How to protect your backups from ransomware

how to protect your backups from ransomware

Hitesh J

Do you want to protect backups from ransomware? Then, read this article to know everything about ransomware, like what ransomware is, how it works, the exact steps to protect your backup from ransomware, and the best tools to protect backups from ransomware.

What is ransomware?

Ransomware is a kind of virus that uses encryption to hold a victim's data hostage. First, the vital data of a person or organization is encrypted, making it impossible for them to access files, databases, or apps. Then a ransom is asked to gain access. Ransomware is frequently designed to propagate over a network and target database and file servers, paralyzing a whole enterprise in the process. It's a growing menace that generates billions of dollars in payouts to hackers while causing considerable damage and costs to businesses and government agencies.

How does ransomware work?

Asymmetric encryption is used by ransomware. This is a type of encryption that encrypts and decrypts a file using a pair of keys. The attacker generates a unique public-private pair of keys for the victim, with the private key used to decrypt files saved on the attacker's server. The attacker usually only gives the victim the private key once the ransom is paid, but this is not always the case, as recent ransomware operations have shown. It's nearly hard to decode the files being held for ransom without access to the private key. There are many different types of ransomware.

Ransomware employs asymmetric encryption. This is a sort of encryption that uses a pair of keys to encrypt and decode a file. For the victim, the attacker creates a one-of-a-kind public-private key pair, with the private key being used to decrypt files saved on the attacker's server. The private key is usually only given to the victim once the ransom is paid, but as recent ransomware attacks have proven, this is not always the case. Without the private key, decoding the files held for ransom is practically impossible. Ransomware comes in a variety of forms.

Once data have been encrypted, ransomware will demand a ransom payment within 24 to 48 hours, or the files would be permanently lost. If a data backup isn't available, or if the backups are encrypted, the victim will have to make the payment to the ransom to get their files back.

Why do you need protection against ransomware?

Simply put, ransomware has the potential to ruin your business. Even if you are only locked out of your files for a day, it will impact your revenue. However, because ransomware puts most victims offline for at least a week, the financial losses can be substantial, if not months. Not only do systems fail for long periods due to ransomware, but also due to the time and effort required to clean up and restore networks.

Consumers grow apprehensive of handing their data to firms they perceive are vulnerable, not just because of the immediate financial impact of ransomware. In addition, cyber criminals have discovered that vital infrastructures like hospitals and even industrial facilities are profitable targets for ransomware attacks and that interrupting these networks can have severe ramifications for people in the physical world.

Steps to Protect Backup from ransomware

How to Protect Your Windows System?

The bulk of ransomware attacks target Windows hosts, and once one is infected, it spreads to additional Windows hosts in your computing environment. Finally, the attacker activates the encryption program after the ransomware has spread to enough hosts, and your entire world is instantly shut down. As a result, the most obvious thing to do for your backup server is to utilize something other than Windows.

Unfortunately, many popular backup programs are Windows-only. The good news is that a lot of them also have a Linux version. Even if the primary backup program is Windows-only, it may have a Linux media-server alternative. Because the data you're trying to safeguard is stored on the media servers, they're crucial. Ransomware assaults against Windows-based servers will not access your backups if they are only accessible via Linux-based media servers.

Make sure your central backup server's backups are also saved behind a Linux-based media server, in addition to your regular backups. It doesn't matter if your backups are unencrypted. If the ransomware has encrypted the database, you need to access them. Windows-based backup servers should likewise be as secure as feasible.

Learn which services are used by ransomware to target servers (such as RDP) and disable as many as feasible. Remember that this server is your last line of defense, so think security rather than convenience while configuring it.

Save Backups In a Separate Location

Backup copies should be saved in a separate location, regardless of the backup method you use. This entails more than merely installing your backup server in a cloud-based virtual machine. It's just as easy to attack a virtual machine if it's just as accessible from an electronic standpoint as if it were in the data center.

