Anti Ransomware Backup Strategy

Post by ittayd »

I'm looking for an anti-ransomware backup strategy. The QNAP is now off of the internet, and I've managed to restore everything from the cloud. However, I want a physical backup in case this happens again. One way is to physically attach a drive every month or so, run the backup and then detach it. Are there better alternatives?

Re: Anti Ransomware Backup Strategy

Post by john.woody »

I have 2 external hard drives which I use on alternate months.
Disk 1: Jan, March, May...
Disk 2: Feb, Apr, Jun...
The disk not being used is in a fireproof safe.
I start the month with a full backup and then do incrementals through the month.
My critical db files for business are also uploaded to my OneDrive vault every month, and all my website files are also on a web server.
My NAS is in my office so I can connect my laptop over LAN and do backups easily enough, then disconnect the backup drive.
HTH
Qnap TS251+ 8Gig RAM 2 * 2Gig WD Red HHD RAID1

Re: Anti Ransomware Backup Strategy

Post by buffalo.bills »

I had similar thoughts to ittayd in mind when I was asked to set up a new shared drive for a "client" after their Windows servers were attacked. Since this client was using the servers as simple file-sharing servers, I thought a manageable, intuitive NAS would be better for this business, given how they were using a shared drive. Also, it was important to keep the shared drive the way it had been for the past 10 years--meaning nothing new, no new drive letter, no sync--just replace the shared drive, bringing it up to the year 2022 without it looking different. Everyone in the office is used to drive letter S for the shared folder, mapped from each workstation to the centralized file server. And server 1 copied to server 2. The client's data (and it was all important) totaled 697GB.

So, I purchased a 6-bay QNAP and grouped the bays into 3 groups, each group having RAID 1. For discussion's sake I will call them volume 1, volume 2, and volume 3, each volume with RAID 1. I also purchased 6 IronWolf 8TB drives--just because of their 7200 RPM spec.

I read that RAID is not a backup.

Volume 1 has the main data in the folder named "DATA." And at the end of the day the entire "DATA" is mirrored to "DATA_daily."
Volume 2 has "DATA_Wednesday" for copying from "DATA" every Wednesday, and "DATA_Sunday" for Sunday's copy.
Volume 3 has "DATA_Weekly" for copying "DATA" every Saturday.
And Volume 3's "DATA_Weekly" is backed up to cloud storage before Monday.

My train of thought is to copy the main data on Sundays before the work week begins. And the best-case scenario is that data can be restored from Wednesday or Sunday, because ransomware would most likely infect and be discovered during the week. The loss of data is only a few days back.

The worst-case scenario is that the ransomware goes undetected for longer than a few days; then the weekly copy should provide a good restore, only setting us back a week. And if they are all compromised, the cloud storage would become the only hope. The cloud storage offers 30 days of versioning.

The daily copy of the data is instead of a data snapshot. All this may be, perhaps, overkill, but I will not be managing the setup on a regular basis. And I cannot depend on someone at the office to physically insert, swap, or do any kind of action to handle a USB drive. And finally, at their request, in case I get hit by a bus, someone at the office can follow written instructions on how to restore or retrieve company data if anything goes wrong. This is where the daily copy might come in handy instead of a snapshot. Just copy from folder B to folder A.

I am posting to help myself understand how ransomware might spread. Am I on the right track for protecting the data? I am solely depending on the hope that ransomware will not jump from volume 1 to volume 2, because any given workstation is mapped only to volume 1. The only way to spread in the QNAP is by copying the infected files from volume 1. Thus, those multiple copies were constructed. QNAP antivirus and malware detection apps are installed. The QNAP is not open to the WAN.

Help me to structure better, if not, help me to feel better.
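The rotation described in the post above can be checked against different infection and detection dates. The following is an added example, not code from any poster; it assumes each copy job overwrites its folder at the end of its scheduled day, that the cloud upload of "DATA_Weekly" runs on Sunday, and that all jobs stop on the day the infection is detected.

```python
from datetime import date, timedelta

# Schedule from the post: folder -> weekday of its copy job (Mon=0 .. Sun=6);
# None means every day. Each run overwrites the previous copy.
LOCAL_JOBS = {"DATA_daily": None, "DATA_Wednesday": 2, "DATA_Sunday": 6, "DATA_Weekly": 5}
CLOUD_UPLOAD_WEEKDAY = 6   # assumption: "before Monday" means a Sunday upload
CLOUD_RETENTION_DAYS = 30  # versioning window stated in the post


def last_run(weekday, before):
    """Latest scheduled run strictly before `before` (jobs run at end of day)."""
    d = before - timedelta(days=1)
    while weekday is not None and d.weekday() != weekday:
        d -= timedelta(days=1)
    return d


def restore_points(infected, detected):
    """Return {copy name: date of the data it holds} for copies that are still clean.

    Model (assumptions): files are encrypted during `infected`; any job that runs
    at the end of that day or later mirrors encrypted data; jobs stop on `detected`.
    """
    clean = {}
    for name, weekday in LOCAL_JOBS.items():
        run = last_run(weekday, detected)
        if run < infected:
            clean[name] = run
    # The cloud keeps one version per upload; each holds the previous Saturday's copy.
    upload = last_run(CLOUD_UPLOAD_WEEKDAY, detected)
    while (detected - upload).days <= CLOUD_RETENTION_DAYS:
        holds = last_run(LOCAL_JOBS["DATA_Weekly"], upload)
        if holds < infected:
            clean["cloud@" + upload.isoformat()] = holds
            break  # the newest clean version is enough
        upload -= timedelta(days=7)
    return clean


def best_restore(infected, detected):
    """Newest clean copy as (name, data date), or None if every copy is encrypted."""
    clean = restore_points(infected, detected)
    return max(clean.items(), key=lambda kv: kv[1]) if clean else None
```

With constructed dates, a two-day dwell time leaves "DATA_Sunday" as the newest clean copy, a nine-day dwell time leaves only an older cloud version, and a dwell time longer than the 30-day versioning window leaves nothing clean in this model.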

Re: Anti Ransomware Backup Strategy

Post by dolbyman »

Problem is... never back up to internal disks... if the NAS dies, those will be inaccessible (you cannot read them like you could external backup drives)

Re: Anti Ransomware Backup Strategy

Post by Moogle Stiltzkin »

ittayd wrote: Thu Jan 20, 2022 5:13 pm
I'm looking for an anti-ransomware backup strategy. The QNAP is now off of the internet, and I've managed to restore everything from the cloud. However, I want a physical backup in case this happens again. One way is to physically attach a drive every month or so, run the backup and then detach it. Are there better alternatives?

honestly, my approach to this is that prevention is better than the cure.

here are some of my strategies

- i don't expose my nas online. i don't even do remote over the internet. but if you are someone that needs remote access, use a vpn (vpn server from either router or raspberrypi) ideally

- i run a virus/malware scan on stuff i am unsure of before storing it on the nas. but for the most part, i don't download anything dodgy to begin with. less chance for infection.

- network maintenance. i update everything.... and regularly. all devices on the network are updated, such as the router, pc, nas, laptops, smartphones, everything. i also segregate my network to separate the private lan from the guest network (the latter used for guest devices, and insecure devices that need the internet)

- i keep backups. But how i do backups is, i do them manually, and i space them out. the reason i don't immediately update is because i leave a time gap. This way if i do detect some sort of malware infection, my backup could have a higher chance of not being affected, because i leave a time gap before i refresh my backup. The downside is, my backups are not always up to date. But for me, as long as the backup is good enough without me being regretful for losing something, then that's ok. If i need to back up because i don't want to lose something i just stored, i will back up then. but normally i space things out every 2-4 times in a year for a full backup

- when qts no longer has security patches, i will either upgrade to a new nas or replace it with an alternative os like truenas. or i'll strictly use the nas in lan only. i own some old nas models i still use strictly on lan only, and haven't had a problem with them (but have to be careful they aren't exposed online because of vulnerabilities that may not have been patched)

- if i suspect some sort of infection, i'll just reflash the firmware, factory reset, (maybe even reflash the dom if i have to), and wipe the drives/ssds. but usually before people resort to that, they usually run the malware remover app first, although i'm not sure how effective it is
https://wiki.qnap.com/wiki/Firmware_Recovery

- qnap also suggests using the ransomware protection by enabling snapshots. i enabled snapshots but i'm honestly not sure how effective it will be