How To Protect Your Backups From Ransomware

By July 5, 2021Backup and Recovery


Ransomware is a word on everyone’s lips these days. It is a weapon used by cyber criminals to extort money from businesses by encrypting company data and holding it to ransom.

It has many attack vectors including email viruses and phishing attempts. Our security specialist Joe Brady recently spoke about the steps to take to protect against this attack in the first place in this article.

While Joe’s advice is about how to prevent an attack, today we will look at how to protect your backup data in case the unthinkable happens and you are struck down by ransomware.

How does ransomware work?

When ransomware first appeared, the target was to encrypt file shares and a ransom request would be made to pay for them to be un-encrypted. Companies worked around this by restoring their data from the latest backup and carried on. The attackers then built more sophisticated methods of attack and also started directing their attacks at backup data, by encrypting or deleting it, meaning the ransom had to be paid.

The only way to prevent this is to have an ‘air gapped’ copy – which simply means to have a copy of your backups kept offline and out of the office in some way. Tape copies are the most common way of doing this. Some people use convoluted disk-based systems that bring the data offline after each copy and then back online for the next. These work on a schedule so can be also compromised, while tape is famously slow to restore from and needs manpower to manage properly.

Sending a copy to the cloud was always seen as the next logical step, but while the data was indeed offsite, it was still online. This means it was available to restore but also available to be deleted.


What happens to backup data during a ransomware attack?

Here, I detail the different stages of a ransomware attack and the outcomes, depending on what backup solution is in place:


Scenario One: Tape copy

In this scenario there is a secondary copy to tape completed each day and once the copy is complete the tapes are removed from the library.

Ransomware infiltrates the environment via a phishing attempt or an email attachment, the production data has been encrypted, along with the production data, the backup server has also been compromised and all backups have been deleted, and any tapes in the library will have been wiped.

As the tape library is connected to a physical server whose OS is compromised the backup server needs to be rebuilt at the OS level first. The backup software needs to be reinstalled and configured.

While parallel tape copy might have gotten your data out to tape in 24 hours, multiple server restores from tape in parallel is not normally possible. So, one would spend time staging the data back to disk first. This alone can take a day or two depending on the footprint. Then data can start to be restored server by server. For an environment with anything more than a few small servers’ recovery would take weeks, and that is if tapes are sent off-site EVERYDAY. In reality, most companies do not actually do this. This would lead to the data coming from tapes that are already a week old increasing the data loss.


Scenario Two: Disk only

In this scenario there is a backup to local disk completed each day.

Ransomware infiltrates the environment via a phishing attempt or an email attachment. The production data gets encrypted, and along with the production data, the backup server has also been compromised and all backups have been deleted.

As this was the only copy of backup data, there is no restore scenario. The ransom must be paid, or the loss of data is to be accepted. This is clearly the worst-case scenario, and not a place any IT admin wants to be. As many companies go out of business after such a catastrophic data loss event.


Scenario Three: Immutable offsite copy

In this scenario there is a backup to local disk completed each day. Backups are then tiered off to immutable cloud storage.

Ransomware infiltrates the environment via a phishing attempt or an email attachment, the production data gets encrypted, and along with the production data, the backup server has also been compromised and all local backups have been deleted.

As the off-site copy is immutable there is no way for any attacker to delete or encrypt the backup data, so this is available for restore from the latest backup point.

Even though the backup server OS is compromised, Veeam restore from a free version allows the capability to install Veeam even on a laptop without a licence. Once the S3 access keys are added to Veeam and a repository sync is complete, the data is available for restore. This allows for instant restore of a DC to allow access to users and then the parallel restore of servers can go ahead. This is still limited to the speed of the download link and may still take several days to fully recover. But is the most secure and available type of backup storage with zero management overhead to make it work on a day-to-day basis.


How to prevent ransomware attacks on backup data

In Scenario Three, I detailed how using an immutable, offsite copy is the most secure way to protect your data. This method uses Object Lock which is a method of sending data to the cloud and then locking it from any changes. This is a new feature that can be enabled via an API call on S3 storage. And backup software like Veeam V10 brought support for this immutable (un-editable) method of storing data.

how to protect your backups from ransomware

In Veeam v10 this is setup by simply adding a cloud tier to the local repository and Veeam will copy the backups to the cloud as soon as the backup completes.

protect your data from ransomware


How does Veeam Object Lock work?

Veeam breaks up the backup data into blocks or ‘objects’ and locks them from any changes for a set period of time. This means that while the backup data is locked, it cannot be affected by ransomware, accidental or malicious deletion.

The compliance mode protection cannot be changed in any way. Even the root admin account for the storage at the command line level cannot delete or remove the object lock until this time has passed. If you try to delete the backup data from the Veeam console or via PowerShell, an error for the deletion is shown.

protect your backup data from malware

This gives total protection from ransomware for your secondary off-site backups.


Backing up your data with Evros

To provide our customers with a solution to this problem, we have invested in S3 object storage for our Dublin datacentres.

protect your backup data


Evros chooses Cloudian S3 hardware to base the backup storage service on due to its 100% compatibility with S3 API calls and its ability to offer redundancy by spreading the data across multiple datacentres. All data is stored in Dublin and will never be sent out of the Irish jurisdiction.

By splitting the objects up across multiple datacentres and also storing extra clones of the objects across several nodes, the storage solution can withstand a complete datacentre outage without affecting the service availability or backup data – and both are still available.

At Evros, we do this ‘as a service’ via our CloudVault product. Customers simply sign up to a subscription with Evros and we provide the S3 URL and access keys for the customer to add to the backup repository.

Once the local backup completes backup data is copied to the cloud and is locked.

To restore data Veeam will only download blocks that do not exist locally, however Evros do not charge for egress. Unlike other cloud products Evros customers will not be charged for restoring their own data.

Should you lose all backup data on the local site, backups can be restored from the cloud tier without the local disk in place. Even if you lose your entire onsite backup server, one can simply add the repository back into a new Veeam install and run a sync. All data will then be available to restore.

Backup data can be encrypted in the cloud storage so even if access was gained to the CloudVault, no data can be used without the Veeam managed encryption key.

All of this provides a solution to the ransomware and retention problem that has been subject of many a search by a backup or compliance manager.

This level of security and reliability has never been seen in backup storage at this price point.

I have previously said that this is the holy grail of backup storage and I still stand by that. As a backup engineer for the last decade, I can tell you that I have wished for this storage my entire career. And now it is finally here. And is affordable enough for every level of business. Whether you have 1TB or 1000TB of data we can give you a solution.


Find out more

You can read more features from Backup Solutions Architect and Veeam Vanguard, Stephen Seagrave in our blog, or get in touch to speak to us about any of our services and how we can help you protect your business.