Our website relies on funding from our readers, and we may receive a commission when you make a purchase through the links on our site.

How to Protect Your Backups From Ransomware

by John Cirelly - Last Updated: March 31, 2023

How to Protect Your Backups From Ransomware

Data is the most valuable currency in the digital age, and threat actors are hiding in the shadows waiting to break into your network and steal your data. Alongside the development of information technology, which is at the forefront of today’s digital economy, cybercrime is also developing at an alarming pace.

This is especially concerning in this war-torn world, where attacks are expanding from the physical realm into the realm of the internet. The reporting of hacking incidents has turned into a daily occurrence. Data breaches are becoming increasingly common in all types of organizations, including large corporations, small and medium-sized businesses, and government agencies.

In this article, we are going to discuss the reasoning and tips that you can apply and teach your employees in an organization to protect your backup from ransomware.

Why are ransomware attacks such a threat?

A sort of malicious software known as ransomware can infect your computers and encrypt your data, preventing you from accessing your files, directories, software, and other systems. After it has successfully attached itself to your computers, it will encrypt all of your data, making it impossible for you to access or make use of it. The vast majority of corporations will, as a matter of course, pay the ransom because even a short period of disruption to their operation could have catastrophic effects.

The common misconception among small businesses is that they are not at risk from ransomware, but the reality is much more deceptive. In 2019, nearly one-third of victims of cybercrime were small to medium-sized businesses, and it is anticipated that this percentage will continue to rise.

Threat actors will often target smaller businesses rather than larger ones because they are aware that the latter have inadequate security measures in place. So don’t assume you’re not a target. Malware like ransomware poses a significant threat to businesses of all shapes and sizes. No one is immune.

However, ransomware attacks present additional dangers in addition to the risk of losing access to your essential company data. It can take several weeks for ransomware to completely infect all of a company’s computer systems. During that time, the malicious parties have complete access to all of your sensitive files, folders, and financial data, which they could easily steal and either resell on the dark web or use as additional leverage in an attempt to get you to pay twice as much as you originally agreed to pay.

In addition to that, there is no assurance that these lawbreakers will keep their word. Even if you comply with their payment requirements, there is still a chance that they will disclose your information to a third party.

Imagine that one of your customers’ personally identifiable information (PII), financial data, payment data, or intellectual property was among the data that was leaked. Should this occur, you will be held responsible for any regulatory fines as well as any litigation that results, and your company may not be able to recover.

The reality as it stands with ransomware

Email attachments are the most common entry point for ransomware. An attachment contains the code that must be entered to decrypt the system. Another entry point is provided by malicious websites that, in an ironic turn of events, inform visitors that their computers are infected and that they need to download a tool to remove the malware from their systems.

If one of your users clicks on a link in an email attachment or downloads a file from a website, the information on only that user’s device will be encrypted. As a result, user devices are the most likely targets of an attack; however, sophisticated ransomware packages can spread throughout a network. Viral payloads with a delayed execution time can be copied onto shared drives via synchronization

The practice of backing up both your data and your systems is an essential one. If you have a recent backup of your data and a cybercriminal steals it from you during a ransomware attack, you will be able to recover from the attack more quickly if you have that backup. Attempting to spot and stop ransomware attacks is, without a doubt, the simplest and most effective way to defend yourself against this type of malicious software.

Eight tips to protect your backups from ransomware

Here are some practical suggestions to assist you in accomplishing this goal:

1. Implement endpoint security

The level of risk you face and the infrastructure you have in place should guide the security solutions you select. If you are unsure about how to get started, it is a good idea to hire cybersecurity experts to perform an audit of your threat environment, conduct some penetration testing, and advise you on the solutions that are the most appropriate for your specific requirements.

You require a reliable firewall in addition to virus protection at the very least. But keep in mind that there is a limit to how far these can go. All of the firewalls in the world won’t be able to stop an infection from spreading if an employee clicks on a malicious link in an email that looks like it came from a coworker and opens the email.

You will have access to the most recent cybersecurity protection and encryption tools if the majority of your systems are hosted in the cloud. Despite this, there is always more that can be done. Inquire with your vendor of cybersecurity about their recommendations.

2. Provide training to your staff to identify and evade malicious attacks

A malicious link in an email or a file that you download is typically how ransomware is introduced into a computer system. It’s simple to advise someone, “Don’t click on any links in emails,” but there are instances in which the email appears to be completely genuine.

Put in place a stringent security policy and make sure it is followed to the letter. Your workforce should be educated to detect common dangers, and you should make sure they are aware of what to do if they discover one.

Make sure that your email provider’s anti-phishing and anti-spam tools are turned on. Regularly revise your security policies and hold regular refresher training sessions to keep your team apprised of any new or developing dangers. For instance, every employee at Rewind goes through regular security training on how to recognize and avoid the most recent ransomware attacks.

