Reply to post: Ransomware - check your backup size daily

Cyber attack against UK power grid middleman Elexon sparks in-house IT recovery efforts

Trigun

Ransomware - check your backup size daily

People have mentioned about ransomware infecting backups.

One of the things we do for our customers is a set of daily checks (something I expect all you sysadmins out there do...) the results of which we record in a spreadsheet. This includes checking the backups and recording the size amongst other things. If we see anything unusual (such as a size increase in the incremental which bucks the normal trend) we start looking into it and if we have a suspicion something is going on we take a separate copy of the older backups which are inaccessible to domain accounts - including domain admins (preferably subsequently made offline).

It's not absolutely infallible, but it's one of our ways for trying to catch this kind of thing.

Also, we set up SRP whitelists, file screening, decent AV, etc. where the customer will let us. Again, not infallible, but can stop a lot of things if implemented correctly.

And, of course, end user awareness and training (a constant battle).
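
An added example, not part of the original comment and not the poster's own tooling: one way to automate the daily size check described above, flagging an incremental whose size jumps well above the trailing trend. The CSV column names, the sample figures and the window, threshold and floor values are all assumptions made for illustration.

```python
import csv
import io
import statistics

# Constructed sample of the daily-checks spreadsheet exported as CSV
# (dates and sizes are made up for this example).
SAMPLE_LOG = """date,incremental_gb
2024-03-01,4.1
2024-03-02,3.8
2024-03-03,4.4
2024-03-04,4.0
2024-03-05,4.2
2024-03-06,3.9
2024-03-07,4.3
2024-03-08,4.1
2024-03-09,38.5
2024-03-10,41.2
2024-03-11,4.0
"""

def load_sizes(text):
    """Parse the CSV export into (date, size_gb) tuples, oldest first."""
    return [(r["date"], float(r["incremental_gb"]))
            for r in csv.DictReader(io.StringIO(text))]

def flag_unusual(rows, window=7, threshold=4.0, min_history=5):
    """Return (date, size, baseline_median) for increases that buck the trend.

    The baseline is the median of the last `window` unflagged days, and the
    spread is the median absolute deviation (MAD), so a single huge
    incremental cannot drag the baseline up and hide the next one.
    """
    baseline, flagged = [], []
    for date, size in rows:
        if len(baseline) >= min_history:
            recent = baseline[-window:]
            med = statistics.median(recent)
            mad = statistics.median([abs(x - med) for x in recent])
            # 1.4826 scales MAD to a std-dev equivalent; the 10% floor stops
            # a very flat history from flagging ordinary day-to-day noise.
            spread = max(1.4826 * mad, 0.10 * med)
            if (size - med) / spread > threshold:
                flagged.append((date, size, round(med, 2)))
                continue  # keep the suspect day out of the baseline
        baseline.append(size)
    return flagged

if __name__ == "__main__":
    for date, size, med in flag_unusual(load_sizes(SAMPLE_LOG)):
        print(f"{date}: incremental {size} GB vs typical {med} GB - investigate")
```

A flagged day is a prompt to investigate and to take the separate copy of the older backups mentioned above, not proof of encryption; a large legitimate data import produces the same signal.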
