Configure your backups to properly deal with Crypto Ransomware

Brandon Backup, Security


Let’s talk about backups and how they pertain to ransomware.

Backups are critically important in today’s threat landscape. Ransomware is a leading cause of data loss, and without properly configured backups your data may be gone forever. Let’s go over some important backup-related terms.


Retention

Retention is the length of time a given backup set remains available for restore. Depending on your retention time, that could be a matter of days, weeks, months or years; the longer the retention, the more storage capacity you will need. Did you know it is very common for organizations to have no retention period at all? Once ransomware hits, the next backup that runs overwrites your only good copy of the data, making recovery impossible. That is why a properly configured retention policy is key.

Incremental Backup

This type of backup copies only the files that have changed since the last time the backup ran. Because only the changes are copied, the backup runs faster and more efficiently. It also cuts down on the amount of storage required, which lets you increase the retention time. I want to briefly touch on Shadow Copies here, as in my opinion they are a form of incremental backup. Many sources say that Shadow Copies are not a backup; however, in the case of ransomware they are a valid means of recovery and often the first place I restore from. They are not turned on by default and should be enabled and configured for every network share on every server in your organization.
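To make the incremental idea concrete, here is an added example (not code from the original post) of a hash-manifest incremental backup planner in Python. It records a SHA-256 per file, works out which files changed since the last run, and adds the check a defender wants: when the change set is an abnormally large fraction of the data set, the way it is when ransomware has rewritten every file, the job raises an alarm instead of quietly consuming retention space with encrypted copies. The 50% threshold, the file names and the simulated encryption are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Record the content hash of every file under root: the state the last backup saw."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def changed_since(previous: dict, current: dict) -> list:
    """Files that are new or whose content differs from the last manifest: the incremental set."""
    return sorted(p for p, digest in current.items() if previous.get(p) != digest)


def plan_incremental(root: Path, previous: dict, max_change_ratio: float = 0.5):
    """Work out what an incremental run would copy, and raise a mass-change alarm.

    Ransomware rewrites nearly every file, so the incremental engine sees almost
    the whole data set as changed. If that run proceeds it fills the backup
    target with encrypted copies and pushes good copies out of retention.
    A change ratio far above the normal daily rate is the cue to pause the job
    and investigate. The 50% threshold is an assumed value, not a standard.
    """
    current = build_manifest(root)
    changed = changed_since(previous, current)
    ratio = len(changed) / len(current) if current else 0.0
    # The very first run (no previous manifest) legitimately copies everything.
    alarm = bool(previous) and ratio > max_change_ratio
    return changed, ratio, alarm


def demo() -> dict:
    """Constructed sample: ten files, one normal edit, then a simulated encryption of all files."""
    root = Path(tempfile.mkdtemp())
    for i in range(10):
        (root / f"report{i}.txt").write_text(f"quarterly figures {i}\n")
    baseline = build_manifest(root)

    # A normal working day: one file edited.
    (root / "report3.txt").write_text("quarterly figures 3, revised\n")
    normal_changed, normal_ratio, normal_alarm = plan_incremental(root, baseline)

    # Simulated ransomware: every file's content is replaced (here with junk bytes).
    for i in range(10):
        (root / f"report{i}.txt").write_bytes(b"\x00ENCRYPTED\x00" + bytes([i]))
    mass_changed, mass_ratio, mass_alarm = plan_incremental(root, baseline)

    return {
        "normal_changed": normal_changed,
        "normal_alarm": normal_alarm,
        "mass_changed": len(mass_changed),
        "mass_ratio": mass_ratio,
        "mass_alarm": mass_alarm,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The normal edit produces a one-file change set and no alarm; the simulated encryption changes all ten files, a ratio of 1.0, and trips the alarm. In a real job the alarm would hold the run and page an operator, because the backup software on its own only sees "changed files" and will happily overwrite retention with them.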

Offline Backup

An offline backup is a backup that is not connected to the server. If your backup is connected to the server, ransomware can encrypt that data as well, making recovery impossible. That is why having an offline backup is crucial to the success of your backup policy. An offline backup can be a copy you disconnect from the computer once the backup is complete, or a backup hosted elsewhere, in the cloud for example.

Having an offline backup, a properly configured retention policy, and enough free space can mean the difference between a successful recovery and disaster. Your offline backup is a last resort; there are only two reasons you should need to touch it:

  1. Your backup was encrypted.
  2. Retention overwrote your last good backup.

Taking everything into account

Even if you set a long retention period, if you run out of space most backup software will overwrite the oldest backup when it needs additional room. In a ransomware scenario where every file gets encrypted, the backup software sees every file as changed, so what you end up doing is overwriting good backups with bad, encrypted versions of your files. Checking your storage capacity against the size of your backup set is as important as checking that you are successfully backing up each day.

You want your storage capacity to be a multiple of the total amount of data you are trying to store. At a minimum, your storage should hold at least twice the amount of data you are backing up: if you are backing up 500 GB of data, ensure that you have at least 1 TB of backup storage. I recommend 3x as a good starting point to ensure proper retention. Your retention should be able to hold 3 full copies of your backup at the following retention points: 1 month, 1 week, and 1 day. There is nothing wrong with longer retention times, but you should be moving that older data to offline storage for archival purposes. It is more important that you have sufficient storage capacity to avoid a possible retention overwrite.
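As an added example that is not part of the original post, the following Python simulation works the capacity argument through day by day. Daily backups are modelled as full copies (the post's 2x/3x sizing counts full copies), the online target overwrites its oldest copy when it needs room, and an offline copy is taken on a weekly rotation. Ransomware encrypts the source data on a chosen day, so every backup from then on is bad; the function reports how many days you have, after infection, before each target holds no clean copy at all. The 500 GB data set, the day-30 infection, and the weekly two-media offline rotation are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RestorePoint:
    day: int
    clean: bool  # False when the source data was already encrypted when the job ran


class Target:
    """A backup target holding a fixed number of full copies. Like the backup
    software the post describes, it overwrites the oldest copy when it needs room."""

    def __init__(self, slots: int):
        self.slots = slots
        self.points: list[RestorePoint] = []

    def add(self, point: RestorePoint) -> None:
        if self.slots <= 0:
            return  # the target cannot even hold one full copy
        while len(self.points) >= self.slots:
            self.points.pop(0)  # retention overwrite: the oldest copy goes first
        self.points.append(point)

    def clean_copies(self) -> int:
        return sum(1 for p in self.points if p.clean)


def simulate(data_gb: float, online_capacity_gb: float, infection_day: int,
             horizon_days: int = 30, offline_every: int = 7, offline_slots: int = 2) -> dict:
    """Run daily full backups to an online target sized by capacity / data size, plus
    an offline copy every `offline_every` days rotated across `offline_slots` media.
    Ransomware encrypts the source on `infection_day`; every backup from then on is bad.
    Returns how many days after infection each target is left with no clean copy
    (None if a clean copy survives to the end of the horizon)."""
    online = Target(int(online_capacity_gb // data_gb))
    offline = Target(offline_slots)
    online_loss = offline_loss = None
    for day in range(infection_day + horizon_days + 1):
        point = RestorePoint(day, clean=day < infection_day)
        online.add(point)
        if day % offline_every == 0:
            offline.add(point)  # the offline copy is taken from the same (possibly encrypted) source
        if day >= infection_day:
            if online_loss is None and online.clean_copies() == 0:
                online_loss = day - infection_day
            if offline_loss is None and offline.clean_copies() == 0:
                offline_loss = day - infection_day
    return {
        "online_full_copies_held": online.slots,
        "online_days_until_no_clean_copy": online_loss,
        "offline_days_until_no_clean_copy": offline_loss,
    }


if __name__ == "__main__":
    # Constructed scenario: 500 GB of data, infection on day 30, targets sized at 1x, 2x and 3x.
    for capacity in (500, 1000, 1500):
        print(f"{capacity} GB target:", simulate(500, capacity, infection_day=30))
```

With a 1x target the very first post-infection backup wipes out the only clean copy (zero days of grace); 2x gives one day and 3x gives two, which is exactly why the post wants capacity sized as a multiple of the data set. The weekly offline rotation in this scenario keeps a clean copy for twelve days after infection, because the offline media are only overwritten on the weekly schedule, not every night. Note that the offline copy is still taken from the live data, so it only helps if you notice the incident before its own rotation cycles through.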

The next time you ask I.T. whether the backups have been successful, understand that completing a backup every day is sometimes not enough: consider retention time, storage space, and offline copies, especially with today’s ransomware.

If you need someone to audit your backup settings, give us a call!