Backup: Last Line of Defense Against Ransomware

Fighting ransomware through backup modernization and best practices

Jan 14, 2022 by Joe Galvan

In the past several months, Prescriptive engineers have seen a dramatic spike in ransomware attacks across industries, a trend further solidifying the importance of robust and comprehensive backup protection for government and business IT systems.

Backups are critical to recovery when a ransomware attack does manage to circumvent all other efforts. However, backups should be your last line of defense against attackers, not your only one. A strong backup system is not an excuse to neglect a secure perimeter, privileged account management, end-point protection, anti-phishing practices, and other Baseline 5 Cybersecurity Readiness measures. This article revisits a set of core best practices related to a sound backup strategy, but also highlights some of the advantages of newer, more modern backup systems available today.

Pre-attack Reconnaissance Trend

With an increasing volume of attacks, we’ve also seen more incidents initiated with reconnaissance. Attackers are gathering intel and looking for vulnerabilities before staging the actual attack. Criminals compromise privileged accounts or impersonate an organization’s users, customers, or business partners to transact fake invoices. The ultimate goal of these exploits is to enable infiltration and encryption of data for which a ransom can be demanded in exchange for the data’s release. By addressing the pillars of effective backup strategy, IT leaders can thwart attackers’ best efforts.

Pillars of Effective Backup Strategy

There are three main pillars to an effective data backup strategy and rapid recovery: immutability, access restriction, and air gaps.


Immutability is the most important strategy for protecting backups and is a fundamental requirement of data security. Data within an immutable backup can’t be changed, even if the backup is breached.

Traditionalists may espouse the virtue of tape as the reliable option for immutability, and while it does provide for an offline copy, there are other, better options now available.

Conventional backup software may not inherently provide immutability, but immutability can often be provided by the disk target. Veeam repositories, for example, are presented over server message block (SMB) or network file system (NFS). SMB is problematic since it’s often accessed via a service account with full control, as opposed to a more restricted NFS export by IP or subnet. Veeam has addressed the need for immutability in their Hardened Linux Repo, which leverages the immutability flag of the XFS filesystem. Veeam also provides for immutability through object-based cloud storage acting as an offsite repo. Veeam Backup Jobs can then be configured as immutable. If the Veeam Linux Hardened Repository is not compromised, the outcome is good local backups. Similarly, unless the cloud object-based storage is compromised, offsite backups will be intact as well. Those accounts should be secured with PAM, MFA, geofencing, etc.

More modern backup approaches such as Cohesity and Rubrik inherently provide immutability. As data protection platforms, they combine data mover software and storage. The backups are composed of independent snapshots—representing recovery points—which are presented on the network only when a restore is issued.

Restricted Access

Although an immutable backup can prevent the data from being changed, the threat of these immutable backups being deleted is still apparent. Given that system management often starts with logging in as an administrator, it’s easy to understand that an attacker would want to leverage an administrator account to log in and, for example, delete an organization’s immutable backups. Enabling and enforcing multi-factor authentication (MFA) is a meaningful deterrent since it makes it more difficult for criminals to log in successfully. MFA is part of Prescriptive’s Baseline 5, five critical security measures that every organization should be using to protect their data. Additional security measures, such as privileged access management (PAM), are also advisable.

Organizations are also vulnerable to potential internal bad actors—whether company employees, contractors, or other staff members such as interns or volunteers. Your best protection against them is Write-Once-Read-Many (WORM) storage. Data stored on a WORM device cannot be edited—or deleted—once it’s been written.

Rubrik and Cohesity can be configured to lock the snapshot until the retention expires and provide WORM compliance. As a result, even a high-ranking internal actor with MFA enabled can’t delete the backups.

Air Gaps

With onsite backups well-secured, the next step for ensuring successful defense involves creating an offsite copy, or, forming an air gap. Air gaps—another Baseline 5 measure—prevent offline copies from being reached electronically.

The common conventional air gap solution was backup tape stored safely offsite. Today, tape has largely been replaced with cloud object-based storage and additional sites. These solutions offer immutability and strict access controls to secure your offline data as effectively as your on-site copies. In a proper air gap, a number of measures are taken to limit connections, such as key exchanges for encryption of data transfer or a total severing of connections when data transfer is not active. Modern solutions pair sites via a key exchange, so both can establish a trust. This approach can be augmented with cloud storage via an access key for the target bit bucket. This keeps the air gap session-based, rather than network-wide.

How modernized data protection platforms outperform legacy solutions

Modernized data protection platforms offer two more distinct advantages over traditional backup solutions: detection and rapid recovery.


Modern data protection solutions can scan your backups for malicious content and anomalies in the data, such as many writes, or entropy indicative of encryption. If anything suspicious is detected, administrators are alerted with a data report on what was affected and a timeline on the activity, including the last known good point-in-time for recovery.

Rapid Recovery

The recovery process for a large environment used to be long, tedious, and disruptive. Modern data protection solutions leverage snapshots and other data to identify a recovery point quickly. As a result, these platforms can provide near instant recovery. Using vMotion or another tool, data can be migrated back to primary storage in the background, without disrupting employees’ work.

Executing a recovery plan and conducting periodic testing will indicate to you and your leadership team what a realistic timeline for recovery might look like if a full operational recovery becomes necessary.

Parting thoughts on backup and ransomware

Backups alone do not make for a comprehensive strategy to protect your system from ransomware attacks. But adhering to backup best practices can serve as a final defense against ransomware if a sophisticated attack breaks through your other security measures. Immutability, access restriction, and air gaps can keep your backups safe and expedite the recovery process. While these measures are generally achievable with legacy backup toolsets, modern backup systems like Cohesity and Rubrik have eliminated a great deal of the hassle and complexity, providing for a stronger last line of defense among organizations that have adopted them.

Photo by Jan Vašek on Pixabay