The document outlines strategies to protect backups from ransomware, emphasizing the use of immutable storage that locks data to prevent alterations. It also discusses the 'air-gap' method, which separates backups from production data to limit attack spread, and stresses the importance of restricting access to backup systems. Additionally, it highlights the use of backup tools for detecting potential attacks by monitoring unusual backup activities and systems.

1. HOW TO
PROTECT
BACKUPS FROM
RANSOMWARE

2. 1
Immutable
storage
Immutable storage is the simplest
way to protect backup data. Data is
stored in a Write Once Read Many
(WORM) state and cannot be
deleted for a prespecified period.
Policies are set in backup software
or at storage level and it means
backups can’t be changed or
encrypted.

3. Utilising an
‘air-gap’
2
Another method of protection is the
‘air-gap’. Adding an ‘air-gap’ means
separating backups from production
data so there is no way for an attack to
spread from one to the other.
Traditionally, that means keeping a
copy of data physically separate, often
on tape. If an organisation doesn’t want
to keep its backups on tape (as many
don’t), it’s also possible to create a
logical ‘air-gap’, and there are several
ways to do that.

4. 3
Restricting
access
To protect backups, it’s important to
prevent unauthorised access to
backup software.
Restricting access, strong
passwords, and MFA all reduce the
chance of attackers accessing
backups.

5. 4
Using backups
todetectattacks
Backup vendors are now adding innovative
features, using signs from backup and
production data to detect and prevent
attacks.
A sudden, very large incremental backup
indicates that a lot of data has changed and
should be investigated as a potential
ransomware attack.
Honeypot files can be closely monitored and
provide alerts if ransomware encrypts those
files.
Lastly, you can monitor the entire storage
environment can be monitored for spikes in
I/O activity.