Re: in a way, but
Ransomware can also permeate into backup media
True, but keeping an eye on the backup process can help detect large deltas.
The way I do backups has been the same for many years:
- Use Linux and ext* file system
- increments start by making a hard-linked (cp -l) copy of previous snapshot
- Use rsync or similar tool that only overwrites/transfers changed files
- Similar arrangement for 2nd, 3rd generation backups
If something were to start encrypting files en masse, I would see it pretty soon, either in the rsync summary (being longer/larger than usual) or in the size of the increment as stored on the disk---after the backup, I calculate the delta size by counting files that only have a single hard link; these must be the changed files. Because hard-linking takes up relatively little space, I maintain these "snapshots" going back for quite a long time and only delete them manually, so that gives me a second chance to notice any damage and to roll back when it does happen.
I also use a hand-rolled file integrity system based on the same idea as the "shatag" tool. I will periodically update SHA256 hashes for all files and store them in the file system as extended attributes. I also collate these hashes across all machines and use the metadata to enforce a replication policy across multiple machines (or at least to verify that it's working). I've also got a separate scheme (using erasure codes to give a high level of redundancy with modest overheads) for cold/archival data.
One other thing I've toyed with is using the LVM snapshot facility. It could replace the hard-linking scheme I use to some degree. In this case, larger-than-expected deltas would overflow the copy-on-write buffer, alerting me to something strange/unusual via a message about a failed backup. I prefer the hard-linking scheme, though, since it's more permanent and gives better historical integrity. LVM's snapshot facility is perfect for backing up volumes with databases on them, though, since you get an atomic backup without needing to lock the database first.