Fighting ransomware with tape backup? experts and users weigh in

By Michele Hope

In the age of newfangled backup options, can tape still be the last line of defence against ransomware? Experts and users weigh in on the tape debate.

There's advice aplenty, especially on the internet, for organisations wondering what to do if ever a ransomware cybervillain should darket their digital door. Much of the advice comes from backup software vendors or cloud backup providers who describe the importance of digital backup in addressing attacks like these.

With such digital backup options available, should organisations supplement the fight against ransomware with tape backup? While it might surprise some, experts and users continue to make a compelling case for recovering from ransomware with tape backup.

Prevention Is Worth a Pound of Cure

Typically launched by an unsuspecting user who clicks the wrong link in a spear phishing email, ransomware proceeds to encrypt files on the infected machine while possibly infecting other unsuspecting systems on the network as well. The result can encrypt even some network-attached storage (NAS) servers, web servers, network file shares, connected backup files and even file sync/share services and other cloud shared drives. Ransomware even targets smartphones.

According to Dan Jan, Principal, Product Management at Iron Mountain, the best way to address ransomware is to prevent attacks from happening in the first place. After an attack occurs, organisations often struggle to pick up the pieces.

Ransomware: The Aftermath

Once an organisation's IT department hears of a ransomware attack on one or more of their systems, good security practice suggests disconnecting any infected systems from the network.

Now comes the hard part: What do you do with the encrypted systems? Organisations can either pay a digital ransom to the cyberthieves, who promise to decrypt the now-encrypted systems. Or they can start wiping and restoring infected systems.

Unfortunately, there are challenges with each scenario. Paying the ransom is generally not recommended by authorities. Some companies have even paid the ransom without gaining access to their encrypted files. But the restore option assumes the organisation actually has a backup of an earlier, known good state.

As many backups are now connected to the rest of the network and potentially in ransomware's line of fire, these can become encrypted and unusable, too. In fact, according to a Barkly survey of those who experienced a ransomware attack, only 42% were able to successfully recover from backup. One of the reasons? Backup drives also became encrypted.

Backup's Last Stand: Disconnected and Unplugged

Ransomware is not going away. It's also not always preventable and connected backups can also fall prey to ransomware. So what's an organization to do? The answer goes back to the basics of backup. Combating ransomware with tape backup starts to make sense.

According to Jan, backup's early 3-2-1 rule still applies: "You should have three total copies, two local on two different media (disk and tape, usually). Then, you get one copy off-site, unplugged," he says. "In this age of being plugged in, you still need a copy of your data that's unplugged." Everyone agrees to this in principle, he notes, but organisations still need to follow through and do it.

The Value of the Unplugged Copy

Jan refers to this unplugged copy as "offline", meaning the copy is completely disconnected to any network. A Tape Storage Council memo explains: "With tape, there is a gap' between the cartridge and the computer systems. Disk drives remain on-line and are particularly vulnerable to an attack." The memo goes on to say, "Tape technology prevents electronic cyberattack access to the data because a tape cartridge removed from the system is no longer accessible electronically."

Input From Real-World Users

Administrators on a backup software forum seem to feel particularly strongly about tape in regard to ransomware. "I always recommend using tape whenever possible as the last line of defence," said one poster. "I saw tape backup saving companies from the worst disasters so many times ... and I also saw every line of comprehensive disk-based protection strategy failing miserably, leaving users with unrecoverable data loss."

Another poster chimed in with what they considered the best protection against ransomware: "Offsite copies stored on tapes. Only such scenarios do guarantee that ransomware would not be able to access backup data."

Preplanning Rules the Day

Jan maintains that an unplugged copy could be offsite tape storage in a vault, optical media or even cloud storage that's physically removed from the primary data centre. Whatever offsite medium an organisation chooses, he stressed the importance of "fire drills" and preplanning ransomware recovery steps with a designated partner. "Consider putting together an audit. If you have to restore, how long would it take you?" he asked. "This can tell you if you have the right partner who could provide you the assistance you need at the right time."