{"id":12749,"date":"2019-10-26T05:52:55","date_gmt":"2019-10-26T05:52:55","guid":{"rendered":"https:\/\/www.sandbox.backupassist.com\/blog\/?p=12749"},"modified":"2022-05-25T23:18:33","modified_gmt":"2022-05-25T23:18:33","slug":"can-ransomware-infect-your-backup","status":"publish","type":"post","link":"https:\/\/www.sandbox.backupassist.com\/blog\/can-ransomware-infect-your-backup","title":{"rendered":"Can ransomware infect your backups? That&#8217;s like a leaking life raft!"},"content":{"rendered":"\n<p>There&#8217;s nothing worse than having a backup, getting hit with ransomware and <strong>still having to pay the ransom<\/strong>. So can ransomware infect and destroy your backup?<\/p>\n\n\n\n<p>Looking at the epidemic of ransom payments, it&#8217;s obvious that backups can fail with alarming regularity. And if you become a victim, it&#8217;s no different to skydiving with a torn parachute &#8211; at best you have an illusion of resilience, only to find out the truth too late.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">&#8220;Ransomware killed my backup!&#8221; &#8211; but how can this happen?<\/h2>\n\n\n\n<p>A few years ago, a sysadmin called our tech support hotline &#8211; and he was not having a good day. His company had suffered a ransomware infection, which rapidly encrypted files on the victim&#8217;s computer. <\/p>\n\n\n\n<p>So he stepped in to help&#8230; isolating the computer, booting into a recovery environment and running malware removal tools. 
After the computer passed all the tests, he rebooted and undertook the next step &#8211; to plug in the backup (which was a USB disk) and restore the encrypted files.<\/p>\n\n\n\n<p>And as he plugged in that backup USB disk&#8230; <strong>BANG.<\/strong> The ransomware sprang back to life, and started to encrypt the backup.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">So yes, your backups can be infected by ransomware.<\/h2>\n\n\n\n<p>As the hapless admin found out that day, ransomware can infect and corrupt any file connected to the infected machine, whether locally or via a network.<\/p>\n\n\n\n<p>This is an example of the <strong>most obvious way that ransomware can infect your backups &#8211; from the outside<\/strong> &#8211; encrypting the backup file(s) just like it would any other file. (In fact, we issued an alert about this back in December 2013, together with suggestions on how to mitigate the risks &#8211; <a href=\"https:\/\/www.sandbox.backupassist.com\/blog\/cryptolocker-and-the-backup-impact\">Cryptolocker and the backup impact<\/a>)<\/p>\n\n\n\n<p>This incident raises many questions:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>What mistakes did he make?<\/li><li>What should he have done?<\/li><li>How else can ransomware infect your backup?<\/li><li>Can someone else&#8217;s ransomware infection affect me?<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Backups should mitigate against having to pay ransoms. But how else can things fail?<\/h2>\n\n\n\n<p>There are obviously situations where backups can fail to recover &#8211; user error, silent failures, hardware failures&#8230; all these are great subjects for another blog.<\/p>\n\n\n\n<p>But when it comes to crypto ransomware, there are also many situations where the backups can be useless.<\/p>\n\n\n\n<p>It&#8217;s obvious with hindsight, but one key mistake is that the administrator trusted the malware removal tool too much. 
<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>What was done right<\/td><td>What was done wrong<\/td><\/tr><tr><td>1. Doing backups, and having an &#8220;air gapped&#8221; copy of data<br>2. Isolating the computer upon infection<\/td><td>1. Trusting the malware removal tool<br>2. Plugging a backup into a previously infected machine<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>We discuss the recommended ways of dealing with ransomware in our article, <a rel=\"noreferrer noopener\" aria-label=\"The Definitive Ransomware Protection Guide for Business in 2019 (opens in a new tab)\" href=\"https:\/\/www.sandbox.backupassist.com\/blog\/ransomware-protection-guide\" target=\"_blank\">The Definitive Ransomware Protection Guide for Business in 2019<\/a>.<\/p>\n\n\n\n<p>In the rest of this blog, let&#8217;s look at the other ways that ransomware can infect and destroy the effectiveness of your backups. Hint: they are not all obvious.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The hidden infection from within<\/h2>\n\n\n\n<p>Ransomware destruction <strong>inside<\/strong> of backups is just as big a problem, with similar consequences.<\/p>\n\n\n\n<p>It&#8217;s well known that ransomware will not just encrypt files on the locally infected machine, but it will also look for connected network shares and encrypt files on those shares. That&#8217;s precisely how a company&#8217;s server backups can get infected with sabotaged data.<\/p>\n\n\n\n<p>Let&#8217;s take this example &#8211; which is common among professional services firms such as accounting and legal.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>A small business runs an on-premises file server<\/li><li>Multiple workstations connect to that file server, and employees use a shared drive to store their data<\/li><li>Image backups are done on that file server, backing up the entire machine<\/li><\/ol>\n\n\n\n<p>One of the workstations then gets infected with ransomware. 
