Ransomware is a particularly nasty type of malware where the bad guy often comes out on top. Ransomware works by encrypting your data, making files unusable. The only way to decrypt your data is to pay the fee demanded for the decryption key.
While it goes against the grain to yield to these criminal demands, many businesses and individuals feel they have no option but to pay up, even though their data may still be inaccessible after they’ve paid. The only alternative way to overcome the problem is to have everything securely backed up.
The problem is that standard backup strategies often overlook the threat from newer versions of ransomware, which delay the ransom demand for a period of time. This delay increases the chances that the backed-up data are also encrypted, so the victim still needs the decryption key.
Backed-up data can be encrypted by ransomware in two ways:
- When your backup storage device is physically connected to an infected device, the ransomware can detect the backup device, even on a network, and encrypt files on it.
- Ransomware encrypts files on your working device. When you do your backup, you are actually backing up encrypted data, and overwriting non-encrypted data.
Bigger businesses, and those that handle large amounts of data, usually have the resources and strategies in place to prevent this type of problem from arising. For individuals and smaller businesses, being able to recover from a ransomware attack means rethinking backup strategy.
Here are some relatively simple steps to protect your valuable backed-up data:
- Do an audit of your data to identify data that can be archived (that is, data unlikely to change). Back up archive data to remote devices that are not permanently connected to any device, and that are used only for holding archived data. These could be USB sticks, external hard disks or DVDs. Storage devices are relatively cheap, and could save you a lot of money and trouble. Doing this keeps archived data safe from ransomware attacks, and makes recovery easier.
- Modify backup procedures to first check that the data being backed up is still accessible. You could set up a handful of dummy text files in various folders. Give these names starting with digits, e.g. 001dummy.txt. That will mean they will normally be the first files found by ransomware. Modify them every day so that their timestamps will also be fairly new. If any of these dummy files is inaccessible, do not proceed with the backup.
- If you have networked devices, designate one as the device from which all backups will be run. Boot that device into safe mode before beginning each backup.
- If you use cloud storage, make sure you disable automatic login. If automatic login is enabled, ransomware could corrupt files on your cloud backup.
- Make backups stretch back as far in time as you can. Again, cheap storage will make it possible for most people to store several months' worth of data.
- Always disconnect storage devices as soon as the backup is finished.
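
The dummy-file check from the list above can be scripted and run before every backup. The following is an added example, not part of the original article: the marker text and the function names are assumptions, and it goes slightly further than testing whether a file is accessible by also confirming that each dummy file still holds the text that was written to it.

```python
import os
import tempfile
from datetime import date
from pathlib import Path

CANARY_NAME = "001dummy.txt"   # file name taken from the article's example
MARKER = "BACKUP-CANARY v1"    # assumed known first line (hypothetical value)


def refresh_canary(folder):
    """Rewrite the dummy file (run daily) so its timestamp stays recent."""
    path = Path(folder) / CANARY_NAME
    path.write_text(f"{MARKER}\n{date.today().isoformat()}\n", encoding="utf-8")
    return path


def canary_problem(folder):
    """Return a reason string if the dummy file looks tampered with, else None."""
    path = Path(folder) / CANARY_NAME
    if not path.is_file():
        return f"{path}: missing (renamed or deleted?)"
    try:
        text = path.read_bytes().decode("utf-8")
    except (OSError, UnicodeDecodeError) as exc:
        return f"{path}: unreadable as text ({type(exc).__name__})"
    if not text.startswith(MARKER + "\n"):
        return f"{path}: unexpected content"
    return None


def safe_to_back_up(folders):
    """Return (ok, problems); start the backup only when ok is True."""
    problems = [p for p in map(canary_problem, folders) if p]
    return (not problems, problems)


def demo():
    """Constructed scenario in a temp directory: clean, then one file overwritten."""
    with tempfile.TemporaryDirectory() as root:
        folders = [Path(root, name) for name in ("Documents", "Photos")]
        for folder in folders:
            folder.mkdir()
            refresh_canary(folder)
        clean = safe_to_back_up(folders)
        # Stand-in for encryption: replace the text with random bytes.
        (folders[1] / CANARY_NAME).write_bytes(os.urandom(64))
        return {"clean": clean, "tampered": safe_to_back_up(folders)}


if __name__ == "__main__":
    print(demo())
```

Run `safe_to_back_up` first and call `refresh_canary` only after it passes, so that a damaged dummy file is never silently replaced with a good one.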
While these steps should help you recover from ransomware attacks, prevention is always better than cure. Keep your anti-virus software up to date, and make sure your operating system has all updates and patches installed. You could also invest in special software designed to identify and prevent ransomware activity.
If you do fall victim to a ransomware attack, following the advice above will greatly reduce the impact of the attack. Doing so may mean a change in how you do your backups. It means that you should not rely on unattended, automatic backup procedures, but the inconvenience may prove worth it.