Backups and ransomware

Hi, in preparation for getting a new mac I made up a backup strategy that should fit my needs (that is: automatic backup to one always attached SSD and manual backup to two HDDs, one onsite, one offsite, each only attached when necessary. I may be adding an online backup via ChronoSync, preferably to iCloud+).

However, at the moment there’s no protection against ransomware included - other than me recognizing that between swapping the on-/offsite HDDs a backup HDD was infected.

I know one should verify backups by testing some files, but that doesn’t protect against a partially successful ransomware attack as one could test files that were not encrypted yet, leading to the wrong assumption that the backup is fine.

Researching I found that some tools use canary files:

Similar to how miners used canaries in coal mines to detect carbon monoxide, this feature deploys canary files in various directories and monitors them for changes. When the Huntress Agent detects that a canary file has been altered, renamed, or deleted (such as by ransomware encryption), it will alert our Threat Operations Team.

Ransomware Canaries Technical Details – Huntress Product Support

It should be possible to build something similar (and to run this before a backup is done, or even better before a backup HDD is even attached), however before trying that I’d first like to know:

How do you protect your backups against ransomware?

My backups are incremental versions
The versions go back weeks/months/…
The latest versions may be corrupted, but I can restore a previous version
I use Arq Premium, storing backup files in the cloud

Ransomware can encrypt attached SSD/HDD and afaik even iCloud (and probably any other online storage).

The HDDs are big enough to hold years of backups, however everything is gone if I attach them and ransomware encrypts the whole drive.

If possible I’d like not to pay for extra online backup tools (as it could be done via ChronoSync to iCloud).

Remember to consider the viability of a synced iCloud folder system as backup. Change something on the local drive (you or the bad guys), and the change automatically ripples up to iCloud on next sync.

I don’t rely on any synced service for backup. Just me, though.


I don’t. Simply because I do not think that I might be a victim. May be naively, but I think the ransomware people have bigger fish to fry. Although the number of macOS installations has grown considerably in the last 10 or so years, Windows is by far more interesting to attack simply because of its sheer number.

Maybe I’m naïve or careless.
BTW, the dead canaries didn’t really help many miners, afaik. Better ventilation did.


:see_no_evil:

I make monthly complete backups to WORM media (specifically: one Blu-ray Disc per month).


Thanks! I didn’t really look into online backup yet (and it would be just an additional layer), however I read that one should use an extra iCloud account. As one (probably) can’t use two iCloud accounts in parallel the second account would be only accessible for ChronoSync backups. However, no idea yet whether that’s true and even possible.

I’m not really afraid about ransomware … but in case my mac would be infected and I didn’t recognize it before swapping the on-/offsite backup HDDs then I would be in real trouble. Better safe than sorry :slight_smile:

Ha! I’ve read a lot of your posts about backups and thought you were using tape instead of Blu-ray. Even looked into tape backup, however the hardware seems quite expensive, so this was no option.

Would you share what Blu-ray drive and software you use? Seems one could simply use Finder or Disk Utility, no idea whether an extra app would have benefits over those built-in ways to burn Blu-ray.

As long as you look into and accept the real risks of using a sync service for backup as not providing backup, … well, I wouldn’t do it.

Remember: with a sync service, if you, a computer flaw, or bad guys mess up your computer (accidentally delete files, deliberately delete files but then need them back, file corruption, ransomware, whatever …) on next sync that problem goes into your backup on the sync service which eliminates your backup as being viable.

Research and use the 3-2-1 backup method. Well documented and discussed for years on the 'net.

Not sure I understand. I’m not planning to use any cloud storage to actually sync. Online backup via ChronoSync would be just that: a backup (with archive), the same way one can use ChronoSync to backup to SSD or HDD.

I’ve now checked in ChronoSync in which way an iCloud account can be set as the backup destination. Unfortunately it’s only possible to select the destination via the open dialog’s sidebar, i.e. the iCloud account needs to be “mounted”. Which probably means ransomware could access this account too, so using a second iCloud account isn’t a good idea.

