Ransomware Protection in CloudBerry Backup 5.8

Ransomware has been a growing problem for businesses and consumers this past year. Ransomware attacks disrupt normal business continuity by encrypting important business documents (or personal files like pictures, video, and documents) and demanding ransom to recover the data. You either recover by paying the ransom or manually restoring backups, if you have them. To help protect customer backups, we implemented ransomware protection functionality in CloudBerry Backup 5.8.


The new feature is designed to protect a customer's existing good backups from being overwritten by encrypted ones because of a ransomware attack. If you are ever infected with this type of malware, the last thing you want is to have your good backups overwritten with ransomware-encrypted ones.

CloudBerry Backup now detects encryption changes in files and prevents existing backups from being overwritten until an administrator confirms whether there is an issue. Let’s dive deeper into the underlying process.

When you enable ransomware protection in a backup plan, two things happen:

  1. CloudBerry performs the initial backup and efficiently analyzes the bit structure of each file to determine if the file is encrypted.
  2. During subsequent backups, we compare the original byte structure to the current byte structure. This allows us to identify any newly encrypted files. The backup plan completes normally; however, we prevent existing backups from being deleted, regardless of retention policies. This way, existing good backups are protected and are available for restore.
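
The two steps above, as an added example that is not CloudBerry's code: the page does not say how the byte structure is analyzed, so Shannon entropy over the first 64 KB of each file with a 7.5 bits/byte threshold is an assumption, as are all function names and the constructed sample data.

```python
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits/byte; assumed cut-off for "looks encrypted"
SAMPLE_BYTES = 64 * 1024  # assumed: only the head of each file is sampled

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes) -> bool:
    return shannon_entropy(data[:SAMPLE_BYTES]) >= ENTROPY_THRESHOLD

def build_baseline(files: dict) -> dict:
    """Step 1: on the initial backup, record each file's byte-structure verdict."""
    return {path: looks_encrypted(data) for path, data in files.items()}

def scan_backup_run(baseline: dict, files: dict) -> set:
    """Step 2: flag files that were plain at baseline and look encrypted now."""
    flagged = set()
    for path, data in files.items():
        now = looks_encrypted(data)
        if not baseline.setdefault(path, now) and now:  # new files just get a baseline
            flagged.add(path)
    return flagged

def purge_candidates(expired: list, flagged: set) -> list:
    """Retention may only delete versions of files that are not flagged."""
    return [(path, ver) for path, ver in expired if path not in flagged]

def pseudo_random(seed: bytes, size: int = SAMPLE_BYTES) -> bytes:
    """Constructed stand-in for ciphertext or compressed data (SHA-256 stream)."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(size // 32))

# Constructed sample data, not taken from any real backup set.
INITIAL = {"report.txt": b"Quarterly revenue report, draft 3.\n" * 2000,
           "photo.jpg": pseudo_random(b"jpg")}
AFTER = {"report.txt": pseudo_random(b"enc"),     # was text, now high entropy
         "photo.jpg": pseudo_random(b"jpg-v2")}   # high entropy before and after
EXPIRED = [("report.txt", 1), ("photo.jpg", 1)]   # versions retention would purge

if __name__ == "__main__":
    baseline = build_baseline(INITIAL)
    flagged = scan_backup_run(baseline, AFTER)
    print("flagged:", sorted(flagged), "purge allowed:", purge_candidates(EXPIRED, flagged))
```

A file that is already high-entropy at baseline, like the constructed photo.jpg, never trips this heuristic, so entropy alone is not a complete detector.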

Enabling Ransomware Protection

Ransomware protection must be enabled in the Backup Wizard and is currently supported only for File-Level Backup. Launch the Backup Wizard and select the Enable ransomware protection option.

Once the plan is saved, you'll see a "lock" icon for any plan with ransomware protection enabled.

If encryption changes are detected, any deletes from backup storage will be disabled for flagged files. Admins can quickly see a list of all affected files and approve any false-positive detections.

You can manually inspect those files in Windows / File Explorer using the Show in Folder option. If you want to remove the most recent backup of an affected file from backup storage, select the file and click Delete.

If you click Cancel, purge settings for any affected files will continue to be disabled and those files will remain in the list.

You can also be notified with an email that lists all flagged files.