How to Easily Protect Your Servers Against Ransomware

Below are some strategies to help protect against ransomware.

The simplest solutions include:

  • Invest in a good cloud backup system
  • Rotate external hard drives, keeping only one drive connected at a time. Configure the drives to use the same drive letter when plugged in; plugging in more than one drive at once would cause Windows to rearrange the drive letters.
  • Use separate devices for browsing the internet and do not open email attachments

More elaborate ransomware protection strategies revolve around the idea of making backup files inaccessible to ransomware, which usually runs in a regular user session or LocalSystem:

  • Create a dedicated administrator account and change the Log On Settings of “BackupChain Service” from LocalSystem to that new dedicated account. This way, even if ransomware gets inside the LocalSystem user session, it won’t have access to the folders that BackupChain uses.
  • Isolate backup folders (local or on network) so that only the dedicated BC administrator account can write into them.
  • If a NAS or network share is used, make sure no one except the dedicated BC user has write permissions to the backup folder.
  • Create two scripts, one run at the start of a task and one at the end, to attach and detach storage devices. These could be local/external drives or iSCSI and would only be visible to the server for the duration of the backup task.
  • There are power management devices on the market that permit computer-controlled on/off cycles, very much like a relay board. With such a system you could power up a NAS or external drive and power it down when the backup has finished, perhaps with a 10-minute delay at the end to ensure all file system buffers are flushed properly. Those types of power circuits can be switched by calling an executable in BackupChain’s Options tab, which powers the storage up and shuts it down remotely.
  • The best ransomware isolation is a physical disconnect (i.e. power off and physically unplugged, which also protects against power surges). Software-based disconnects and folder isolation are only a hurdle that smart-enough ransomware will be able to circumvent one day.
  • Don’t forget that ransomware contains a trojan horse as well, giving criminals access to your computer and hence the entire network. Once ransomware gets into your computer, it allows the criminal to log in and do whatever ‘clever’ crime they wish. True customer story: the criminal gained access to a computer, browsed through documents, found a document containing cloud backup account access details, then logged in to the account and deleted the cloud data manually. But because our own cloud backup storage system also keeps a separate offline copy of all accounts, our customer was able to restore the entire factory’s file server data. All other local backups were lost.
  • More general recommendations: keep access limited to certain accounts, do not log on using the domain admin account, and don’t remain logged on to the system when not using the computer. Use separate passwords on different computers. Do not use mapped drives and remove the network connection when it’s no longer needed.
  • BackupChain’s version backup feature automatically protects against overwrites by ransomware because ransomware typically encrypts and renames a file afterward. The file, hence, appears as a new file and is backed up separately if the backup system is still running. The original file backup remains untouched.
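
The attach/detach scripts from the list above, written as one PowerShell script for the local or external drive case (an added example, not BackupChain's own code). The disk serial number and drive letter X are assumed placeholders; run it elevated with -Action Attach before the task and -Action Detach after it.

```powershell
# Added example, not BackupChain's own code. Run elevated as the backup task's
# pre-task command (-Action Attach) and post-task command (-Action Detach).
param(
    [Parameter(Mandatory)][ValidateSet('Attach', 'Detach')][string]$Action,
    # Assumption: serial number of the dedicated backup disk (list with Get-Disk).
    [string]$DiskSerial = 'CONSTRUCTED-SERIAL-0001',
    # Assumption: the drive letter the backup task writes to.
    [char]$DriveLetter = 'X'
)
$ErrorActionPreference = 'Stop'

# Identify the disk by serial number; disk numbers can change between boots.
$found = @(Get-Disk | Where-Object {
    $_.SerialNumber -and $_.SerialNumber.Trim() -eq $DiskSerial
})
if ($found.Count -ne 1) {
    throw "Expected exactly one disk with serial '$DiskSerial', found $($found.Count)."
}
$disk = $found[0]

switch ($Action) {
    'Attach' {
        # -IsOffline and -IsReadOnly are separate parameter sets, hence two calls.
        Set-Disk -Number $disk.Number -IsOffline $false
        Set-Disk -Number $disk.Number -IsReadOnly $false
        # Fail the task if the expected letter is not on this disk, so the
        # backup never lands on a different volume that took the letter.
        $part = Get-Partition -DiskNumber $disk.Number |
            Where-Object DriveLetter -eq $DriveLetter
        if (-not $part) { throw "Drive ${DriveLetter}: is not on the backup disk." }
    }
    'Detach' {
        # Flush file system buffers before the volume disappears.
        Write-VolumeCache -DriveLetter $DriveLetter
        Set-Disk -Number $disk.Number -IsOffline $true
        # Verify, so a failed detach shows up as a failed task.
        if (-not (Get-Disk -Number $disk.Number).IsOffline) {
            throw "Disk $($disk.Number) is still online after detach."
        }
    }
}
```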

Note that BackupChain backup software removes network connections that it creates itself when the backup is finished. This reduces the possibility of an attack as well, because more elaborate ransomware now checks all outside server connections that are stored in the user session and infects those as well. By running the backup process in an isolated user session, the LocalSystem user session will have no access to those network connections, even if a backup is currently running.

If your backup software is configured to do full backups only, with limited retention, the tool may end up overwriting the good data with the encrypted data damaged by the ransomware. It makes sense, hence, to use version backup instead for file server data, so that in either scenario all files are preserved in the backup folder at any point in time.