But it doesn&#8217;t spring into life immediately. Instead, it waits until the end of the day, when everyone has gone home, and it starts to encrypt the files on the file server.<\/p>\n\n\n\n<p>The problem is, the next time the backup runs on the file server, the backup will contain encrypted files. And as we know, backing up ransomed data is as useful as a torn parachute.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How backups can be rendered useless by ransomware<\/h2>\n\n\n\n<p>This scenario poses particular problems that can render the entire backup useless:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Most backup software will just dutifully back up what it&#8217;s told to back up. It doesn&#8217;t recognize that the source data might be corrupted. It just takes a copy of the source data.<br><\/li><li>If the size of the infection is huge, it might mean that all historical versions of the backups get automatically deleted because the backup destination doesn&#8217;t have enough room. <br><br>Normally, systems such as the built-in backup programs in Microsoft Windows and Apple Macs keep as much backup history as the backup destination allows, deleting old versions as needed. But because ransomware can infect large amounts of data very quickly, the next incremental backup will be huge and can displace all historical backups.<br><br>The other hidden fact is that encrypted data will not compress. So if your backup software uses compression, you&#8217;ll find that backups of infected data will occupy typically twice as much space as real data &#8211; again displacing old backups with garbage.<\/li><\/ol>\n\n\n\n<p>This leaves the unfortunate victim in the situation where the backups are useless.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">It&#8217;s not me; it&#8217;s you. 
Being a victim of someone else&#8217;s infection.<\/h2>\n\n\n\n<p>And while you might not have been hijacked by ransomware, the chances are &#8211; you know someone who has.<\/p>\n\n\n\n<p>And here&#8217;s why that&#8217;s a problem &#8211; as a friend of mine recently found out.<\/p>\n\n\n\n<p>Today we live in an interconnected world. We use file sync tools like OneDrive (which is even built into Windows) and Dropbox, which automatically sync between the cloud and your hard drive. <\/p>\n\n\n\n<p>If you are using such a file sync tool among a group of friends or colleagues and <strong>anyone<\/strong> in that group gets infected with ransomware, their copies of files will be encrypted. Their file sync app will then upload the garbage copies of the files to the cloud&#8230; and then your file sync app will sync those garbage copies from the cloud to your computer. Then the next time you back up, you&#8217;ll have garbage in your backups instead of the original files.<\/p>\n\n\n\n<p>Sometimes there are ways to retrieve the original files (for example, some premium plans offer extended historical file versioning), but often it&#8217;s difficult or time-consuming to restore large sets of data to a particular point in time, as you would do if restoring from backup.<\/p>\n\n\n\n<p>That&#8217;s simply the risk of living in a connected world. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">So what solutions are possible to preserve the backups?<\/h2>\n\n\n\n<p>As the creator of <a href=\"https:\/\/www.backupassist.com\/\">BackupAssist<\/a>, I&#8217;m well aware that backups need to be dependable. 
By 2016, it was clear to me that backup software was now playing a different role to what it had done traditionally, with far greater emphasis on resilience to cyber crime.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>The old risks of data loss<\/td><td>The new risks of data loss<\/td><\/tr><tr><td>Natural disaster<br>Fire<br>Theft<br>Employee sabotage<br>Hard drive theft<\/td><td>Ransomware<br>Hacking<br>Account compromise<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>So we embarked on an R&amp;D project to see what we could do to assist in the situation. Our ultimate goal was to protect the backups from corruption due to ransomware.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Innovation 1: the shield<\/h2>\n\n\n\n<p>Knowing that the only purpose of a backup is to enable a recovery, the foremost priority is to make sure that the backup remains intact and <strong>does not get corrupted from the outside<\/strong>.<\/p>\n\n\n\n<p>That led us to develop a software component that would shield the backup from unauthorized access. Testing this component proved successful, as we were able to block access to the backup from every strain of ransomware we could throw at it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Innovation 2: early detection<\/h2>\n\n\n\n<p>The second half of the puzzle is to make sure that only legitimate data files are backed up &#8211; that is to say, to make sure the backup <strong>does not get corrupted from the inside<\/strong>.<\/p>\n\n\n\n<p>Detecting the presence of ransomware-encrypted files in the source seemed easy at the start (leaning on my Computer Science background). By definition, encrypted files should be indistinguishable from random, and therefore should have high entropy. 
