Backup strategy against ransomware and what to do when infected

We had a user whose laptop was infected with ransomware, and that led me to look into the solution to it, and our backup system.
Fortunately, he was not connected to the company network, so the files were only locked in his laptop.
The free ransomware removal tool from TrendMicro, and one from another vendor, did not work.

1. What is the best removal tool?

I am looking into Sophos. They have an Enterprise Malware Removal Tool that can take care of ransomware. We use their anti-virus software, so theirs caught my eye.

2. What is the best backup strategy?

I had an IT admin friend, and his system got infected. He spent $30K to get his files back from the servers, and what was interesting was that the ransomware did not manifest itself right away. It was like 2 or 3 days later.
Right now, my servers are backed up fully every night to a USB drive. I have only 3 servers. No incremental or differential. I'd like to know how people back up a couple of terabytes of data these days. Tape systems were used in the past, and each day, manually or automatically, different tapes were used. Do people do this even in 2018? I only used it 10 years ago.
These can have multiple full backups, and each time are they totally offline from each other? I hear that Ransomware can go into other resources in the same LAN. Then I need a backup system that can backup multiple generations (like daily), and they need to be completely offline. If Ransomware can infect the backup drives either via USB or LAN, then that is a problem.

Of course, one way is to have 5 separate USB drives for Monday through Friday, and cycle it each week. Is there a better way?

Well, the key is that your backup strategy includes backups that are not connected to any system or network at some point. If a backup drive is online and the infected system can access it, then you're going to have it potentially infected/encrypted as well.

The best tool against ransomware is prevention, which includes a mixture of spam filtering, tool improvement (AV and malware), user education, and minimizing areas open to exploitation.
Member_2_7970390 (Author) commented:
Hi, masnrock,
Thank you for your comment. The whole purpose of asking professionals like you this question is to find out the best way to have offline backups. Also, what are the prevention tools that you use or recommend? I'd like to have actual names of software and equipment.
Yes, prevention is the biggest key, but not all users are careful. Things happen.
Anti-malware tools cannot detect and block every possible ransomware that is developed and revised every day.

Could you give me more specific options for a solution?
External USB hard drives would work. Even NAS drives are fine, as long as you take them offline whenever they're not the one to be used. 1 for each day of the week works well. As long as you properly follow the rotation, you would minimize loss. Nobody is really using tapes these days, as there are a lot of other solutions (even though ironically a tape drive could work for this type of scenario).

If you wanted an additional malware product, you could go with Malwarebytes. However, a lot of endpoint security products are pretty well suited for this as well. ESET is one I'd mention, but you have Sophos Endpoint, Symantec Endpoint, and so on.

> Anti-malware tools cannot detect and block every possible ransomware that is developed and revised every day.
Despite best efforts, no product can do this. They may be great at catching things exploiting a number of things, but not every single thing. There's no silver bullet in this area, hence why prevention becomes so important.


Lee W, MVP, Technology and Business Process Advisor, commented:
Security is a multi-tiered approach.

Put in a good firewall/UTM to stop things from getting in.  Web filtering/DNS filtering can help. Good firewall rules that only allow access for the services and ports required for workers to work (for example, there's no need to have port 25 open for sending from EVERY IP in your network if you have a mail server that handles that for you. By blocking 25 for everything but the server, you prevent mass mailing worms infecting individual PCs from spreading the worm).

Antivirus - using different products - helps - but these days it's also largely ineffectual (ever try uploading a file or testing a suspicious link? MOST products find the item clean... 3-5% actually catch it... and they change with each questionable file). So use a different antivirus on the server than on your workstations - and a different AV technology on the UTM as well.

TRAIN YOUR STAFF.  That's the single biggest thing you can do to prevent these things.  If your staff is well trained, they won't mistake seemingly legitimate (but actually dangerous) messages as valid.  

Limit access rights.  It's not about trusting your staff... it's about protecting your data in the event of an attack.  An attack on the HR person should have NO EFFECT on the accounting files.  An attack on the Marketing person should have no effect on the Sales person's files. Because in both cases, they don't need access.  If you're a small enough company that folks back each other up, fine, create a separate account with the necessary rights for them to cover someone on vacation.  But don't give default read/write permission (or worse, admin permissions) to everyone.

As for backup, your backup is WORTHLESS - UNLESS YOU TEST.  It's next to worthless if you don't have a DISCONNECTED, OFFLINE copy.

Backup is NOT disaster recovery and disaster recovery is NOT backup.  They share similarities in some ways, but are not the same.

One way you could mitigate this is to pull your host off the domain and then backup the VMs from it. With the accounts different and the VM backup software backing up the VMs, you would be able to restore yesterday's server before infection.  But you always have to test backups, create offline copies, and take things seriously, tracing how the access/access rights might affect things.  (I assume you're virtualizing... there's little excuse for not and if you're not, your next project should be converting to virtual servers).  Backups are insurance.  If you want the gold premium protection, then you need to pay for it.  If you want no-frills, you can pay very little and hope you never actually need the protection the insurance provides... (Who buys homeowners insurance HOPING they need to use it?  And would you rather have the insurance that all you have to do is make a phone call and everything is handled... or the one where you spend dozens of hours on the phone, going to offices, and having to pay a portion yourself...)
Wayne Herbert, IT Specialist, commented:
What I have learned about ransomware control (some of it through hard experience).
a)  Forget about a malware removal tool.  An infected computer is going to have useless files anyway... rebuild from the ground up to ensure that it is clean.
b)  Prevention is the best protection.  Use a hardware firewall capable of layer 7 blocking and a real time update/analysis of threats.  I use a Meraki.
c)  Use a strong email spam/malware catcher.  The best I have found is OnlyMyEmail... better catch stats and fewer false positives than any other on the market.
d)  USB drives can be encrypted but so can any FQPN.  If it's available for share or access from a PC, it can be compromised by ransomware.  Therefore, limit the number of shares and network access entries to reduce the possibility of infection.
e)  Set any folders that absolutely do not have to be written to as read only.
f)  Ensure that shares for things like backup drives have only certain groups or permissions allowed to access/update. For example, create an admin user "backupguru" and make sure only it has access rights to your backup share drive. Your standard (infected) user won't be able to alter the shared drive.
g)  Use a versioned cloud backup system in addition to any local backups you may take.  Even if you end up with backing up a ransomware compromised file, you'll still have the originals to put back.
h)  Consider using a product that blocks reads/writes from certain folders by suspicious processes. Windows Defender has such an animal.
i)  And finally, bi-weekly scare emails to all users, warning of threats.  Although the ransomware infection we incurred took time to clean up, it had two benefits.  We are much harder to break into now, and I guarantee that no user on our shop will now click on a link for "Caribbean Vacations" from a dodgy website like "Uncle Bob's Cheap Holidays".
Member_2_7970390 (Author) commented:
If tape devices are not used in the terabyte era (that is good to know, thanks!), then NAS is the only option, apart from daily separate external drives.

1. Can ransomware reach out to other servers on the same network, and lock up their files?
2. (4 to 8)-Bay Network Attached Storage like the one I put the link for - is each bay totally manageable separately (online / offline), therefore unreachable from ransomware?
Wayne Herbert, IT Specialist, commented:
Anything that is reachable with a fully qualified path name (FQPN) can be corrupted.  So, if server1 can see \\server2\MyFolders and MyFolders gives write permissions to the process executing the ransomware, then yes, your other server is vulnerable.  And, if you are using DFSR, it will also happily duplicate corrupted files.
Your NAS drive will show up as a mapped drive and therefore, is corruptible, if online, unless writes are restricted to certain accounts which are not busy executing the ransomware.
Lee W, MVP, Technology and Business Process Advisor, commented:
> Can ransomware reach out to other servers on the same network, and lock up their files?

This depends entirely on who gets infected, what their access rights are, and how the malware works. Bottom line: MAYBE.

Are you backing up your VMs?
btan, Exec Consultant, commented:
Actually, it is advised not to have a backup on a USB drive, as it can be lost or stolen, or allow unauthorised access if it is not encrypted or uses weak passwords to encrypt. Typically a 2FA-encrypted drive is the minimum, and it should not be brought out of the premises..

Generally the strategy adopts the 3-2-1 principle, e.g. make 3 copies, store in 2 places, keep 1 copy offline. I will add in another "1", which is to verify at least 1 copy is recoverable. There are some that take backups with different restore points so that backups from certain periods can be recovered or restored.

Prevention is still needed, as all have mentioned. Importantly, consider having an "alarm" to trigger if there are a lot of writes on disk and high CPU utilization. Here is one that has recommended practices for consideration
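The extra "1" above (verify that at least one copy is recoverable) and Lee W's "your backup is WORTHLESS - UNLESS YOU TEST" are the same requirement. The script below is an added example, not code from any poster: it writes a SHA-256 manifest next to the backup set when the job finishes, and later re-hashes the offline copy against that manifest and actually restores a random sample of files to a scratch folder to prove the bytes come back intact. Folder paths are assumptions; `Get-FileHash` needs PowerShell 4.0, which Windows Server 2012 R2 ships with.

```powershell
# Added example (editor's illustration, not from any poster in this thread).
# Assumed layout: one folder per nightly backup set, e.g. D:\Backups\2018-07-02 on the
# live target and F:\Backups\2018-07-02 on the drive that is rotated offline.

function New-BackupManifest {
    # Run on the live target right after the backup job: records hash + size of every file.
    param([Parameter(Mandatory)][string]$Root,
          [string]$ManifestPath = (Join-Path $Root 'MANIFEST.sha256'))
    $lines = Get-ChildItem -Path $Root -Recurse -File |
        Where-Object { $_.FullName -ne $ManifestPath } |
        ForEach-Object {
            $rel = $_.FullName.Substring($Root.TrimEnd('\').Length + 1)
            '{0}  {1}  {2}' -f (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash, $_.Length, $rel
        }
    Set-Content -Path $ManifestPath -Value $lines -Encoding UTF8
    return @($lines).Count
}

function Test-BackupCopy {
    # Run against the offline copy: every file is re-hashed, then a random sample is
    # restored to a scratch folder and compared again, so "restorable" is demonstrated,
    # not assumed.
    param([Parameter(Mandatory)][string]$Copy,
          [string]$ManifestPath = (Join-Path $Copy 'MANIFEST.sha256'),
          [int]$RestoreSample = 5,
          [string]$Scratch = (Join-Path $env:TEMP 'restore-test'))
    $bad = @(); $missing = @(); $ok = 0
    $entries = Get-Content -Path $ManifestPath | ForEach-Object {
        $h, $len, $rel = $_ -split '  ', 3      # relative path is last, so spaces in it are safe
        [pscustomobject]@{ Hash = $h; Length = [long]$len; Rel = $rel }
    }
    foreach ($e in $entries) {
        $p = Join-Path $Copy $e.Rel
        if (-not (Test-Path -LiteralPath $p)) { $missing += $e.Rel; continue }
        $f = Get-Item -LiteralPath $p
        # A size mismatch alone is a red flag: ransomware output is normally a different
        # length (and usually a different extension) from the original file.
        if ($f.Length -ne $e.Length -or
            (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash -ne $e.Hash) {
            $bad += $e.Rel
        } else { $ok++ }
    }
    # Restore test on a random sample of the files that verified.
    New-Item -ItemType Directory -Path $Scratch -Force | Out-Null
    $restored = 0
    $sample = $entries |
        Where-Object { $bad -notcontains $_.Rel -and $missing -notcontains $_.Rel } |
        Get-Random -Count $RestoreSample
    foreach ($e in $sample) {
        $dst = Join-Path $Scratch ([IO.Path]::GetFileName($e.Rel))
        Copy-Item -LiteralPath (Join-Path $Copy $e.Rel) -Destination $dst -Force
        if ((Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash -eq $e.Hash) { $restored++ }
    }
    $expected = [Math]::Min($RestoreSample, $ok)
    [pscustomobject]@{
        Verified       = $ok
        Corrupt        = $bad
        Missing        = $missing
        RestoredSample = $restored
        Restorable     = ($bad.Count -eq 0 -and $missing.Count -eq 0 -and $restored -eq $expected)
    }
}

# Usage (assumed paths):
# New-BackupManifest -Root 'D:\Backups\2018-07-02'           # on the live target, after the job
# Test-BackupCopy    -Copy 'F:\Backups\2018-07-02' | Format-List   # against the offline drive
```

The manifest lives inside the backup set, so it travels with the copy; if an attacker with write access to the set can also rewrite the manifest, the check only tells you the copy matches whatever was written last, which is why the verification belongs on the drive that was taken offline, compared against a manifest you also keep elsewhere.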
Tape backup is still used in larger organizations for archival backup.  They're still more robust and faster than a single disk for off site storage.  Smaller organizations are using disks because they're cheaper for smaller backup sets, without having to spend the money for an additional tape drive to read and write the tapes.  The tapes are also quite expensive, unless you buy in scale to make it cheaper than buying 100s of disks.
Fred Marshall, Principal, commented:
re: Wayne Herbert's list items (e) and (f):
No panacea: The degree of exposure can also be reduced by temporal group membership.  If there's no backup happening, then switch the group of the "writer" to one that can't WRITE.  Only switch the "writer" into a group that can WRITE when absolutely necessary.  Even Task Scheduler can do this - it may entail a reboot as part of the process.
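Wayne Herbert's item (f) (a dedicated "backupguru" account that is the only one with rights on the backup share) and Fred Marshall's refinement (the account only holds WRITE rights while a backup is actually running, switched by Task Scheduler) fit together. The script below is an added example, not code from either poster: it breaks NTFS inheritance on the backup folder, grants Modify only to an AD group, restricts the share the same way, and registers three daily tasks that add the account to the group, run the job, and remove it again. Every name (domain CONTOSO, D:\Backups, share Backups, group Backup-Writers, accounts backupguru and svc-taskadmin, script C:\Scripts\Run-Backup.ps1) is an assumption.

```powershell
# Added example (editor's illustration, not code from any poster in this thread).
# Requires RSAT (ActiveDirectory module) on the file server and an account, svc-taskadmin
# here, that is permitted to change membership of the writer group.
Import-Module ActiveDirectory
Import-Module SmbShare
Import-Module ScheduledTasks

$BackupRoot  = 'D:\Backups'
$ShareName   = 'Backups'
$Domain      = 'CONTOSO'
$BackupUser  = 'backupguru'
$WriterGroup = 'Backup-Writers'
$JobScript   = 'C:\Scripts\Run-Backup.ps1'
$TaskAdmin   = "$Domain\svc-taskadmin"

# 1. NTFS: break inheritance, drop every existing ACE, then allow exactly two principals.
#    Ordinary (possibly infected) users get no entry at all, so the folder is not a
#    writable target for a process running under their token.
$acl = Get-Acl -Path $BackupRoot
$acl.SetAccessRuleProtection($true, $false)              # protect; do not copy inherited ACEs
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
$flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none  = [System.Security.AccessControl.PropagationFlags]::None
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$Domain\$WriterGroup", 'Modify', $flags, $none, 'Allow')))
# Administrators can read (restore) but not alter, which answers the "what if the backup
# account breaks" concern without handing ransomware running as an admin a write path.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'ReadAndExecute', $flags, $none, 'Allow')))
Set-Acl -Path $BackupRoot -AclObject $acl

# 2. Share level: the same two principals, nothing for Everyone.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $BackupRoot `
        -ChangeAccess "$Domain\$WriterGroup" -ReadAccess 'BUILTIN\Administrators' | Out-Null
}
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue

# 3. Temporal membership. A group change only appears in tokens created AFTER the change,
#    so the job task must start (log on) after the grant task, and the revoke must run
#    after the job has finished. Passwords are asked for once, at registration, and are
#    stored by the Task Scheduler service, not in this script.
function Register-DailyTask {
    param([string]$Name, [string]$Command, [string]$At, [string]$RunAs)
    $cred   = Get-Credential -UserName $RunAs -Message "Password for $RunAs ($Name)"
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
                  -Argument "-NoProfile -ExecutionPolicy Bypass -Command `"$Command`""
    $trig   = New-ScheduledTaskTrigger -Daily -At $At
    Register-ScheduledTask -TaskName $Name -Action $action -Trigger $trig `
        -User $RunAs -Password $cred.GetNetworkCredential().Password -RunLevel Highest | Out-Null
}
Register-DailyTask -Name 'Backup-1-GrantWrite'  -At '01:00' -RunAs $TaskAdmin `
    -Command "Add-ADGroupMember -Identity '$WriterGroup' -Members '$BackupUser'"
Register-DailyTask -Name 'Backup-2-RunJob'      -At '01:05' -RunAs "$Domain\$BackupUser" `
    -Command "& '$JobScript'"
Register-DailyTask -Name 'Backup-3-RevokeWrite' -At '05:00' -RunAs $TaskAdmin `
    -Command "Remove-ADGroupMember -Identity '$WriterGroup' -Members '$BackupUser' -Confirm:`$false"
```

Outside the 01:00 to 05:00 window the backup account is not in the writer group, so even a process holding its credentials cannot write to the share; inside the window it can, which is why the job should only ever add a new dated folder rather than overwrite the previous night's set, and why the manifest check on the rotated-out drive still matters. The Task Scheduler history of the three tasks also gives you a simple audit trail of when write access existed.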
Robert Ornelas, VP Operations at Cook's Computer, commented:
If you want a solid backup, check out Datto. There is a monthly cost, but for the peace of mind I think it's worth it.
Member_2_7970390 (Author) commented:
Thank you guys for all the tips. Here are my overall thoughts at this moment. Of course, prevention side is just as important.

1) Having 5 external disks may be the best method, because it would work like a tape and 4 other disks are completely offline. It may take a day or two, or more, to manifest itself (locking up the files on the server).
2) No one really mentioned a NAS storage with multiple bays that each bay can be separately configured to be online or offline. So I can assume they don't exist...
3) Tape backups are expensive for terabyte era, therefore not suitable for smaller companies.
4) Ransomware spreads out only within the limit of the infected user's access right. Properly granting write access is a big key.

Here is my question, with 4) in mind: How can I make a "backup user" and limit all other users' access to the backup file?
Let's say you buy a 16TB NAS backup system, and each day 3TB is backed up so you have different versions of backups. Then...
- Create a "backup user" in AD and assign him the access right of backed-up folders.
- Configure the backup software and schedule the backups.

Do I need to buy backup software? Can I do this with the built-in Windows Server (2012R2) backup service?

>Fred Marshall
That is very interesting. Do I write a script? Does it need to be PowerShell, and then have Task Scheduler run it? I need to look into it.

Now on the prevention side -
> Wayne Herbert
1. Never heard of Layer 7 protection - I have a SonicWall FW without a protection subscription. Would it work in a similar way if I bought the subscription? Would it filter emails as well? Or are they two separate things?
2. OnlyMyEmail - Can this be an option if you don't even have an in-house email server? We use a hosted service, so I can't customize the setting.

Lastly, is there a recommended email server provider that has a very good filtering system?

Thank you!
> Here is my question, with 4) in mind: How can I make a "backup user" and limit all other users' access to the backup file?
You could do that, but you'd have to be very careful.
1) If you lock the admin out of being able to access the backups, what happens if the backup user account gets messed up somehow? However, that also assumes that an administrator account doesn't get compromised.
2) How are you going to account for the possibility of the backup account getting compromised? It wouldn't be feasible to change access controls on a daily basis.

I would just go with #1 of the 4 that you posted.

> Do I need to buy backup software? Can I do this with the built-in Windows Server (2012R2) backup service?
Given the scenario you named, are you speaking of having 5 of the drives, or just one? Case in point: if you make different folders for each day's backups, the built-in service would fail after the first backup because it wouldn't delete the 3 TB backup that already exists (it always wants to be able to keep 1). That said, either make sure whatever you get includes software, or buy some.

> 1. Never heard of Layer 7 protection - I have a SonicWall FW without a protection subscription. Would it work in a similar way if I bought the subscription? Would it filter emails as well? Or are they two separate things?
Ideally, that would be proxying. A Sonicwall cannot act as one, but can forward your web requests to a web proxy if you have one. It does, however, have built in content filtering (subscription required). The CGSS service unlocks features including content filtering, application controls (you could at least have policies that are application specific), gateway antivirus and antimalware.
Wayne Herbert, IT Specialist, commented:
The "layers" are derived from the OSI communications model.
Layer 7 is the application layer.  A layer 7 aware firewall is capable of identifying transmissions by URL, IP, and by content type.  Thus, you can block different kinds of traffic:  content, applications, sources, etc.  This is coupled with a real time updating system.  I don't know about your SonicWall, except to say that subscriptions are required for any layer 7 device of which I am aware.  With my Meraki, I can control content to specific users and devices as well, and as a side benefit, I can see who is using Pandora, downloading music, or surfing FaceBook.
Third party mail filtering services are easy to setup, regardless of whether you are in house or hosted.  I use Office 365 subscription services with a third party filtering service.  What you do is update your MX DNS records at your registrar or ISP to point to the email filtering services servers.  They, in turn, forward clean mail to your mail server.
I am of the opinion that the vast majority of email service providers that include spam services are crap. I have turned off Office 365 protection and use OnlyMyEmail. I have previously had the unfortunate experience of having to deal with server-based McAfee, SpamAssassin, and SpamTitan. They are crap... too many false positives, and still too many spam emails in the inbox.
If you are running Office 365, it's easy to turn off the built-in filters, and any other Exchange service you are using should be able to do the same thing, too.
> I am of the opinion that the vast majority of email service providers that include spam services are crap. I have turned off Office 365 protection and use OnlyMyEmail.
I cannot speak for OnlyMyEmail, but I do agree that O365 has *horrible* spam filtering. Even from discussions I've seen with Microsoft, a lot still gets missed. The intelligence end is definitely lacking. AppRiver probably has one of the better host-provided spam filters I've seen, and even that one I felt could still use tuning.
btan, Exec Consultant, commented:
> with 4) in mind: How can I make a "backup user" and limit all other users' access to the backup file?
I was thinking for a while and looking at other forums; most either make it read only, or make it a local account, or recover the last snapshot, etc. Frankly speaking, if the file server or backup does get tampered with by the pesky ware, the issue can be even greater: how did that come in?

Nevertheless, ransomware already gets such traction with new variants that go to mapped drives or unmapped drives (yes, there are such variants) or network-connected storage. Limiting access based on account may not mitigate as much. It helps, and that is why various copies of the backup are needed, including one that is offline and not in any way connected to the infected machine(s). Cumbersome, and likely not the latest, I know - actually that is dependent on the BCP objective you have in your organisation and part of planning and consensus.

The baseline is really to establish procedures to reduce the attack surface, also on the file server and endpoint, with preventive measures (application whitelisting, anti-ransomware, etc.). For the file server, if that is Windows, here is one example on FSRM that does some file screening (disallow ransomware signature files...) - not foolproof but a means to the end.

My few cents.. Pardon me if I did not address the questions.
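The FSRM file-screening idea above (the link btan posted did not survive extraction) looks like this in practice. The script below is an added example, not the linked article's content: it creates a File Server Resource Manager file group of file-name patterns, an active screen on the share path that refuses any write matching them, and an event-log action so the SOC or admin gets a signal with the offending account and path. The share path is an assumption, and the patterns are constructed placeholders; the real list has to come from a source you maintain, and, as btan says, name-based screening catches only families that rename files or drop notes, so it is a tripwire, not a guarantee.

```powershell
# Added example (editor's illustration). Install the feature first on the file server:
#   Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools
Import-Module FileServerResourceManager

$SharePath = 'D:\Shares'                       # assumed root of the user shares

# Constructed placeholder patterns standing in for the extensions and ransom-note names a
# given family leaves behind. Replace with a curated list and keep it updated.
$Patterns = @('*.example-locked', '*.example-encrypted', '*HOW_TO_DECRYPT_EXAMPLE*.txt')
$GroupName = 'Ransomware patterns'

# File group: idempotent so the script can be re-run after the pattern list changes.
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns | Out-Null
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns `
        -Description 'File names typically written by ransomware' | Out-Null
}

# Notification 1: Windows event (Application log, source SRMSVC) carrying FSRM's own
# macros, so the entry names the account and the path without any extra tooling.
$eventAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Ransomware pattern blocked on [File Screen Path]: [Source Io Owner] tried to write [Source File Path] from [Source Io Owner Machine]'

# Notification 2 (optional, aggressive): take the share offline the moment a hit occurs,
# which stops the encryption run at the cost of an outage until an admin re-shares it.
# Runs as LocalSystem, so keep the command fixed and the parameters non-user-controlled.
$cutAction = New-FsrmAction -Type Command -SecurityLevel LocalSystem `
    -Command 'C:\Windows\System32\net.exe' -CommandParameters 'share Shares /delete /y'

# Active screen: the write is refused, not merely reported. Drop $cutAction from the
# list to keep the event-only behaviour.
New-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName `
    -Notification @($eventAction, $cutAction) -Active `
    -Description 'Block ransomware file-name patterns and alert'
```

A practical check after deployment is to create a file matching one of the placeholder patterns from a test account and confirm both that the write fails and that the warning event appears; the same event is what a SIEM rule should key on, since a burst of these from one account is a much clearer signal than any single file operation.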
Ted K commented:
In short, here are the best practices:

1. Use a Cloud Backup
2. Use Encryption
3. Establish Retention Policies
4. Establish Lifecycle Policies

Also, some backup software already has the built-in ransomware protection - it detects the encrypted files and prevents them from being uploaded to the cloud (and deleting the existing "healthy" backups according to the retention policy).
btan, Exec Consultant, commented:
Provided due advice