Would limiting write access to a backup directory help protect it from ransomware?

Having a read-only backup directory that is only accessed by a backup user will have a positive impact on the number of ransomware that can destroy/alter your backups. Depending solely on this solution will not fully protect your system.

There are a number of factors regarding ransomware out there, which means that a comprehensive anti-ransomware strategy would have to be used. I did some basic research, and found that while some ransomware would be thwarted by this alone, it's not foolproof. Here are some other helpful tips:

Unmount Backups

As long as the files are accessible at the kernel level, there's some chance of a privilege escalation attack that could bypass file permissions. Preferably, your backup should exist on a dedicated machine connected through the network, and it has to be mounted by the backup user before copying files. This reduces the exposure time for those files to be encrypted.

Network Backups

Don't keep the backup on the same computer that you're using. This is also practical in the sense that when your hard drive crashes, you can go to your backup and restore from there. They do go bad from time to time. I had a hard drive just this year start throwing unreadable sector errors, and it was a backup (but had already been backed up itself before it went bad).

Run As Normal User

Many users decide to run as local administrators (especially Windows users), which makes privilege escalation easier or not necessary. Make sure you're only logged in as root/Administrator to install programs, and run as a normal user at all other times.

Rename Files

Come up with a naming scheme for your file extensions. Most ransomware actually only looks for certain types of files, like pictures, movies, documents, and spreadsheets. Things that you tend to care about. If your backup files have different extensions, most ransomware will happily ignore those files in favor of files it thinks you care about.

Patch Systems

Many ransomware packages depend on exploits in Java, Flash, a specific browser or Operating System, or a driver. Make sure you patch your software as frequently as possible. Drive-by infections are still common, although most drive-by software tends to not use privilege escalation attacks as of late, so simply keeping your software up to date could be a major bonus. This includes third-party software like Magento, Drupal, and so on.

Anti-Virus

Keep an anti-virus program running on your machine, with heuristic matching, if available. Most vendors have learned to tell when ransomware is up to no good.

Honeypot (?)

I don't know of any off-the-shelf products that do this, but you could build a honeypot in your file system in just a few lines of code. Basically, make a folder named "a" in your home directory (/home/a or /Users/a), and write a small program that hooks into the ioctl for that folder. Terminate any program that attempts to read from that directory. Alternatively, just write a daemon that hooks on your backup folder, and terminate any programs that don't have the backup user's id attached to them.


Keep in mind that there are still other ways to mangle your files. In theory, a hypervisor virus could gain control of your hardware and corrupt everything without you even knowing about it, until it was too late. No scheme you could come up with will be 100% foolproof. However, by carefully managing your backups offline, patching regularly, and restricting your user account's privileges, you'll keep the majority of the ransomware in the wild from harming you. This is the same basic strategy you'd use to protect against any other type of virus.
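As an added example that is not part of the answer above, here is one way to implement the "honeypot" and "read-only backup directory" ideas together. It does not hook ioctl as the answer suggests; instead it plants decoy files with the kinds of extensions ransomware goes after, records a known-good baseline (content hash, size, mode), and polls the directory to flag any file that is rewritten, renamed, removed or added, plus any change to the directory's ownership or write bits. The decoy directory (the answer's "/home/a"), the file names and the `backup_uid` parameter are illustrative assumptions; the watcher reports findings rather than killing processes, since identifying the offending process reliably is outside what a polling script can see.

```python
"""Canary-file watcher for a decoy or backup directory.

Added example, not code from the original answer.  It polls with os.stat and
SHA-256 rather than hooking ioctl: plant decoys, snapshot a baseline, then
call check_once() on a timer (see watch()).  Directory, file names and the
backup_uid value are illustrative assumptions.
"""
import hashlib
import os
import stat
import time

# Decoy names with extensions ransomware typically targets (constructed sample data).
CANARY_NAMES = ("aaa_important.docx", "family_photos.jpg", "zzz_budget.xlsx")
CANARY_BYTES = b"CANARY: this file exists only to detect tampering.\n"


def plant_canaries(directory):
    """Create read-only decoy files in `directory`; return the paths created."""
    paths = []
    for name in CANARY_NAMES:
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(CANARY_BYTES)
        os.chmod(path, stat.S_IRUSR)  # 0400: owner read-only, no write bits at all
        paths.append(path)
    return paths


def _digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(directory):
    """Baseline: name -> (sha256, size, permission bits) for each regular file
    directly inside `directory` (non-recursive)."""
    baseline = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if stat.S_ISREG(st.st_mode):
            baseline[name] = (_digest(path), st.st_size, stat.S_IMODE(st.st_mode))
    return baseline


def check_once(directory, baseline, backup_uid=None):
    """Compare `directory` against `baseline`.  Returns a list of findings;
    an empty list means nothing changed.  If `backup_uid` is given, the
    directory must be owned by that uid (the dedicated backup user)."""
    findings = []
    dir_st = os.stat(directory)
    # The directory itself must not be writable by anyone but its owner.
    if dir_st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("directory is group/world writable: %o" % stat.S_IMODE(dir_st.st_mode))
    if backup_uid is not None and dir_st.st_uid != backup_uid:
        findings.append("directory owner uid %d is not the backup user %d" % (dir_st.st_uid, backup_uid))
    current = snapshot(directory)
    for name, (digest, size, mode) in baseline.items():
        if name not in current:
            # Ransomware commonly writes an encrypted copy under a new name and deletes the original.
            findings.append("%s: removed or renamed" % name)
            continue
        cdigest, csize, cmode = current[name]
        if cdigest != digest:
            findings.append("%s: contents changed (size %d -> %d)" % (name, size, csize))
        if cmode != mode:
            findings.append("%s: mode changed %o -> %o" % (name, mode, cmode))
    for name in current:
        if name not in baseline:
            findings.append("%s: unexpected new file" % name)
    return findings


def watch(directory, baseline, interval=2.0, on_alert=print):
    """Poll forever, reporting each finding through `on_alert`."""
    while True:
        for finding in check_once(directory, baseline):
            on_alert("ALERT %s: %s" % (directory, finding))
        time.sleep(interval)
```

Run it against a decoy directory that nothing legitimate ever touches, or against the backup directory only between backup runs (a running backup job will itself add and change files). The polling interval bounds how long an encryptor can run before being noticed, so keep it short.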

Tags:

Ransomware