Backup has in some sense always been about the security of data. In the event of a data loss or disaster, you could turn to your backup to retrieve the data.
But these days, backup must do much more. Not only must it provide a way to restore data in a timely manner, it must do it securely – and increasingly, users are demanding that it also offers protection against the scourge of ransomware.
“Even if you have a backup, is it consistent and a copy of good data, or is it simply a copy of bad, damaged, infected or corrupt data?” said Greg Schulz, an analyst with StorageIO Group. “Or worse, what if your multiple copies or backups are also all bad?”
His advice is to look for vendors that can adequately protect themselves and their catalog along with metadata from ransomware attacks.
Fortunately, the vendor community is rising to the challenge. There are now backup solutions equipped with additional features to protect against ransomware. They include a variety of capabilities to give users confidence that they will be able to recover data from a ransomware attack.
Key Features of Ransomware Backup
When evaluating backup vendors for their ability to offer ransomware protection, here are some key features to look for:
- Ultra-resilient copies of data: The market is hungry for immutability, offline storage, and otherwise air-gapped copies of critical data, referred to as ultra-resilient copies. Some organizations want tape, some use immutability in the cloud, and others prefer backup as a service to solve these needs. The speed of data recovery is always an important backup consideration, so make sure you’re covered.
- The ability to seamlessly implement the 3-2-1 rule or variations of it: 3 copies of data, on 2 different media, with 1 copy off-site, ideally one that is ultra-resilient.
- Threat agnostic: Solutions should protect broadly, even offering the ability to recover from zero-day threats and other previously unknown attack vectors.
- Robust protection of backup files: Preventing tampering with backups, and monitoring for suspicious file encryption and stopping it.
- Additional safeguards: Vendor solutions offer a dashboard view of various possible steps and hardening options. These vary from vendor to vendor, but should include several of the following: WORM (write once, read many), multi-factor authentication, role-based access control (RBAC), encryption, fault tolerance, alerts and more, depending on organizational needs.
- Quick recovery of workloads in a sandbox before moving the data into production.
- The ability to take snapshots of primary storage used by mission-critical servers frequently enough to meet demanding RPOs (recovery point objectives) and RTOs (recovery time objectives).
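The 3-2-1 rule and the ultra-resilient copy described in the list above can be checked against a backup inventory. The following is an added example, not code from the article or from any vendor; the `BackupCopy` fields, the copy names and the sample inventories are hypothetical, the production copy is assumed to count toward the 3 copies, and the "ideally ultra-resilient" off-site copy is reported as a finding when missing.

```python
from dataclasses import dataclass

# Traits the article groups under "ultra-resilient" copies.
ULTRA_RESILIENT = frozenset({"immutable", "offline", "air-gapped"})

@dataclass(frozen=True)
class BackupCopy:
    name: str                        # hypothetical label
    media: str                       # e.g. "disk", "tape", "object-storage"
    offsite: bool                    # stored away from the primary site
    traits: frozenset = frozenset()  # subset of ULTRA_RESILIENT, if any

def audit_321(copies):
    """Return findings for one dataset; an empty list means 3-2-1 is met.

    Assumption: the production copy counts toward the 3 copies.
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"only {len(media)} media type, need 2")
    offsite = [c for c in copies if c.offsite]
    if not offsite:
        findings.append("no off-site copy")
    elif not any(c.traits & ULTRA_RESILIENT for c in offsite):
        findings.append("off-site copy is not ultra-resilient")
    return findings

# Constructed inventories for illustration.
WEAK = [
    BackupCopy("production", "disk", offsite=False),
    BackupCopy("local-repo", "disk", offsite=False),
    BackupCopy("dr-replica", "disk", offsite=True),
]
STRONG = [
    BackupCopy("production", "disk", offsite=False),
    BackupCopy("local-repo", "disk", offsite=False),
    BackupCopy("cloud-vault", "object-storage", offsite=True,
               traits=frozenset({"immutable"})),
]

if __name__ == "__main__":
    for label, inv in (("WEAK", WEAK), ("STRONG", STRONG)):
        print(label, audit_321(inv) or "meets 3-2-1 with a resilient off-site copy")
```

The WEAK inventory has three copies and one off-site, yet fails on two counts: every copy sits on the same media type, and the off-site replica can be modified like any other disk.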
Top Backup Vendors for Ransomware Protection
We evaluated the ransomware protection features of a wide range of backup vendors, and eight in particular stood out in our analysis. Here are our top picks for ransomware backup protection.
Veeam
Veeam’s flagship product is Veeam Backup & Replication with Veeam ONE. The product gets good marks for ease of use, reliability and flexibility. There is no additional Veeam cost to use cloud storage. All versions of Veeam provide the Hardened Repository and the Veeam ONE Possible Ransomware Activity alarm, including the free Veeam Community Edition.
Veeam’s Key Features
- Hardened Repository: The Veeam Hardened Repository allows any Linux system to store immutable copies of backup data.
- Immutable Cloud Backups: Immutable backup copies can be stored in the public AWS S3 storage as well as in many S3 compatible storage systems.
- Veeam Cloud Connect Backups with Insider Protection: This technology lets service providers hold an out-of-band copy of an organization’s backup data, which helps fend off ransomware, accidental deletion and malicious insiders.
- Veeam ONE ransomware alarms: A number of Veeam ONE alarms are in place to observe possible ransomware activity from CPU, memory, network upload (for extortion behavior) and suspicious incremental sizes of backups that are taken.
- Veeam DataLabs: There are a number of recovery techniques at Veeam to ensure data is recoverable. DataLabs is a gateway of many features such as SureBackup, on-demand virtual labs, Secure Restore and Data Integration API capabilities to verify recoverability and also to avoid reintroducing ransomware threats during a restore.
Acronis
With Acronis Cyber Backup, any file interaction is monitored and analyzed by a machine intelligence behavioral algorithm to determine if files are being encrypted. If suspicious tampering is detected, then the malicious process is stopped. Any modified files are restored from a local backup automatically. If the attacker somehow still manages to encrypt data, the protected backups can be used to quickly restore any affected system without the need for paying a ransom for a decryption key.
Acronis Key Features
- Combines backup with anti-ransomware technologies in an integrated package.
- AI-driven anti-malware capabilities.
- Blockchain-based data integrity authentication.
- Backs up critical files and configurations on a schedule or on demand.
- Restores workloads in seconds.
Cohesity
Cohesity DataProtect offers a defense-in-depth architecture that protects organizations against ransomware. It includes immutable backups, WORM (DataLock), multi-factor authentication, granular role-based access control, two-person control, Security Advisor, and data isolation to protect the backup data and the platform.
Cohesity’s Key Features
- WORM (DataLock), multi-factor authentication, granular role-based access control, two-person control, data isolation.
- Quick anomaly detection to identify a potential ransomware attack on the production environment.
- The ability to rapidly recover at scale to reduce downtime and data loss.
- If the IT production environment becomes encrypted, the platform can be used to identify clean backups and recover data after an attack.
- Immutability and reduced attack surface.
- Access control and configurable multi-person control for critical operations.
- End-to-end encryption and zero trust security implementation.
- Ability to identify vulnerabilities in the production environment.
- Ability to instantly recover thousands of workloads using the SnapTree architecture built for instant mass restores.
- Always-on operations for backup infrastructure that ensures backups are never missed.
Arcserve
Arcserve offers a broad set of data protection and recovery solutions to protect and recover from ransomware attacks regardless of data workloads. Arcserve Unified Data Protection (UDP) protects cloud, hybrid and traditional deployments; and all environments — small or large, simple or complex. The company offers a multi-layered approach to prevent, protect, and immunize data from ransomware and other cyberattacks.
Arcserve Key Features
- Backup and/or replication to an offsite location.
- The ability to flag and inform staff of suspicious data change rates.
- Provides immutable storage via OneXafe, which includes a file system based on immutable object store, with every object written only once and never modified. Any modification to the file system always results in the creation of new objects.
- Takes low overhead snapshots every 90 seconds.
- The ability to instantly recover data with orchestrated recovery (ShadowXafe).
- The ability to spin data and IT infrastructures up to the cloud and operate as normal while companies bring their on-premises data back online.
- Available as software, integrated appliance, and cloud backup service.
- Manage and maintain multiple copies of backup data efficiently.
- Reliable disaster recovery with Assured Recovery.
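Both the Veeam ONE alarm on suspicious incremental sizes and the Arcserve flag on suspicious data change rates rest on the same signal: mass encryption rewrites most blocks, so the next incremental is far larger than usual. The following is an added example of one way to detect that, not either vendor's algorithm; the function name, window, threshold and sample sizes are assumptions chosen for illustration.

```python
from statistics import median

def flag_incrementals(sizes_gb, window=7, threshold=5.0):
    """Flag incrementals far above the recent baseline.

    For each job, compute a robust z-score against the preceding
    `window` jobs: (size - median) / (1.4826 * MAD). Median and MAD
    are used instead of mean and standard deviation so that one
    earlier spike does not inflate the baseline and hide the next.
    Returns a list of (index, size_gb, score) tuples.
    """
    flagged = []
    for i in range(window, len(sizes_gb)):
        base = sizes_gb[i - window:i]
        med = median(base)
        mad = median(abs(x - med) for x in base)
        # Fall back to 5% of the median (or 1.0) when the baseline
        # is perfectly flat and MAD is zero.
        scale = 1.4826 * mad or 0.05 * med or 1.0
        score = (sizes_gb[i] - med) / scale
        if score > threshold:
            flagged.append((i, sizes_gb[i], round(score, 1)))
    return flagged

# Constructed nightly incremental sizes in GB; job 8 simulates the
# backup taken after a large share of files was rewritten.
SAMPLE = [12, 14, 11, 13, 15, 12, 13, 14, 96, 13]

if __name__ == "__main__":
    for idx, size, score in flag_incrementals(SAMPLE):
        print(f"job {idx}: {size} GB incremental, robust z-score {score}")
```

A flagged job is a reason to inspect the restore points taken before it, since they are the likeliest clean copies; legitimate events such as a data migration trip the same check.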
FalconStor
FalconStor’s StorSafe software powers a scalable backup-to-disk target, consisting of any brand of qualified servers and storage. StorGuard software runs on any brand of qualified servers to provide Continuous Data Protection (CDP) to any brand of underlying disk array.
FalconStor Key Features
- Speeds up backups and RTOs by 10 times compared to tapes (RPOs are determined by the customer’s backup frequency).
- Can recover with a 10 ms RPO and the fastest RTO possible.
- Takes snapshots of primary storage frequently to provide better RPOs and RTOs after a ransomware attack, compared to doing a restore from a backup.
- Rather than an appliance, StorSafe is 100% software.
- Can scale down to run on a single VM.
- Can scale up to 9 industry-standard servers to deliver 160 TB per hour of throughput while reducing the size of backup data by up to 95%.
- Replicates to a twin StorSafe at a remote site or cloud.
- Records all writes to all LUNs with 10 ms granularity.
Commvault
Commvault Ransomware Protect and Recover solutions help businesses prepare for and respond to cyber threats. Utilizing these services along with Commvault software and cloud offerings allows an enterprise to detect, protect, and recover from ransomware attacks and other data breaches as a core component of the Commvault Intelligent Data Services.
Commvault’s Key Features
- Ransomware Protection Design and Plan helps organizations understand potential threats, and includes a readiness scorecard and prioritized action plan.
- Commvault Ransomware Response Service provides the expertise and resources to help recover from an attack backed by the Commvault Recovery Operations team.
- Commvault Ransomware Protect and Recover solutions complement the offerings and deliver the critical capabilities for ransomware data protection.
- Commvault Data Management and Protection products and Compliance and Governance solutions work hand in hand with this data security solution.
- Understand potential threats and risks via a readiness scorecard, key findings, recommendations, and a prioritized action plan.
- Expedite a return to normal business operations.
Rubrik
Rubrik data protection solutions cover workloads across on-premises and the cloud. They easily archive to the cloud, scale to meet enterprise demands, and have built-in ransomware recovery. Rubrik simplifies backup and recovery for hybrid cloud environments. With Rubrik, enterprises can unlock cloud for long-term data retention or DR and deliver automation with an API-based platform.
Rubrik’s Key Features
- Designed to be vendor-agnostic.
- Supports most operating systems, databases, hypervisors, clouds, and SaaS applications.
- Meet demanding backup windows and recovery objectives with a simple policy engine.
- Integrates data orchestration, catalog management and continuous data protection into a single platform.
- Understand who is accessing files and recover rapidly to a known good state.
- Helps generate effective ransomware remediation plans to ensure users can quickly respond to a cyberattack without paying any ransom.
- Backups can’t be encrypted or deleted during a ransomware attack, enabling users to recover quickly.
- Provides visibility into the scope of ransomware damage.
- Alerts about unusual behavior from ransomware infections.
- Immutable file system.
Veritas
Veritas offers ransomware protection with Backup Exec and NetBackup. This ensures that enterprise data and IT infrastructure is protected from the unknown and unexpected. NetBackup Flex 2 can bolster ransomware resiliency without adding hardware.
Veritas Key Features
- Protect workloads across physical, virtual, and cloud with a unified solution.
- Supports over 800 workloads, ranging from traditional databases to workloads in the cloud.
- The NetBackup Flex Scale hyperconverged scale-out deployment option delivers enterprise-wide data protection.
- A new containerized, hyperconverged architecture enables the scaling of NetBackup services, performance, and capacity.
- Administration through automation, accelerating data protection as a service delivery.