Ransomware is becoming the number one threat to data, which makes it essential to ensure that bad actors don\u2019t encrypt your backup data along with your primary data when they execute ransomware attacks. If they succeed at that, you will have no choice but to pay the ransom, and that will encourage them to try it again.\nThe key to not having to pay ransom is having the backups to restore systems that ransomware has encrypted. And the key to protecting those backups from ransomware is to put as many barriers as you can between production systems and backup systems. Whatever you do, make sure that the only copy of your backups is not simply sitting in a directory on a Windows server in the same data center you are trying to protect. Let\u2019s take a closer look at a few key elements of that sentence: \u201cWindows\u201d, \u201csame data center\u201d, and \u201csitting in a directory\u201d.\nProtect Windows\nThe majority of ransomware attacks are against Windows hosts, and they spread to other Windows hosts in your computing environment once a single host is infected. Once the ransomware has spread to enough hosts, the attacker activates the encryption program and suddenly your entire world is shut down. Therefore, the most obvious thing to do would be to use something other than Windows for your backup server.\nUnfortunately, many popular backup products run primarily on Windows. The good news is that many of them also offer a Linux alternative. Even if the main backup software must run on Windows, it might also have a Linux media-server option. The media servers are the key because that is where the data is that you are trying to protect. If your backups are only accessible via Linux-based media servers, ransomware attacks against Windows-based servers will not be able to attack them.\nIn addition to storing your regular backups behind a Linux-based media server, make sure the backups of your main backup server are stored there as well. It doesn\u2019t do any good to have your backups unencrypted if the database needed to access those backups is encrypted by the ransomware.\nYou should also harden Windows-based backup servers as much as possible. Learn the services ransomware uses to attack servers (such as RDP) and turn off as many of them as possible. Remember this server is your last line of defense, so think security,\u00a0not convenience.\nGet backups out of the data center\nWhatever backup solution you choose, copies of backups should be stored in a different location. This means more than simply putting your backup server in a virtual machine in the cloud. If the VM is just as accessible from an electronic perspective as it would be if it were in the data center, it\u2019s just as easy to attack. You need to configure things in such a way that attacks on systems in your data center cannot propagate to your backup systems in the cloud. This can be done in a variety of ways, including firewall rules, changing operating systems and storage protocols.\nFor example, most cloud vendors offer object storage and most backup software products and services are capable of writing to it. Ransomware attackers may be sophisticated, but so far have not figured out how to attack backups stored on object-based storage. In addition, such providers often offer a write-once, read-many option, meaning that you can specify a period during which backups cannot be modified or deleted, even by authorized personnel.\nThere are also backup services that can write data to their storage that isn\u2019t accessible except via their user interface. If you can\u2019t directly see your backups, then neither can the ransomware.\nThe idea is to get your backups\u2014or at least one copy of your backups\u2014as many hops away from an infected Windows system as they can be. Put them in a provider\u2019s cloud protected by firewall rules, use a different operating system for your backup servers, and write your backups to a different kind of storage.\nRemove file-system access to backups\nIf your backup system is writing backups to disk, do your best to make sure they are not accessible via a standard file-system directory. For example, the worst possible place to put your backup data is E:backups. Ransomware products specifically target directories with names like that and will encrypt your backups.\nThis means that you need to figure out a way to store those backups on disk in such a way that the operating system doesn\u2019t see those backups as files. For example, one of the most common backup configurations is a backup server writing its backup data to a target deduplication array that is mounted to the backup server via server message block (SMB) or network file system (NFS). If a ransomware product infects that server, it will be able to encrypt those backups on that target deduplication system because those backups are accessible via a directory. You need to investigate ways to allow your backup product to write to your target deduplication array without using SMB or NFS. All popular backup products have such options.\nWhat about tape?\nOf course, there is always our old friend tape. One thing tape is really good at is copying last night\u2019s or last week\u2019s backup to another medium that can then be sent off-site for safekeeping against ransomware attacks. Even the best ransomware product would be completely unable to infect your backups if you take them out of the tape library and hand them to an Iron Mountain driver. Sometimes the old ways are the best ways.\nPut in some roadblocks\nDon\u2019t make it easy for ransomware to see and encrypt your backups. Don\u2019t store them on a Windows server if possible and have at least one copy stored somewhere that is not electronically accessible from your data center. Finally, configure your backup system in such a way that backups can\u2019t be seen as files on your backup server. Give yourself at least a fighting chance in the case of a ransomware attack.