There is a ransomware victim every 11 seconds. Backup solutions are the last line of defense against a ransomware attack, and ransomware attackers know this. If attackers can encrypt the backup, your organization’s chances of being able to recover without paying a ransom is extremely limited. It is crucial for organizations to take every possible measure to ensure that their backup solution is well protected.
There are two areas of a backup solution that an attacker will attempt to exploit – the management console of the backup solution and the backup storage. If an attacker has administrative access to the backup system, the results could be devastating. With access to the backup system, the attacker can steal the data and use it for blackmail or encrypt it and hold it for ransom. Without a good backup copy of your data, you will not be able to access your data and may be forced to pay to recover your data.
Protecting Your Backup Data from Ransomware
Barracuda Backup (BBS) provides many capabilities to help prevent attackers from gaining access to your backups and protect your backup data from ransomware.
Immutable Backup Protection
Barracuda Backup maintains immutable backup copies by preventing direct access to the data. BBS also offers protection against data modification or removal via API. This means that you can only access and remove data through the secure Barracuda Backup interface, which can also be secured using multi-factor authentication (MFA). In addition, data stored in the Barracuda Cloud is written once and never updated, providing an additional layer of protection.
Secure Cloud Storage (Air Gap)
Data stored in the Barracuda Cloud is encrypted and can only be accessed, modified, or deleted through the secure Barracuda Backup interface. There is also a delay in the purging of data in the cloud so that data can still be recovered if it is accidentally or maliciously deleted from the local appliance. This creates an air gap between the appliance and the cloud, further protecting data against ransomware.
Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) provides an additional layer of security to the accounts and credentials used to access Barracuda Backup. With MFA, the attackers not only need the login and password, but they also need a secondary device and application to confirm the identity of the backup administrator.
Hardened Linux Platform
Barracuda Backup runs on a hardened Linux platform, which makes it less susceptible to malware and ransomware attacks compared to other similar Windows-based backup solutions. The platform also prevents any unauthorized services from running, thus preventing the execution and spread of ransomware throughout the backup data.
Integrated Backup Software, Storage, and Offsite Storage
An integrated backup appliance eliminates any network sharing protocols and reduces the risk of the backup storage being attacked. Having an integrated solution that includes the backup software, storage, and offsite storage also reduces the number of attack surfaces making it easier to secure the entire solution.
Role-Based Access Control
Following the principle of least privilege, users accessing the backup system should only be given privileges which are essential to their specific role. With Barracuda Backup, you can assign various user roles from full account administrators to restricted users and users with view-only permissions. This minimizes the chances that an attacker can access the backup system with the most powerful administrative privileges.
No Network Sharing Protocols
It is common to store backups on Network Attached Storage (NAS) devices using a network sharing protocol, such as Network File System (NFS) or Common Internet File System (CIFS). An attacker can easily discover and access these file shares, putting backup data at risk. Barracuda Backup does not expose any network file sharing protocols, thus preventing access to the backup storage.
Barracuda Backup provides AES 256-bit encryption of data at rest on the appliance, in transit whenever it is sent offsite, and stored at rest on the replication destination. All communication with the appliance is also done over an encrypted VPN tunnel. Encryption renders the backup data unreadable to an attacker who has gained access to it.
Restricted IP/Network Access
You can set IP login restrictions for each user who has access to Barracuda Backup. Those restrictions prevent access to the web interface from an IP address outside of the specified range.
Multiple Backup Copies
Barracuda Backup strongly recommends that you follow the 3-2-1 rule to create a successful data protection and disaster recovery plan:
- 3 – You must have at least 3 copies of your data: the original production data and 2 backup copies.
- 2 – You must use at least 2 different types of media to store the copies of your data. For example, the local Barracuda Backup device and Barracuda Cloud storage.
- 1 – You must keep at least 1 backup offsite. For example, in the Barracuda Cloud or on another physical or virtual Barracuda Backup appliance at a remote site.
In addition to the plan above, Barracuda Networks also delays the purging of backup data stored in the Barracuda Cloud, which provides an extra layer of protection in case of an attack or accidental deletion of data.
Ransomware attacks continue to evolve, becoming more complex every day. No organization can be fully protected from ransomware using a single layer of security. A Defense in Depth (DiD) strategy is best for protecting against ransomware attacks. Barracuda can help you build a winning strategy against ransomware, providing solutions that help an organization detect, prevent, and recover from ransomware attacks.