooling admin access.
  • Topology hiding: Obfuscate backup infrastructure details from unauthorized parties.
  • Jump server access: Require a bastion/jump host to access backup environments.
  • Backup user accounts: Maintain separate user accounts just for backup administration.
  • Read-only media: Use write-block technology to make recovery points immutable.

Consider access restrictions both for on-premises backup platforms and cloud-based backup services. The key is to grant access only on an as-needed basis.

How can you detect ransomware attacks targeting backups?

Detecting when ransomware is attempting to disrupt backups allows incident response before significant damage occurs. Detection methods include:

  • Backup audit logs: Monitor logs for unauthorized configuration changes or high volume activity.
  • File integrity monitoring: Detect unauthorized modification of backup catalogs.
  • Anomaly detection: Watch for abnormal deletion rates or version changes.
  • Backup testing: Regular validation tests will reveal backup corruption or encryption.
  • Honeypot backups: Deploy decoy backup targets and monitor them for modifications.
  • Snapshot comparison: Diff backup snapshots over time to identify alterations.

Quickly identifying backup tampering is crucial to preventing irreversible damage. Consider multiple layered detection methods across monitoring, auditing, testing, and data forensics.
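The audit-log and anomaly-detection methods above, as an added example that is not part of the original article: a small Python checker run over a constructed audit log in a hypothetical "<time> <user> <action> <object>" format. It flags a burst of backup deletions inside a short window and a retention change made by an account outside an assumed allow-list of backup service accounts.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical "<ISO time> <user> <action> <object>" format).
# A retention change followed by a burst of DELETEs is the tampering pattern described above.
SAMPLE_LOG = """\
2024-03-01T02:00:01 backupsvc CREATE job-nightly/db-0301.bak
2024-03-01T02:05:12 backupsvc CREATE job-nightly/fs-0301.bak
2024-03-02T03:14:00 jdoe CONFIG_CHANGE retention.days=1
2024-03-02T03:14:05 jdoe DELETE job-nightly/db-0228.bak
2024-03-02T03:14:06 jdoe DELETE job-nightly/db-0227.bak
2024-03-02T03:14:07 jdoe DELETE job-nightly/fs-0228.bak
2024-03-02T03:14:08 jdoe DELETE job-nightly/fs-0227.bak
2024-03-02T03:14:09 jdoe DELETE job-nightly/db-0226.bak
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

def parse_log(text):
    """Return (timestamp, user, action, object) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, action, obj = m.groups()
            events.append((datetime.fromisoformat(ts), user, action, obj))
    return events

def find_alerts(events, max_deletes=3, window=timedelta(minutes=5),
                allowed_admins=("backupsvc",)):
    """Flag a deletion burst (more than max_deletes DELETEs inside `window`) and any
    configuration change by an account outside allowed_admins (an assumed allow-list)."""
    alerts = []
    deletes = [e for e in events if e[2] == "DELETE"]
    for i, (ts, user, _, _) in enumerate(deletes):
        # Count deletions in the sliding window that ends at this event.
        recent = [d for d in deletes[: i + 1] if ts - d[0] <= window]
        if len(recent) > max_deletes:
            alerts.append(("DELETE_BURST", user, ts))
            break  # one alert per burst is enough
    for _, user, action, obj in events:
        if action == "CONFIG_CHANGE" and user not in allowed_admins:
            alerts.append(("UNAUTHORIZED_CONFIG", user, obj))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

Thresholds and the allow-list are placeholders; tune them to the normal deletion rate of your retention policy so that routine expiry does not trigger the burst rule.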

What should you do if backups are impacted by ransomware?

If ransomware evades preventative measures, follow these steps to mitigate damage:

  1. Isolate backups from networks to prevent further spread.
  2. Evaluate the scope of impact to backups – which systems, locations, timeframes affected.
  3. Attempt restoration from intact backups created prior to the event.
  4. If necessary, remove and rebuild core backup components to re-establish integrity.
  5. Identify the ransomware entry point that allowed backups to be compromised.
  6. Engage incident response teams to contain and remediate the attack.
  7. Review defenses and access controls to prevent recurrence.

With proper backup architecture and planning, impacts can be minimized. But careful execution of response steps is key to recovery.

Backups are the last line of defense against ransomware attacks. But as a high value target, they must be architected with protection in mind. Isolation, immutability, encryption, and access restrictions make backups more resilient. Recovery testing also helps verify defenses. With rigorous security controls, organizations can rely on backups to mitigate data loss, while denying ransomware the leverage it seeks over victims. Backups represent hope against an emerging threat – with forethought and vigilance, that hope need not be misplaced.