The same mathematical tests that determine if a random number generator is secure should also determine if a file is encrypted.<\/p>\n\n\n\n<p>However, while that sounded great in theory, in practice it was not very effective at detecting an infection. We found that many strains of ransomware actually produced files where the entropy was not that high. <\/p>\n\n\n\n<p>There are, of course, other signs that we can look for. For example, ransom notices repeated in multiple directories. There are also factors such as the nature of changes to a file system &#8211; volume, patterns, and so on.<\/p>\n\n\n\n<p>It turned out that looking for clusters of behaviour was the best way to detect an outbreak.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Putting it together<\/h2>\n\n\n\n<p>It&#8217;s our belief that ransomware should not be allowed to infect your backup if you truly want a dependable recovery point.<\/p>\n\n\n\n<p>In 2017, we launched our <a href=\"https:\/\/www.sandbox.backupassist.com\/solutions\/cryptosafeguard\" target=\"_blank\" rel=\"noreferrer noopener\">CryptoSafeGuard<\/a> feature in BackupAssist. It combines a shield and an early detector to help keep our clients safe, and their backups intact when they need them the most.<\/p>\n\n\n\n<p>The shield works 24\/7, monitoring access to the backup devices and blocking unauthorized access. It adds another layer of protection on top of the regular NTFS access control lists, which are not particularly effective against ransomware given that ransomware often has administrator or system level access.<\/p>\n\n\n\n<p>And the early detector works by looking for malicious activity at the time of backup. 
As soon as such activity is found, CryptoSafeGuard will send an SMS to the registered administrator and lock down the backups.<\/p>\n\n\n\n<p>Combining CryptoSafeGuard with multiple air-gapped backups (which come as default settings in BackupAssist) maximizes the chance of a successful recovery, with no need to pay the ransom.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">So will things be safe forever?<\/h2>\n\n\n\n<p>Can anyone be absolutely sure that ransomware will never infect their backup? I don&#8217;t believe so &#8211; only death and taxes are truly guaranteed. But this is, in fact, the wrong question to ask.<\/p>\n\n\n\n<p>Some better questions are &#8211; how can we reduce the risks of data loss and business downtime due to ransomware, and have we done all that we can? Is a solution like CryptoSafeGuard effective against practical attacks? Prior to widespread release, we commissioned an independent security test laboratory to verify the effectiveness of the solution, and we were very pleased with the results.<\/p>\n\n\n\n<p>And the work continues.<\/p>\n\n\n\n<p>We&#8217;ve entered a new age of computing where interconnectedness means we have both huge productivity and convenience benefits (such as the Cloud), but equally we have an entirely new set of risks to contend with.<\/p>\n\n\n\n<p>The reality is that whether we like it or not, we <strong>have<\/strong> entered an arms race, where the good guys and bad guys continually have to innovate and try to stay one step ahead. What is &#8220;safe&#8221; this year may not be safe next year, which is why it&#8217;s so important to stay up to date with security &#8211; including OS updates and, of course, updates to backup software.<\/p>\n\n\n\n<p>In our labs, we&#8217;ve continued our R&amp;D to protect backup data against ransomware, and we have many exciting avenues that are proving promising. 
