{"id":55532,"date":"2026-03-31T09:35:22","date_gmt":"2026-03-31T13:35:22","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=55532"},"modified":"2026-03-31T09:35:39","modified_gmt":"2026-03-31T13:35:39","slug":"preventing-ransomware-attacks-on-backups-of-home-users","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/preventing-ransomware-attacks-on-backups-of-home-users\/55532\/","title":{"rendered":"Ransomware now taking aim at personal backups"},"content":{"rendered":"<p>Today \u2014 March 31 \u2014 is World Backup Day. And every year, most people tell themselves, \u201cI\u2019ll get around to that tomorrow\u201d. But even if you\u2019re one of the responsible ones who regularly backs up their docs, photo archives, and the entire operating system \u2014 you\u2019re still at risk. Why? Because ransomware has learned how to specifically target everyday users\u2019 backups.<\/p>\n<h2>Why home users are in the crosshairs<\/h2>\n<p>In the not-so-distant past, ransomware was mostly a big business problem. Attackers focused on corporate servers and enterprise backups because freezing a major company\u2019s production process or stealing all their information and customer databases usually meant a massive payout. We\u2019ve seen plenty of those cases over the last few years. However, the \u201csmall-fry\u201d market has become just as tempting for cybercriminals \u2014 and here\u2019s why.<\/p>\n<p>For starters, attacks are automated. Modern ransomware doesn\u2019t need a human operating it manually. These programs scan the internet for vulnerable devices and, upon finding one, encrypt everything indiscriminately without the hacker getting involved. 
This means a single attacker can <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/qlocker-ransomware-shuts-down-after-extorting-hundreds-of-qnap-users\/\" target=\"_blank\" rel=\"noopener nofollow\">effortlessly hit<\/a> thousands of home devices.<\/p>\n<p>Second, because of this broad reach, the ransom demands have become more \u201caffordable\u201d. Regular users aren\u2019t asked for millions, but \u201conly\u201d a few hundred or thousand dollars. Many people are willing to pay that amount without involving the police \u2014 especially when family archives, photos, medical records, banking documents, and other personal files are on the line, with no other copies in existence. And when you multiply those smaller payouts by thousands of victims, the hackers walk away with very tidy sums.<\/p>\n<p>And finally, home devices are usually sitting ducks. While corporate networks are guarded really well, the average home router most likely runs on factory settings with \u201cadmin\u201d as the password. Many people leave their network attached storage (NAS) wide open to the internet with <a href=\"https:\/\/technijian.com\/cyber-security\/cyberattacks\/millions-of-synology-nas-at-risk-patch-for-cve-2024-10443\/\" target=\"_blank\" rel=\"noopener nofollow\">zero protection<\/a>. It\u2019s low-hanging fruit.<\/p>\n<h2>How personal backups get attacked<\/h2>\n<p>A home NAS drive \u2014 often called a personal cloud \u2014 is essentially a mini-computer running a specialized Linux or FreeBSD-based operating system. It houses one or more large-capacity hard drives, often combined into an array. The storage connects to a home router, making files accessible from any device on the home network \u2014 or even remotely over the internet if you\u2019ve configured it that way. 
Many people buy a NAS specifically to centralize their family\u2019s backups and simplify access for family members, thinking it\u2019s the ultimate safe haven for their digital archives.<\/p>\n<p>The irony is that these very storage hubs have become the primary target for ransomware gangs. Hackers can break in relatively easily either by exploiting known vulnerabilities or simply brute-forcing a weak password. Over the last five years, there were several major ransomware attacks specifically targeting home NAS units made by QNAP, Synology, and ASUSTOR.<\/p>\n<p>Targeting NAS isn\u2019t the only way hackers can get to your files. The second method relies on social engineering: basically tricking victims into launching malware themselves. Take the massive AI hype of 2025, for example. Scammers would set up malicious websites distributing fake installers for ChatGPT, Invideo AI, and other trending tools. They would lure people in with promises of free premium subscriptions, but in reality users ended up <a href=\"https:\/\/thehackernews.com\/2025\/05\/cybercriminals-target-ai-users-with.html\" target=\"_blank\" rel=\"noopener nofollow\">downloading and running ransomware<\/a>.<\/p>\n<h2>What ransomware looks for once it\u2019s inside<\/h2>\n<p>Once the malware infiltrates your system, it starts surveying its environment and neutralizing anything that could help you recover your data without paying up.<\/p>\n<ul>\n<li><strong>It wipes Windows shadow copies.<\/strong> The Volume Shadow Copy Service is a built-in Windows feature for quick file recovery. 
