Ransomware is everything bad about humanity distilled into malware—maliciousness, greed, and casual incompetence. It encrypts your files and demands payment for a key that might not even work. But with the right backup strategy, your files can survive an infection.
We recommend you do this today and avoid the debate over whether you should pay the ransom.
What You Need to Know About Ransomware
Ransomware is a kind of malware designed to lock you out of your computer unless you pay a ransom. It usually encrypts your files to lock you out, and the ransom is typically in cryptocurrency. Ransomware usually targets corporate, enterprise, and government entities, but individuals can and do get pulled into the fray.
The software is increasingly sophisticated with new variants arriving all the time. While most criminals treat an attack as a transaction, some ransomware authors seem to revel in screwing with victims. Last year, we learned about ZENIS, ransomware that purposely deletes backups. And more recently, GermanWiper, which doesn’t encrypt your files at all—it simply deletes them and demands a ransom anyway. Hapless victims who pay have nothing to decrypt because their files were gone from the start.
And there are more attack vectors than ever.
“Ransomware is now being transmitted in a variety of mechanisms making it increasingly difficult for end-users to stay protected,” said Victor Congionti, chief information officer at cybersecurity firm Proven Data. “Traditionally, ransomware has been distributed via email campaigns that rely on gullible users to download malicious links.” But he also said, “Ransomware is increasingly distributed in nontraditional ways.”
Criminals now disguise it in apps and unvetted software. Or, they transmit it through spear-phishing attacks, in which they target individuals within an organization who are more likely to click on suspicious links.
It’s a jungle out there!
How to Protect Your Backups From Ransomware
If your system is infected with ransomware, you can either pay the ransom and hope you get your files back, or not pay and try to reconstruct your PC from backups. The first option is problematic for moral, ethical, financial, and logistical reasons. So, you can take steps right now to ensure you can recover painlessly from a ransomware attack.
Start with these three guiding principles for backups:
- Assume ransomware will encrypt or delete anything you can access from your PC. If you back up to an internal or external hard drive that’s constantly connected to your PC, or the cloud, consider those files already dead. They’re only of value for a more old-fashioned and conventional disaster, like a hard drive failure. There’s nothing wrong with this kind of backup for traditional threats, but it should not be your only line of defence to protect your data.
- Disconnect your backup from the network. A solid weapon against ransomware is to use a backup media you can air gap, meaning it’s completely disconnected from your computer and the internet. For example, if you back up to an external hard drive, only connect it during the regularly scheduled back up, and then disconnect it again immediately afterwards. “It’s crucial that the local storage drive is not kept attached to the network,” said Congionti. “This will prevent the backups from being encrypted if the ransomware executable is loaded onto the network, and the storage device is offline outside of the encryption process. If the drive is attached, the ransomware can now have access to these backups which will render them useless, as they’ve become encrypted along with other files.” Yes, this is inconvenient, and it takes discipline to connect a drive manually and trigger a backup. But it’s a particularly secure strategy.
- Rely on versioning. Even if you disconnect your external drive, there’s no guarantee it will remain protected. This is because your system might already be infected with malware when you run a backup. “Versioning is a key strategy to ensure recovery from a ransomware attack,” said Dror Liwer, founder of security company Coronet. Use a backup tool that saves multiple timestamped versions of your files. Then, when you restore your computer, you should have the option of going back far enough that your backup predates the infection.
Implement a Practical Backup Strategy
Obviously, common backup solutions simply aren’t robust enough to protect you from a ransomware attack. Cloud storage is not the same as cloud backup and, consequently, anything that syncs or mirrors your data is toast. If you want to reclaim any files, you can’t rely on the free versions of Dropbox, OneDrive, or Google Drive, for example.
But if you pay for storage, the story might be a little different. Dropbox includes the Dropbox Rewind feature in paid tiers. Dropbox Plus (2 TB of storage) gives you a 30-day history of your files, which you can roll back to at any time. Dropbox Professional (3 TB) has a 180-day version history.
OneDrive has its own ransomware protection. If OneDrive detects possible ransomware activity, it notifies you and asks you to verify if you’ve made the recent changes to your files. If not, Microsoft attempts to help you clean up your hard drive and restore the damaged files.
Because Google Drive and iCloud have no such built-in protection, we don’t recommend you rely on them when ransomware is such a serious risk.
In addition, most online backup solutions employ versioning, so with services like Acronis, Carbonite, and iDrive (among others), you can roll back to a snapshot of your hard drive from before it was infected.
“Carbonite has successfully recovered over 12,600 customers from a ransomware attack after calling into our customer support line,” said Norman Guadagno, senior vice president of marketing for Carbonite.
Some online services even bake in anti-ransomware tools. Acronis, for example, has a tool called Active Protection that looks for malicious behavior.
“When Active Protection detects something fishy,” said James Slaby, director of cyber protection at Acronis, “Like a process that is renaming and then encrypting a bunch of files, it kills the process immediately.”
In the same way the Apollo spacecraft had two independent guidance computers, we recommend you have at least two ways to back up your data. You can combine a simple, easy-to-access sync-based solution with one robust enough that you can recover from a ransomware attack.
For example, you can use a traditional cloud backup solution, like Dropbox or OneDrive, to ensure your files are always available if you log in from a different PC or suffer a catastrophic computer failure. If you have a subscription and can take advantage of built-in ransomware protection, that’s even better!
Simultaneously, implement a secure backup solution with versioning. You can use a local backup app that writes to an external drive, or an online backup service that stores your files in the cloud. Yes, it’s more difficult to get to your files when you use these types of backups, but they can weather a ransomware attack, which your day-to-day file sync cannot.
How to Avoid an Infection
Although it’s one of the most worrisome kinds, ransomware is just another type of malware you should be aware of and prepared for.
Once you have a secure, multitiered backup solution in place, follow these commonsense rules to minimize your exposure to ransomware:
- Use a strong antivirus product with ransomware protection. Of course, no antivirus app is perfect, but any security strategy that doesn’t include one is fundamentally broken.
- Don’t click on anything you don’t trust. You know the drill. Don’t click strange links on websites, in email or text messages, or delivered via carrier pigeon. Also, don’t use pirated software or visit illicit websites. And stay in sanctioned storefronts on your phone, like the Google Play and Apple App stores.
- Keep your computer equipped with the latest system updates.
If You Get Hit
Finally, if you ever have the misfortune of being infected with ransomware, all hope is not lost. There are two free tools you can use to decrypt your files without paying a penny in ransom:
- No More Ransom: This is a joint project between McAfee and a handful of European law enforcement organizations that now boasts about 100 corporate and government partners. If your system is infected, you can go to the No More Ransom site and upload some sample encrypted files from your computer. If it’s cracked that ransomware family, you can unlock your PC at no cost.
- ID Ransomware: Similar to No More Ransom, security company Emsisoft created this project. You can also request that ID notify you if a non-decryptable attack becomes decryptable in the future.