You must design things in such a way that attacks on your data center systems do not spread to your cloud backup services. This can be accomplished in several methods, including firewall rules, operating system changes, and storage protocol changes. Most cloud vendors, for example, provide object storage, and most backup software products and services can write to it. However, despite the sophistication of ransomware attackers, they have yet to figure out how to target backups saved on object-based storage.

Furthermore, such services frequently have a write-once, read-many option, which allows you to set a time limit for backups to be updated or deleted, even by authorized staff. There are additional backup services that can store data that is only available through their user interface. If you can't see your backups directly, the ransomware can't either. The goal is to get your backups—or at least one copy of your backups—as far away as possible from an infected Windows PC. Put them on a cloud provider's cloud that is secured by firewall rules, run your backup servers on a different operating system, and save your backups to another type of storage.

Deny file-system access to backups

If your backup system saves backups to disc, be sure they can't be accessed through a conventional file system directory. E:\backups, for example, is the very worst place to save your backup data. Ransomware deliberately targets directories with names like those, encrypting your backups in the process. Unfortunately, this means you'll have to find out a way to store those backups on disc without the operating system recognizing them as files.

For example, a backup server might write its backup data to a target reduction array installed to the backup server through a server message block or network file system. Because the backups are accessible via a directory, if a ransomware product hits that server, it will encrypt those backups on the target deduplication system.

You should look at allowing your backup software to write to your target deduplication array without utilizing SMB or NFS. This feature is available in all popular backup software.

Save Multiple Copy of Backup

Make it difficult for ransomware to access your backups and encrypt them. If possible, avoid storing them on a Windows server and keep at least one copy elsewhere that is not electronically accessible from your data center. Finally, set up your backup system so that backups aren't visible on your backup server as files. Then, in the event of a ransomware attack, give yourself a fighting chance.

Best Tools to Protect Backups from Ransomware

1. CrowdStrike Falcon – FREE TRIAL

CrowdStrike Ransomware Protection

CrowdStrike Falcon is an Endpoint Protection Platform (EPP) with ransomware detection and prevention capabilities. Falcon Prevent, a next-generation antivirus service, is one of the modules included in the EPP. This is the main ransomware-blocking module. The Falcon EPP is a cloud-based platform. This cutting-edge architecture allows powerful cybersecurity software to safeguard devices without putting a strain on their processing capacity. To coordinate threat detection and response, a tiny agent application must be deployed on the endpoint. Windows, Windows Server, Linux, and Mac OS are all supported by the agent. A mobile version for Android and iOS is also available.


  • Stop the spread of ransomware by turning off affected devices
  • View in-depth details of events to conduct further research
  • This cutting-edge architecture allows powerful cybersecurity software to safeguard devices without putting a strain on their processing capacity

To detect attacks, the Falcon defense system employs AI-based machine learning. Before touching the operating system, suspicious files are uploaded to the CrowdStrike server for further examination. The antivirus service compiles a list of “attack indicators” for freshly found malware (IOCs). This document outlines the entry points and vulnerabilities exploited by modern ransomware, allowing an antivirus to harden an endpoint before it is attacked. This method effectively prevents infection from email attachments and Trojan and ransomware programs disguised as useful utilities.

CrowdStrike is a team of cybersecurity experts and researchers who are constantly looking for new malware. The team also detects malware sources, allowing them to map linked attacks. As a result, they can prepare CrowdStrike customers' devices for various attacks that tend to come in waves. In addition, CrowdStrike Falcon's administration console is cloud-based and accessible through the browser. As a result, systems administrators may manage the security of a large number of devices in one location, including endpoints at several locations.

You can test out CrowdStrike Falcon through a 15-day free trial.

Website Link:

Download 15-day Free Trial!

