Ransomware Mitigation using NAS Snapshots

[Novox]

I tried to search for this before I posted it and I while I found many ransomware suggestions, I didn't find this exact suggestion and wanted to run it by folks.

In my environment I back up to my Synology NAS. I recall reading about scheduled air-gaps by using home-automation smart-switches to power on/off network switches. However, in this scenario, there is always a period of time that the network is connected and susceptible to ransomware.

Along these same lines, since ransomware can attach to NAS shares, instead, I schedule a daily BTRFS snapshot, on the NAS itself, soon after my backup completes.

In this way, I expect that if ransomware were to attempt to encrypt my NAS data, I could restore a previous snapshot, unknown to the ransomware because the snapshots are not exposed over the network.

How do people feel about this solution? I'm looking for flaws in my logic and welcome any education as to why this is a bad idea or isn't as protective as I am assuming.

Thank you!

[HannesK]

Hello,
yes, snapshots in general are something customers use. That solution makes sense as snapshots are out of range from an ransomware perspective.

The main point to take care of is: what happens if you run out of snapshot space (meaning ransomware encrypts backups and causes high change rate)?

If the system stops working, then everything is fine. Problems occur if it just drops old snapshots. In that case, they don't help.

Best regards,
Hannes