3. Ensure proper data backup procedures are followed

The “golden rule” of backups is that you should keep three copies of your systems on two distinct media, with one of those copies being stored away from the original location. If you want to secure your backups against ransomware attacks, you will also need to have one stored offline.

Many businesses select cloud storage for that off-site copy, but if you want to protect your backups, you will need to have one stored offline. Because ransomware can only infect files that it can view, having a second copy minimizes the likelihood of infection. Nevertheless, even the most effective backup plan won’t be of much use if the data has already been corrupted.

4. Maintain a constant care

The computer or device onto which ransomware is initially downloaded is the first to get infected. If you can detect even minute changes in real-time, you will have a much greater chance of isolating the device and placing it in quarantine before the ransomware spreads throughout your network. If you merely monitor the system on an ad hoc basis, you are exposing yourself to greater risk since by the time an abnormality is discovered, it may be too late to do anything about it.

5. Stay away from lengthy backup cycles

Regular, complete backups are necessary if you wish to recover from a ransomware assault promptly. You should, at the very least, do a full backup once every day to catch the rapid changes and upgrades. When you do a full backup less often, you will have to spend a great deal more time during the recovery process reconstructing any data that was lost. In an ideal scenario, you should have a recent full backup that you can restore from the beginning at a point in time when you are certain that your systems are free of contamination.

6. Utilize several different services for cloud storage

Adding another cloud storage solution to your existing storage stack will increase the level of protection that is afforded to your data. In what specific ways could this assist you?

To begin, even if malicious actors circumvent your identity policy and attack one of your storage locations, there is a good chance that the other storage location, which uses different credentials, will remain secure and that you will be able to recover.

There are various backup times. There are situations in which backups become useless, such as when ransomware corrupts the original data but no one realizes it. After that, what happens? The data that has been modified is uploaded by the backup solution, which encrypts the most recent backup. If you use second cloud storage, you should typically carry out a backup at a different time, which will ensure the safety of your other set of backups.

7. Use versions and rollbacks

The size and level of activity of your company should play a significant role in determining the optimal backup strategy for your company. System administrators are typically recommended to do a complete backup once per week and either an incremental or differential backup once per day. This timetable may be too rare for firms that operate at a high pace and where every instant of data processing is critical, such as a stock trading platform.

The use of versioning is a recommended security measure for protecting backups from ransomware. Instead of executing an incremental backup, which deletes older backup copies of certain files, the system maintains the original state and saves the new version in a different location. An incremental backup would otherwise be performed. Because all of these versions are typically stored on the same drive, it is unfortunate that an infection in the most recent version will render all of the versions useless.

You can implement versioning in a way that allows you to roll back to an uncorrupted copy, and there is a mechanism to do this. This is just about the most substantial prospect you can have of retrieving data from a backup that has already been infected by a ransomware executable file.

When you follow the 3-2-1 rule, you will always have two copies of every file. Because of this, you can implement incremental backups on one store and versioning on another store. You can straightforwardly execute the strategy, although there are complex software tools available to manage versioning. That is, ensure that your local tape backup contains all of the data from the previous day.

8. Use the right software

With this, you will be able to locate the “patient zero” of ransomware attacks with the assistance of a clear and simple audit trail, as well as specifics on the client IP of the system where it first began. You are also able to identify and receive fast notifications on the telltale indicators of a ransomware assault, such as a rapid surge in the number of file modifications, renames, and permission changes, even if the attack has not yet occurred.

Backup systems only copy over data files. This should mean that backup repositories are safe from damage by ransomware. However, ransomware, like other malware, is sometimes hidden within data files. For example, Microsoft Office components include an automation feature, called macros, which can be used to create programs. PDFs can also hide programs. Opening one of these trick files can activate the program and launch ransomware.

The hidden nature of ransomware can make this malware difficult to spot, easing the software’s movement into backup repositories. However, there is a strategy that can be deployed that completely sanitizes repositories. That is to block all software from running on any of your computers.

ThreatLocker – GET DEMO

ThreatLocker provides a security solution that disables all software and then allows the system administrator to create a whitelist. Software on the list, which is called the “allowlist” is allowed to run. Therefore, any unexpected or hidden programs will never be allowed to run because it falls outside of the list of known, authorized software.


The ThreatLocker system provides an innovative solution that includes a degree of flexibility. For example, sensitive data can be protected by blocking access to it other than through a limited number of authorized software packages. These packages in turn can only be accessed by a small number of authorized users.

You can examine the ThreatLocker service by accessing a demo account.


As the number of cyberattacks continues to rise daily, businesses need to ensure they have robust data recovery, protection from ransomware, and a business continuity plan that takes advantage of the benefits offered by the cloud to contain the damage caused by these assaults.

I hope you now have a better understanding of ransomware attacks and how to prevent them from getting into your workplace.