But that&#8217;s a story for another time&#8230; <\/p>\n\n\n\n<p>CryptoSafeGuard Ransomware Protection is only available with an active <a href=\"https:\/\/www.sandbox.backupassist.com\/classic\/backupcare\">BackupCare<\/a> subscription, or with a <a href=\"https:\/\/www.backupassist.com\/er\/overview\">BackupAssist ER<\/a> license.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.sandbox.backupassist.com\/company\/contact-us\">Contact our Client Success Team<\/a> today to help you get started, or you can renew your BackupCare subscription <a href=\"https:\/\/www.sandbox.backupassist.com\/classic\/renew-backupcare\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When ransomware strikes, your backup should save you from paying the ransom. But can ransomware infect and corrupt your backup? The answer may surprise you.<\/p>\n","protected":false},"author":2,"featured_media":13045,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[757,4,22],"tags":[546,93,623,311],"class_list":["post-12749","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-resilience","category-dev","category-interest","tag-anti-ransomware","tag-backup","tag-cryptosafeguard","tag-ransomware"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Can ransomware infect your backup? - Cyber Resilience Blog<\/title>\n<meta name=\"description\" content=\"When ransomware strikes, your backup should save you from paying the ransom. But can ransomware infect and corrupt your backup? 
Yes, in multiple ways.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.sandbox.backupassist.com\/blog\/can-ransomware-infect-your-backup\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Can ransomware infect your backup? - Cyber Resilience Blog\" \/>\n<meta property=\"og:description\" content=\"When ransomware strikes, your backup should save you from paying the ransom. But can ransomware infect and corrupt your backup? Yes, in multiple ways.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.sandbox.backupassist.com\/blog\/can-ransomware-infect-your-backup\" \/>\n<meta property=\"og:site_name\" content=\"Cyber Resilience Blog\" \/>\n<meta property=\"article:published_time\" content=\"2019-10-26T05:52:55+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-05-25T23:18:33+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.sandbox.backupassist.com\/app\/uploads\/sites\/3\/2019\/10\/ransomware_infection.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1855\" \/>\n\t<meta property=\"og:image:height\" content=\"766\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Linus Chang\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Linus Chang\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.sandbox.backupassist.com\/blog\/can-ransomware-infect-your-backup#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.sandbox.backupassist.com\/blog\/can-ransomware-infect-your-backup\"},\"author\":{\"name\":\"Linus Chang\",\"@id\":\"https:\/\/www.sandbox.backupassist.com\/blog\/#\/schema\/person\/523a9a01769da254de228dbd4b1328d3\"},\"headline\":\"Can ransomware infect your backups? That&#8217;s like a leaking life raft!\",\"datePublished\":\"2019-10-26T05:52:55+00:00\",\"dateModified\":\"2022-05-25T23:18:33+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.sandbox.backupassist.com\/blog\/can-ransomware-infect-your-backup\"},\"wordCount\":1894,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.sandbox.backupassist.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.sandbox.backupassist.com\/blog\/can-ransomware-infect-your-backup#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.sandbox.backupassist.com\/app\/uploads\/sites\/3\/2019\/10\/ransomware_infection.jpg\",\"keywords\":[\"Anti Ransomware\",\"Backup\",\"cryptosafeguard\",\"ransomware\"],\"articleSection\":[\"Cyber Resilience\",\"Developer\",\"Interest\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.sandbox.backupassist.com\/blog\/can-ransomware-infect-your-backup#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.sandbox.backupassist.com\/blog\/can-ransomware-infect-your-backup\",\"url\":\"https:\/\/www.sandbox.backupassist.com\/blog\/can-ransomware-infect-your-backup\",\"name\":\"Can ransomware infect your backup? 
- Cyber Resilience Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.sandbox.backupassist.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.sandbox.backupassist.com\/blog\/can-ransomware-infect-your-backup#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.sandbox.backupassist.com\/blog\/can-ransomware-infect-your-backup#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.sandbox.backupassist.com\/app\/uploads\/sites\/3\/2019\/10\/ransomware_infection.jpg\",\"datePublished\":\"2019-10-26T05:52:55+00:00\",\"dateModified\":\"2022-05-25T23:18:33+00:00\",\"description\":\"When ransomware strikes, your backup should save you from paying the ransom. But can ransomware infect and corrupt your backup? Yes, in multiple ways.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.sandbox.backupassist.com\/blog\/can-ransomware-infect-your-backup#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.sandbox.backupassist.com\/blog\/can-ransomware-infect-your-backup\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.sandbox.backupassist.com\/blog\/can-ransomware-infect-your-backup#primaryimage\",\"url\":\"https:\/\/www.sandbox.backupassist.com\/app\/uploads\/sites\/3\/2019\/10\/ransomware_infection.jpg\",\"contentUrl\":\"https:\/\/www.sandbox.backupassist.com\/app\/uploads\/sites\/3\/2019\/10\/ransomware_infection.jpg\",\"width\":1855,\"height\":766},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.sandbox.backupassist.com\/blog\/can-ransomware-infect-your-backup#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.sandbox.backupassist.com\/blog\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Can ransomware infect your backups? 
