UrBackup protects against ransomware
UrBackup protects your devices against ransomware if you keep a few things in mind when setting it up:
- Use a unique password for the users on the UrBackup server, especially for the “admin” user. We are not aware of any ransomware that actively deletes backups from UrBackup servers via the web interface, but it is theoretically possible if the users on the server use a weak password or the same password that the ransomware already used to spread.
- Don’t connect the server OS, storage, etc. to your Active Directory. Ransomware may already be spreading by using admin accounts on your Active Directory. You don’t want it to be able to spread to your backup server this way! If you run the UrBackup server in a VM, you also don’t want to connect the VM hypervisor to Active Directory.
In general it is useful to have this image in mind when evaluating risks w.r.t. backups:
There are many risks to the data stored on the clients, for example (red section):
- The client disk may break
- If it is a laptop, it might get stolen, lost or damaged by accident
- Ransomware attack encrypts all data on the client
Similarly there are many risks to the data stored on the server, for example (blue section):
- Server disks may break
- Electrical surge
- Someone hacks in and deletes all the data
You want to eliminate/reduce those risks (e.g. by using RAID), especially those that occur frequently or are easy/low cost to reduce.
What you should be most concerned about, however, are the risks that affect both simultaneously, for example (intersection between red and blue section):
- Ransomware attack encrypts all data on client and server because it can get access to both by taking over Active Directory
- Electrical surge destroys both client and server disks
- Asteroid destroys both client and server, because they are on the same continent
Make a list of those risks, reduce them if possible (e.g. by having a unique, separate admin password or surge protection for client or server) and then judge if they are rare enough or can be ignored (one probably has other problems if an asteroid destroys a continent).
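The list-making exercise above can be done mechanically once each machine's dependencies are written down. The following is an added example, not part of UrBackup; the asset names and the inventory are constructed. It follows each side's dependencies transitively and reports the ones in the intersection, including indirect ones such as a hypervisor that is joined to Active Directory.

```python
from collections import deque

# Constructed sample inventory: each asset lists what it depends on or trusts.
DEPENDS_ON = {
    "client-pc": ["active-directory", "office-power"],
    "backup-server-vm": ["hypervisor", "urbackup-admin-password", "office-power"],
    "hypervisor": ["active-directory", "server-room-ups"],
}


def failure_domains(asset, graph):
    """Map each direct or transitive dependency of `asset` to the path reaching it."""
    paths = {}
    queue = deque((dep, [asset, dep]) for dep in graph.get(asset, []))
    while queue:
        dep, path = queue.popleft()
        if dep in paths:  # already reached by a shorter path; also stops cycles
            continue
        paths[dep] = path
        for nxt in graph.get(dep, []):
            queue.append((nxt, path + [nxt]))
    return paths


def shared_risks(client, server, graph):
    """Dependencies common to client and server, with the path from each side."""
    c = failure_domains(client, graph)
    s = failure_domains(server, graph)
    return {dep: (c[dep], s[dep]) for dep in sorted(c.keys() & s.keys())}


def report(client, server, graph):
    """One line per shared dependency, showing how each side reaches it."""
    lines = []
    for dep, (cpath, spath) in shared_risks(client, server, graph).items():
        lines.append(f"{dep}: {' -> '.join(cpath)} | {' -> '.join(spath)}")
    return lines


if __name__ == "__main__":
    for line in report("client-pc", "backup-server-vm", DEPENDS_ON):
        print(line)
```

Removing "active-directory" from the hypervisor's entry leaves only the shared power supply in the result, which is the kind of risk the surge-protection advice addresses.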
UrBackup is better than other backup software at protecting you from ransomware
Again, looking at the picture above, other backup software often fails at keeping backup (server) and backup source (client) sufficiently independent:
- Backups are stored to attached/local disks: Ransomware encrypts/formats all attached disks
- Backups are stored to network attached storage: Ransomware encrypts network attached storage
- Backup software that allows deletion of past backups from the backup source (client): Ransomware deletes backups
- In general, if the client can delete old backups, they are not sufficiently independent. Even if the backup software obfuscates deletion, it is only a matter of time or cost/benefit till ransomware authors circumvent the deletion protection
The independence goes the other way as well. If an attacker/ransomware takes over your backup server, it should not be possible to affect data on the backup source (client). Specifically, it should not be possible to:
- Set up arbitrary pre-/post-backup scripts from the server that may delete/encrypt data on the client
- Initiate restores from the server, which may restore garbage/encrypted data to the client
- Run arbitrary software on the clients via an update mechanism
- Back up via an arbitrary command channel (e.g. SSH) that allows the server to destroy data on the client
Other important configuration w.r.t. UrBackup and ransomware
In general, but also to protect against ransomware:
- Back up as frequently as possible, otherwise you might only have outdated backups in case they are needed
- Make sure that all the data that needs backups/is sufficiently important is actually included
- Keep enough old backups around, so that if affected by ransomware you have a backup that you can go back to before infection. If necessary use the archival feature
- Make sure backups run. Configure e-mail notifications, use the alert feature and set it up to mail you backup failures in the “Logs” section