BackupAssist CryptoSafeGuard

CryptoSafeGuard is a cyber-resilience feature designed to protect backups from ransomware attacks and to prevent ransomware-encrypted files from being backed up. CryptoSafeGuard is available for BackupAssist 10.1 (or newer) clients with valid BackupCare.

What is ransomware?

Ransomware is malware that encrypts files and demands payment to provide the decryption key so you can access those files again. Ransomware can spread across connected machines and can disable them completely, so infected machines will often need to be recovered from a backup. It is therefore important that your backups are not infected, which is why CryptoSafeGuard is such an invaluable feature.

What does CryptoSafeGuard do?

To protect your systems against ransomware attacks, it’s critical that you have reliable backups so you can restore data or recover your entire system. However, when ransomware attacks your systems, it can also infect your backups, leaving them unusable. CryptoSafeGuard protects your backups from ransomware using two important features: the CryptoSafeGuard Detector and the CryptoSafeGuard Shield.

CryptoSafeGuard overview

The first time you run a job with CryptoSafeGuard enabled, it will scan files modified in the last 3 months. This scan may take some time depending on the amount of data being backed up. Subsequent scans will be incremental and a lot faster, with minimal impact on the jobs’ run times. When you start using CryptoSafeGuard there will be a per-job grace period, and if a job detects possible ransomware, a warning will be displayed but the backup jobs will not be blocked. The grace period for a job lasts until the job has 3 consecutive clean scans. Grace period warnings will display a yellow banner in the BackupAssist UI.

After the grace period, the banner will be red and indicate that all backup jobs have been blocked from running. Clicking on the banner opens a dialog that can be used to confirm an infection by selecting Yes or No. If you select No, the dialog will allow you to whitelist the suspicious files. The current whitelist can be opened from both the Backup home page and the Settings tab, and allows you to review and edit the existing whitelist.

Enabling CryptoSafeGuard

CryptoSafeGuard is available for all BackupAssist users who have BackupAssist 10.1 or later and an active BackupCare subscription. Not sure if your BackupCare has expired? Find out here. If you’ve updated your BackupCare subscription, your installation of BackupAssist will need to be online so the licensing server can tell your BackupAssist installation to make CryptoSafeGuard available.

Once CryptoSafeGuard is available in BackupAssist, you should check that you have CryptoSafeGuard enabled by following the steps outlined in this section. If your backup jobs are currently blocked due to a potential ransomware infection, they will be unblocked if CryptoSafeGuard is disabled.

Note: When your backup destination is a NAS or network share, it should be secured using best practice data security. This means only machines running BackupAssist and CryptoSafeGuard should have access to the folders that the backups are in, and those folders should only allow access to the Backup User Identity.
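
One way to check the access restriction in the note above, as an added example that is not BackupAssist's own tooling: a PowerShell function that lists every identity other than the Backup User Identity holding an Allow entry on the backup folder or its subfolders. The function name, the scratch folder and the use of the current user as a stand-in for the Backup User Identity are assumptions for the demo.

```powershell
# Added example (not part of BackupAssist): report identities that can reach
# a backup destination folder but are not on the allowed list.
function Get-UnexpectedBackupAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,            # backup folder (local or UNC)
        [Parameter(Mandatory)] [string[]] $AllowedIdentity  # e.g. the Backup User Identity
    )

    $root    = Get-Item -LiteralPath $Path
    $folders = @($root) + @(Get-ChildItem -LiteralPath $Path -Directory -Recurse)

    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        foreach ($rule in $acl.Access) {
            # Deny entries only restrict access, so they are not findings.
            if ($rule.AccessControlType -ne 'Allow') { continue }
            # -contains compares strings case-insensitively.
            if ($AllowedIdentity -contains $rule.IdentityReference.Value) { continue }
            # Below the root, inherited entries repeat the parent's entries;
            # report only permissions set explicitly on the subfolder.
            if ($folder.FullName -ne $root.FullName -and $rule.IsInherited) { continue }

            [pscustomobject]@{
                Folder    = $folder.FullName
                Identity  = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Constructed demo: a scratch folder stands in for the backup destination and
# the current user stands in for the Backup User Identity (both assumptions).
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'backup-acl-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Every row returned is an identity to justify or remove from the folder's ACL.
Get-UnexpectedBackupAccess -Path $demo -AllowedIdentity $me |
    Format-Table -AutoSize
```

This reads NTFS permissions only; share-level permissions on the NAS or file server are configured separately and need their own review.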

CryptoSafeGuard's Grace Period

CryptoSafeGuard has a grace period, within which a job's failed scan will display a warning banner, instead of blocking all jobs. This grace period provides time to review any failed scans and whitelist any false positives. After 3 consecutive safe scans, the grace period for that job will end and any failed scans will result in a red warning banner and all jobs will be blocked.

CryptoSafeGuard notifications

When a backup job’s CryptoSafeGuard scan believes there may be ransomware, an alert will show next to the job in the Monitor UI and a red banner will appear at the top of BackupAssist’s UI. If you have configured email and SMS notifications, an email and SMS alert will also be sent.

Responding to a CryptoSafeGuard alert

When a possible ransomware infection is detected, all backup jobs will be blocked from running until the CryptoSafeGuard alert has been resolved. If you do not have a ransomware infection, BackupAssist will allow your IT systems administrator to review the detected files and whitelist them if they are safe.

To respond to a CryptoSafeGuard alert:

Step 1 - Click on the CryptoSafeGuard banner.

In this screenshot, the banner is yellow because the detection occurred during the grace period. Clicking on the banner will open the CryptoSafeGuard user interface.

CryptoSafeGuard Detection

Step 2 - Determine if there is a ransomware infection

To help determine if there is an infection, the UI shows all file(s) that CryptoSafeGuard detected as potentially infected, so they can be reviewed. Right-clicking a file allows you to open the folder the file is in. Right-clicking a folder allows you to open the folder in Windows.

CryptoSafeGuard detection options

Step 3 - Select Yes or No.

Your IT systems administrator will determine if you have a ransomware infection or not, and respond accordingly by selecting the Yes (have an infection) or No (no infection) button.

If you select Yes

You have a ransomware infection.

A dialog will open and advise that all backup jobs have been blocked and will not run until the infection has been resolved. If the IT systems administrator determines that your system has a genuine ransomware infection, you may need to perform a bare-metal recovery from your last successful backup.

If you select No

You need to whitelist or delete the detected files.

If there is no infection, select No. A dialog will advise that you need to remove or whitelist the detected files. To help you do this, new options and buttons will appear in the CryptoSafeGuard UI. The backup job that was stopped by CryptoSafeGuard will not automatically rerun. You can manually run the job or allow it to run at its next scheduled run-time.

CryptoSafeGuard whitelist options

Infection detection with no whitelist option

CryptoSafeGuard may generate a possible ransomware alert and display the banner without detecting an infection in the files you are backing up. This could happen if CryptoSafeGuard detects certain patterns of behavior consistent with a ransomware infection. If this happens, clicking the alert banner will open the following dialog.

Managing the whitelist

If you respond to a CryptoSafeGuard alert by whitelisting files, you can review and change your whitelist using the Manage CryptoSafeGuard Whitelist tab. You can also use this tab to add to your whitelist without an alert, but it is recommended that you use the alert list to inform your whitelisting decisions.

Running a manual scan

The Run Ransomware Scan feature allows you to scan a system on demand for potential ransomware, and to whitelist any files that cause a false-positive response. This is useful when you first enable CryptoSafeGuard or run a new backup job because any false-positive detections can be actioned before they block your backup jobs from running.

Hyper-V and SQL limitations

CryptoSafeGuard scans Hyper-V guests on Windows Server 2012 and later hosts that use locally supported file systems and basic partitioned volumes.

Note: SQL Protection jobs do not currently run with CryptoSafeGuard detection.