
Anti-ransomware must-haves: Immutable backups and air-gap security
According to research from Cybersecurity Ventures, ransomware crooks claim another victim every 11 seconds, using advanced techniques that are increasingly difficult to detect. Your backup system is a critically important piece of your defense against ransomware attacks because it ensures that if ransomware encrypts or steals your data, you can recover it without paying a ransom.
The criminals know this, which is why they try hard to exploit and corrupt your backup system as part of their modern, multi-vector ransomware attacks. If they can gain administrative control of your backup system — either by exploiting the system’s management console or by directly accessing your backup data storage — they can eliminate your last, best line of defense against ransomware. If you become a victim, you are left to choose between paying the ransom and losing your data forever.
Hardening your data protection
To minimize ransomware risk to your data, implement a backup system like Barracuda Backup that combines multiple, advanced protective capabilities — including at the structural level — to prevent unauthorized access. Two of the most important ones for combating ransomware are immutable backups and air-gap security for cloud storage.
Immutable backup protection
A backup that operates as a point-in-time snapshot and cannot be altered ensures that intruders cannot seize it for ransom.
For example, Barracuda Backup maintains immutable backup copies by preventing direct access to the data, and protects against data modification or removal via API. You can only access and remove data through the secure Barracuda Backup interface. The interface can be secured using multifactor authentication (MFA) to help prevent unauthorized access. Data in the Barracuda Cloud is written once and never updated.
Secure cloud storage (air gap)
Creating an air gap between backup storage and the internet makes data extremely secure. A physical air gap — such as tapes stored off-site — is highly secure, but comes with significant problems, including unacceptably slow data recovery, high resource overhead, deteriorating media, and high potential for human error.
The encrypted backup files in the Barracuda Cloud can only be accessed through the secure Barracuda Backup interface, effectively creating a logical air gap between your backup appliance and the cloud. And a built-in delay before purging files in the cloud ensures you won’t lose data in case of accidental or malicious deletion from the local appliance.
By securing cloud data storage with this logical air gap, you get the benefits of physical removable media without the attendant problems.
Defense in depth
Full security against today’s highly evolved ransomware attacks — which operate across multiple vectors, exploiting email, network, application, and data storage security gaps — requires defense in depth (DiD). This approach uses integrated, comprehensive systems to secure your entire infrastructure.
Backup is a critical element in a complete DiD strategy, and in addition to immutable backups and air-gapped cloud storage, Barracuda Backup delivers a full stack of security capabilities:
- Multifactor Authentication (MFA) prevents attackers from accessing the system with stolen login credentials.
- A hardened Linux platform makes it less susceptible to malware and ransomware attacks and prevents any unauthorized services from running.
- Integrated backup software, storage, and offsite storage slashes risk by eliminating network sharing protocols and shrinking the overall attack surface, making comprehensive security easier.
- Role-based access control follows the principle of least privilege, making it easy to assign various user roles with varying permissions, minimizing the credentials with full admin privileges.
- No network sharing protocols — backups stored on network-attached storage devices using network file system (NFS) or common internet file system (CIFS) are easily found and hacked. With no file sharing protocols exposed, Barracuda Backup storage cannot be attacked in this way.
- End-to-end AES 256-bit encryption of data at rest on the appliance, in transit whenever it is sent offsite, and stored at rest on the replication destination means it’s never readable by an attacker. All communication with the appliance is via encrypted VPN tunnel.
- IP/network access restrictions specified for each user who has access to Barracuda Backup prevent access to the web interface from an IP address outside of your specified range.
Multiple backup copies
As ransomware increasingly demands strong backup as a critical security element, IT security professionals and their executive colleagues are focusing on how to optimize backup security and minimize the risk of a devastating ransomware attack.
Barracuda Backup strongly recommends that you follow the 3-2-1 rule to create a successful data protection and disaster recovery plan:
- 3. You must have at least 3 copies of your data: the original production data and 2 backup copies.
- 2. You must use at least 2 different types of media to store the copies of your data. For example, the local Barracuda Backup device and Barracuda Cloud storage.
- 1. You must keep at least 1 backup offsite. For example, in the Barracuda Cloud or on another physical or virtual Barracuda Backup appliance at a remote site.
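An added example, not Barracuda's code: a small audit of a backup inventory against the 3-2-1 rule above, with one extra check for the immutable copy discussed earlier. The inventory entries, field names, and media labels are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    name: str
    media: str               # e.g. "disk", "appliance", "cloud", "tape"
    offsite: bool            # stored away from the production site
    is_backup: bool          # False for the original production data
    immutable: bool = False  # cannot be altered or deleted once written


def audit_3_2_1(copies):
    """Return a list of findings; an empty list means the inventory passes."""
    findings = []
    originals = [c for c in copies if not c.is_backup]
    backups = [c for c in copies if c.is_backup]

    # 3: the original production data plus at least 2 backup copies.
    if not originals or len(backups) < 2:
        findings.append(f"3: found {len(originals)} original and "
                        f"{len(backups)} backup copies, need 1 + 2")
    # 2: at least 2 different media types across all copies.
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"2: all copies share one media type: {sorted(media)}")
    # 1: at least 1 backup copy kept offsite.
    if not any(c.offsite for c in backups):
        findings.append("1: no backup copy is offsite")
    # Extra check (not part of 3-2-1): at least one backup is immutable.
    if not any(c.immutable for c in backups):
        findings.append("immutable: no backup copy is write-protected")
    return findings


# Constructed inventories. WEAK keeps its only backup on a share next to
# production; STRONG adds a local appliance and an immutable cloud copy.
WEAK = [
    Copy("file-server", "disk", offsite=False, is_backup=False),
    Copy("nas-share", "disk", offsite=False, is_backup=True),
]
STRONG = [
    Copy("file-server", "disk", offsite=False, is_backup=False),
    Copy("local-appliance", "appliance", offsite=False, is_backup=True),
    Copy("cloud-replica", "cloud", offsite=True, is_backup=True, immutable=True),
]

if __name__ == "__main__":
    for label, inv in (("WEAK", WEAK), ("STRONG", STRONG)):
        print(label, audit_3_2_1(inv) or "passes")
```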
As ransomware grows ever more complex, no single layer of security can give you full protection. A defense in depth strategy is best for protecting against ransomware attacks. Learn more about complete ransomware security at the Barracuda website.