Ferro Backup System - The best Backup Software
Network Backup & Restore Software Solution for SMBs
 


Article ID: FS-FBS-20170715-I01
Last Reviewed: February 15, 2021
Version: 1.1

How to Protect Your Computer from Ransomware Encrypting Files

This article describes how to protect against malicious programs that encrypt files for ransom (ransomware). It discusses methods to secure files (documents) stored on workstations and NAS servers. It also explains how to protect backups from encryption and what to do after detecting a threat.



Introduction

The most reliable protection against file encryption or deletion is to perform regular and automatic backups. Backups allow you to restore files even if other protections—such as antivirus software—have failed. In addition to securing the files themselves (documents), it's important to properly protect the backup files (archives), which can also be encrypted or deleted by ransomware.


Protecting Files (Documents) from Workstations and NAS Servers

The most dependable protection against file deletion or encryption is to perform regular and automated backups. Backups of important documents should be made at least once a day, preferably just before shutting down the computer. Since you may discover file deletion or encryption with some delay, remember to enable Rotational Copies (Retention). This option allows you to specify how long backups should be stored, giving you the ability to "go back in time" and restore the disk state on a specific day. For example, if you perform backups daily and set Rotational Copies to 30, you'll always be able to revert up to 30 days back.




Securing Backup Files (Archives)

If malicious software infiltrates your internal network, not only documents but also archives containing their backups can be encrypted. Therefore, it's crucial to secure the backup server itself and the directories where backups are stored.

Windows computers are the most popular and thus most frequently targeted by malware. If your backup server runs on a Windows computer, it's essential to secure it by disabling file sharing and blocking all incoming network ports except TCP 4530 (control console) and TCP 4531 (backup/recovery) used by Ferro Backup System. More about securing the backup server can be found in the article Securing Network Connections – Implementing Security on the Backup Server.
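
One way to apply and verify the port restriction described above with the built-in Windows Firewall cmdlets. This is an added example, not code from Ferro Software; the rule display names are hypothetical and the two ports are the ones named in this article.

```powershell
# Added example (not Ferro Software code). Run elevated on the Windows backup server.
# Rule display names below are hypothetical; the ports come from the article.
$fbsRules = [ordered]@{
    'FBS control console (TCP 4530)' = 4530
    'FBS backup/recovery (TCP 4531)' = 4531
}
$fbsPorts = $fbsRules.Values | ForEach-Object { "$_" }

# 1. Enable the firewall on every profile and drop inbound traffic no rule allows.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 2. Disable the built-in file sharing allow rules. The group name is the
#    English display name; localized Windows builds use a translated name.
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'

# 3. Create the two allow rules once (re-running the script adds no duplicates).
foreach ($name in $fbsRules.Keys) {
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $fbsRules[$name] -Action Allow -Profile Any | Out-Null
    }
}

# 4. Audit: an explicit allow rule still wins over the default block, so list
#    every other enabled inbound allow rule and review or disable each one.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    $ports  = @($filter.LocalPort)
    $extra  = @($ports | Where-Object { $_ -notin $fbsPorts })
    if ($filter.Protocol -ne 'TCP' -or $ports.Count -eq 0 -or $extra.Count -gt 0) {
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Protocol  = $filter.Protocol
            LocalPort = $ports -join ','
            Profile   = $_.Profile
        }
    }
} | Sort-Object Rule | Format-Table -AutoSize
```

An empty table from step 4 means the two Ferro Backup System ports are the only inbound ports the local firewall policy allows.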

Another good solution is to install the backup server on a Linux system (e.g., directly on a QNAP NAS or Synology NAS) and disable services like file sharing (SMB, AFP, NFS, FTP, TFTP, rsync) and remote access services (Telnet, SSH, RDP).

The next step in protecting archives—regardless of the operating system running the backup server—is to enable protection against file modification or deletion. This option is described in the user manual: Protect Access to Destination Directories.

Effective protection against malware also includes archive replication. Replication involves automatically duplicating archives to another location. The most effective protection in this case is replicating archives to media inaccessible to ransomware, such as LTO tapes, DVDs or Blu-ray discs, cloud storage, removable USB drives, RDX cartridges, etc.




Security of Network Resources

When saving archives (or replicas) on a shared network resource, remember several important principles to reduce the risk of files being encrypted or deleted.

Full access (read and write) to the shared folder should be granted to only one user. It's best to create a special user account on the NAS server for this purpose, e.g., FerroBackup. Provide the login credentials for this network resource (username and password) exclusively in the program console under Settings -> Network Resources. This way, only the backup server will have access to the archives. The password created must be strong!

Additionally, when connecting to the network share, avoid assigning a local drive letter, because a mapped drive can be visible to other users of the computer and to programs running on it, including encrypting programs. With this configuration, the destination path for saving or replicating archives is entered in UNC form (\\server\share\[folder]).

  • Create a special account for the backup server
  • Use UNC paths instead of mapping the network resource to a local drive letter
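
A check for the second rule above: it reports any drive letter mapped to the archive share on the computer where it runs. This is an added example, not code from Ferro Software; the server and share names are hypothetical placeholders.

```powershell
# Added example (not Ferro Software code). Run elevated on the computer to audit.
$BackupShare = '\\nas01\fbs-archives'   # hypothetical UNC root; substitute your own

function Test-UnderShare([string]$Path) {
    # Case-insensitive prefix match, ignoring a trailing backslash on the share.
    $Path -and $Path.StartsWith($BackupShare.TrimEnd('\'), [StringComparison]::OrdinalIgnoreCase)
}

# Persistent mappings: HKEY_USERS\<SID>\Network\<letter> holds a RemotePath value.
# Only hives of currently loaded profiles (logged-on users) are visible here.
$persistent = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue | ForEach-Object {
    $sid = $_.PSChildName
    Get-ChildItem "Registry::HKEY_USERS\$sid\Network" -ErrorAction SilentlyContinue | ForEach-Object {
        $remote = (Get-ItemProperty -Path $_.PSPath).RemotePath
        if (Test-UnderShare $remote) {
            [pscustomobject]@{ Source = "registry ($sid)"; Drive = "$($_.PSChildName):"; RemotePath = $remote }
        }
    }
}

# Live mappings in the current logon session (a drive letter is present in LocalPath).
$live = Get-SmbMapping | Where-Object { $_.LocalPath -and (Test-UnderShare $_.RemotePath) } | ForEach-Object {
    [pscustomobject]@{ Source = 'current session'; Drive = $_.LocalPath; RemotePath = $_.RemotePath }
}

# Merge both result sets, dropping empty entries.
$findings = @(($persistent, $live) | ForEach-Object { $_ } | Where-Object { $_ })
if ($findings.Count -eq 0) {
    "No drive letter is mapped to $BackupShare"
} else {
    $findings | Format-Table -AutoSize
}
```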



What to Do When a Threat Is Detected

After detecting and eliminating the threat, you can recover files (or the entire system) from the backup. To do this, go to the Recovery tab, select the computer where the files were encrypted, and then choose the archive from the day before the attack. After selecting the folder with documents or the entire disk, click Restore or Unpack, check the option Replace existing files, and click OK. If you're restoring documents from a file server, additionally select the option Restore saved security descriptors to restore DACL permissions to files and folders.


Copyright © 2000-2024 FERRO Software