Overview
Ransomware is a form of malware that encrypts files on computers and demands that you pay a ransom to decrypt these files. Instead of paying the criminals behind a ransomware attack, you can use CrashPlan software to restore files from a date and time prior to the infection.
This tutorial describes best practices that put security teams in the strongest position to recover from ransomware.
Defeat ransomware with frequent backup
The best defense against ransomware is frequent, reliable, automatic backup of every endpoint in your enterprise. Analysts and industry experts recommend frequent backups to mitigate the risk of data loss and remove the need to pay a ransom. The best backups run automatically and continuously and keep enough versions to support a reliable file restore.
Prepare your CrashPlan environment
Set file backup frequency and version retention
Appropriate frequency and version settings give you a deep set of backed-up versions to choose from, so that you can restore files from a date and time before the ransomware infection. Backups must run often enough, and versions must be retained long enough, to cover the gap between the infection and its detection. If retention is too short, every version still held, including the oldest, may already be encrypted by the time the attack is noticed.
To change frequency and version settings:
- Sign in to the CrashPlan console.
- Select Administration > Environment > Organizations.
- Select a specific organization.
- From the action menu in the upper right, select Device Backup Defaults.
- Select the Backup tab.
- Navigate to Frequency And Versions.
- In Frequency, drag the Backup new version slider to set how often to back up and create new versions of files in the archive. Use the default setting of Every 15 minutes to ensure there are versions to revert to in the event of a ransomware attack.
  Large files: you can lengthen the frequency interval to accommodate large files, at the cost of fewer versions to choose from.
- In Version retention, drag the slider to choose which versions to keep from each time period, and leave Remove deleted files at the default setting of Never. Keep enough older versions that clean, pre-infection versions remain available to restore.
  Deleted files retention for ransomware: some ransomware renames files by changing their extensions, which causes the CrashPlan app to treat the original files as deleted. Those originals are then removed after the period set by Remove deleted files in the Frequency and Versions settings. Leaving Remove deleted files at the default setting of Never prevents the original files from being purged after a ransomware attack.
- Click the Lock button on both Frequency and Version retention to apply the settings and push them to users.
Changes to frequency and version settings
Changes to frequency and version settings are applied to each backup archive after the user's device connects to the CrashPlan cloud.
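To make the retention trade-off concrete, here is an added Python model (example code, not CrashPlan's own software or its actual retention algorithm) that captures versions at a chosen backup interval, prunes them with a simplified tiered retention scheme, and reports how many clean, pre-infection versions remain restorable for a given detection delay. The tier structure, the policy values and the edit/infection timeline are all constructed assumptions for illustration.

```python
"""Simplified model of how backup frequency, version retention and the
"Remove deleted files" setting interact with the delay between a ransomware
infection and its detection.

Added, illustrative example, not CrashPlan's own code. The tiered retention
scheme (keep every version / one per day / one per week, always keep the
newest) is a hypothetical stand-in for the real retention slider, and all
scenario inputs are constructed.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class RetentionPolicy:
    backup_interval: timedelta                 # "Backup new version" slider
    keep_all_versions_for: timedelta           # every captured version kept this long
    keep_daily_for: timedelta                  # then one version per day up to this age
    keep_weekly_for: timedelta                 # then one version per week up to this age
    remove_deleted_after: Optional[timedelta]  # "Remove deleted files"; None means Never


@dataclass
class Scenario:
    user_changes: List[datetime]   # times the user edited the file
    infected_at: datetime          # ransomware overwrites or renames the file
    detected_at: datetime          # when the team notices and tries to restore
    renames_file: bool             # does the ransomware change the extension?


def capture_versions(change_times: List[datetime], interval: timedelta,
                     epoch: datetime) -> List[datetime]:
    """Each change is captured at the next backup tick on or after it.
    Changes inside the same interval collapse into one version."""
    ticks = {epoch + math.ceil((t - epoch) / interval) * interval
             for t in change_times}
    return sorted(ticks)


def prune(versions: List[datetime], policy: RetentionPolicy,
          now: datetime) -> List[datetime]:
    """Apply the tiered retention policy as of `now`."""
    if not versions:
        return []
    kept = {versions[-1]}               # the current state is always retained
    newest_per_day, newest_per_week = {}, {}
    for v in versions:                  # ascending, so later entries overwrite earlier
        age = now - v
        if age <= policy.keep_all_versions_for:
            kept.add(v)
        elif age <= policy.keep_daily_for:
            newest_per_day[v.date()] = v
        elif age <= policy.keep_weekly_for:
            newest_per_week[v.isocalendar()[:2]] = v
    kept.update(newest_per_day.values())
    kept.update(newest_per_week.values())
    return sorted(kept)


def clean_versions_available(scn: Scenario, policy: RetentionPolicy) -> List[datetime]:
    """Pre-infection versions that are still restorable at detection time."""
    epoch = min(scn.user_changes).replace(hour=0, minute=0, second=0, microsecond=0)
    if scn.renames_file:
        # The encrypted copy appears under a new name; the original path looks
        # deleted from infected_at onward and is purged once the deleted-file
        # retention period elapses (never, when the setting is Never).
        if (policy.remove_deleted_after is not None
                and scn.detected_at - scn.infected_at > policy.remove_deleted_after):
            return []
        versions = capture_versions(scn.user_changes, policy.backup_interval, epoch)
    else:
        # Encrypted in place: the ransomware's write is backed up like any edit.
        versions = capture_versions(scn.user_changes + [scn.infected_at],
                                    policy.backup_interval, epoch)
    retained = prune(versions, policy, scn.detected_at)
    return [v for v in retained if v < scn.infected_at]


# Constructed scenario: a document edited daily at 09:00 from 1 Jan to 9 Mar 2024,
# encrypted on 10 Mar at 14:07, noticed either two or ten days later.
USER_EDITS = [datetime(2024, 1, 1, 9) + timedelta(days=i) for i in range(69)]
INFECTED_AT = datetime(2024, 3, 10, 14, 7)
QUICK_DETECTION = datetime(2024, 3, 12, 10)
LATE_DETECTION = datetime(2024, 3, 20, 10)

# Hypothetical policies: generous retention with deleted files never removed,
# versus short retention with deleted files purged after a week.
RECOMMENDED = RetentionPolicy(timedelta(minutes=15), timedelta(days=7),
                              timedelta(days=90), timedelta(days=365), None)
RESTRICTIVE = RetentionPolicy(timedelta(hours=6), timedelta(days=1),
                              timedelta(days=7), timedelta(days=7), timedelta(days=7))


def scenario(detected_at: datetime, renames_file: bool = False) -> Scenario:
    return Scenario(USER_EDITS, INFECTED_AT, detected_at, renames_file)


if __name__ == "__main__":
    for name, policy in (("recommended", RECOMMENDED), ("restrictive", RESTRICTIVE)):
        for label, scn in (("quick", scenario(QUICK_DETECTION)),
                           ("late", scenario(LATE_DETECTION)),
                           ("late, renamed", scenario(LATE_DETECTION, True))):
            n = len(clean_versions_available(scn, policy))
            print(f"{name:12s} {label:14s} clean versions restorable: {n}")
```

Running it shows the point of the settings above: with the generous policy, every pre-infection daily version is still restorable whether the attack is noticed after two days or ten, and even when the ransomware renames files, because deleted files are never removed. With the restrictive policy, a two-day detection leaves five clean versions, a ten-day detection leaves only the encrypted version, and if the files were renamed the originals have already been purged by the seven-day deleted-file setting.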
Require the account password to open the CrashPlan app
Since recovering from ransomware depends on the integrity of the backed-up files, it's important to prevent unauthorized access to the CrashPlan app. Requiring the account password to open the CrashPlan app helps protect backed-up files from being accessed or deleted by an unauthorized user.
To require the account password to open the CrashPlan app:
- Sign in to the CrashPlan console.
- Select Administration > Environment > Organizations.
- Select an organization.
- From the action menu in the upper right, select Device Backup Defaults.
- Select the Security tab.
- Enable the setting to Require password to access the CrashPlan app.
- Click Save.
Use USMT to retain Windows settings
Users' files are only one part of the data that might be compromised when a ransomware attack occurs; Windows users may also find that their settings are lost. To prevent losing Windows users' settings, back up Microsoft's User State Migration Tool (USMT) data. This allows you to restore users' Windows settings in the aftermath of an attack.
Verify file selection
You can change inclusion rules to expand the set of backed-up files. For example, if a user's backup selection covers only the user's home directory (the default), data outside that directory is not backed up; you can add folders to the selection as needed.
When changing these rules, make sure appropriate exclusions are in place so that only the desired files are backed up; for example, system and application files and folders are typically excluded from backup.
Exclude known ransomware file types
You can proactively add file exclusions of known ransomware file types to ensure that infected files are not stored in archives. While not all ransomware attacks change the file extensions, excluding these file types can assist in keeping backup archives clear of at least some infected files.
Test restores
After you have made all the preparations, you should test restoring files to ensure that it works as expected in the event of a ransomware attack. You can restore files using the CrashPlan app.
Ensure all endpoints are backed up
Your ability to recover from ransomware is only as good as your backups. You are only adequately prepared if all your endpoints are backed up continuously without interruption.
Install the CrashPlan app on all endpoints
- Prepare deployment packages for the CrashPlan app.
- Push installations from a central server to devices in your CrashPlan environment using software deployment tools such as SCCM.
Ensure backups are running
To ensure backups are running, you can use a number of methods, such as reports and alerts, to identify devices that may require administrator action.
Run reports
To determine if any endpoints are not getting backed up, you can view device status using the device status report. The report shows the percentage of backup completed, the last date and time backup was completed, and the last time any backup activity occurred, among other information.
- Sign in to the CrashPlan console.
- Select Administration > Status > Reporting.
- On the Device Status Report tab, click Run Report.
Generate warning emails
Organization administrators automatically receive warning emails when a CrashPlan app has been unable to reach any backup destination for a set period. To send these warnings to additional recipients, add their email addresses:
- Sign in to the CrashPlan console.
- Select Administration > Environment > Organizations.
- Select a specific organization.
- From the action menu in the upper right, select Edit.
- Select the Reporting tab.
- Add email addresses in Recipients.
- From Alerts > No backup for, select the number of days that must pass before warning emails are sent.
Monitor with the CrashPlan console
You can use the CrashPlan console to get an overview of users and devices or to view connection and backup statistics.
Use the CrashPlan API
You can view device backup status using the CrashPlan API by using the DeviceBackupReport resource.
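As an added example (not CrashPlan's own code or API client), the following Python script applies the three report columns described above, percentage complete, last completed backup and last activity, to a constructed DeviceBackupReport-style JSON response and lists the devices an administrator should look at. The field names, the response shape and the URL path used by fetch_report() are assumptions for this example; verify them against the CrashPlan API reference for your console before using it live.

```python
"""Flag devices that need administrator attention from a DeviceBackupReport.

Added example, not CrashPlan's own code. The JSON below is a constructed
stand-in for the report; the field names (deviceName, percentComplete,
lastCompletedBackupTimestamp, lastActivity), the {"data": [...]} shape and
the URL path in fetch_report() are assumptions for this example.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample response (not real report output).
SAMPLE_REPORT = json.dumps({"data": [
    {"deviceName": "LAPTOP-001", "percentComplete": 100.0,
     "lastCompletedBackupTimestamp": "2024-03-19T22:10:00Z",
     "lastActivity": "2024-03-20T08:55:00Z"},              # healthy
    {"deviceName": "LAPTOP-002", "percentComplete": 97.5,
     "lastCompletedBackupTimestamp": "2024-03-01T06:00:00Z",
     "lastActivity": "2024-03-02T09:30:00Z"},              # silent for weeks
    {"deviceName": "LAPTOP-003", "percentComplete": 42.0,
     "lastCompletedBackupTimestamp": None,
     "lastActivity": "2024-03-20T07:00:00Z"},              # never finished a backup
    {"deviceName": "LAPTOP-004", "percentComplete": 100.0,
     "lastCompletedBackupTimestamp": "2024-03-17T11:00:00Z",
     "lastActivity": "2024-03-20T09:00:00Z"},              # active, but just past the threshold
]})
REPORT_TIME = datetime(2024, 3, 20, 12, tzinfo=timezone.utc)   # "now" for the sample
MAX_AGE = timedelta(days=3)                                     # tolerated backup/activity age


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 timestamp; the report may leave fields null."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_devices_needing_attention(report_json: str, now: datetime,
                                   max_age: timedelta) -> Dict[str, List[str]]:
    """Return {deviceName: [reasons]} for every device that is not healthy."""
    findings: Dict[str, List[str]] = {}
    for row in json.loads(report_json)["data"]:
        reasons = []
        completed = parse_ts(row.get("lastCompletedBackupTimestamp"))
        activity = parse_ts(row.get("lastActivity"))
        if completed is None:
            reasons.append("no_completed_backup")   # never finished a full backup
        elif now - completed > max_age:
            reasons.append("stale_backup")          # last complete backup is too old
        if activity is None or now - activity > max_age:
            reasons.append("no_activity")           # app not reaching any destination
        if row.get("percentComplete", 0.0) < 100.0:
            reasons.append("incomplete")            # selection not fully stored yet
        if reasons:
            findings[row["deviceName"]] = reasons
    return findings


def sample_findings() -> Dict[str, List[str]]:
    """Run the check over the constructed sample at its reference time."""
    return find_devices_needing_attention(SAMPLE_REPORT, REPORT_TIME, MAX_AGE)


def fetch_report(console_url: str, bearer_token: str) -> str:
    """Fetch the live report over HTTPS.
    ASSUMPTION: the path and bearer-token header are placeholders for this
    example; use the DeviceBackupReport URL and authentication documented
    for your console."""
    req = urllib.request.Request(
        f"{console_url.rstrip('/')}/api/v1/DeviceBackupReport",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for device, reasons in sample_findings().items():
        print(f"{device}: {', '.join(reasons)}")
```

The check deliberately treats "no completed backup yet" and "last completed backup too old" as different findings, since a device that has never finished its first backup is a deployment problem while a device that stopped completing backups is the pattern a ransomware infection or a disconnected agent produces. Tune MAX_AGE to match the "No backup for" threshold you set for warning emails so the report and the alerts agree.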
General information
Non-backup measures
Backup is not the only defense. In a public service announcement, the United States Federal Bureau of Investigation (FBI) provides additional recommendations for defending against ransomware. The recommendations include:
- Patch software (operating systems, Java, Flash, web browsers, software, firmware).
- Schedule regular antivirus and anti-malware scans.
- Disable macros for email attachments.
- Restrict execution permissions in known ransomware locations.
- Use the principle of least privilege.
- Train your users to:
- Open attachments only from known parties.
- Download software only from trusted sites.
File sync is not backup
File synchronization, offered through a variety of products, provides a way for your organization to share files among teams or throughout the enterprise. At first glance, you might think that file synchronization would be a good way to back up files. But backup and sync are not the same thing:
- File synchronization only accounts for some files, whereas backup can account for all files.
- File synchronization requires users to actively place files in a specific directory or upload them, whereas backup occurs without user intervention. CrashPlan allows administrators to define backup policies without requiring user interaction.
- If a synced file is infected by ransomware, and that file is synced with a server, it has the potential to infect any endpoint that accesses it.
- Synchronization encourages replication of the ransomware throughout the synced file set. Consider the Locky ransomware: it can corrupt a file up to 100 times, and in a synced environment each corrupted copy is synced in turn, potentially replacing all older good versions of the file. This leaves you with no healthy file for recovery. Even if you can get back to a healthy version, many sync products require you to recover each file individually by rolling back to a previous version.
Therefore, you should not rely on synchronization as a means to back up your files.