Protection Against Ransomware, CryptoLocker, Trojans and Viruses

In this article we describe how to protect against ransomware, CryptoLocker, Trojans, viruses, and other forms of digital vandalism.

How to Protect Your Data Against Attacks

Depending how your infrastructure is set up and what kind of virus strikes you may be able to recover from it; however, having a server backup is usually not enough because ransomware maliciously scans all drives and network shares it can find and encrypts each file with a random password. Unfortunately if the ransomware or CryptoLocker virus has access to your backup files, those will also no longer work to recover your data!

The main issue is that there is no way to truly write-protect files when the system actually has write access to them. For that reason there are two main prevention techniques: make access physically impossible (preferred but requires manual labor), and less effective, prevent certain types of ransomware attacks by isolation.

We recommend the following practices to protect against ransomware, trojans, intruders, and other forms of digital vandalism. The only real protection is strategic prevention, in the form of a good server and PC backup.

The Gold Standard Against Ransomware Attacks

The best “gold standard” strategy practiced by many of our users, in addition to other types of backups, is physical isolation and duplication:

First, create a backup task that rotates at least two external drive targets. Many users opt for one drive for each workday. The external drive must be electronically disconnected when the backup has finished. Also, all other external drives that are part of the rotation should not be connected permanently to the server; just one drive at a time. This practice ensures you have a physically detached and 100% isolated backup medium that is protected from manipulation. If all drives are permanently attached, you basically provide the attacker (or ransomware) with simultaneous access to all your backups.

In BackupChain’s File Types screen, the column ‘delayed deletion’ should be set to ‘never’ (default) or a reasonably long period of time to give you enough time to react; otherwise, BackupChain would eventually delete the original file from the backup media when the time limit specified in ‘delayed deletion’ has passed. Likewise, do not use short ‘retention period’ settings as they can also lead to total loss after the period passes.

Note that this strategy also protects against theft, bit rot, media failure, vandalism, electrical issues, disk and file system corruption.

Silver Standard Protection

Next best, prevent within reasonable limits how ransomware accesses backups and other important network information:

First, use a dedicated BackupChain user account to access network target shares. Hint: access network shares in BackupChain via IP address instead of network name to prevent name clashes when other user sessions access the same network server. Second, switch the Log On settings of BackupChain Service to use a dedicated BackupChain user account (domain admin + fixed password) instead of ‘local system’. By doing this, BackupChain runs in its own isolated user session and network shares aren’t accessible from the system user session or other sessions.

Furthermore, it’s beneficial to set up the network share such that only the BackupChain user has access. If you have more than one servers backing up to the same network server or NAS, place each backup client in its own network share when backing up to a NAS so that if one server gets infected, the other server’s data remains intact. Taking this idea to the next level, you could also replicate to several NAS via multiple backup tasks, in case a NAS becomes infected or ransomware somehow manages to get access to it.

General Recommendations

It makes sense to lock down NAS servers to prevent access by other users and to use firewalls even for internal networks. Apart from backing up to targets on the network, consider adding cloud backup, which is also isolated from ransomware access.

The BackupChain Advantage

BackupChain has helped many companies to successfully recover from ransomware attacks. Its file versioning backup feature creates a backup history you can rely on and fine-tune to suit your organization’s needs. In the case of a ransomware attack, you can revert your file server structure back to how it was before the attack by recovering a known restore point and BackupChain takes care of the rest.