How to
Ryan Harnedy
Apr 2016

3 Better Ways to Use Backup to Recover from Ransomware


The current wisdom is that when ransomware infects your computer and encrypts your files, you have three basic options:

  1. Pay the ransom
  2. Restore from a backup
  3. Cut your losses and nuke the computer

Of those three choices, backup is obviously your best option. Assuming everything goes well, you’ll get your data back and you can get back to work knowing you dodged a bullet.

But remember, just because you have backup in place doesn’t mean you’re protected from ransomware. We recently invited members of the Spiceworks IT community to share their experiences with ransomware in a brief survey. While the majority of them reported backing up their data, only 42% were able to fully recover everything that had been compromised or encrypted.

Relying solely on backup as ransomware protection is like using your emergency brake for everyday driving: it may get the job done but it’s going to be messy.

The truth is, restoring from backup isn’t always going to go smoothly. There’s also no guarantee it’s going to be comprehensive. It’s a much preferred option to paying the ransom, but to make sure it’s a viable option there are several things you need to prepare for and consider. Otherwise, if or when ransomware does hit, you may unfortunately find out you don’t have that choice after all.

Using Backup to Recover from Ransomware: 4 Things You Have to Consider

While it’s true that restoring from backup is the best option when you’re hit with a ransomware attack, there are several things to think about when you use backup as the core of your ransomware protection strategy.

1) Recovery point objective (RPO): Recovery Point Objective is the timeframe dictating how often backups are created. It also informs the dates and times you can recover from. If you take weekly backups and you suffer data loss you can restore that computer exactly as it was a week ago. If you take daily backups and suffer data loss you can restore your computer as it was the day before.

It’s important to understand what your RPO is and how much data you could stand to lose if you were hit with ransomware and had to recover from your backup.

Ex: If your RPO is a week and you take backups on Sunday, a ransomware hit on Saturday is going to wipe out a week’s worth of work. If your RPO is 24 hours, on the other hand, at most you’re going to lose a day’s worth of work.

2) Recovery time objective (RTO): Recovery Time Objective is the rough amount of time it will take to restore a computer from backup and get it back up and running. RTO is typically used to help your IT team estimate how long it will take to recover from any data loss.

However, you should keep in mind that this is an average. Depending on the type of data loss, the time to actually recover the data might be longer than you anticipated.

3) The better the backup, the bigger the price tag: While it is possible to keep your RPO and RTO very low and improve your ability to recover more data faster, the price tag on those types of backup systems can go up very fast.

In most cases, it can be more cost and time efficient to invest in something like behavior-based endpoint protection rather than looking to upgrade your backup solution. You’ll stop more attacks and not be as reliant on backup.

4) Local backups can be encrypted by ransomware, too: If your backup solution is local and connected to a computer that gets hit with ransomware, the chances are good your backups will be encrypted along with the rest of your data.

Ransomware such as CryptoFortress and Locky can encrypt connected network drives, so it's crucial to have backup that isn't directly connected.

3 Tips to Make Your Backup Ransomware Ready

While all this may look like a lot of bad news, the upside is that there are some quick tweaks you can make to your backup strategy that will make it more effective against ransomware.

1) Embrace 3-2-1 backup: 3-2-1 backup is a backup strategy that requires you to have three copies of your data in two different locations, one of which is offsite. Making your backup 3-2-1 compliant ensures that even if one copy of your backup is encrypted by ransomware you’ll still have at least one off-site copy that can’t be touched.

2) Use both image and file backup: Image backup creates a snapshot of your computer that allows you to restore your computer to a state it was in at a previous point in time.

A single image file is easier to manage and quicker to restore than thousands of individual files, which will help reduce your RTO. However, a file-based backup will allow you to recover single files more quickly than a whole system image. So if your user needs a critical document right away, you can recover it for them while you restore the rest of the image.

3) Test, test, test: As a best practice, testing out how long it actually takes you to restore an individual endpoint from backup is a great way to help understand the cost in resources and time from a ransomware attack.
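The 3-2-1 rule from tip 1, together with the RPO and connected-backup points made earlier in the article, can be checked against a backup inventory. This is an added example, not part of the original article; the inventory fields, site labels, finding codes and sample dates are constructed, and it assumes the live data counts as one of the three copies.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class BackupCopy:
    name: str
    location: str          # site label such as "hq" or "cloud" (hypothetical)
    offsite: bool
    mounted: bool          # writable from the protected endpoint (drive, share)
    last_success: datetime

def audit(primary_location, backups, rpo, now):
    """Return (code, detail) findings; an empty list means the inventory passes."""
    findings = []
    fresh = []
    for b in backups:
        if now - b.last_success > rpo:
            findings.append(("STALE", b.name))   # older than the RPO allows
        else:
            fresh.append(b)
    # Assumption: the live data counts as one of the three copies.
    if 1 + len(fresh) < 3:
        findings.append(("FEWER_THAN_3_COPIES", 1 + len(fresh)))
    if len({primary_location} | {b.location for b in fresh}) < 2:
        findings.append(("SINGLE_LOCATION", primary_location))
    if not any(b.offsite for b in fresh):
        findings.append(("NO_OFFSITE_COPY", None))
    # A copy the endpoint can write to can be encrypted along with it.
    if all(b.mounted for b in fresh):
        findings.append(("ALL_COPIES_CONNECTED", None))
    return findings

# Constructed sample inventories for an endpoint at site "hq".
NOW = datetime(2016, 4, 9, 12, 0)
RPO = timedelta(hours=24)
BEFORE = [BackupCopy("usb-disk", "hq", False, True, NOW - timedelta(days=6)),
          BackupCopy("nas-share", "hq", False, True, NOW - timedelta(hours=5))]
AFTER = [BackupCopy("nas-share", "hq", False, True, NOW - timedelta(hours=5)),
         BackupCopy("cloud-vault", "cloud", True, False, NOW - timedelta(hours=9))]

if __name__ == "__main__":
    print(audit("hq", BEFORE, RPO, NOW))
    print(audit("hq", AFTER, RPO, NOW))
```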

3 Things to Rely on for Ransomware Protection Before You Resort to Backup

Relying on backup recovery is a good backup option to have, but it's equally important to invest in security approaches that help you avoid ransomware in the first place. Here are a few things you can easily do to help ensure it doesn't come down to you putting all your eggs in the backup basket:

1) Use a multi-layered security strategy: No security tool is 100% effective, but using a multi-layered approach that includes firewalls, antivirus, and behavioral-based malware detection can help ensure that even if one layer doesn’t catch a threat another layer will.

2) Conduct user training, and lots of it: Whether it’s through malvertising, phishing, or social engineering, the biggest weak point attackers target is user behavior. Schedule regular training with your users to go over best practices and how they can avoid having their computers compromised by malware.

If you need help getting started on this, our Realist’s Guide to Cybersecurity Awareness has some great resources to help you make user training efficient, effective, and actionable.

3) Patch early, patch often: Security software needs regular updates and patching to keep up with new cyber-attacks. Make sure all of your security software is regularly updated.

Next Steps

Ready to learn more about how to keep your users happy, productive, and malware-free? Check out the IT Pro’s Guide to Endpoint Security.

Ryan Harnedy

Ryan writes about how to make cybersecurity make sense to end users and keep employees safe from ransomware, malware, and phishing attacks. He enjoys decoding buzzwords and sharing security tips that users might actually follow.

