Backups are an organization’s last line of defense against ransomware, because comprehensive, offline, offsite backups give you a chance to restore or rebuild your computers without paying a criminal for a decryption key.
Unfortunately, many organizations don’t realize how important it is to make backups until it’s too late. And it’s all-too-common for those that do take regular backups to discover too late that they aren’t fit for purpose.
Why? Because backups are hard to get right.
In September 2021, Malwarebytes spoke with Matt Crape from VMWare to find out why backups are so hard, why they fail, and what to do about it. This World Backup Day, we thought we’d revisit his advice for creating a more consistent, stable, and resilient backup process. Here are three essential things every organization can ponder today.
1. Know what you’re trying to achieve
Good backups start with a clear understanding of what your organization needs them to do. From that, you can determine what needs to be backed up, why, how frequently, and for how long. The answers to those questions will depend on how much data you have, how often it changes, whether you can live without any of it, whether you have remote employees, the implications of legal requirements such as GDPR, and a wide range of other factors.
Every organization is different, so the “right” answers to those questions will be unique for each. Organizations also change over time so decisions about what you need from your backups need to be reviewed often enough to keep up.
When thinking about ransomware, a good starting point is to imagine what you would need to do if all of your computers were rendered useless and you had to rebuild them from scratch. What’s your approach, will you restore everything from backups, or recreate applications and operating systems from a “golden” disk image? If that’s your plan, do you know how long it will take to reinstate every computer in your organization? Can your business survive that much downtime?
2. Keep a backup offline and offsite
Modern ransomware attacks are carried out by gangs who break into company networks, prepare the ground for their attack, and then run their ransomware manually. Gangs can spend weeks inside a network looking to increase the chances of their attack succeeding, and backups are a prime target. If the attackers can find them, they will delete them.
That’s exactly what happened when a ransomware gang attacked the Northshore School District in Washington state. In an instructive and painfully honest episode of our Lock and Code podcast, Systems administrator Ski Kacoroski told us “we find out, at about 4 or 5 hours after the attack, that our backup system is completely gone.” Without effective backups, Kacoroski was left with a mountain to climb: “It started to really sink in that I’m going to have to rebuild 180 Windows servers, and more importantly, rebuild Active Directory from scratch, with all those accounts and groups, and everything in it. That part really, really hurt us.”
The lesson of the Northshore attack and many others is that it’s vital to keep at least one recent copy of your data offsite and offline, beyond the reach of an attacker who has domain administrator access to your network
CISA recommends the tried and tested 3-2-1 rule of backups: 3 copies of your data, on 2 different media, with 1 held offsite, which provides resilience against a range of different risks, including ransomware.
3. Test your backups
A backup is only as useful as the data that can be successfully restored from it. So while it’s useful to know that your backup solution is running and recording data, the only way to be sure it works is to try reading data from it.
A true acid test is to prove to yourself that in the event of a ransomware attack, natural disaster, fire or flood, that you can restore your critical business systems from scratch. Simply having the data may not be enough. Companies grow organically and unless they are very new, their networks are likely to have been built over time rather than in one go. This can create interdependencies where system A requires system B and system B requires system A, and so on.
And keep in mind that the best judge of whether data has been restored successfully is the person who relies on that data—so keep them engaged during the testing.
To learn more about why backups fail when you need them, and how to improve your chances of success, listen to the full podcast with Matt Crape, embedded below.
Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.