10 Critical Steps to Survive a Ransomware Attack, Step 7: Have Rock Solid Backups

If your luck is anything like mine, you’ll find out that your backups are inadequate shortly before you really need it. Fortunately, I learned this lesson early on, when I was in college, and all I lost was a database I’d made of all of my comic books. While it didn’t cost me any business, it did cost me hours of work and years of data that I’d accumulated over time. As a result, I had to recreate the database and dedicate a few hours here and there to recreate it.
But when your business is down because your primary line of business data is gone, it’s not that simple. Let’s imagine the same thing has happened to your business. As I am writing this, we are in the middle of responding to an incident where a business has been entirely shut down due to being infected with the Locky ransomware. The entire business has been shut down for 10 days now because a single employee’s PC contracted a virus which managed to attach itself to the entire network, encrypting every Microsoft Word, Excel, Access file, along with every picture, PDF, video, and audio file it could grab – which was all of them. We received a panicked call from the client on Monday morning, expecting that we would be able to wave our magic wand and get their data back. Sadly, this was not the case, as the client was lacking all of the critical controls we will outline in this and subsequent articles.
Most businesses we encounter have some sort of backup. That’s the good news. The bad news is that they are often inadequate. There are several different types of backups. This article won’t go into great detail on them – just skim the surface so you have a basic understanding, and can make sure you have the appropriate solution for your business.
Manual Backups
One type of backup is manual. This means that a human has to create the backup by themselves, starting it, supervising it, confirming it, and testing it. This may be as simple as dragging a copy of your data file to a USB drive or copying a file from your desktop to a server.
The problem with manual backups is the fact that they are manual! Given enough time, you will forget to perform a backup. This has happened – without exception – to every single backup that I have encountered which required a human to manually perform. It’s not a matter of if – it’s when.
Automated Backups 
As implied, an automated backup is one that happens on its own, without a person having to click a button, swap a tape, insert a drive, etc. This doesn’t mean you are totally off the hook, and can just “fire and forget” about the backups; someone still has to check up on them periodically to make sure they ran. I have seen plenty of instances where a business had no backup for days, weeks, or even several months because backups were not being monitored by anyone. Someone – whether it’s an internal IT staff member or an external provider – needs to be monitoring to make sure your systems are backed up properly.
File Backups
These backups will grab one file at a time, and keep copies of them. In a pinch, it’s likely that you’ll be able to get your files back, which is good.
The problem? They usually don’t preserve your system’s metadata. This is special information on a system – things like file permissions (who should and should not be able to read or write to the file), usernames and passwords, and sometimes email or other types of databases. Often, these special data files require their own, special type of backup to catch everything, and restoring only a part of them means you get back only a part of the data.
A classic example is something like Carbonite or Crashplan. These file level backups do a great job of catching your data files, but don’t preserve things like your user accounts or filesystem permissions. As a result, if you use one of them to back up your work server, and need to restore completely (known as a “bare metal restore”), you may not be able to, and will have to go through the process of rebuilding the server from scratch before you even have a place to restore your data files to! This effort should not be underestimated, as the process can take days or even weeks when things like software discs, licenses, and other special information needs to be dug up or re-purchased.
Image Backups
Far superior to file backups are image backups. These take a complete “snapshot” of the system, and allow you to restore the computer back to a prior point in time. These provide the greatest reliability and flexibility, as they often allow you to do anything from extracting a single file all the way up to a complete system restore. Some systems even allow you to use virtualization to make a virtual hardware machine from the backup. This is an amazing time saver when something is wrong with the original server’s physical hardware and can’t be used. Even if the original server literally bursts into flames, the virtual replacement can be spun up in a matter of minutes, and business can continue.
Local Backups
Local backups are kept on site, with the system which they are backing up. The advantage to these is time – you get to recover your data much more quickly than if the data is kept in a remote location. The disadvantage is that if something catastrophic happens to your facility, the same catastrophe likely will affect your backups. Imagine you have a fire in your server room. Where are the backups? Most businesses will respond “in the server room.” So what happened to the backups? They are likely in the same puddle of melted metal and plastic that the server is now.
Remote Backups
Remote backups are kept someone other than at the site which they are backing up. This can be at an off-site facility (often referred to as “in the cloud” or in a remote datacenter), at a satellite office, or even at an employee’s home. The advantage is that if something happens to the main location, the data is safe.
However, there are concerns with remote backups. First off, is getting the data back. If you have a lot of data, it will take time to restore, whether it’s on a hard drive stored at your home, or in a cloud datacenter over the Internet. When combined with an image backup and virtualization, you can often get your business back up in minutes. However, without this, with data stored far away, it may take days or even weeks to get everything back, and installed on a replacement system in the case of a serious failure.
These qualities of backups are not mutually exclusive, and can be combined in various ways to come up with different backup solutions. For example, your backup solution may be local, and manual, or it could be automated, local and remote, and support image backups with virtualization (my favorite).
To protect your business from ransomware and other disasters, get a solid, robust backup solution that backs up everything on your system – not just a few files and folders – several times per day (not just overnight), and keeps multiple versions that go back several months – allowing you to go back to prior to the infection – both locally and at a remote location. And remember the key step that is too often overlooked: test your backups. Do NOT assume that everything is working fine – test your backups, or have your IT staff test them for you, and give a full report on the restore process. Do a full restore to make sure you could get everything back if the server literally blew up in a ball of flames.
A solution that covers all of the bases likely will require you to work with IT to make sure everything is configured properly, but it’s easy for you to take the first step and send an email to whomever manages your backups right now and ask “can you show me the results of the latest backup test?” And if they don’t have one, no problem! Just say “Okay, could you perform a backup test and report back to me?” Again, this should be a full backup test restore. If they say this is not possible, ask probing questions as to why, and see what it will take to achieve this functionality to properly protect your business.

Peter Nikolaidis is an information security professional based in Cambridge, MA. He holds several information security certifications, including the CISSP. In his spare time, he enjoys practicing martial arts and yoga, mountain biking, and thinking about ways to protect the innocent… often from themselves. Connect with Peter on LinkedIn.