That&#8217;s like a leaking life raft!\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.sandbox.backupassist.com\/blog\/#website\",\"url\":\"https:\/\/www.sandbox.backupassist.com\/blog\/\",\"name\":\"Cyber Resilience Blog\",\"description\":\"Protect Your Cloud Data with BackupAssist\",\"publisher\":{\"@id\":\"https:\/\/www.sandbox.backupassist.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.sandbox.backupassist.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.sandbox.backupassist.com\/blog\/#organization\",\"name\":\"Cyber Resilience Blog\",\"url\":\"https:\/\/www.sandbox.backupassist.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.sandbox.backupassist.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.sandbox.backupassist.com\/app\/uploads\/sites\/3\/2019\/09\/BA-Logo-Full-Logo.svg\",\"contentUrl\":\"https:\/\/www.sandbox.backupassist.com\/app\/uploads\/sites\/3\/2019\/09\/BA-Logo-Full-Logo.svg\",\"caption\":\"Cyber Resilience Blog\"},\"image\":{\"@id\":\"https:\/\/www.sandbox.backupassist.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.sandbox.backupassist.com\/blog\/#\/schema\/person\/523a9a01769da254de228dbd4b1328d3\",\"name\":\"Linus Chang\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.sandbox.backupassist.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/58a69ed0d0b9928d91dec6132dccfb646cc4230839af779f185531c722b0d017?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/58a69ed0d0b9928d91dec6132dccfb646cc4230839af779f185531c722b0d017?s=96&d=mm&r=g\",\"caption\":\"Linus 
Chang\"},\"description\":\"*Founder &amp; Creator, BackupAssist* Linus Chang has been writing software since he was eight years old. He founded BackupAssist in 2002 \u2014 making him one of the longest-standing voices in Windows backup and data protection \u2014 and has spent the decades since talking to IT administrators around the world about what actually goes wrong, and why. His interest in data loss isn't abstract. Early in his career, he was working at the Monash University help desk when a student came in with a floppy disk that wouldn't read. They tried everything. None of their drives could read it either. The disk held her entire PhD dissertation \u2014 years of work \u2014 and it was the only copy. She broke down in tears. There was nothing he could do. Five years later, he wrote the first version of BackupAssist. Linus holds a Bachelor of Science in Computer Science and has held Microsoft Certified Solution Developer and Sun Certified Java Programmer credentials. More recently, he has completed digital forensics and cyber-security courses through the Black Hat Conference. He has spoken on information security and cryptography at Infosecurity Europe, addressed politicians and policymakers at Australian Parliament House, presented to SMB IT administrators at the IT Pro Experts Conference, and served as a guest lecturer to Cyber Security master's students at the University of Melbourne. On this blog, Linus writes about backup strategy and the technical side of cyber-resilience \u2014 drawing on 24 years of product development and direct conversation with the IT professionals BackupAssist is built for. [Connect with Linus on LinkedIn](https:\/\/www.linkedin.com\/in\/linuschang\/)\",\"url\":\"https:\/\/www.sandbox.backupassist.com\/blog\/author\/linus-chang\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.sandbox.backupassist.com\/blog\/wp-json\/wp\/v2\/posts\/12749","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sandbox.backupassist.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sandbox.backupassist.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sandbox.backupassist.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sandbox.backupassist.com\/blog\/wp-json\/wp\/v2\/comments?post=12749"}],"version-history":[{"count":30,"href":"https:\/\/www.sandbox.backupassist.com\/blog\/wp-json\/wp\/v2\/posts\/12749\/revisions"}],"predecessor-version":[{"id":18967,"href":"https:\/\/www.sandbox.backupassist.com\/blog\/wp-json\/wp\/v2\/posts\/12749\/revisions\/18967"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.sandbox.backupassist.com\/blog\/wp-json\/wp\/v2\/media\/13045"}],"wp:attachment":[{"href":"https:\/\/www.sandbox.backupassist.com\/blog\/wp-json\/wp\/v2\/media?parent=12749"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sandbox.backupassist.com\/blog\/wp-json\/wp\/v2\/categories?post=12749"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sandbox.backupassist.com\/blog\/wp-json\/wp\/v2\/tags?post=12749"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}