Ransomware is a form of malware that encrypts files on computers and demands that you pay a ransom to decrypt these files. Instead of paying the criminals behind a ransomware attack, you can use CrashPlan for Small Business software to restore files from a date and time prior to the infection.
This tutorial provides best practices for CrashPlan for Small Business administrators to follow to ensure that they are in the best situation to recover from ransomware.
Defeat ransomware with frequent backup
The best defense against ransomware is frequent, reliable, automatic backup of all the endpoints in your organization. Analysts and industry experts advise frequent backups to mitigate risk of data loss and eliminate ransom payments. The best backups are those that happen automatically and continuously and offer versioning that supports reliable file restore.
Prepare your CrashPlan for Small Business environment
Set file backup frequency and version retention
Use the frequency and version settings to create frequent backups. A robust set of backed up files with a large date range increases the odds that you can restore files from a date and time before the ransomware infection. If the frequency and version settings are too restrictive, they won't allow for frequent enough backups, and it's possible that even your oldest backup could be encrypted by ransomware.
To change frequency and version settings:
- Sign in to the CrashPlan console.
- Select Device Backup.
- Select the Backup tab.
- Navigate to Frequency and versions.
Following are the default settings.
- In Frequency, drag the slider on Backup changes every to indicate how often to back up and create new versions of files in the archive.
Keep the default setting of Every 30 minutes to give you enough versions to revert to if you're hit with ransomware.
You can change the frequency interval to a longer period to accommodate large files.
- In Version retention, drag the slider to indicate which versions to keep from different time periods, and leave Remove deleted files at the default setting of Every 90 days.
Keep enough older versions so that you have clean versions you can restore.
Prevent removal of files
Some ransomware programs change file extensions, causing the CrashPlan app to think the original files were deleted. This causes the CrashPlan app to remove the original files at the time set by the Remove deleted files value in the Frequency and versions settings. Therefore, leave Remove deleted files at the default setting of Every 90 days to prevent immediate removal of files in the event of a ransomware attack.
- Click the Push button for Frequency and versions to push the settings to users.
Changes to frequency and version settings
Changes to frequency and version settings are applied to each backup archive after the user's device connects to the CrashPlan cloud.
Require the account password to open the CrashPlan app
Since recovering from ransomware depends on the integrity of the backed-up files, it's important to prevent unauthorized access to the CrashPlan app. Requiring the account password to open the CrashPlan app helps protect backed-up files from being accessed or deleted by an unauthorized user.
To require the account password to open the CrashPlan app:
Verify file selection
Ensure that you have included or excluded the appropriate files to ensure you're only backing up the files you want.
For guidance on what files and folders to back up, see What should you back up with CrashPlan for Small Business?
Exclude known ransomware file types
You can proactively add filename exclusions of known ransomware file types to ensure that infected files are not stored in archives. While not all ransomware attacks change the file extensions, excluding these file types can assist in keeping backup archives clear of at least some infected files.
After you have made all the preparations, you should test restoring files to ensure that it works as expected in the event of a ransomware attack. You can restore files using the CrashPlan app or via the CrashPlan console.
Ensure all computers are backed up
Your ability to recover from ransomware is only as good as your backups. You are only adequately prepared if all your computers are backed up continuously without interruption.
Install the CrashPlan app on all computers
First, create separate accounts for each user in your organization. Separate accounts help make sure that users can only access their own files.
Ensure backups are running
To ensure backups are running, you can monitor the CrashPlan app and CrashPlan console.
You can also or generate warning emails. Administrators automatically receive email reports if the CrashPlan app isn't able to reach any backup destinations after a specified time period. However, if you want additional users to receive these reports, add their email addresses:
- Sign in to the CrashPlan console.
- Select Reporting.
- Add email addresses in Additional report recipients.
- Click the + button.
Backup is not the only defense. In a public service announcement, the United States Federal Bureau of Investigation (FBI) provides additional measures for defending against ransomware. These include:
- Patch software (operating systems, Java, Flash, web browsers, software, firmware).
- Schedule regular antivirus and anti-malware scans.
- Disable macros for email attachments.
- Restrict execution permissions in known ransomware locations.
- Use the principle of least privilege.
- Train your users to:
- Open attachments only from known parties.
- Download software only from trusted sites.
File sync is not backup
File synchronization, offered through a variety of products, provides a way for your organization to share files among teams or throughout organizations. At first glance, you might think that file synchronization would be a good way to back up files. But backup and sync are not the same thing:
- File synchronization only accounts for some files, whereas backup can account for all files.
- File synchronization requires users to actively place files in a specific directory or upload them, whereas backup occurs without user intervention. CrashPlan for Small Business allows administrators to define backup policies without requiring user interaction.
- If a synced file is infected by ransomware, and that file is synced with a server, it has the potential to infect any endpoint that accesses it.
- Synchronization encourages replication of the ransomware throughout the synced file set. Consider the Locky ransomware. It corrupts up to 100 times, and in a synced environment, potentially replaces all older good versions of the synced file. This leaves you with no healthy file for recovery. Even if you are able to recover back to a healthy file, many sync products require to you recover each file individually by rolling back to a previous version.
Therefore, you should not rely on synchronization to back up your files.
- CrashPlan for Small Business resources: Ransomware: outsmart the attacker
- Wikipedia: Ransomware
- FBI: Ransomware Victims Urged To Report Infections To Federal Law Enforcement (Alert Number I-091516-PSA)
- Symantec: ISTR Insights Special Report: Ransomware and Business 2016
- Gartner Group: Use These Five Backup and Recovery Best Practices to Protect Against Ransomware