Ransomware continues to dominate the IT landscape, and it is getting smarter. This two-part series will explain what vendors will have to do to improve their ransomware recovery products, and what customers will need to do to keep up. Part two will detail the importance of endpoint backup software and access control.
Many of us have seen ransomware in action. The first inkling of trouble is usually a webpage that says your server has been contaminated and then offers, for a sizable fee, to recover your data. I've been lucky. The couple of times it has happened to me, my firewall prevented the payload from loading. But more sophisticated attacks can get past that, and really mess life up.
Ransomware typically gets into a data center through an infected client. This malware encrypts all of the data it can see, including networked and cloud data, so its impact extends far beyond the original attack point. This leaves an administrator with just two choices: restore from an unencrypted backup, if one still exists, or pay up and pray you found an honest crook who actually has the right key.
Usually, the crooks offer a ransomware recovery tool with their encryption key for anything from a few hundred dollars on up. This isn't a laughing matter. Your data is locked up, at least until the proper key is delivered, and the crooks can hustle you with a short time limit before the data is lost forever. Unfortunately, the crooks aren't particularly scrupulous about noting down that ransomware recovery key and, often, once money has changed hands, your data is permanently toasted.
Disconnect data before ransomware connects
Antivirus software and packages targeting ransomware offer quite a bit of protection, but ransomware evolves rapidly, and it's always a catch-up game. Since entry is often through one of the attached mobile clients, keeping an up-to-date level of protection is difficult, at best. Exhortations to employees to only go to trusted sites are futile, too, as anyone who has looked at their data center's connection history knows!
Today, the best answer lies in a proper, robust backup and recovery operation. The key in backup is that the backed-up images are stored outside of the address space owned by all of the servers. Those images should be invisible to the ransomware, with data either offline or mounted solely to the backup servers. This is a crucial issue, especially with the pool of storage approach now becoming common in data centers. If the ransomware can see it, it is at serious risk of being corrupted.
This is where tape backup may still retain value: in a ransomware recovery situation. Tapes retrieved from storage in a salt mine take so long to mount and overwrite that any ransomware attack will be discovered well before they are damaged!
For those who have moved on to more modern approaches, a separate cloud storage pool accessed only from the backup systems does a pretty good job of achieving isolation, but under no circumstances should the main networks in the data center be connected to that storage.
Now, not all backups are equal. A procedure that backs up critical files just once a week could leave you vulnerable to a huge ransomware recovery task.
Moreover, all of the endpoint devices today have sizable files, some business related and some personal. To prevent your company's employees from all trying to get their mobile devices back (and, so, not doing useful work), there has to be fast reimaging for their devices, too.
Frequent backups can be essential to ransomware recovery
Stop a ransomware attack before it starts
Ransomware payments and protection: By the numbers