9 ransomware backup best practices

By: Sagar Kamat

Ransomware is nothing new, but it’s more prominent than ever for your clients. A recent figure from BlackFog showing that 89% of ransomware attacks in June 2023 exfiltrated data is particularly alarming. The stakes increase even more when considering that more than 90% of attacks specifically target data backups to increase the chances of organizations paying the ransom.

Ensuring robust backup solutions for ransomware protection is a critical priority for MSPs. If a ransomware attacker gets access to the MSP environment, the attack can spread to the MSP itself as well as all client assets. Incorporate backup industry best practices into your overall strategy, aligning it with the specific needs of your clients.

Focusing on backup techniques can strengthen your defense against ransomware, ensuring that data recovery is always possible even in the face of an attack.

Protecting your backups against ransomware

A backup plan is vital in safeguarding against ransomware attacks for your clients. It provides a means to restore lost or encrypted data, but it's essential to recognize that backups alone are not a complete defense against ransomware. Tailoring your strategy to protect your clients against this unique threat is crucial.

Ransomware backup best practices should be part of a comprehensive security approach that includes prevention, detection, and response measures to ensure your clients’ data remains safe and accessible.

Ransomware backup best practices

Ransomware is an evolving threat, and MSPs must remain vigilant to keep their clients' data secure. Tailoring your backup and disaster recovery strategy to be prepared for ransomware is essential, as even a well-crafted backup plan needs to consider this unique challenge. 

To help you minimize and mitigate threats, here are nine ransomware backup best practices you should consider.

1. Use unique credentials for backup storage

One of the most effective ways to protect your backup storage is also one of the simplest: using unique credentials. Restricting access to your backup storage is not just about thwarting ransomware, it's an essential component of maintaining overall data integrity and security. Implementing unique credentials ensures that only authorized individuals can access backups, providing an additional layer of protection against ransomware and other potential threats.

Your goal should be to keep everyone out of backup storage unless they’re conducting backup processes or operations. This might involve working in dedicated service accounts instead of administrator or root accounts, as that can restrict access for unnecessary users. Whatever you do, using unique credentials for backup storage is an effective strategy that doesn’t take many resources to employ.

2. Implement the 3-2-1 backup rule

The 3-2-1 backup rule is simple, but there’s a reason it’s high up on this list. The “3” refers to three copies of your data, the “2” refers to two different types of media containing your backup data, and the “1” refers to the one type of media you keep off-site.

So why is the 3-2-1 backup rule so crucial when mitigating ransomware attacks? You can use this backup method without adding new software or technology to your repertoire. You can also be sure that the 3-2-1 backup rule will work for almost any type of ransomware scenario in which your other lines of defense fall.

You can further bolster your 3-2-1 backup strategy by adding an extra “1,” creating a 3-2-1-1 backup rule. This usually involves an offline copy of your data, but semi-offline copies work as well. Cloud data storage can work as a semi-offline data backup in this scenario, but you might prefer a method that’s 100% offline.
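
The 3-2-1-1 rule above, together with the unique-credential practice from item 1, can be checked mechanically against a backup inventory. The following Python is an added example, not code from the original article or from ConnectWise; the `Copy` fields, client names and account names are constructed for illustration, and it assumes the production data counts as one of the three copies.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    name: str
    media: str       # "disk", "tape", "object-storage", ...
    site: str        # "primary" = production site; anything else is off-site
    offline: bool    # air-gapped, not reachable over the network
    credential: str  # account that can write to this storage

def audit(copies):
    """Return the 3-2-1-1 and credential gaps for one client's copies.

    Assumption: the production data counts as one of the three copies.
    """
    gaps = []
    if len(copies) < 3:
        gaps.append(f"copies: {len(copies)} of 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        gaps.append(f"media types: {len(media)} of 2")
    if all(c.site == "primary" for c in copies):
        gaps.append("off-site: no copy outside the primary site")
    if not any(c.offline for c in copies):
        gaps.append("offline: no offline copy (the extra 1)")
    # Practice 1: one stolen account should never reach two copies.
    reuse = Counter(c.credential for c in copies)
    for cred, n in sorted(reuse.items()):
        if n > 1:
            gaps.append(f"credential: {cred} can write to {n} copies")
    return gaps

# Constructed inventory for two hypothetical clients.
INVENTORY = {
    "client-a": [
        Copy("production", "disk", "primary", False, "svc-app"),
        Copy("nas-backup", "disk", "primary", False, "svc-backup-nas"),
        Copy("cloud-backup", "object-storage", "cloud-region-1", False, "svc-backup-cloud"),
        Copy("weekly-tape", "tape", "vault", True, "svc-backup-tape"),
    ],
    "client-b": [
        Copy("production", "disk", "primary", False, "domain-admin"),
        Copy("nas-backup", "disk", "primary", False, "domain-admin"),
        Copy("usb-disk", "disk", "primary", False, "domain-admin"),
    ],
}

if __name__ == "__main__":
    for client, copies in INVENTORY.items():
        print(client, audit(copies) or "meets 3-2-1-1")
```

Client B has three copies, so a simple count would pass it, yet every copy sits on the same media type at the same site behind one account.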

3. Regularly test your backups with ransomware in mind

Even if you’ve implemented the best tools and practices, there’s only one way to find out if your backup plan works: testing. And if you haven’t tested your backup plan lately, there’s no better time than now.

Aside from finding out if your data backup plan is functional, testing can reveal just how effective your strategy is. For example, proper backup plan testing can yield data that helps you calculate how accessible your data is, recovery time, and other figures. These numbers can then show you where your backup plan is effective and where it can use some improvement.

The only thing worse than a ransomware attack is one that catches you off-guard. By then, it's too late to discover your data backups are insecure. Test your data backup plan and figure out where its strongest points are. The longer you wait, the more at risk you are.
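
A restore test produces the figures mentioned above only if the restored data is compared against something recorded at backup time. The following Python is an added example, not code from the original article or from ConnectWise: it checks a test restore against a SHA-256 manifest and a recovery-time target. The file names, the `target_seconds` value and the use of `shutil.copytree` as a stand-in for the restore job are assumptions made for illustration.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

def build_manifest(root):
    """Map each file's relative path to its SHA-256 (recorded at backup time)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(restored_root, manifest, restore_seconds, target_seconds):
    """Score a test restore against the manifest and a recovery-time target."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    changed = sorted(p for p in manifest
                     if p in restored and restored[p] != manifest[p])
    extra = sorted(set(restored) - set(manifest))  # renamed files, ransom notes
    intact = len(manifest) - len(missing) - len(changed)
    return {
        "missing": missing,
        "changed": changed,
        "extra": extra,
        "recoverable_pct": round(100 * intact / max(len(manifest), 1), 1),
        "within_target": restore_seconds <= target_seconds,
    }

def demo():
    """Constructed sample: four files; the restore has one altered, one renamed."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restore")
        src.mkdir()
        for name in ("a.txt", "b.txt", "c.txt", "d.txt"):
            (src / name).write_text(f"contents of {name}\n")
        manifest = build_manifest(src)
        start = time.monotonic()
        shutil.copytree(src, dst)  # stands in for the real restore job
        elapsed = time.monotonic() - start
        (dst / "b.txt").write_bytes(b"\x00" * 16)     # content no longer matches
        (dst / "c.txt").rename(dst / "c.txt.locked")  # original name is gone
        return verify_restore(dst, manifest, elapsed, target_seconds=3600)

if __name__ == "__main__":
    print(demo())
```

Store the manifest with the offline or immutable copy so that an attacker who alters a backup cannot also rewrite the hashes it is checked against.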

4. Have some form of offline storage

We touched on offline storage before, but its importance can’t be overstated. Offline storage is physically separate from every other form of storage, and it doesn’t share connections with them either. This means offline storage is completely separate and is much harder to infect with ransomware through any method.

Offline storage comes in many forms—here are a few of the most important for ransomware defense:

  • Hard drives: These devices are typically offline unless they’re in use, making ransomware attacks less likely most of the time they’re in your possession.
  • Tapes: Tapes from a tape library are offline and can easily be stored off-site, making them a reliable choice to store your backups.
  • Primary storage snapshots: These snapshots can be configured to work offline, using unique authentication frameworks, providing a read-only backup for recovery. When configured properly, they are not susceptible to ransomware infection.
  • Cloud target backups: Using a specific authentication method, cloud-based backup, also known as SaaS backup, keeps your data stored in the cloud.

5. Understand that a storage snapshot is not a true backup

Primary storage snapshots can serve as a useful tool for data recovery, but their functionality ends there—they’re not legitimate backups. Snapshots of primary storage can be useful when restoring lost data, but their capabilities are limited.

Here are a few things to consider:

  • Storage snapshots don’t provide substantial benefits in terms of retention management and reporting. They aren’t designed to track historical data or provide analytics.
  • Storage snapshots are stored on the same system as your primary data. A cyberattack on your primary data can spill over into your storage snapshot, a vulnerability that's especially concerning when it comes to ransomware.

Keep in mind that ransomware can play the long game, waiting in the shadows for the perfect moment to strike. You should be mindful of the double exposure of your primary data and snapshots to possible threats as a result.

6. Consider immutable storage

Immutable storage is a concept that stores data without providing the ability to modify it. You might not have thought of this as a novel idea, but its application in data backup is relatively new and has become more feasible in recent years, despite its complexity.

In conjunction with storage providers (mainly cloud storage), Write-Once-Read-Many (WORM) storage has made immutable storage a practical option for the average data backup plan. If you're looking for unmodifiable data in your backups, exploring immutable storage could be a worthwhile consideration.

7. Invest in backup encryption

If encryption is good, more encryption is better. After all, another layer of encryption means an extra round of decoding for any ransomware. 

If you want the most comprehensive backup encryption, encrypt your local, cloud, and transmitted data. That might sound like a tall order, but it’s worth the peace of mind when ransomware attacks loom. As a general rule, opt for at least AES-256 encryption for stored data and SSL/TLS for transmitted data.

8. Educate your team and the client on protocol

Backing up your data to fight against ransomware attacks can be a comprehensive process. Employing any of these best practices can affect your organization, from entire systems all the way to individual employees. Because of this, you should educate everybody involved with your operations, including team members and clients.

Managing and restricting access to your data backups is also essential. The fewer people with direct access to your data, the better. Even when educating all your team members about backup data and ransomware attack protocol, it's wise to maintain restricted access where possible.

9. Be ready to adapt your strategy as ransomware evolves

Technology keeps advancing exponentially, and ransomware is included in that growth. That’s the unfortunate truth, but you’re not out of luck if you’re trying to keep up with ransomware attacks. One of the best things you can do is adapt your strategy as often as you can.

This can be as simple as updating your policies, but that’s not to say you should stop there. Still, if you’ve implemented effective data backup policies, you should keep them up-to-date. Otherwise, they may not be effective at all.

Your entire strategy might also be in vain if your backups get infected, so make sure that your backup teams are working alongside your cybersecurity teams to discuss ransomware changes and how to adapt.

Backup and ransomware recovery

Backing up your data is only half of dealing with ransomware. In the unfortunate event of a ransomware attack, you need to recover your client’s critical data with minimal downtime and impact. Effective data storage is great, but data is useless if you can’t access or retrieve it due to a catastrophic event.

That’s why proper data backup is so important for an effective ransomware recovery plan. When you secure your data in multiple locations and through multiple methods, at least one of those media is likely unharmed. Depending on the type of ransomware attack, you should be able to identify which form of data is intact.

Ransomware-ready backup solutions

The right ransomware backup tools and solutions can help MSPs combat security gaps and support business continuity in the face of a catastrophic event. This is especially complex because ransomware attackers will target your backup data first, and if they can’t access the data, they will try to delete it. As a result, your team needs to look into solutions that offer both encryption and soft delete functionality for backup.

BCDR solutions from ConnectWise feature a suite of backup and disaster recovery solutions supported by a 24/7 NOC to help MSPs deliver best-in-class backup and recovery support. For example, our ConnectWise Continuity Backup solution offers a soft delete option for backup data.

When the backup of a protected machine is deleted, it is soft deleted and a notification goes to both your client and any NOC services to ensure this is a legitimate deletion. If the deletion is done by a ransomware attacker or malicious insider, MSPs can recover the data within 72 hours.



Four of the best forms of offline storage are:

  • Cloud target backups: Copies of data from a local system stored in a remote cloud-based storage service. 
  • Hard drives: Conventional offline devices that use magnetic storage to store and access digital data. They are available in different formats, including HDDs (Hard Disk Drives) and SSDs (Solid State Drives). 
  • Tapes: Magnetic tapes used as a medium for data storage. They have become less common in personal computing due to their relatively slow access times. However, they are still widely used in enterprise environments for long-term data archiving and backup purposes. 
  • Primary storage snapshots: A form of data protection provided by storage systems, primary storage snapshots capture the state of a file system or storage volume at a specific point in time. These snapshots are typically taken more frequently than traditional backups and can be restored quickly,

If you want the best chance of securing your data, you should opt for offline storage in conjunction with your other forms of storage. 

The 3-2-1 rule is a core component of effective data backup for MSPs servicing clients. It refers to keeping three copies of data, using two different forms of media, and keeping one storage medium off-site, with an optional one form of media offline. This approach ensures diverse and redundant data storage solutions.

Every data storage type has its benefits and disadvantages for MSPs and their clients. The best data storage occurs across different methods and media, both online and offline, on-site and off-site, tailored to the specific needs and requirements of each client.

Within an MSP’s client environment, access to data backups should be limited to personnel responsible for data backup processes. Restricting access minimizes entry points for ransomware attacks, providing robust security tailored to clients' needs.

Proper backups are vital for MSPs to ensure their clients have at least one uninfected copy of data. This facilitates recovery in case of data loss or corruption, enhancing the overall resilience of the services provided.