8 Ways to Protect Your Backups from Ransomware


Infopackets Reader Bob S. writes:

" Dear Dennis,

... [I run an accounting firm and was recently hit with a ransomware attack which encrypted over 70,000 of my files. I nearly lost everything, though I was finally able to overcome this and recover my data through your help] ... What I need is a comprehensive backup solution that will allow me to automate my backups - which means having the backup drive attached to my system 24/7 - yet, the backup drive must be protected such that ransomware cannot spread to the drive and encrypt my backup data. If that were to happen, my backups would be useless. How can I protect my backups from ransomware? Backups are the only way to undo the damage of a ransomware attack without having to pay a ransom. "

My response:

Bob hired me to look into this for him, and with his permission I've decided to share my findings.

I have given this extensive thought and examined multiple ways to protect a backup drive from ransomware. This article is fairly lengthy but will explain some excellent ideas.

Please note that if you are reading this now and you need help protecting your data against ransomware, you are welcome to contact me for help.

But first, let's start with the basics -

What is Ransomware?

Ransomware is malicious software (malware) designed to block access to a computer until a sum of money is paid.

Files on a computer's hard drive are encrypted, including attached storage devices such as external hard drives and network shared storage spaces. Ransomware is extremely problematic for networks with more than one PC, as it is designed to spread as quickly as possible, which then increases the chance that ransom will be paid to unlock files.

Ransomware is therefore a threat if you intend to run backups on a schedule - whether it's using an internal or external hard drive or cloud backup to store your backups.

Related: Is Ransomware a Real Threat? Should I worry?

What is the Best Defense Against Ransomware?

One way to minimize the risk of becoming infected with ransomware is to patch the operating system regularly with security updates and to minimize potential attack vectors (such as email attachments, remote access, etc) - but that alone is not enough. If the system becomes infected, backups are the only sure-fire way to undo the damage without having to pay a ransom.

There are issues with this approach, however.

One is that backups must be made regularly (daily or every other day) - this requires proper planning and available storage space for backups. Ideally there should be at least 2 or more backup sets per system in case one of the backup sets is corrupted, or if one set has missing data because a file or folder may have been accidentally deleted by a user the day or week prior.

Secondly, backups must be stored in a manner that they are not accessible to ransomware, otherwise ransomware will simply spread to the backups.

In the past it's been widely accepted to run an automated backup on schedule, which typically stores backed up data onto an attached external drive, or in a centralized network location (server or NAS device). This approach is no longer viable because as long as the backup device is accessible, it can be encrypted by ransomware.

Cloud Backups are Not Safe from Ransomware

Having data stored "on the cloud" does not mean the data is safe.

Many cloud backup services, such as those offered by Carbonite (for example), allow the user to access their backed up files through "My Computer" or "This PC". Although convenient, these services are 100% susceptible to having ransomware spread to the cloud.

The reasoning is that if the cloud drive is mounted to the operating system and accessible to the user, it is also accessible to ransomware which runs under the user's account and access rights. In Bob's case, ransomware spread to his OneDrive which was shared with his clients.

Therefore the only way to fully protect the cloud backup would be to unmount the cloud drive, though this may be difficult or impossible to do as it may break the cloud backup capability entirely.

That said, there are cloud backup services that use an API (application programming interface) rather than an always-mounted drive. Essentially, this allows you to "mount" the cloud drive for the backup and then "unmount" it afterward, detaching it from the system. This can significantly reduce the risk of ransomware spreading to your backups. I will discuss this option further down.

How Can Backups Be Protected Against Ransomware?

Storing backups offline is the only sure-fire way to stop ransomware spreading to backups, as ransomware cannot "leap" to a drive that is not connected to the system. However this is problematic in an environment where backups must be automated on schedule, especially in a corporate environment.

Here are some approaches to mitigating the spread of ransomware should the backups need to be automated:

1. Mount and Unmount The Backup Drive

The "mountvol" command using an administrative command line can unmount a hard drive used for backups, whether that drive is external or internal.

Once the drive is unmounted, the drive letter assigned to that drive is no longer viewable via "This PC" or "My Computer", nor is the drive letter accessible using a command prompt. In essence, ransomware would not be able to spread to the drive because the drive is technically "offline", though it is still attached to the system.

The only way to have the drive available again is to use the mountvol command to remount the drive according to its globally unique identifier (GUID). In terms of backups, it is possible to keep the drive unmounted until the backup script is run, remount the drive for the duration of the backup, then unmount it afterward.

Caveats

Depending on how sophisticated the ransomware is, it is possible to bypass this protection. For example, the ransomware may begin its operations by listing all available volumes using the mountvol command, mount all of them, then encrypt data on all drives.

One way around this would be to rename the mountvol command to something arbitrary, thus denying the ransomware program the ability to issue the mountvol command in the first place. This may require booting into safe mode or another operating system, as the mountvol command is protected by the operating system, resulting in an 'access denied' error if a rename is attempted.

Optionally it may be possible to deny access to the mountvol command by modifying its permissions (using icacls, described further down). This would deny administrators access to the command (unless permissions were reset). That said, denying access to mountvol may break parts of the operating system itself.

Another caveat is that if the system is already infected with ransomware, it may simply spread to the drive as soon as it's mounted. This risk would be significantly diminished if the backup was stored in a separate location (NAS or network central storage) with access privileges restricted on the backup destination folder, in order to prevent ransomware from spreading across the entire drive.

2. Set the Backup Drive as Read-Only (Write Protected)

In order for ransomware to spread (and encrypt files), the operating system must grant read and write permission on the files themselves. Otherwise, any attempt to change a file - whether it's renaming, encrypting, or overwriting it - will be denied by the operating system.

To make a disk read-only, the "diskpart" command can be used via an administrative command line. Once the disk is read-only, ransomware will be denied if it attempts to encrypt files on it.

With that said, the same command (diskpart) can be used to set the drive back to read and writable. In terms of backups, it is possible to keep the drive read-only all of the time, set the drive as writable just before the backup runs, then set it as read-only again afterward.

Note that some drives, such as the Western Digital My Book, have a feature to "lock" the drive. This is the same as setting it as read-only and can be undone by issuing the diskpart command, as discussed in this article; therefore, even these drives are not fully protected against ransomware.

Caveats

Depending on how sophisticated the ransomware is, it is possible to bypass a read-only environment. For example, since the diskpart command can be used to set the drive read-only, it can also be used to set the drive back to read and writable. Therefore, a sophisticated ransomware program may be able to issue the diskpart command to undo the read-only protection.

There are ways to mitigate this threat, as mentioned in the previous section. For example, the diskpart command could be renamed, or its permissions modified to deny any automated program from accessing it and thus reversing the read-only attribute on a drive.

Yet another caveat (also previously discussed) is that once the drive is set as writable, ransomware could spread to it. This can be mitigated by storing backups in another location (NAS, central storage) and restricting access to the backup folder in order to prevent the ransomware from spreading across the entire drive.

3. Deny Access to Backup Sets using "icacls"

The "icacls" command using an administrative command line can set all files in a folder (or root) with the "deny" access restriction.

In this case, a hard drive or storage location would be used to store backups; once the icacls command is used, the backup files are set with a special permission which then results in an "access denied" if the backup files are accessed (whether it's reading or writing to the file). Effectively this would lock ransomware out from attempting to make changes to the backups. The only way to clear the restriction is to use the icacls command and "takeown" to reset the permissions.

In terms of backups, the icacls command could be used to permanently set all files with the "deny" restriction; when the backup is run on schedule, the icacls and takeown can be used in a script to reset the permissions to make the backups writeable again; when the backup is complete, the permissions are set to deny.

Caveats

As previously mentioned: depending on the sophistication of the ransomware, the icacls command can be used to reset any files that have the deny access flag set. Therefore it is possible that the ransomware program can use the icacls command to gain access to otherwise denied files.

To mitigate this threat, the icacls command can be copied to another location and named as something else, then the original icacls command locked or deleted. That said, there are some serious issues with renaming programs used by the operating system - whether it's icacls, diskpart or mountvol - as this can potentially break parts of the operating system that normally rely on these programs for other operations.

Note that backup programs such as Acronis True Image use something called "Active Protection" to deny access to backups. Using icacls, these permissions can be reset in the same manner discussed. As such, the "Active Protection" offered by Acronis is susceptible to ransomware.

4. Use All of the Above

Using all of the above methods together would significantly help to protect backups where the drive is always attached to the system (or network), though it would have to be done in a certain order.

For example: set all backup files with the deny access, then set the entire drive as read only, then unmount the drive. When it comes time to run a backup, reverse these steps using a script before the backup runs, then set all backup files with the deny access, set the entire drive as read only, and unmount the drive.
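The lock/unlock sequence from sections 1 to 4 as a single script. This is an added example and not the article's own script; the volume GUID, the drive letter X:, the folder X:\Backups and the robocopy command are placeholders to replace with your own, and it must run from an elevated PowerShell prompt.

```powershell
# Added example: lock and unlock a backup volume using the three mechanisms
# from sections 1-3, in the order section 4 describes.
# Placeholders (assumptions): volume GUID, drive letter, folder, backup command.
$VolumeGuidPath = '\\?\Volume{00000000-0000-0000-0000-000000000000}\'  # placeholder; take it from `mountvol` output
$DriveLetter    = 'X:'
$BackupFolder   = "$DriveLetter\Backups"
$BackupCommand  = { robocopy 'C:\Data' $BackupFolder /MIR /R:1 /W:1 /LOG+:C:\Logs\backup.log }

function Unlock-BackupTarget {
    # Reverse of step 3: mount the volume at its drive letter by GUID.
    mountvol $DriveLetter $VolumeGuidPath
    if ($LASTEXITCODE -ne 0) { throw "mountvol failed with exit code $LASTEXITCODE" }

    # Reverse of step 2: clear the read-only attribute. Set-Partition (Storage
    # module) does the same as diskpart's "attributes volume clear readonly".
    Set-Partition -DriveLetter $DriveLetter.TrimEnd(':') -IsReadOnly $false

    # Reverse of step 1: take ownership, then strip the Deny entries so the
    # backup job can write. Ownership is needed because the Deny covers Everyone.
    takeown /F $BackupFolder /R /D Y | Out-Null
    icacls $BackupFolder /remove:d Everyone /T /C | Out-Null
}

function Lock-BackupTarget {
    # Step 1: deny Everyone on the backup set, inherited by files and subfolders.
    icacls $BackupFolder /deny 'Everyone:(OI)(CI)F' /T /C | Out-Null

    # Step 2: mark the whole volume read-only.
    Set-Partition -DriveLetter $DriveLetter.TrimEnd(':') -IsReadOnly $true

    # Step 3: dismount. /P removes the mount point AND takes the volume offline;
    # a bare /D would only remove the drive letter.
    mountvol $DriveLetter /P
}

# Unlock, run the backup, and re-lock even if the backup fails part way.
Unlock-BackupTarget
try {
    & $BackupCommand
} finally {
    Lock-BackupTarget
}
```

Schedule the script with Task Scheduler under an administrative account; the finally block ensures the volume is re-locked even when robocopy errors out.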

Caveats

There is still a risk of ransomware being able to bypass the methods discussed in this article - it all depends on how sophisticated the ransomware is. Therefore it is recommended that, in addition to using these steps, backup data should be copied to a second location such as another external hard drive and stored offline, completely detached from the system. These backups can be done once a week or once a month for convenience, though the less frequent they are, the greater the risk.

5. Use Windows 10 Controlled Folder Access to Protect Backups

Controlled Folder Access (CFA) is a newer feature in Windows 10 which is designed to protect the system against ransomware. The user specifies which folders are to be protected using CFA, along with the programs that are allowed to access those folders. Any program (including ransomware) attempting to write to a protected folder without previously being listed as an allowed program receives an "access denied", thereby protecting the user's files.
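Configuring CFA for a backup folder, as an added example rather than the article's own commands. It assumes Microsoft Defender Antivirus is the active antivirus, an elevated PowerShell prompt, and placeholder paths for the backup folder and the backup program.

```powershell
# Added example: protect a backup folder with Controlled Folder Access and let
# only the backup program through. Paths below are placeholders.
$BackupFolder = 'D:\Backups'
$BackupExe    = 'C:\Program Files\MyBackup\backup.exe'

# Start in audit mode so legitimate writers show up in the log before anything
# is blocked (a backup job that is not on the allow list would otherwise fail).
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders $BackupFolder
Add-MpPreference -ControlledFolderAccessAllowedApplications $BackupExe

# Review CFA events: 1124 = audited (would have been blocked), 1123 = blocked.
# Unexpected writers to the backup folder are a detection signal in themselves.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# Once the audit log shows only the expected program, switch to enforcement.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Confirm the effective configuration.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications
```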

Caveats

Controlled Folder Access can be shut off or bypassed using administrative command prompt commands; therefore the protection it offers is limited.

6. Use a Cloud Backup Service with an API to Store Backups

As mentioned earlier in this article, some cloud backup services such as Carbonite permanently mount their "cloud backup drive" to the operating system.

In doing so, the user is able to access the cloud backup drive (as a virtual drive) through File Explorer. Since the drive is accessible in this manner, ransomware can spread to any data it contains. Other examples of cloud drives that mount automatically include OneDrive and Google Drive.

One way around this would be to purchase a cloud backup plan that allows the user to mount the cloud drive using a script or command prompt, then disconnect the drive after the backup is completed. Though not as convenient, this significantly reduces the risk of ransomware spreading to the cloud.

In my research, I discovered a program called rclone which can be used to interface with cloud backup plans, though as I mentioned the plan should include an API (application programming interface) option and not force the user to use a permanently mounted drive attached to the operating system.

While researching rclone and a suitable cloud backup service with the best possible price, I discovered a service called pCloud, which offers permanent cloud backup without a recurring fee - plus it works with an API (rclone). pCloud offers 500GB cloud storage for $175 and 2TB for $350 - this is a one time fee. It is by far the best deal I could find if you don't want to keep paying for cloud backup storage indefinitely.
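Pushing a backup set to a pCloud remote through rclone's API rather than a mounted drive, as an added example (not the article's or rclone's own script). It assumes a remote named "pcloud" has already been created with `rclone config`, and uses placeholder paths for the local backup folder and the log file.

```powershell
# Added example: sync local backups to a pCloud remote with rclone, keeping a
# dated copy of anything the sync would overwrite or delete.
# Assumptions: remote "pcloud" exists in rclone.conf; paths are placeholders.
$Source  = 'D:\Backups'
$Remote  = 'pcloud:Backups'
$Stamp   = Get-Date -Format 'yyyy-MM-dd_HHmm'
$Archive = "pcloud:Backups-archive/$Stamp"
$Log     = "C:\Logs\rclone_$Stamp.log"

# --backup-dir: remote files that would be replaced or removed are moved into a
#   dated archive folder, so a backup that was encrypted locally before this run
#   does not silently displace the last good copy in the cloud.
# --max-delete: abort if the sync wants to delete more than 20 remote files; a
#   mass rename or encryption of the local set looks like mass deletion to a sync.
rclone sync $Source $Remote --backup-dir $Archive --max-delete 20 `
    --log-level INFO --log-file $Log
if ($LASTEXITCODE -ne 0) { throw "rclone sync failed with exit code $LASTEXITCODE" }

# Verify the remote matches the source (sizes, and hashes where the backend supports them).
rclone check $Source $Remote --log-level NOTICE
if ($LASTEXITCODE -ne 0) { throw "rclone check found differences (exit code $LASTEXITCODE)" }
```

Because nothing is mounted, touching the remote requires the token in rclone.conf; rclone can encrypt that file with a configuration password set via `rclone config`, which keeps the credential out of reach of anything that merely browses the file system.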

Caveats

There are risks with a cloud backup API approach when it comes to storing backups.

If the system is already infected with ransomware, it can still spread to the backup / cloud drive even if it's mounted for the duration of the backup and then unmounted afterward. To limit this possibility, backups should be stored in a central location on the network using special access permissions; if possible, program the NAS or server to dump backups to the cloud at a later time. And as discussed previously, use an external drive to copy backups once a week or once a month for the best possible protection.

7. Store Backups on a Remote Server using a VPN Connection

Yet another option would be to use a script to connect to a remote server using a secure VPN connection. This approach is similar to a cloud backup using an API to connect to a remote storage location. The only difference is that the destination storage point is attached to a fully functioning server, which means the remote server can also run daemons and scripts to manage the backed up data.

A VPN connection means that data to and from the remote server remains encrypted and not viewable / accessible to third parties. Also, since the remote server is technically connected to a separate subnet, it means that ransomware cannot spread as easily, compared to having it on the same physical network.
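The VPN approach as a script that brings the tunnel up only for the copy and tears it down afterward. This is an added example, not the article's own; it assumes a Windows VPN entry named "BackupVPN" with saved credentials, a constructed server address 10.8.0.10 reachable only through the tunnel, and placeholder source and log paths.

```powershell
# Added example: connect to the remote backup server over VPN, copy, disconnect.
# Assumptions: VPN entry "BackupVPN" exists with saved credentials; 10.8.0.10 is
# a constructed placeholder address; C:\Data and the log path are placeholders.
$VpnEntry = 'BackupVPN'
$Share    = '\\10.8.0.10\backups'
$Source   = 'C:\Data'
$Log      = 'C:\Logs\vpn-backup.log'

rasdial $VpnEntry
if ($LASTEXITCODE -ne 0) { throw "VPN connect failed with exit code $LASTEXITCODE" }

try {
    # /MIR mirrors the tree, /Z resumes interrupted transfers over the tunnel,
    # /FFT tolerates coarse timestamps on non-NTFS server storage. No drive letter
    # is mapped, so nothing remains reachable once the tunnel is down.
    robocopy $Source $Share /MIR /Z /FFT /R:2 /W:5 /LOG+:$Log
    # robocopy exit codes below 8 mean success (possibly with extra/skipped files).
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }
}
finally {
    # Always drop the tunnel, even if the copy failed part way.
    rasdial $VpnEntry /disconnect
}
```

As the article notes, the server side can then run its own scripts, for example taking a snapshot of the share after each copy so an encrypted upload never replaces the only good version.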

Caveats

Renting a remote server costs significantly more than renting cloud backup storage space. The same risks apply here as they do with using remote cloud storage via API.

8. Copy Backups to an External Drive and Store It Offline (Manually)

This approach requires manual intervention by the user. For example, backups can be run in an automated fashion using ideas described above. Once a week or once a month, the backups would be copied to an external hard drive (manually), then physically detached from the system when complete. This way, ransomware can't spread to the drive if it's not attached to the system.

Caveats

This method requires manual intervention, though when used in conjunction with automated backups, will provide the best protection.

Conclusion

When it comes to protecting backups against ransomware, there are risks involved should you decide to run backups in an automated fashion. That said, there are some ways to mitigate that risk with some of the ideas I've presented in this article. If you want to be guaranteed 100% that ransomware won't spread to your backups, the only way to achieve this is to copy backups to an external drive then store that drive offline, physically detached from the system.

Do You Need a Custom Backup Solution?

Hopefully you found my ideas in this article informative. If you need a comprehensive backup solution to help protect against ransomware, I can help. In addition to researching this topic, I have implemented the solutions mentioned in this article for clients. To get in touch, send me an email and I will get back to you as soon as possible.

About the author: Dennis Faas is the owner and operator of Infopackets.com. With over 30 years of computing experience, Dennis' areas of expertise cover a broad range and include PC hardware, Microsoft Windows, Linux, network administration, and virtualization. Dennis holds a Bachelor's degree in Computer Science (1999) and has authored 6 books on the topics of MS Windows and PC Security. If you like the advice you received on this page, please up-vote / Like this page and share it with friends. For technical support inquiries, Dennis can be reached via live chat on this site using the Zopim Chat service (currently located at the bottom left of the screen); optionally, you can contact Dennis through the website contact form.


Comments

DavidInMississippi writes:

This ransomware and other malware threat is not going away, and it's not going to get LESS dangerous. Many people who crowed "It will never happen to ME" are now eating crow.

It's not a matter of IF you will need your backups, it's a matter of WHEN.

For me, the best backup solution is as follows:
a. An external hard disk dock. Cost: about $20-$30
b. Three 2TB hard drives (I have a lot of data). Cost: about $60 each for $180
c. Macrium Reflect software: Free. This allows you to run your backups on a schedule, meaning you don't have to intervene. It will also create backups of a live and running OS like Windows, and allow disk cloning.

Once you set up this system, all you have to do is figure out your schedule - say once a week - and set yourself an alarm in your computer or phone to change out the hard drives from the dock.

Even if your computer gets infected, you should still have at least one good backup from which you can restore. All you need to do is use a free utility to boot your computer from a CD, totally wipe and reformat your hard drive(s), then restore to the clean drives.

TOTAL COST: Less than $200. (less if you don't have as much data, more if you have more)
TOTAL TIME COMMITMENT (after setup): About 3 minutes per changeout when your alarm tells you it's time.

Wouldn't that work?

David writes:

As I see it, it is a simple and almost foolproof system versus malware, as well as against general drive failure and human error.

r1ch writes:

I am being attacked by ransomware on a weekend basis for the last few months, sometimes during the week. I have 2 servers and 15 clients. I have changed/strengthened passwords and set a 10min lockout after 3 bad attempts. One server is a Terminal Services server and the other a SQL server for 3rd party software. All clients are Windows 7. I have upgraded computers to new Win10 clients except for 2 at this point, which should be done in a few days. Updated all computers with the latest MS updates. Antivirus installed on servers and clients. Macrium Reflect Server Plus with Macrium Image Guardian. One of the users watched on his RDP session a hacker using tools and the browser to do stuff to the TS server in realtime. The hackers came through, I believe, through an RDP connection and disabled Macrium Image Guardian and antivirus and encrypted my backups which were on a USB external drive. (1 drive for each server)

I am now manually connecting up a drive, doing a backup manually at end of day, and removing the drive. I also shut the Terminal Server down every night and weekend.

I need the TS server up all night. I need to make backups that are automated. What does this mean? "Once you set up this system, all you have to do is figure out your schedule - say once a week - and set yourself an alarm in your computer or phone to change out the hard drives from the dock. "

What alarm? can the alarm be affected by administrator account at the server? What do you mean use phone to change out drives.
I have been looking at usb 3 switches but they require manual button push. I would like to have this automated.

Dennis Faas writes:

You've answered your own question. The issue is that terminal service (RDP) is running 24/7 and that is how the hackers are getting in, because you have your RDP port exposed to the world. Limiting password attempts won't help if there is a Windows exploit that allows hackers / anyone through by bypassing the password. You need to run RDP using a VPN server to prevent hackers / anyone from accessing your servers. If you need help with this I can set it up for you using remote support - use the contact form on this site if you are interested in speaking with me directly.

Gurugabe writes:

Another thing you can do is download devcon from Microsoft Sysinternals and use it to install / uninstall the hard drive. Less likely to be a part of a virus or ransomware.

Jim writes:

Crashplan offers unlimited versions of your cloud backups, so even if your local copies get encrypted and backed up to the cloud, you can just restore the previous (unencrypted) versions. And it's totally passive, no human intervention necessary....well, until the poop hits the fan, anyway. :)

tcsharpe_12233 writes:

With 1TB memory sticks now being cheap and commonly available, it's also practical in many cases to use these as a secondary backup method.

kevin.mcdaniel_12912 writes:

I apologize, but as I read this article, the author himself in all his caveats stated that every one of his suggestions could be overcome by the right ransomware. Many in the comments suggested that putting in a thumb drive or using an external drive protects you. It doesn't. Almost all ransomware is now written to listen in passive mode for weeks before it does anything; after it has gathered enough accounts with elevated privileges it encrypts things (without locking it, right away). The whole point is that it will just infect your thumb drive or external drive the instant you hook it up to your system.

To protect your organization, you need a backup system that will back up data either directly to a storage platform that does not require the storage to be mounted (via CIFS or NFS) or to tape. Most organizations, to speed backup, will do an initial backup to disk, then copy those backup images to a medium that does not require it to be mounted by the OS. They also will track backup image sizes for objects and, if they notice that there is a drastic change in size, will alert you that there is something amiss.

blackcapsteve_12968 writes:

The article is very informative. Thanks for making me think about this. I have several customers, who when they called me out for the first time had no backup at all.

I tend to install Macrium Reflect. It looks after my own systems, with a regular backup onto several internal drives, with a monthly manual backup onto an external drive, which is then removed.

But... The other day a large warning came up from Macrium Image Guardian, saying that a backup file was being tampered with?
It seems that Macrium actually makes its backup files quite resilient to external interference. Just how resilient I don't know.
The trouble is that this stuff is difficult to test.. without purposely infecting ones computer.

Another thought I had was an intelligent switch.. and have the switch shut the port down to the NAS on a time basis, opening the port just in time for the backup.

skfradial_17113 writes:

On an external drive, I create a directory with a name and the date of the day. Then inside this the backup files. Once finished I delete the created date directory. This is how every time I want a daily copy. Only I know that the backup exists in this folder. To review it I use a file recovery program such as TestDisk, Recuva, Disk Drill, MiniTool Power, etc. Since it is removed but not physically from the disk, can ransomware attack?

Dennis Faas writes:

What you're describing (copy a backup to external, then delete, then use recovery software to undelete the backup in hopes that this method will save you from ransomware) is dangerous at best. If you delete a backup, the space on the drive becomes marked as unallocated. Once the space is unallocated, any newly copied backups you place on the drive can now occupy the space of a previously deleted backup. This makes the previously deleted backup unrecoverable. This is a nightmare scenario. It's best to copy your files onto external and then physically detach the drive from the system. Ransomware can't leap onto a drive if it's disconnected.

Jim writes:

Wasn’t going to say anything but I agree with Dennis 100%. Just make the backup and disconnect the drive. Windows might overwrite your deleted files at any time making them unrecoverable.

skfradial_17113 writes:

If not allocated, it cannot be attacked, and since the device is only used to copy to a new directory each time and then deleted, each time with a different name, with new blocks of disk space in the allocation table (FAT, NTFS, ...), NEW files every time, will it be attacked?

Dennis Faas writes:

I've already answered your question.

Don't delete your backup files and then try to undelete them in hopes it's going to protect you from ransomware because the 'deleted' files may be overwritten, even if you choose to name them differently or store them in a different folder.

Here's why: once a file is marked as deleted on a hard drive, it becomes unallocated space. The next time the hard drive writes to the disk, it will automatically choose unallocated space at random. This means your previously deleted backup may be overwritten by the next backup even if you choose a different folder or different filename.

If you don't believe me, then do whatever you want, but you're going to severely regret it. If you want 100% protection, unplug your backup drive from the system after you finished backing up your data as I mentioned previously.

skfradial_17113 writes:

I notice that you do not answer what I ask. I only need the latest copy and as you say, once a file is marked as deleted on a hard drive, it becomes unallocated space so, could it be attacked by ransomware? I already know that if I disconnect the disk it cannot be attacked. That's obvious. Only I know the names of the folders and files to be able to recover them. I repeat, could it be attacked by ransomware?