Deleting this data makes it impossible to simply roll back to a previous version of a file.<\/li>\n<li><strong>It scans connected drives.<\/strong> If you leave an external hard drive permanently plugged into your computer, the ransomware will spot and encrypt it just like any other files.<\/li>\n<li><strong>It searches for network folders.<\/strong> If your home cloud is mapped as a network drive, the malware will follow that path to attack that too.<\/li>\n<li><strong>It checks cloud sync clients.<\/strong> Services like Dropbox, Google Drive, or iCloud for Windows all keep local sync folders on your computer. The ransomware encrypts the files in these folders, and the cloud service then \u201chelpfully\u201d uploads the encrypted versions to the cloud.<\/li>\n<\/ul>\n<h2>The golden rule of backups<\/h2>\n<p>The classic 3-2-1 rule for backups goes like this:<\/p>\n<ul>\n<li>Three copies of your data: the original plus two backups<\/li>\n<li>Two different media types: for example, your computer and an external drive<\/li>\n<li>One copy off-site: in the cloud or elsewhere, like at a relative\u2019s place<\/li>\n<\/ul>\n<p>However, this rule predates the era of ransomware. Today we need to update it with one vital condition: another copy must be completely isolated from both the internet and your computer at the time of an attack.<\/p>\n<p>The new rule is 3-2-1-1 \u2014 a bit more of a mouthful, but much safer. 
Following it is simple: get an external hard drive that you plug in once a week, back up your data, and then unplug it.<\/p>\n<h2>What you actually need to back up<\/h2>\n<ul>\n<li><strong>Photos and videos.<\/strong> Wedding photos, a baby\u2019s first steps, family archives \u2014 these are the memories people will pay to get back.<\/li>\n<li>Digital scans or photos of essential documents for every family member \u2014 everything from passports to medical records, including old archives.<\/li>\n<li><strong>Two-factor authentication data.<\/strong> If your authenticator app only lives on your phone and you lose it, you may also lose access to all your protected accounts. Many apps let you back up your authentication data.<\/li>\n<li>If you use a password manager, make sure it\u2019s syncing to a secure cloud or has an export function.<\/li>\n<li>Privacy-focused messaging apps don\u2019t always store your history in the cloud. Business correspondence, important agreements, and contacts could vanish if they aren\u2019t backed up.<\/li>\n<\/ul>\n<h2>What to do if your data is already encrypted<\/h2>\n<p>Don\u2019t panic. Check out our <a href=\"https:\/\/noransom.kaspersky.com\" target=\"_blank\" rel=\"noopener\">Free Ransomware Decryptors<\/a> page. We\u2019ve collected a library of decryption tools that might help you get your data back without paying up.<\/p>\n<h2>How to secure your backups<\/h2>\n<ul>\n<li>Don\u2019t leave your external backup drive plugged in all the time. Connect it, copy your files, and unplug it immediately.<\/li>\n<li>Set up automated cloud backups, but make sure your cloud provider keeps a version history for at least 30 days. If your current plan doesn\u2019t offer this, it\u2019s time to upgrade or switch providers.<\/li>\n<li>Stick to the 3-2-1-1 rule: original files on your computer, plus an external drive that you only plug in periodically, plus cloud storage. 
