Is Cloud Backup Adequate Protection from Ransomware?

I have heard this question many times, so I understand the concern of conscientious IT admins who want to know whether they are truly protected from a ransomware infection when using cloud backup. After all, backups are the last line of defense against ransomware and other malware. I understand there are some who really insist on the “air gap” that tape or other portable media provides. Feel free to augment your data protection methods and implement some level of offsite backup to air-gapped media once a month and take it offsite. However, even doing offsite media rotation once per week has a cost of its own. Portable media introduces lots of other downsides – like trying to get your backups offsite every day, tracking of media, storage of media, encrypting the media, etc.

We at Managecast address this concern for an “air gap”: we optionally provide the ability to export backups to air-gap media, generally once per month. This allows efficient offsite cloud backup with the added ability to air gap the backups and securely store them offsite.

However, most of our clients do not implement the air gap option and strictly use cloud backup with no definable “air” gap. Yet, it is also true that we field a lot of restore requests around ransomware infection.

Ransomware is our #1 reason for restores in the last 24 months!

So should our clients worry if not using the air gap option?

The reality is that it is next to impossible for ransomware to infect your offsite backups, and we have never seen ransomware leap to a service provider. Let’s say you are backing up to us and get hit with ransomware. It infects all of your machines and data (knock on wood). Then the backup runs and we back up all the infected data. True enough, we will faithfully back it up, but here is what would happen:

Because encrypting your data causes a massive data change, we usually see the backups running for a long, long time (the internet bandwidth is usually limited), and 9 times out of 10 we will see this and stop the backups. Yes, whatever data was backed up could be infected, and the infected data is being stored on the service provider's storage.

So does this mean that because infected data was backed up, it infects the other, previously backed-up offsite backups? No. Your current backup is just an incremental point-in-time backup. There is nothing stopping you from restoring from a previous backup unless you have an unusually short retention policy. It is possible that if you had a short retention policy of, say, 2-3 days, your incremental backups could end up overwriting your good data, but it’s rare for clients to have this short of a retention policy, and 14 days of backups is usually the minimum. So you would have 14 days to notice you had ransomware. If this isn’t long enough, consider a longer retention policy.
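The two paragraphs above describe a check that can be automated: flag an incremental run whose change volume dwarfs recent runs, then confirm that the last restore point before it is still inside the retention window. The following is an added example, not Managecast's code; the job sizes are constructed, and the 10x threshold, 7-run baseline and age-based retention model are assumptions.

```python
from datetime import date, timedelta
from statistics import median

# Constructed sample data: GB changed per nightly incremental run.
# The final run stands in for a backup taken after files were encrypted.
SIZES_GB = [4.2, 3.9, 5.1, 4.4, 4.0, 4.8, 4.3, 4.6, 4.1, 910.0]
JOBS = [(date(2024, 3, 1) + timedelta(days=i), gb) for i, gb in enumerate(SIZES_GB)]


def find_spike(jobs, factor=10, baseline_runs=7):
    """Index of the first run whose change volume exceeds `factor` times the
    median of the preceding `baseline_runs` runs, or None (assumed thresholds)."""
    for i in range(baseline_runs, len(jobs)):
        baseline = median(gb for _, gb in jobs[i - baseline_runs:i])
        if jobs[i][1] > factor * baseline:
            return i
    return None


def assess(jobs, retention_days, today, factor=10, baseline_runs=7):
    """Report the suspect run and whether the restore point before it survives.

    Assumes age-based retention: a restore point is kept for `retention_days`
    after it is taken. The run before the spike is treated as the last clean one.
    """
    idx = find_spike(jobs, factor, baseline_runs)
    if idx is None:
        return None
    last_clean = jobs[idx - 1][0]
    days_left = (last_clean + timedelta(days=retention_days) - today).days
    return {
        "spike": jobs[idx][0],
        "last_clean": last_clean,
        "days_left": days_left,       # negative means already expired
        "restorable": days_left >= 0,
    }


if __name__ == "__main__":
    noticed = date(2024, 3, 15)       # constructed: infection noticed 5 days later
    for retention in (14, 3):
        print(retention, assess(JOBS, retention, noticed))
```

With the constructed data, a 14-day retention still holds the last pre-spike restore point when the infection is noticed five days later, while a 3-day retention has already expired it.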

The reason the current backup data does not “infect” the offsite backup data is that it is encrypted at the source, then transmitted and stored in encrypted format. The ransomware is encrypted and would have no way to execute on the service provider side, and your past backups would be protected.

To colorfully illustrate the point, I tell people to consider an experiment in which they take the worst ransomware they can find and then ZIP the ransomware up in a password-protected ZIP file (make sure it’s a strong password!). Then email that file (without the password) to every person in your company and see if the ransomware spreads. The answer would be no, because without the password to decrypt the ZIP file, you have no way to access the ransomware and it has no way to run or infect anything else.

So, again, I know some people really want an “air gap”, but you are doing so to protect yourself from a non-existent threat while exposing yourself to lots of other downsides of portable media that are real threats! Is it really worth it? If an air gap is really needed, I would consider using an air-gap method of backup in addition to automated offsite cloud backup, or leverage the optional Managecast monthly air-gap backup.

In summary, I can tell you that for Managecast the #1 reason for DR restores in the past 2 years is ransomware infections. There has not been one instance in which those infections affected the offsite backups. We had a client that got hit three times in 1 year with ransomware and we had to restore them each time! Cloud Backup is a proven, safe, and robust protection against ransomware and other malware.