Ransomware Recovery: The Need For Modern Data Protection

By Wes van den Berg, Pure Storage | Dec 13, 2021 03:18 am PST

The cyber-threat landscape is constantly evolving, and ransomware is undeniably one of the biggest threats to businesses today. According to PwC, by September 2021 alone there had been more ransomware incidents globally than in the whole of 2020. Prominent attacks include Acer and Kaseya falling victim to the REvil ransomware group, and Ireland’s Health Service Executive (HSE) being attacked by Conti.

With ransoms typically in the millions, it’s hardly surprising that attacks continue to rise. Businesses must face up to the fact that being targeted is an inevitability. However, preparing for attacks should not just be about prevention: businesses should ensure they have a reliable, robust data protection strategy in place so that if the worst happens, they can restore and recover from an attack quickly and with confidence.

Of course, when a business is attacked, being able to restore data from backups forms a critical part of its recovery strategy. Unfortunately, cyber-criminals are adapting too, and as attacks become more sophisticated and complex, restoring from backup is not always so straightforward.

Targeting backups

Hackers recognise that backups are a business’s last line of defence, and if an organisation can successfully recover from an attack, then the ransom won’t be paid out. In fact, the average hacker spends over 200 days on a network before encrypting anything – they try to get access to as many systems as possible before making their move, and this includes the backups.

Once hackers have successfully penetrated the network, they focus their efforts on compromising credentials. This is the key to their attack: once they have the right credentials, they can do practically anything.

Prepare, minimise and recover: adopting a three-pronged strategy

How can businesses protect themselves? They need to adopt a three-pronged strategy to prepare for, minimise the impact of, and recover from an attack.

Firstly, businesses need to review their overall security hygiene. This will help safeguard against an attack and make detection faster. Basic best practices include updating software and operating systems with the latest patches; training staff to be cautious of links or attachments in emails, especially unsolicited ones; backing up data on a regular basis; and keeping backups on devices separate from production data (air gaps). Always make sure backups are protected and immutable, so that if hackers do get access, they are limited in what they can do.

Secondly, businesses need to be aware of what to do during an attack. Awareness of what is ‘normal’ in how infrastructure operates is essential. Without it, it could take weeks to notice something ‘abnormal’ that flags that data or systems might be compromised.

Third is enabling a fast recovery following an attack. Organisations need valid, immutable backup copies of their data which are protected and can’t be eradicated, modified or encrypted. This, coupled with the ability to rapidly restore data, is paramount. When choosing suppliers, IT leaders should look at Service Level Agreements (SLAs) for restoring data as well as for backing it up.
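As an added illustration (not code from the original post or from Pure Storage), here is a small Python check of the three properties this section asks of a backup copy: it is still valid (its digest matches what was recorded at backup time), it is immutable (a retention lock is still in force), and it does not itself already contain encrypted data captured after the attackers struck. The manifest fields and the sample snapshots are constructed for the example; real backup platforms expose equivalent metadata under their own names.

```python
import hashlib
import math
from collections import Counter
from datetime import datetime, timedelta, timezone

# Reference time for the retention-lock check (constructed; matches the post's date).
NOW = datetime(2021, 12, 13, tzinfo=timezone.utc)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Text and database pages sit well below 7.5; encrypted data is close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def check_snapshot(snap: dict, now: datetime = NOW, entropy_limit: float = 7.5) -> list:
    """Return the reasons a snapshot is NOT safe to rely on; an empty list means it passed."""
    problems = []
    # Valid: the bytes still match the digest recorded when the snapshot was taken.
    if hashlib.sha256(snap["data"]).hexdigest() != snap["sha256"]:
        problems.append("digest mismatch: snapshot changed after it was written")
    # Immutable: a retention lock is in force, so a compromised admin account cannot delete it.
    if not snap["locked"] or snap["lock_expires"] <= now:
        problems.append("no active retention lock: snapshot can be deleted or overwritten")
    # Not already encrypted: a snapshot taken after the attackers encrypted data is worthless.
    if shannon_entropy(snap["data"]) > entropy_limit:
        problems.append("high entropy: snapshot looks like already-encrypted data")
    return problems

def make_snapshot(name: str, data: bytes, locked: bool, lock_days: int) -> dict:
    """Hypothetical manifest entry (field names are assumptions for this example)."""
    return {"name": name, "data": data, "sha256": hashlib.sha256(data).hexdigest(),
            "locked": locked, "lock_expires": NOW + timedelta(days=lock_days)}

# Constructed sample backup set: one good copy and four ways a copy can fail.
ledger = b"customer_id,balance,currency\n" * 300
random_like = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
SNAPSHOTS = [
    make_snapshot("db-good", ledger, locked=True, lock_days=30),
    make_snapshot("db-unlocked", ledger, locked=False, lock_days=30),
    make_snapshot("db-lock-expired", ledger, locked=True, lock_days=-1),
    make_snapshot("db-encrypted", random_like, locked=True, lock_days=30),
]
tampered = make_snapshot("db-tampered", ledger, locked=True, lock_days=30)
tampered["data"] = ledger[:-1] + b"X"  # modified after the digest was recorded
SNAPSHOTS.append(tampered)

def recoverable(snapshots: list) -> dict:
    """Map snapshot name -> list of problems; only names with an empty list can be restored from."""
    return {s["name"]: check_snapshot(s) for s in snapshots}
```

Run `recoverable(SNAPSHOTS)` to see that only `db-good` passes all three checks; the entropy threshold is a heuristic and should be tuned against known-good copies of each data type.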

Air gapping: promise vs. reality

Air gaps are a useful way to keep production and backup networks separate – isolating critical data from local networks and production areas that are more vulnerable to attacks. Allowing data in from the production network at regular intervals means that backups are regularly updated, but the two sides are not always connected.

That said, there are issues with air gaps that need to be considered. Firstly, they can be expensive to implement and difficult to manage and maintain. They also raise scalability issues and can prove slow when recovering large volumes of data. Secondly, they don’t solve the problem of internal threats – such as storage or backup admins having their credentials compromised.

While air gaps are a step in the right direction for security, to be fully prepared for ransomware attacks, businesses need valid, immutable backup copies of their data which are protected and can’t be eradicated, modified, or encrypted.

This, coupled with the ability to quickly restore data, is paramount. Unless your data can be restored fast enough to avoid major organisational, reputational, and financial impact, all the work you’ve done around protection is worthless.

Combat ransomware with Rapid Restore

Even with immutable snapshots and air gaps in place, businesses will be limited by the speed at which they can restore data. If a large enterprise is down for even one hour, it could cost it millions and cause irreparable damage to customer trust and loyalty. On top of this, a ransomware attack is not a typical data recovery scenario – businesses may need to restore all their files, or several databases. It’s not uncommon for a database restore to take several hours, sometimes days. Imagine there are 50 or 100 databases to restore, and it becomes clear just how important recovery speed is in the wake of an attack.

When assessing storage and backup vendors, it’s critical that businesses establish SLAs and choose a backup solution that can restore data at a rate of hundreds of terabytes per hour, for maximum recovery speed in case the worst happens.

Ultimately, businesses need a strategy that marries proper preventative measures, regular immutable data snapshots, and a rapid restore solution to enable a swift return to operations. Unless their data restores are fast enough to avoid major organisational, reputational, and financial damage, all the work put into protection is worthless.