BackupAssist CryptoSafeGuard

CryptoSafeGuard is a BackupAssist tool that protects backups from ransomware attacks and prevents ransomware-encrypted files from being backed up. CryptoSafeGuard is available for BackupAssist 10.1 (or newer) users with valid BackupCare.

What is ransomware?

Ransomware is malware that encrypts files and demands payment to provide the decryption key so you can access those files again. Some ransomware can spread across connected machines and some can disable your system completely, so infected machines will often need to be recovered from a backup. It is therefore important that your backups are not infected, which is why CryptoSafeGuard is such an invaluable feature.

What does CryptoSafeGuard do?

To protect your systems against ransomware attacks, it’s critical that you have reliable backups so you can restore data or recover your entire system to ensure business continuity. However, when ransomware attacks your systems, it can also infect your backups, leaving them unusable. CryptoSafeGuard protects your backups from ransomware using two important features: the CryptoSafeGuard Detector and the CryptoSafeGuard Shield.

Running CryptoSafeGuard

The first time you run a job with CryptoSafeGuard enabled, it will scan files modified in the last 3 months. This scan may take some time depending on the amount of data being backed up. Subsequent scans will be incremental and a lot faster, with minimal impact on the jobs’ run times. When you start using CryptoSafeGuard, each job has its own grace period: if a job detects possible ransomware during this period, a warning will be displayed but the backup jobs will not be blocked. The grace period for a job lasts until the job has 3 consecutive clean scans.

Grace period warnings will display a yellow banner in the BackupAssist UI. After the grace period, the banner will be red and indicate that all backup jobs have been blocked from running. Both banners can be clicked on to open the dialog that is used to confirm if there is an infection by selecting Yes or No. If you select No, the dialog will allow you to whitelist the suspicious files. The current whitelist can be opened from both the Backup home page and the Settings tab, and allows you to review and edit the existing whitelist.
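The grace-period rules described above, modelled as a small state machine. This is an added example, not BackupAssist code: the class and function names are hypothetical, and it assumes that a detection during the grace period resets the job's count of consecutive clean scans and that a job never re-enters grace once it has left it.

```python
from dataclasses import dataclass

GRACE_CLEAN_SCANS = 3  # from the page: grace ends after 3 consecutive clean scans


@dataclass
class JobState:
    clean_streak: int = 0
    in_grace: bool = True


class GracePeriodModel:
    """Hypothetical model of the documented behaviour, not product code."""

    def __init__(self, job_names):
        self.jobs = {name: JobState() for name in job_names}
        self.all_jobs_blocked = False  # set by a detection after grace

    def run_job(self, name, suspicious):
        """Return 'clean', 'yellow' (warn only), 'red' (block) or 'blocked'."""
        job = self.jobs[name]
        if self.all_jobs_blocked:
            return "blocked"  # no job runs until the alert is resolved
        if not suspicious:
            job.clean_streak += 1
            if job.clean_streak >= GRACE_CLEAN_SCANS:
                job.in_grace = False  # assumption: grace is never re-entered
            return "clean"
        job.clean_streak = 0  # assumption: "consecutive" means a hit resets
        if job.in_grace:
            return "yellow"
        self.all_jobs_blocked = True  # post-grace detection blocks every job
        return "red"

    def resolve_alert(self):
        """Alert resolved through the banner dialog."""
        self.all_jobs_blocked = False


def simulate(scans, job_names=("files", "system")):
    model = GracePeriodModel(job_names)
    return [model.run_job(job, hit) for job, hit in scans]


# Constructed timeline: (job name, did the scan flag possible ransomware?)
TIMELINE = [("files", False), ("files", False), ("files", True),
            ("files", False), ("files", False), ("files", False),
            ("files", True), ("system", False)]

if __name__ == "__main__":
    for (job, hit), outcome in zip(TIMELINE, simulate(TIMELINE)):
        print(f"{job:7} suspicious={hit!s:5} -> {outcome}")
```

Under these assumptions, the warning on the third run restarts the count, so the "files" job leaves its grace period after its sixth run rather than its third, and the later detection then blocks the "system" job as well.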

[Image: CryptoSafeGuard banner]

CryptoSafeGuard alerts

When a backup job’s CryptoSafeGuard scan detects possible ransomware, an alert will show next to the job in the Monitor UI and a red banner will appear at the top of BackupAssist’s UI. If you have configured email and SMS notifications, an email and SMS alert will also be sent. BackupAssist’s alert banner is clickable and has a help link to the CryptoSafeGuard documentation.

Responding to a CryptoSafeGuard alert

When a possible ransomware infection is detected, all backup jobs will be blocked from running until the CryptoSafeGuard alert has been resolved. If you are not aware of a ransomware infection, BackupAssist will allow your IT systems administrator to review the suspected files. Safe files can be whitelisted.

Managing the whitelist

If you respond to a CryptoSafeGuard alert by whitelisting files, you can review and change your whitelist using the Manage Whitelist section of the CryptoSafeGuard Settings dialog. You can also use this dialog to add to your whitelist without an alert, but it is recommended that you use the alert list to inform your whitelisting decisions.

Hyper-V and SQL limitations

CryptoSafeGuard scans Hyper-V guests on Windows Server 2012 and later hosts that use locally supported file systems and basic partitioned volumes. SQL Protection jobs do not currently run with CryptoSafeGuard detection.