Ransomware Protection

What is Ransomware?

Ransomware is a type of malicious software that encrypts files, rendering them inaccessible, and holds the data hostage until the victim pays a ransom. Typically, ransomware attacks are carried out by a Trojan that enters a system through:

  • Malicious attachments.
  • Embedded links in phishing emails.
  • Vulnerabilities in network services.

Protecting Your Backup Using the Retention Policy Feature

The retention policy is an effective tool for securing your backups against ransomware. You can protect your backups by customizing the retention policy.

Best Practice Retention Settings

To set up protection of your backups against ransomware, customize the retention policy for your backup plan. Follow the hints below to create a custom retention policy that suits your needs and requirements.

  1. Select the backup plan you want to modify for protection, then click Edit.
  2. Follow the Setup Wizard steps until the Retention policy step opens.
  3. Customize the retention settings described below according to your preferences.
  4. Click Next once you have finished configuring the settings.

The Specify custom retention policy for backup plan option allows you to create a customized retention policy that helps keep your files safe from ransomware attacks. Select it to activate the retention policy settings.

The Delete versions older than option allows you to specify the period after which file versions are deleted. Select the corresponding check box to make the detailed settings available.

Use the spin boxes to specify how long file versions are kept; keeping versions for a sufficiently long period secures them against ransomware attacks. Specify the counting mode by selecting the corresponding item (modification date or backup date) from the drop-down menu on the right.

The Keep number of versions (for each file) option enables you to specify the number of file versions that are kept by your backup plan. This secures your files in case they are encrypted by ransomware, since you can easily restore a clean file version. It is recommended to keep at least 3 versions. You can specify the number of versions kept using the Number of versions spin box.

The Delay purge for option allows you to specify a period during which file versions are not purged from the backup. Select the corresponding check box, then specify the purge delay period (for example, 2 weeks).

The Delete files that have been deleted locally option allows you to manage the deletion of files in your backup storage that have been deleted locally. To secure your backup against ransomware attacks, it is recommended that you keep this check box clear.

The Do not show warning for files to be deleted option allows you to suppress warnings about the deletion of files stored locally. In the context of ransomware protection, it is not recommended to keep this check box selected.
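The following simulation is an added illustration, not CloudBerry Backup code, of how the retention options above (the four-step procedure and the individual settings) interact when ransomware overwrites a file. It models one retention pass over a constructed version history: a minimum version count that is never purged by age, an age threshold, a purge delay, and the "delete files that have been deleted locally" switch. The exact semantics are an assumed reading of the option descriptions, and the file names, dates and the "clean" flag are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Version:
    path: str
    backup_date: datetime
    clean: bool = True             # constructed flag: False = version written after encryption
    deleted_locally: bool = False  # the source file no longer exists on the client

def apply_retention(versions, now, keep_versions=3, delete_older_than_days=None,
                    purge_delay_days=0, delete_locally_deleted=False):
    """Simulate one retention pass and return (kept, purged) lists of Version.

    Assumed model of the options on this page:
      - the keep_versions newest versions of each file are never purged by age;
      - a version older than delete_older_than_days becomes eligible for purge;
      - purge_delay_days postpones the purge after a version becomes eligible;
      - delete_locally_deleted removes backup versions of files that vanished locally.
    """
    kept, purged = [], []
    by_path = {}
    for v in versions:
        by_path.setdefault(v.path, []).append(v)
    for vs in by_path.values():
        vs.sort(key=lambda v: v.backup_date, reverse=True)  # newest first
        for rank, v in enumerate(vs):
            if delete_locally_deleted and v.deleted_locally:
                purged.append(v)
                continue
            if rank < keep_versions or delete_older_than_days is None:
                kept.append(v)                               # protected by the version count
                continue
            eligible_at = v.backup_date + timedelta(days=delete_older_than_days)
            if now >= eligible_at + timedelta(days=purge_delay_days):
                purged.append(v)
            else:
                kept.append(v)                               # still inside the purge delay
    return kept, purged

def clean_versions(kept):
    """Clean versions that survived, as 'path@date' strings (what a restore can use)."""
    return sorted(v.path + "@" + v.backup_date.date().isoformat() for v in kept if v.clean)

# Constructed history: clean backups on days 0, 10 and 20; ransomware strikes on day 30.
DAY0 = datetime(2023, 1, 1)
HISTORY = [
    Version("report.docx", DAY0),
    Version("report.docx", DAY0 + timedelta(days=10)),
    Version("report.docx", DAY0 + timedelta(days=20)),
    Version("report.docx", DAY0 + timedelta(days=30), clean=False),
    Version("notes.txt", DAY0 + timedelta(days=20), deleted_locally=True),
]
NOW = DAY0 + timedelta(days=31)   # retention runs the day after the attack

def hardened():
    """Settings recommended above: >= 3 versions, 2-week purge delay, local deletions not mirrored."""
    kept, _ = apply_retention(HISTORY, NOW, keep_versions=3, delete_older_than_days=14,
                              purge_delay_days=14, delete_locally_deleted=False)
    return clean_versions(kept)

def weak():
    """Aggressive settings: one version, short age limit, no delay, local deletions mirrored."""
    kept, _ = apply_retention(HISTORY, NOW, keep_versions=1, delete_older_than_days=7,
                              purge_delay_days=0, delete_locally_deleted=True)
    return clean_versions(kept)

if __name__ == "__main__":
    print("hardened settings keep:", hardened())
    print("weak settings keep:    ", weak())
```

With the hardened settings two clean versions of report.docx (days 10 and 20) and the backup of the locally deleted notes.txt survive the pass, so a restore is possible; with the weak settings the only remaining version of report.docx is the encrypted one and notes.txt is gone from the backup as well.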

Ransomware Detection (for versions earlier than 6.0.1)

The ransomware detection method is based on heuristic knowledge about attributes that are typical of ransomware activity, such as file size entropy. Each attribute has a weight coefficient that determines its severity and reliability. The weight coefficient is positive if the attribute is indicative of a ransomware attack and negative if the attribute is uncharacteristic of one. The heuristic analyzer calculates the probability of a ransomware attack and, if the threshold is exceeded, concludes that the analyzed object is probably under attack. However, several false positives occurred, which led to the ransomware protection feature being removed in the latest CloudBerry Backup version.
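To make the weighted-attribute scheme concrete, here is an added toy analyzer in Python. It is not CloudBerry Backup's detector: the attribute names, weights, entropy cut-offs, logistic mapping and threshold are all assumptions chosen for the illustration. It compares a file's previous backed-up bytes with the current ones, fires attributes with positive weights (high entropy, a large entropy jump) and negative weights (a recognizable format header, data that still compresses), and converts the summed score into a probability that is compared against a threshold. The three sample files are constructed inline; the "encrypted" one is pseudo-random bytes standing in for ciphertext.

```python
import hashlib
import math
import zlib
from collections import Counter

# Weight table (assumed): positive = indicative of ransomware encryption,
# negative = uncharacteristic of it.
WEIGHTS = {
    "high_entropy":  0.6,   # bytes look uniformly random (>= 7.5 bits/byte)
    "entropy_jump":  0.5,   # entropy rose by more than 2 bits/byte versus the previous version
    "header_intact": -0.7,  # the file still starts with a known format signature
    "compressible":  -0.4,  # data still compresses well; ciphertext does not
}
KNOWN_MAGICS = (b"%PDF", b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff")
THRESHOLD = 0.75            # assumed probability above which a file is flagged

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def fired_attributes(previous: bytes, current: bytes) -> set:
    """Return the names of the attributes observed on the current version."""
    h_prev, h_curr = shannon_entropy(previous), shannon_entropy(current)
    fired = set()
    if h_curr >= 7.5:
        fired.add("high_entropy")
    if h_curr - h_prev > 2.0:
        fired.add("entropy_jump")
    if current.startswith(KNOWN_MAGICS):
        fired.add("header_intact")
    if current and len(zlib.compress(current, 9)) / len(current) < 0.8:
        fired.add("compressible")
    return fired

def assess(previous: bytes, current: bytes, threshold: float = THRESHOLD) -> dict:
    """Sum the weights of fired attributes, squash to a probability, compare with the threshold."""
    fired = fired_attributes(previous, current)
    score = sum(WEIGHTS[a] for a in fired)
    probability = 1.0 / (1.0 + math.exp(-2.0 * score))   # logistic mapping to (0, 1)
    return {"fired": fired, "score": round(score, 2),
            "probability": round(probability, 3), "flagged": probability >= threshold}

# Constructed samples (not real files):
CLEAN = b"%PDF-1.4\n" + b"Lorem ipsum dolor sit amet, consectetur adipiscing elit. " * 60
ENCRYPTED = b"".join(hashlib.sha256(b"ctr%d" % i).digest() for i in range(128))  # ciphertext stand-in
ARCHIVE = b"PK\x03\x04" + ENCRYPTED[:2048]   # archive-like: random body but a valid signature

if __name__ == "__main__":
    print("unchanged document:", assess(CLEAN, CLEAN))
    print("document replaced by ciphertext:", assess(CLEAN, ENCRYPTED))
    print("file that was always an archive:", assess(ARCHIVE, ARCHIVE))
```

The unchanged document scores well below the threshold, the ciphertext replacement is flagged, and the archive-like file is not flagged only because its intact signature carries a negative weight that offsets its high entropy. That balance is exactly what such a heuristic gets wrong in practice: legitimately compressed or already-encrypted files with unusual headers push the score up, which is the source of the false positives the page mentions.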

Protecting Your Backup Using Cloudberry Backup Features (for versions earlier than 6.0.1)

You can protect your backups against ransomware attacks by enabling the detection of suspicious encryption activities over locally stored files in your backup.

Ransomware protection applies only to locally stored backups; CloudBerry Backup does not analyze files that are already stored in the cloud.

With this feature enabled, CloudBerry Backup performs a full initial backup and then uses heuristic analysis to find out whether the byte structure of the backed-up files has changed in subsequent backups because of encryption.

Ransomware protection is currently supported only for file-level backups.

If your files were already encrypted when your backup was first processed, CloudBerry Backup is still able to detect changes in the encryption applied to them in subsequent backups.

On detecting suspicious encryption applied to your files, CloudBerry Backup prevents deletion of existing backups regardless of the current retention policy settings, so that at least one undamaged version of your backup remains available, and prompts you to choose which action to take next.

Note that if the ransomware detection option is enabled, only the Advanced backup mode can be selected in the Backup Wizard.

Ransomware protection can significantly increase the size of your backup because additional versions of suspicious files must be kept until the backup administrator confirms their deletion. This is because the backup service analyzes source files on the fly, while a backup is being processed, and can detect a possibly corrupted file only after it has already been uploaded to the destination storage. For this reason, using the Simple backup mode would let a corrupted file overwrite its previous, uncorrupted version before the backup service is able to detect and prevent this. This is not the case with the Advanced mode, in which a corrupted file is uploaded as a new version and the previous file version is kept intact.

When the backup service suspects that your files may be affected by ransomware, it completes the current backup task and sends you an email containing the list of supposedly affected files and prompting you to take action.

The "lock" icon displayed on the backup plan's title turns red. Clicking this icon opens a dialog listing all suspicious files. You can open the folder containing these files by clicking the corresponding link in the dialog. Then you can either confirm that a file is not affected by ransomware or delete it by clicking the corresponding button.

You can click Cancel to postpone the investigation and keep the affected files intact.

False positives may occur when the backup service mistakenly attributes legitimate changes to ransomware. Review the flagged files reported by the backup service and verify whether they are actually corrupted before deleting them.

This feature is most effective at protecting you against ransomware attacks when used as part of a broader protection strategy that includes appropriate lifecycle and retention policies.

Enabling Ransomware Protection in an Existing Backup Plan

To enable ransomware protection in an existing backup plan, proceed as follows:

  1. Switch to the Backup Plan tab in the main pane of your CloudBerry Backup application, then click Edit. The Backup Plan Wizard launches.
  2. Select the Enable ransomware protection check box, located at the bottom of the wizard box, then click Next.
  3. Refer to the Step 1 - Backup Route and Ransomware Protection section to configure your backup plan.
  4. After saving your backup plan, it displays a "lock" icon on its title, indicating that ransomware protection is enabled for this backup plan.

With ransomware detection enabled, only the Advanced backup mode can be selected in the Backup Wizard.

Note that enabling ransomware protection may increase the size of your backup because additional versions of suspicious files must be kept until the backup administrator confirms their deletion.

Enabling Ransomware Protection in a New Backup Plan

To enable ransomware protection in a new backup plan, proceed as follows:

  1. Switch to the Backup Plan tab in the main pane of your CloudBerry Backup application, then click Local to Cloud. The Backup Plan Wizard launches.
  2. Select the Enable ransomware protection check box, located at the bottom of the wizard box, then click Next.
  3. Refer to the Step 1 - Backup Route and Ransomware Protection section to configure your backup plan.
  4. After saving your backup plan, it displays a "lock" icon on its title, indicating that ransomware protection is enabled for this backup plan.

With ransomware detection enabled, only the Advanced backup mode can be selected in the Backup Wizard.

Note that enabling ransomware protection may increase the size of your backup because additional versions of suspicious files must be kept until the backup administrator confirms their deletion.