That\u2019s three copies, two media types, one copy offline, and one off-site.<\/li>\n<li>Cut off internet access to your network storage. If you have a home network drive, make sure that it\u2019s inaccessible from the internet without a password \u2014 and that the password isn\u2019t \u201cadmin\u201d. Disable any remote access features you don\u2019t actually use, and make sure your firmware is up to date.<\/li>\n<li>Actually, keep everything up to date. Most attacks exploit known vulnerabilities that have long been patched. Enabling auto-updates for your router, NAS, and computer only takes a few minutes of setup but effectively slams the door on hundreds of known security holes.<\/li>\n<li>Steer clear of \u201cfree\u201d versions of paid software. Fake installers for pirated software or game cheats are some of the primary delivery channels for ransomware. By the way, <a href=\"https:\/\/www.kaspersky.com\/premium?icid=gl_bb2023-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Premium<\/a>\u00a0sniffs out these threats and blocks them before they even launch.<\/li>\n<li>Be sure to enable the <a href=\"https:\/\/support.kaspersky.com\/kaspersky-for-windows\" target=\"_blank\" rel=\"noopener\">System Watcher<\/a> feature in <a href=\"https:\/\/www.kaspersky.com\/home-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_blo_lnk_sm-team______\" target=\"_blank\" rel=\"noopener nofollow\">our Windows security suites<\/a>. This feature logs every operating system event to help track down threats like ransomware and either block them or roll back any damage they\u2019ve already done.<\/li>\n<li>Back up your authenticator app. 
The easiest move is to <a href=\"https:\/\/www.kaspersky.com\/blog\/kaspersky-password-manager-authenticator\/48841\/\" target=\"_blank\" rel=\"noopener nofollow\">migrate your authentication tokens<\/a> to <a href=\"https:\/\/www.kaspersky.com\/password-manager?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Password Manager<\/a>. It keeps them securely encrypted in the cloud alongside your passwords and sensitive docs, while syncing them across all your devices. That way, if your phone gets swiped or fried, you aren\u2019t locked out of your accounts and vital data.<\/li>\n<li>Test your backups. Every few months, try restoring a random file from your archive. You\u2019d be surprised how often a seemingly successful backup turns out to be corrupted or glitchy. It\u2019s better to catch those glitches now while you still have the originals to fix the problem.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"premium-generic\">\n","protected":false},"excerpt":{"rendered":"<p>Personal backups and home NAS are now in cybercriminals\u2019 crosshairs. 
We break down exactly how hackers encrypt your data \u2014 and how you can stop them.<\/p>\n","protected":false},"author":2775,"featured_media":55533,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[9],"tags":[586,4315,363,43,420,97],"class_list":{"0":"post-55532","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tips","8":"tag-backup","9":"tag-cryptomalware","10":"tag-personal-data","11":"tag-privacy","12":"tag-ransomware","13":"tag-security-2"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/preventing-ransomware-attacks-on-backups-of-home-users\/55532\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/preventing-ransomware-attacks-on-backups-of-home-users\/25403\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/preventing-ransomware-attacks-on-backups-of-home-users\/30200\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/preventing-ransomware-attacks-on-backups-of-home-users\/30590\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/preventing-ransomware-attacks-on-backups-of-home-users\/41608\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/preventing-ransomware-attacks-on-backups-of-home-users\/14444\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/preventing-ransomware-attacks-on-backups-of-home-users\/23799\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/preventing-ransomware-attacks-on-backups-of-home-users\/30469\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/preventing-ransomware-attacks-on-backups-of-home-users\/36089\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/preventing-ransomware-attacks-on-backups-of-home-users\/35741\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/backup\/","nam
e":"backup"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/55532","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2775"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=55532"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/55532\/revisions"}],"predecessor-version":[{"id":55535,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/55532\/revisions\/55535"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/55533"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=55532"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=55532"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=55532"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}