How can I protect automatic backups from ransomware

Geoffsplace

Hiya,
Years ago I set up all my clients with automatic backups. I use Acronis and it does a full backup each time (it's done at night when the computers are not in use). However, with the increase in ransomware, and the fact that it encrypts any and all attached drives and even cloud storage, I am worried, because obviously if the backup drive is compromised you're stuffed!

It seems they are targeting users in Australia more frequently, using emails purporting to be from AGL (major electricity supply co. in Aus), Telstra (major phone co.), Vic Roads (Govt vehicle registration) etc. I am seriously concerned that someone will open one of these emails and get infected, as I understand it antivirus programs won't necessarily recognise or block these emails anymore.

I have researched this problem on Google and found that even password protecting the backup drive at a network level doesn't stop access.

My clients are so likely to open not only the email but also the attachment if it looks remotely legit. I can't blame them for this; they are experts in their own field but know very little about computer security, and that's fine, that's why they contract me.

Has anyone out there devised a solution to this problem or have any advice?

rgds
Syb
 
The latest Veeam Endpoint Backup will automatically disconnect the USB device once a backup is complete.
The user does need to remember to disconnect and reconnect it again though, so that does create the possibility that they forget to do it one day.
Online backups will be fine as long as the backup service allows versioning, which all do as far as I know. If yours doesn't, then seriously look at changing to one that does.
Cloud storage like Dropbox/OneDrive is not a backup, so don't rely on it for that.

Also switch their AV to Emsisoft as the behaviour blocker in that is supposed to be the best at blocking these ransomware type infections.
 
Haven't used Acronis for a long time but the two I use most frequently, Altaro and Macrium Reflect, can both store network login credentials, avoiding the need to attach the network backup as a mapped drive. Don't map your network backup locations or store their credentials in Credential Manager/Windows Vault and they should be inaccessible to ransomware, etc.
 
My solution which worked was to make a protected network share with a username and password that only the backup job has entered. It has a UNC path instead of a mapped drive (e.g. \\servernas\backup1). I've already had an instance where a workstation on a domain network got infected, but because I had the backups set up like that we were able to recover quickly.

Alternatively you might be able to make a hidden share and direct your backup to that.

Majestic
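Majestic's approach above (a share reached by UNC path, credentials known only to the backup job, no mapped drive and nothing saved in Credential Manager) can be scripted so that the connection exists only for as long as the job runs. The following is an added example, not code from the thread or from any backup product: it wraps the Windows `net use` and `robocopy` commands, with the command runner injected so the control flow can be exercised without a real share. The share path is the one from the post; the account name and source folder are constructed. One design caveat: passing the password on the `net use` command line exposes it briefly in process listings, so the job should run under a dedicated service account and read the password from a store only that account can access.

```python
"""Connect to the backup share for the duration of the job only: the share is
addressed by UNC path, the backup account's credentials are supplied by the job
(never a mapped drive, never a saved credential), and the session is torn down
afterwards even if the copy fails. Added example; share, account and paths are
constructed, not taken from any real environment."""
import subprocess
from typing import Callable, Dict, List, Sequence

Runner = Callable[[Sequence[str]], int]   # runs a command and returns its exit code


def default_runner(argv: Sequence[str]) -> int:
    """Run the command for real (Windows only, since it needs net.exe and robocopy.exe)."""
    return subprocess.run(list(argv), check=False).returncode


def connect_cmd(unc: str, user: str, password: str) -> List[str]:
    # No drive letter, and /persistent:no so Windows does not remember the connection.
    return ["net", "use", unc, "/user:" + user, password, "/persistent:no"]


def disconnect_cmd(unc: str) -> List[str]:
    return ["net", "use", unc, "/delete", "/y"]


def copy_cmd(source: str, unc: str) -> List[str]:
    # Mirror the source tree; /R:1 /W:1 stops a dead share from blocking the job all night.
    return ["robocopy", source, unc, "/MIR", "/R:1", "/W:1"]


def run_backup(unc: str, user: str, password: str, source: str,
               runner: Runner = default_runner) -> Dict[str, object]:
    """Connect, copy, disconnect. Returns the steps run with their exit codes and an
    overall verdict; the disconnect happens whether or not the copy succeeded."""
    steps: List[tuple] = []

    def step(name: str, argv: List[str]) -> int:
        rc = runner(argv)
        steps.append((name, rc))
        return rc

    if step("connect", connect_cmd(unc, user, password)) != 0:
        return {"ok": False, "steps": steps}    # nothing to copy to, nothing to tear down
    try:
        rc = step("copy", copy_cmd(source, unc))
        ok = rc < 8       # robocopy: 0-7 are success variants, 8 and above are failures
    finally:
        step("disconnect", disconnect_cmd(unc))  # credentials leave the machine with the session
    return {"ok": ok, "steps": steps}


if __name__ == "__main__":
    # Constructed values; the password would come from a secret store in practice.
    print(run_backup(r"\\servernas\backup1", r"servernas\backupjob", "REPLACE-ME", r"D:\data"))
```

`/MIR` keeps a single generation on the share, so a run that happens after the infection overwrites the good copy. This pattern protects the share from the workstation; it still needs pairing with versioning (rotating drives, or an offsite service that keeps versions) to protect against a bad run.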
 
We normally mix a bit of old school and new school backup methodology. Local image backups are put on rotating drives that get swapped out, much like the tape drives of old. The exact number of drives varies by client, but it's normally somewhere between 2 and 7. In addition we back up critical data offsite via our remote backup software. Once that data hits our servers, it cannot be changed, so ransomware has no way to touch it.
 
Security is a layered approach. The first layer is the outermost, just like an onion.

Hosted email filtering
UTM / network security device
DNS
Antivirus

are the layers I generally use.

Andy
 
I've had two clients who have had their butts majorly saved by CrashPlan. CrashPlan does an excellent job of keeping file versions. Both clients got CryptoLocker and it encrypted all of their mapped drives (all server data), including the workstation itself. I disconnected the afflicted workstation from the network and nuked and paved it. Then I was able to tell CrashPlan to restore everything to a certain date, the day before, up to a certain time, the time before the workstation started encrypting.

At one office I have a dedicated onsite backup for CrashPlan, 2 portable externals with CrashPlan backups that get swapped daily, a CrashPlan cloud backup, and a dedicated external onsite for a server image, all on a server in a RAID 10 with 6 drives: 2x 320GB 10K drives in a RAID 1 for the OS, and 4x 600GB 10K drives in a RAID 10 with a dedicated hot spare.
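The versioning that the earlier reply calls essential, and the restore-to-the-moment-before-encryption that saved the two CrashPlan clients above, come down to one mechanism: every run lands in its own dated snapshot, nothing older is overwritten, and a restore chooses the newest snapshot taken before a cut-off. The following is an added example, not CrashPlan's or any vendor's code, that implements that mechanism with hard-linked snapshot directories; the paths, stamps and file contents are constructed. Stamps use `YYYY-MM-DD_HHMM` so that name order is time order and the names are legal on Windows.

```python
"""Versioned snapshot backups: each run becomes a dated directory, files unchanged
since the previous run are hard-linked rather than copied, and a restore picks the
newest snapshot taken before a chosen cut-off (the moment the workstation started
encrypting). Added example; paths, stamps and contents are constructed."""
import filecmp
import os
import shutil
import tempfile
from pathlib import Path


def _snapshots(repo: Path) -> list:
    """Snapshot directories in time order (stamps sort lexically as YYYY-MM-DD_HHMM)."""
    return sorted(p for p in repo.iterdir() if p.is_dir())


def take_snapshot(source: Path, repo: Path, stamp: str) -> Path:
    """Copy `source` into repo/<stamp>. A file whose content is identical to the one in the
    previous snapshot is hard-linked to it, so nightly snapshots of a mostly static data
    set cost little more than one full copy while every version stays restorable."""
    repo.mkdir(parents=True, exist_ok=True)
    previous = _snapshots(repo)
    prev = previous[-1] if previous else None
    dest = repo / stamp
    if dest.exists():
        raise FileExistsError(f"snapshot {stamp} already exists")
    dest.mkdir()
    for path in sorted(source.rglob("*")):
        rel = path.relative_to(source)
        target = dest / rel
        if path.is_dir():
            target.mkdir(parents=True, exist_ok=True)
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        candidate = prev / rel if prev is not None else None
        # Real tools compare size and mtime; a byte-for-byte compare keeps the example unambiguous.
        if candidate is not None and candidate.is_file() and filecmp.cmp(candidate, path, shallow=False):
            os.link(candidate, target)
        else:
            shutil.copy2(path, target)
    return dest


def prune(repo: Path, keep: int) -> list:
    """Delete all but the `keep` newest snapshots and return the stamps removed."""
    if keep < 1:
        raise ValueError("keep at least one snapshot")
    removed = []
    for old in _snapshots(repo)[:-keep]:
        shutil.rmtree(old)
        removed.append(old.name)
    return removed


def restore_before(repo: Path, cutoff: str, dest: Path) -> str:
    """Restore the newest snapshot whose stamp sorts strictly before `cutoff`, e.g. the time
    the first encrypted file appeared on the workstation. Returns the stamp used."""
    candidates = [p for p in _snapshots(repo) if p.name < cutoff]
    if not candidates:
        raise LookupError(f"no snapshot older than {cutoff}")
    chosen = candidates[-1]
    shutil.copytree(chosen, dest, dirs_exist_ok=True)
    return chosen.name


def run_demo() -> dict:
    """Scenario from the thread: a good nightly snapshot, the workstation encrypts a file
    during the day, the next night's snapshot captures the damage, then a restore to the
    snapshot before the encryption started."""
    work = Path(tempfile.mkdtemp(prefix="snapdemo-"))
    src, repo = work / "data", work / "backups"
    src.mkdir()
    (src / "invoice.docx").write_text("quarterly figures")
    (src / "logo.png").write_text("unchanging asset")
    take_snapshot(src, repo, "2016-04-01_0200")
    (src / "invoice.docx").write_text("GARBAGE-CIPHERTEXT")   # simulated encryption at about 09:00
    second = take_snapshot(src, repo, "2016-04-02_0200")
    used = restore_before(repo, "2016-04-01_0900", work / "restored")
    result = {
        "linked": (second / "logo.png").stat().st_nlink,      # 2: shares data with the first snapshot
        "restored_from": used,
        "restored_text": (work / "restored" / "invoice.docx").read_text(),
        "pruned": prune(repo, keep=1),
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(run_demo())
```

Hard-linked snapshots only help if the repository itself is out of the workstation's reach: malware that overwrites a file in place changes every snapshot that links to it, which is exactly why the thread's replies put the versions on a service the client cannot write to, on a swapped-out drive, or behind credentials only the backup job holds.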
 
Maybe because I'm from the old school, what I do is create a second backup instance on an FTP server.
The main backup is a mirror (or an update with FreeFileSync) without compression to a shared folder.
The second (but most important) uses Cobian in differential mode (6 differential and 1 complete) pointing to a local FTP server (FileZilla Server with everything blocked except internal IPs).
In this case everything is copied to an external drive (FreeFileSync in update mode for the mirror folders and mirror mode for the FTP folder) and removed from the premises.

Powered by Google Translate
 