But ChronoSync also offers online backup to e.g. amazon, and for those other online storage vendors it’s only necessary to provide a URL, a password etc., i.e. it seems these could be used without mounting them in the Finder. Which means the only place where this online storage could be accessed would be through ChronoSync - and I doubt (and hope) that ransomware somehow would use ChronoSync to destroy online storage that’s used to back up via ChronoSync.

I have

  • one SSD (always attached)
  • two HDDs (on-/offsite, only attached when necessary)

I’ll add

  • Blu-ray

I’ll probably add

  • online backup via ChronoSync

With that the 3-2-1 backup should be covered, I think.

Oh. You kept mentioning iCloud which is a sync service.

Sure, in the first place iCloud is a bidirectional sync service. However, as far as I know there’s no need to use it like that. I don’t see a reason why one couldn’t use it for backups (apart from the fact that ChronoSync expects an iCloud account to be “mounted”, which probably makes it accessible for ransomware).

I’m really not sure whether I’m missing something. Is it generally a bad idea to use services like iCloud or Dropbox (which of course are both sync services - but in this context I’m looking at them as online storage providers) for backups? There would be only ever a one way sync from the mac via ChronoSync into the cloud. No other device would be connected to this online storage.

You sound like you have a handle on it. So many people, though, seem to think using a sync (bi-directional) is backup and I was just wanting to clarify that. Go for it, I guess. [I prefer other remote backup services, though. Just me.]


Thanks!

I use a VERBATIM 43888 Externer Slimline Blu-ray-Writer with VERBATIM BD-R DL Blu-ray 50 GB Inkjet printable disks (links to both can be provided by PN on request). I use Finder to burn; my databases are encrypted, so I just copy and burn.


My understanding is that my Arq cloud backups will not be impacted by a ransomware attack on my Mac; they are not stored on a directly connected drive.


In order to have (at least) one backup medium that can’t be affected by ransomware

  • I first thought of online backup via ChronoSync.app
    However, simply backing up to some cloud storage probably does not guarantee that clever ransomware couldn’t destroy that backup

  • Thanks to @Blanc I then thought about Blu-ray
    However, that would be a backup I would only do every month or so and it’s not automatic. But it’s surely a great option for an additional WORM backup and I’ll probably use it.

  • I now started an Arq Premium demo

Arq Premium

Arq Premium seemed to be an easy way to backup (especially as one doesn’t have to choose a cloud storage provider).

But it seems one can only be sure that Arq 100% protects against ransomware if one uses Immutable Backup Records:

AWS S3 and some S3-compatible storage providers like Backblaze B2, Minio, and Wasabi offer a feature called “object lock”. Arq can use this feature to make your backup records immutable and therefore immune from ransomware attacks.

Ransomware Protection

If an extra-clever ransomware attack finds a way to access your backup data at S3/B2/Wasabi, it will be unable to permanently delete the backup data.

Both quotes from Arq’s documentation Immutable Backup Records.

From those quotes I guess that without using the “Immutable” option there could be a way ransomware could destroy Arq backups.

Setting up the Arq Premium Demo for a test backup this is what I see in Arq preferences > Immutable …

… so Arq Premium which is advertised as “easiest” cannot create immutable records - which is very disappointing.

@DTLow, I’ve got no idea whether ransomware now (or in the future) could find a way to destroy Arq Premium backups, but it’s probably possible. So Arq’s “easiest” solution might not be what you (and I) have in mind when thinking of online backup that protects against ransomware.

So it seems if one wants to be 100% safe then looking for a cloud storage provider that offers “object lock” is the way to go.

Very disappointing … I only started the Arq Premium demo because it seems to be a “set and forget” option and I did not want to look for another cloud storage provider.

If someone can recommend a cloud storage provider for Arq that has simple conditions (looking at you Amazon) then please share!

fwiw the Arq backup software supports various storage providers
[screenshot: Arq’s storage provider list, “Screen Shot 2022-06-09 at 14.01.09”]

Thanks, I know that.

But which one of those supports “object lock” and has simple conditions?

If other users use a storage provider that has both,

  • object lock

and

  • “simple” conditions
    (I know that’s subjective, however Amazon’s conditions are from my point of view definitely not simple).

please let me know.

(I could of course check each provider, however I’ve already spent too much time for this whole “finding a good backup strategy” thing, so I’ll first wait whether other users recommend providers.)