backup against ransomware - Printable Version +- ASK NC (https://ask.nascompares.com) +-- Forum: Q&A (https://ask.nascompares.com/forumdisplay.php?fid=1) +--- Forum: Before you buy Q&A (https://ask.nascompares.com/forumdisplay.php?fid=2) +--- Thread: backup against ransomware (/showthread.php?tid=11828)

backup against ransomware - Enquiries - 03-18-2025 Hello there, i love your youtube channel. it helped me a lot in choosing my NAS. i did not find a video on how to secure data against ransomware attacks. (that might be an interesting toppic?) Could i get your advice on how to setup a backup system that ist safe against ransomware attacks? how much can i send you via paypal in return for your help? i have a Qnap TS-410E NAS with 2x 2TB SSD. My idea was to setup 2 volumes on one drive for my wifes and my time machine backup and then use the other drive to do a qudedupe backup of the time machine files. That way our data should be safe, even if a ransom ware attack deletes the time machine backup and encrypts our files. right? i also have a few other questions concerning the encryption and the volume sizes i hope you can help me with that. cheers simon RE: backup against ransomware - jeremyclark - 03-20-2025 Glad you’re loving the YouTube channel and your TS-410E—great choice! A video on securing data against ransomware is a solid idea; I’ll pass that along. For now, let’s tackle your backup setup. Your plan—2 volumes on one 2TB SSD for you and your wife’s Time Machine backups, then a deduplicated backup on the other 2TB SSD—has potential but needs tweaking to really protect against ransomware. Here’s my take: Ransomware Risk: If ransomware hits your Mac and encrypts or deletes the Time Machine volumes, it could also wipe the dedupe backup if it’s online and accessible. Having both drives in the same NAS might not be enough separation. Better Setup: Use one 2TB SSD (Volume 1) for Time Machine backups (split it into two 1TB volumes for you and your wife). Then, configure the second 2TB SSD (Volume 2) as a snapshot reserve or offline backup. Enable block-based snapshots on Volume 1—the TS-410E supports this—and replicate them to Volume 2 with QNAP’s Snapshot Replica. Snapshots are ransomware-resistant since they’re read-only and separate from the file system. Deduplication: You can enable inline deduplication on Volume 2 via QuTS hero (switch from QTS if you’re on it—needs 8GB RAM, which the TS-410E has). This saves space but isn’t critical for safety. Encryption: Turn on AES-256 volume encryption for both volumes in QTS/QuTS hero. It’s hardware-accelerated on the TS-410E, so no performance hit, and it keeps data safe if the NAS is physically stolen. Volume Sizes: 1TB each for Time Machine should work if your Macs don’t exceed that. Check your current backup sizes in Time Machine prefs to confirm. Volume 2 can stay 2TB for snapshots and dedupe storage. Extra Layer: For max protection, back up snapshots to an external USB drive (via USB 3.2 ports) and disconnect it when done. Ransomware can’t touch offline storage. This setup ensures that even if Time Machine files get trashed, you’ve got snapshots and an offline copy to recover from. No PayPal needed—happy to help a fellow NAS fan! If you’ve got more questions (encryption setup, etc.), just holler. RE: backup against ransomware - ed - 03-21-2025 Recommended Setup for Ransomware-Resilient Backups 1. Separate Storage Pools or Volumes Good: You’re isolating backups from live data. Even Better: Use separate storage pools if your NAS allows. That way, ransomware or accidental deletion on one pool won't affect the other. 2. Use QuDedup Smartly Set up QuDedup to back up Time Machine folders daily (or even hourly). Store the deduplicated backups on a separate volume (as you're doing), ideally in a folder with read-only access for Time Machine users. 3. Enable Snapshots Snapshots are a powerful anti-ransomware tool. Create daily (or twice-daily) snapshots on the Time Machine volume. Retain them for 1–2 weeks. Enable snapshot directory protection so that even if ransomware hits, the snapshots can't be deleted without admin access. 4. User Permissions and Isolation Create dedicated users for each Time Machine backup. Restrict those users from accessing the QuDedup volume or any critical admin areas. 5. Offsite or Cold Storage Option If your NAS supports USB backup, connect an external drive and schedule weekly backups of your deduplicated folder. Store it unplugged when not in use — this gives you an "air-gapped" layer. Alternatively, sync to cloud (like Backblaze B2 or Wasabi) with versioning enabled. 6. QNAP Security Settings Disable admin login via internet. Enable 2FA for all admin users. Use Security Counselor on QNAP to harden settings. Disable all unnecessary services (FTP, UPnP, etc.).