Scheduled Mirroring Provides Backup Protection Against Cryptolocker and other viruses

How do you provide backup protection from Cryptolocker? This virus can not only lock you out of your server files but also encrypt files located on network shares. That means it could have a devastating impact on backup data hosted on a local backup appliance if you keep the backup data online at all times. Even encrypting the data on your backup wouldn’t guarantee that a virus couldn’t scramble it further. It’s true Cryptolocker doesn’t encrypt every file type it finds; a list of the file types it encrypts can be found through an internet search. But future variants could potentially encrypt any file the user has access to.

For this reason it is important to make sure user workstations do not have access to the backup volume (or that access is limited to backup time only, which reduces the risk but does not remove it). We’d recommend using a single account to access network shares on the backup device. This account would have permission to access all network files, and would be the ONLY account allowed to access the backup appliance. Be careful when mapping network drives, and make sure only the backup software uses the backup account (i.e., don’t use an administrator account or a regular user account that could be logged in at other times). Regular daily drive swaps will also protect against Cryptolocker by keeping a variety of drives offline and updated at all times.

You should also consider taking advantage of scheduled mirroring, a feature unique to High-Rely backup appliances. The feature was created for customers who forget to swap their secondary drive(s) or do so rarely. It’s available on 2, 4, or 8-bay NetSwap and RAIDFrame devices. You can set up a mirror to occur, say, on Friday night at 5pm: mirroring switches on, remirrors the entire main storage volume at a rate of around 300 gigabytes per hour (which goes up to more like 800 gigabytes per hour on bigger systems or with RAIDPacs), and then the drive drops offline when it’s done. It repeats the following Friday at the same time (or nightly if you set it up that way). You can have it email you when mirroring is complete if you want.

Scheduled mirroring can provide a physical “point in time” redundant volume to supplement the backup software strategy. If you only had 2 drives and Cryptolocker hit during the “mirror window” it could still be a problem. But you can buy a 4 or 8 bay NetSwap and do something crazy like use drives 1 and 2 as a “continuous” mirror pair and set scheduled mirrors to drives 3, 4, 5, 6, 7 and 8. You could set each drive with a different mirror schedule. For example, drive 3 would mirror drive 1 nightly, drive 4 would mirror it weekly, and drive 5 would mirror it monthly. In other words, we can “mirror” to multiple locations on different schedules (meaning mirroring isn’t necessarily a 2 drive thing).

Yes, that’s a lot of drives and a bit of brute force, but it would provide the protection needed. The graphic nearby shows the section of the NetSwap web configuration page used to set this all up.
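The reasoning above about the "mirror window" and staggered schedules, as an added example that is not High-Rely code or part of the original article: a Python sketch that, given when an infection started and when it was noticed, reports which scheduled-mirror drives still hold a clean point-in-time copy. The start date, the 1200 GB volume size, the 28-day "monthly" period, the function names and the model itself (a run copies whatever is on the main volume, and the drive is unreachable between runs) are assumptions; the 300 GB per hour rate is the article's figure.

```python
from datetime import datetime, timedelta

RATE_GB_PER_HOUR = 300  # rate quoted in the article for smaller systems
FIRST_RUN = datetime(2024, 1, 5, 17, 0)  # constructed: a Friday, 5pm
# Constructed schedule following the article's drive 3/4/5 example.
SCHEDULES = {
    "drive 3 (nightly)": timedelta(days=1),
    "drive 4 (weekly)": timedelta(days=7),
    "drive 5 (monthly)": timedelta(days=28),  # assumption: "monthly" = 4 weeks
}

def mirror_duration(volume_gb, rate=RATE_GB_PER_HOUR):
    """Time a full remirror keeps the drive online."""
    return timedelta(hours=volume_gb / rate)

def last_run_start(first_run, period, now):
    """Most recent scheduled start at or before `now` (None if not yet run)."""
    if now < first_run:
        return None
    return first_run + ((now - first_run) // period) * period

def drive_status(period, duration, infected_at, detected_at):
    """Classify one scheduled-mirror drive at the moment of detection.

    Model (assumption): a mirror run copies whatever is on the main volume,
    and the drive is unreachable between runs.
    """
    start = last_run_start(FIRST_RUN, period, detected_at)
    if start is None:
        return ("never mirrored", None)
    if start + duration <= infected_at:
        return ("clean", start)      # last run finished before the infection
    return ("at risk", start)        # online during, or mirrored after, infection

def survey(infected_at, detected_at, volume_gb=1200):
    duration = mirror_duration(volume_gb)
    return {name: drive_status(period, duration, infected_at, detected_at)
            for name, period in SCHEDULES.items()}

if __name__ == "__main__":
    cases = {
        "hit mid-week": (datetime(2024, 1, 17, 10), datetime(2024, 1, 18, 9)),
        "hit inside the Friday mirror window":
            (datetime(2024, 1, 12, 18), datetime(2024, 1, 13, 8)),
    }
    for label, (infected, detected) in cases.items():
        print(label)
        for name, (state, point) in survey(infected, detected).items():
            print(f"  {name}: {state}, last mirror started {point}")
```

In the second case only the drive on the longest schedule is still clean, which is why a single scheduled mirror is exposed when the infection lands inside its mirror window.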