2. ManageEngine Vulnerability Manager Plus

ManageEngine Ransomware Protection

ManageEngine Vulnerability Manager Plus is a solution that protects against ransomware attacks by blocking entry points that hackers can use. Endpoints, network appliances, and web applications will all be protected with this system hardening tool. A vulnerability scanner and a patch manager are the two main components of this software. Patches for operating systems and software packages are frequently published due to security flaws discovered in the software house's products. If you don't deploy patches as soon as they become available, your system is vulnerable to a variety of malicious activity, not simply ransomware.


  • Real-time bulk access alerts can help you detect ransomware.
  • Activate notifications as soon as ransomware begins encrypting your files.
  • Ransomware was quarantined using a configurable and automated response mechanism.

A live threat intelligence feed keeps the vulnerability scanner up to date. After the initial sweep, the scanner continues to function, doing a system sweep every 90 minutes and conducting additional investigations whenever a threat information update is received. In addition, the system identifies all networked devices and scans them to create a software inventory.

A patch management method starts with a list of operating systems and apps, along with their version numbers. Next, the patch manager monitors its registered list of resources for patches and updates. Then, it prepares the installers for deployment when one appears. Finally, system administrators can configure the patch management to apply all patches at the next available install time window. Vulnerability Manager Plus is an on-premises vulnerability management solution that employs a distributed approach.

An agent application is installed on each endpoint on the network; agents are available for Windows, macOS, and Linux. Agent operations are coordinated, and threat intelligence actions are channeled to them by a central server that runs on Windows and Windows Server. It also compiles feedback from each agent into a report that can be analyzed on the system console.

Website Link:

3. Kaspersky

Kaspersky Ransomware Protection

The Anti-Ransomware Tool from Kaspersky comes with three primary functions, the first of which is behavioral detection. This function monitors the operations of programs and searches for unusual behavior. It is blocked if something out of the ordinary is found. This capability can maintain track of both local and remote sites, allowing it to stop suspicious activity from both intentionally downloaded files and network programs.


  • It monitors the operations of programs and searches for unusual behavior
  • In the free version, the list of suspected files is shown

A vulnerability scan is also included, which scans for apps with known flaws. You just get a list of suspect files in the free edition, and it's up to you to keep up with the updates. The premium edition, of course, will automatically update this program.

The final key component is cloud analysis, as defined by Kaspersky. You must join Kaspersky's cloud network as part of the setup process for this tool, which keeps you constantly connected to a vast list of other users, generating a list of trusted and untrusted applications. This cloud network is being integrated into several of Kaspersky's security products, but it isn't for everyone, especially if you're a gamer who requires a continuous network connection.

Website Link:

4. Acronis Ransomware Protection

Acronis Ransomware Protection

The Acronis Ransomware Protection program is a free, independent anti-ransomware tool with the same features and capabilities as the more comprehensive Acronis True Image backup utility.


  • Acronis Ransomware Protection is a free anti-ransomware application
  • It also includes 5GB of hosted online backup
  • More crucially, by prohibiting any efforts to edit its files, this utility maintains its integrity

All of the crucial data that the user chooses to secure is saved in the cloud. In the event of a ransomware attack, this online backup system is used as a recovery point.

This is in addition to the local backup cache, which Acronis Ransomware Protection protects against ransomware attacks by blocking access to. Any program or process that does not have the necessary permissions is denied access.

Meanwhile, the program monitors for signals of ransomware attacks and employs “whitelisting” of other essential activities to ensure it doesn't flag legitimate users who require access.

Finally, Acronis Ransomware Protection is a free anti-ransomware application offered by its creator in the hopes that you would enjoy it so much that you will upgrade to the premium version.

Website Link:


Ransomware is quickly becoming the most common data threat. Thus it's critical to ensure bad actors don't encrypt your backup data with your primary data when they launch ransomware assaults. If they succeed, you'll be forced to pay the ransom, which will only inspire them to try it again. Having backups to restore systems that have been encrypted by ransomware is crucial to not having to pay the ransom. The key to preventing ransomware attacks on backups is to create as many barriers as possible between production and backup systems. Whatever you do, make sure your backups aren't just sitting in a directory on a Windows server in the cloud.