Use CrashPlan for Small Business to defend against ransomware

Set file backup frequency and version retention

Use the frequency and version settings to create frequent backups. A robust set of backed up files with a large date range increases the odds that you can restore files from a date and time before the ransomware infection. If the frequency and version settings are too restrictive, they won't allow for frequent enough backups, and it's possible that even your oldest backup could be encrypted by ransomware.

To change frequency and version settings:

1. Sign in to the CrashPlan console.
2. Select Device Backup.
3. Select the Backup tab.
4. Navigate to Frequency and versions.
   Following are the default settings.
   
5. In Frequency, drag the slider on Backup changes every to indicate how often to back up and create new versions of files in the archive.
   Keep the default setting of Every 30 minutes to give you enough versions to revert to if you're hit with ransomware.

   Large files

   You can change the frequency interval to a longer period to accommodate large files.

6. In Version retention, drag the slider to indicate which versions to keep from different time periods, and leave Remove deleted files at the default setting of Every 90 days.
   Keep enough older versions so that you have clean versions you can restore.

   Prevent removal of files

   Some ransomware programs change file extensions, causing the CrashPlan app to think the original files were deleted. This causes the CrashPlan app to remove the original files at the time set by the Remove deleted files value in the Frequency and versions settings. Therefore, leave Remove deleted files at the default setting of Every 90 days to prevent immediate removal of files in the event of a ransomware attack.

7. Click the Push button for Frequency and versions to push the settings to users.

    Changes to frequency and version settings

   Changes to frequency and version settings are applied to each backup archive after the user's device connects to the CrashPlan cloud.

Require the account password to open the CrashPlan app 

Since recovering from ransomware depends on the integrity of the backed-up files, it's important to prevent unauthorized access to the CrashPlan app. Requiring the account password to open the CrashPlan app helps protect backed-up files from being accessed or deleted by an unauthorized user.

To require the account password to open the CrashPlan app:

1. Sign in to the CrashPlan console.
2. Select Device Backup.
3. Select the Security tab.
4. Enable the setting to Require account password to access the CrashPlan CrashPlan app.
5. Click Save.

Verify file selection

Ensure that you have included or excluded the appropriate files to ensure you're only backing up the files you want.

For guidance on what files and folders to back up, see What should you back up with CrashPlan for Small Business? 

Exclude known ransomware file types

You can proactively add filename exclusions of known ransomware file types to ensure that infected files are not stored in archives. While not all ransomware attacks change the file extensions, excluding these file types can assist in keeping backup archives clear of at least some infected files.

Test restores

After you have made all the preparations, you should test restoring files to ensure that it works as expected in the event of a ransomware attack. You can restore files using the CrashPlan app or via the CrashPlan console.

Ensure all computers are backed up

Your ability to recover from ransomware is only as good as your backups. You are only adequately prepared if all your computers are backed up continuously without interruption.

Non-backup measures

Backup is not the only defense. In a public service announcement, the United States Federal Bureau of Investigation (FBI) provides additional measures for defending against ransomware. These include:

• Patch software (operating systems, Java, Flash, web browsers, software, firmware).
• Schedule regular antivirus and anti-malware scans.
• Disable macros for email attachments.
• Restrict execution permissions in known ransomware locations.
• Use the principle of least privilege.
• Train your users to:
  • Open attachments only from known parties.
  • Download software only from trusted sites.

File sync is not backup

File synchronization, offered through a variety of products, provides a way for your organization to share files among teams or throughout organizations. At first glance, you might think that file synchronization would be a good way to back up files. But backup and sync are not the same thing:

• File synchronization only accounts for some files, whereas backup can account for all files.
• File synchronization requires users to actively place files in a specific directory or upload them, whereas backup occurs without user intervention. CrashPlan for Small Business allows administrators to define backup policies without requiring user interaction.
• If a synced file is infected by ransomware, and that file is synced with a server, it has the potential to infect any endpoint that accesses it.
• Synchronization encourages replication of the ransomware throughout the synced file set. Consider the Locky ransomware. It corrupts up to 100 times, and in a synced environment, potentially replaces all older good versions of the synced file. This leaves you with no healthy file for recovery. Even if you are able to recover back to a healthy file, many sync products require to you recover each file individually by rolling back to a previous version.

Therefore, you should not rely on synchronization to back up your files.