How can I protect my ransomware backup plan?

Ransomware attacks have become increasingly common in recent years. These malicious programs encrypt files on a system and demand payment in order to decrypt them. Having a solid backup plan is critical for recovering from a ransomware attack. However, backups can also be compromised if proper precautions are not taken.

Use offline backups

One of the best ways to protect backups from ransomware is to keep them offline. Ransomware can’t encrypt files on a disconnected external hard drive or tape backup. Simply disconnecting the drive from the system when not in use can be an effective strategy.

Some options for offline storage include:

  • External hard drives that are only connected during backup windows
  • Removable media like USB flash drives or tapes that are stored offline
  • Cloud-based object storage services that are accessed minimally

When using external drives, be sure to safely eject them before disconnecting to avoid data corruption. Cloud storage apps should be configured to limit automatic syncing. The key is minimizing exposure of the backup files to any systems infected with ransomware.

Test restoration from backups

It is important to regularly test that files can be successfully restored from backups. This helps ensure the backups are viable and that the restoration process works in the event it needs to be performed after a ransomware attack.

Try restoring backups to a test environment on a regular basis. Restore the full backup initially, then perform incremental restores from successive backup periods. Verify that the files and directories appear exactly as expected. Testing backups is the only way to confirm that the data is recoverable.

Use immutable backups

Immutable backups can’t be deleted or encrypted once created. This prevents ransomware from compromising backups after they are taken. Cloud services like AWS S3 Glacier support immutability by locking objects in an archive for a defined period of time.

Object storage in general is a good option for immutable backups. Individual backup files can be locked to prevent manipulation until after a set retention period. This gives time to recover files in the event of ransomware striking soon after backups are taken.

Distribute backups

Don’t keep all backup copies in a single location. Ransomware could spread through connected systems and encrypt all centrally-stored backups before being detected. It is better to maintain redundant backups in different locations.

Distributing backup copies can include:

  • Storing backups on removable media that is kept at multiple secure locations
  • Backing up to a cloud service in addition to local appliances/drives
  • Replicating backups across data centers or cloud regions

This diversity makes it much harder for ransomware to impact all backups simultaneously. Having multiple restore points helps hedge risk.

Air gap backup systems

For the most critical data backups, consider maintaining an air gapped backup system that is physically isolated from networks. This could be a standalone drive or tape robot that is only connected briefly during the backup process. Without any network access, ransomware has no way to reach these systems.

Air gapped backups provide an assurance that at least one intact copy of data will be available after an incident. This allows for recovery without paying ransom. Just be sure to protect the physical media as it will represent the only surviving copy in some cases.

Apply the 3-2-1 rule

The 3-2-1 rule provides best practices for maintaining robust backups:

  • Have at least 3 total copies of data
  • Store backup copies on at least 2 different media types
  • Keep 1 backup copy stored offline

This covers the key principles of immutability, distribution, and being offline to gain ransomware resilience. Sticking to the 3-2-1 rule reduces the risk of unrecoverable data loss.

Encrypt backup files

Encryption serves as an extra layer of protection for backup files against unauthorized access. Even if ransomware manages to delete or overwrite backup files, strong encryption leaves the contents inaccessible.

Encryption options include:

  • Encrypted virtual tape libraries
  • Backup tools with built-in encryption features
  • Archive encryption for cloud object storage

The keys used for encryption should be protected separately from the backups to avoid a single point of failure.

Use read-only media

Writeable media like hard drives and tapes can have backup files deleted or overwritten by ransomware. Read-only media like Blu-Ray discs or write-once tapes avoid this issue.

While optical discs have size and durability constraints, they can provide an inexpensive way to supplement a standard backup plan. High-capacity tape formats like LTO with WORM (write-once, read-many) capability offer a more robust option.

Offsite storage of read-only media adds another layer of protection for critical data. This forces reliance on remaining writable backups that may be more actively protected.

Isolate backups from production

Don’t share infrastructure between backup systems and production networks. Ransomware often spreads through shared resources like servers, storage devices and virtual machines.

Maintaining air gaps between production and isolated backup networks is ideal. At minimum, ensure backups run on dedicated infrastructure without bleeding into production domains. Never store backups on production servers.

Use firewalls and ACLs

Firewalls and access control lists can limit communication with backup systems. This helps prevent ransomware spread if other systems are compromised.

Cloud-based object storage offerings should have locked-down ACLs to avoid unauthorized access. On-premises backup appliances often support firewall policies to specify allowed data flows.

The strictest rules possible should be enforced. For example, if performing cloud backups over the public internet, restrict outbound firewall access to just necessary IPs for the cloud provider.

Monitor backup activity

Look for unusual activity that could indicate ransomware attempting to access backups. Some signs include:

  • Backups suddenly missing or corrupted
  • Unrecognized encryption appearing on backup files
  • Backup sizes decreasing drastically
  • Backup storage performance slowing significantly

Send alerts on any unexpected backup changes. Monitor for spikes in reads/writes that don’t align to scheduled jobs. This can help detect ransomware activity so backups can be isolated.

Have an incident response plan

Know how to quickly isolate backups if an attack occurs. This can limit damage and preserve restore points. Being able to disconnect infected systems is critical.

Response plans should identify containment strategies such as:

  • Physically unplugging backup appliances/drives
  • Blocking IP communication to backup endpoints
  • Revoking cloud service credentials
  • Blocklisting affected systems at the firewall

Predefined plans avoid hesitation during incidents that could lead to wider encryption of backups. Run response drills to prep the team.

Prioritize high value data

Backupeverything is not always feasible. Focus on backing up mission critical data first.

Categorize systems and data sets based on business impact. High priority servers, databases, and file shares should be backed up more frequently.

Also increase redundancy for important backups by replicating to multiple destinations. Adding more backup copies strengthens protection.

Educate staff on risks

Ransomware often enters through phishing emails or drive-by downloads. Training staff helps avoid these infection vectors. Teach techniques like:

  • Identifying suspicious links/attachments
  • Not browsing risky sites on work devices
  • Using email spam filters
  • Running up to date endpoint security

Provide regular simulated phishing tests. Reinforce consequences of risking backups by opening unverified emails or downloads. Awareness is a key ransomware defense.

Store backup credentials securely

System credentials used by backup tools to access storage should be protected. Lock down credential files or consider using a password vault.

This helps prevent ransomware with endpoint access from harvesting credentials to directly sabotage backups. Securing credentials adds another hurdle for malicious actors.

Use least privilege permissions

Backup accounts should have minimal permissions needed to run jobs and access storage. Avoid blanket admin-level access that enables wider data destruction.

Set file system and object storage permissions to lock down what backup accounts can access. Limit credential use to specific IP ranges/systems.

Strict permissions ensure damage from compromised backup tools stays contained.


Ransomware can do wide-ranging damage if backups are not properly protected. However, there are many tactics that can harden backups and recoverability. Distributing encrypted copies across mediums and locations makes restoring data feasible even if some backups are impacted.

The keys are maintaining offline backups that are diversified, immutable, isolated and actively monitored. Test regularly to verify that restoration succeeds. With a reliable backup process that limits susceptibility to ransomware, organizations can operate with confidence despite rising cyber threats.