BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
Ransomware recovery is the process of resuming options following a cyberattack that demands payment in exchange for unlocking encrypted data. Having good data backups and a solid disaster recovery (DR) plan are the best ways an organization can recover successfully from an attack. With ransomware so prevalent, experts are urging businesses to assume that they will be hit with an attack, so protection and recovery are top of mind.
Ransomware, a subset of malware, typically gets into a system when a user opens an infected email attachment or website. Several major attacks have recently made headlines across the world:
- WannaCry ransomware in May 2017 hit more than 100,000 organizations. The payment total was not high, considering the scale of the attack, but the downtime for organizations led to big losses.
- Petya in June 2017 was first detected in Ukraine government systems before spreading to organizations around the world.
- Bad Rabbit ransomware in October 2017 spread through Eastern Europe.
- A ransomware attack on the city of Atlanta in March 2018 shut down several departments. The cost of the recovery effort was more than $5 million.
To remain anonymous, attackers often demand payment in the form of virtual currency such as Bitcoin. The FBI does not recommend paying the ransom, as access to encrypted files may not be guaranteed and the victim then becomes known as an organization that will pay, opening itself up to the possibility of more attacks. Paying also encourages the business model. The government recommends immediately contacting authorities, such as a local FBI office.
Proper ransomware recovery is important because an attack can harm or even shut down a business. Even if an organization doesn't pay the ransom, the cost of downtime can be catastrophic, due to lost revenue and loss of reputation. As a result, it's critical to be able to recover quickly from a ransomware attack.
Planning for ransomware recovery is helpful for an organization not just for responding to attacks, but for DR as a whole. The planning stage enables an organization to look at where it may be vulnerable and in need.
Because ransomware constantly evolves, it's important for data protection vendors to stay one step ahead of attackers. For example, a new development is ransomware's ability to attack data backups, in addition to primary workloads, so an organization must ensure that its secondary storage is protected as well.
Recovering from a ransomware attack
Ransomware recovery starts before an attack hits. Organizations following the 3-2-1 rule of backup are in a good position to recover. With this method, there are three copies of the data, on at least two different media types, with one copy offsite or offline.
For example, using tape storage for one of the backup copies provides an offsite and offline option. Storage that is not connected to a network is safe from ransomware. Though tape won't typically have as up-to-date backup data as disk or cloud storage, it does feature an air gap -- which provides isolation through lack of network or internet connectivity -- and ensures an organization can recover at least some of its workloads.
When an attack hits, IT should take over immediately while users stay off the network. In its simplest form, IT would wipe the affected systems, ensure the ransomware is no longer in the network and restore operations from the last known good backup. To get the organization up and running as quickly as possible, IT may want to restore only the most critical data and operations first, and then bring up less important workloads. The cloud is a good option for off-site backup, but it can take a long time to restore a large volume of data.
As part of its backup and DR plans, an organization should identify which workloads are most important to the survival of the business and make sure those are properly and safely backed up. Ideally, an organization will back up files frequently throughout the day, using such methods as data replication.
Testing is key to ransomware recovery. A test can be as simple as running through what each team member will do in the event of an attack. The most comprehensive option involves running a full-scale test of backups and failing over operations as if the attack actually happened.
Security testing is necessary as well. IT should ensure its security -- such as antivirus software -- is up-to-date. DR and security teams, if separate, should be on the same page regarding planning and recovery efforts.
Educating and training users in advance is optimal, but reminders immediately following an attack are also good while the issue is still fresh on everyone's minds. Employees should know not to open attachments or frequent websites they don't recognize as safe. They should also know to inform IT right away if they see something suspicious.
Major ransomware recovery tools and vendors
Data protection vendors have recently been adding features specific to ransomware recovery.
- Actifio OnVault technology provides an air gap by creating an unchangeable backup copy on object storage, on premises or in the cloud.
- Acronis software uses machine learning to help prevent a ransomware virus from corrupting data. It attempts to detect suspicious application behavior before the corruption of files. Acronis Active Protection enables customers to roll back and recover from a point in time before a ransomware attack.
- Asigra Cloud Backup prevents ransomware from getting into backups by embedding malware engines in the backup and recovery stream. The engines are designed to identify a ransomware virus, quarantine it and notify the user.
- BackupAssist CryptoSafeGuard works with existing anti-malware software. It scans and detects suspicious activity in source files that can be related to ransomware, sends alerts and blocks backup jobs from continuing to run until resolution of the issue.
- CloudBerry Backup protects file-level backups when it finds ransomware. It prohibits existing backup data from being overwritten until an administrator confirms an issue.
- Druva inSync includes built-in monitoring and detection tools. Automated alerts flag unusual activity with data in desktops, laptops, mobile devices and cloud applications. The software also helps identify the last safe snapshot.
- Iron Mountain's Iron Cloud Critical Protection and Recovery isolates data, disconnecting it from a network. In the event of an attack, it provides a "cleanroom" to recover data and ensures that ransomware is out of the system.
- Quorum has an appliance specifically designed to recover from ransomware. The Quorum onQ Ransomware Edition takes snapshots of servers and provides server-level recovery.
- Reduxio BackDating serves as a time machine for data, cloning any volume to any point in time for data recovery, and enabling an organization to roll back to the moment before a ransomware attack.
- Unitrends physical and virtual appliances use predictive analytics to help determine if ransomware is operating in a system. Unitrends alerts customers when it detects the ransomware virus, so they can restore from the last safe point in time.
- Zerto's continuous data protection and journaling feature provides the ability to rewind to a point in time before a ransomware attack.
Features to look for in a tool
Backup and recovery vendors can help with ransomware-specific issues in a number of ways.
- Since a ransomware attack can hit at any moment, a tool that can increase the frequency of backups is helpful.
- Increasing the length of backup retention helps an organization that needs to keep files for the long term.
- Data protection products that integrate with malware detection represent an important security crossover.
- Backup software can alert an administrator to unusual rates of change in data, a sign of possible ransomware.
IT should not rely on a backup product for ransomware recovery. A more comprehensive and proactive data protection platform is better. It's important to analyze exactly what a vendor offers, though, as simply saying that an organization can recover from ransomware with a given product is different from providing a tangible means of recovering.