Ransomware recovery is a complex task. Make sure you're doing all the right things, from protecting unstructured data to testing your recovery capabilities.
Though statistics vary about the number of businesses hit and the amount paid to attackers, planning for recovery from ransomware should be top of mind for all organizations, no matter the size or type.
A good ransomware protection strategy includes ensuring security is up to date and using backup software that can alert your organization of a potential attack, according to George Crump, founder and lead analyst of IT analysis firm Storage Switzerland, as well as a TechTarget contributor.
Ransomware typically gets into an organization through a user clicking on a bad link or opening an infected attachment. The ransomware then starts encrypting data. The attacker requests the organization pay a ransom in order to get files back. Ransomware can spread fast, across an organization and across the world, as seen in the WannaCry attack in May.
But an organization with the proper backup and recovery system in place should be able to fend off a ransomware attack. And, Crump notes, planning for recovery from ransomware can help your organization with disaster recovery as a whole.
"Don't be complacent," Crump said. "Get out in front of this."
And remember to test your recovery from ransomware.
"Going through that process and understanding how long it will take becomes very, very critical as part of your overall testing processes," Crump said. "The actual process is just different than a full-blown disaster recovery, where you're essentially recovering everything from scratch."
In this podcast with SearchDisasterRecovery, Crump explains the nature of ransomware recovery and protection today, best practices for organizations to bounce back from an attack and what we might see next from vendors. The following transcript has been edited for clarity and condensed.
What are some tips for how organizations can best protect their systems and recover in the event of a ransomware attack?
George Crump: The key thing is to look for a backup product that does a good job of protecting unstructured data. A lot of times, that means it's going to do incremental forever backups so it doesn't always have to back up all the data. Secondly, make sure that you have the ability to rapidly recover that data. So, in some cases, that might be what we call 'in-place' recovery so that the data doesn't have to be transferred back.
But one of the challenges that you'll see in a ransomware attack is hundreds of thousands of files might be infected. And recovering 100,000 files one at a time through a backup product can be very time-consuming. It'd be faster just to mount the whole volume.
One thing to do, but not necessarily count on, is snapshots. Most storage systems and even most operating systems today have some sort of snapshot capability. The problem is: The ransomware will often attack these protection methods directly. Ransomware can attack known backup products, so you also have to make sure you're protecting your backups from being infected.
One of the best ways to protect backups is to use a different protocol to store your backup data on than what you back up from. For example, if you have a Windows-based backup server and you can have those backups either copied or stored on a Linux-based system, that tends to make it more difficult for the ransomware to be successful.
Though ransomware has technically been around for a while, its presence has really elevated in the last couple of years, thanks in part to cryptocurrency payments that are largely untraceable. So, it still feels somewhat new. And it seems like data protection vendors are still trying to figure out the best paths to take for their products. What are vendors doing now to tackle protection and recovery from ransomware?
Crump: We're seeing an increasing number of backup and recovery vendors monitor system activity. One of the attributes of ransomware is that it has to open a file to encrypt it. And then, once it's encrypted, it has to save that file. So, if you can look for an unusually high number of file opens and file saves within a short period of time, you should be able to detect ransomware with extreme consistency. There are stand-alone software products that will specifically look for this sort of file-open pattern, and it doesn't take much. All you have to do is say, for example: 'Alert me if 1,000 files in the home directory are opened and closed within a three-minute period of time.'
Other backup vendors are alerting you to a large amount of changes at the point of backup, and that's helpful. The challenge is that, even if you're backing up every four hours, it could be four hours of encrypted data. That's also one of the reasons we recommend that people who are concerned about ransomware -- and everybody should be -- back up noncritical systems more frequently.
Typically, these systems are backed up once a night. If you could increase that backup frequency to every 15 minutes, these alerting applications become more effective because now you're catching a ransomware hit within 15 minutes, as opposed to within eight hours.
What's the next phase in ransomware protection? Is there anything you'd like to see backup and recovery vendors implement regarding ransomware protection going forward?
Crump: I think that the next phase is the detection of the activity and then the caching of changes as they occur. We're seeing a couple vendors head down this path, but I'd like to see it more broadly. But what they're doing, essentially, is caching all changes to a group of files and then also detecting for that ransomware pattern. If they see the pattern occur, they find the service that has started it, and they kill that task.
They also have a record of what files have been changed, and then, they can immediately apply those back without having to go through a restoration process or anything like that. So, the result, then, is that a ransomware activity is stopped before it gets too far, and then, any damage it caused is immediately caught and replaced.
The way to eliminate ransomware is to stop paying ransoms, because the ransoms are what fund the activity. The way to stop paying ransoms is increasingly effective protection and recovery, as it relates to unstructured data, in particular.
Testing is an important element of disaster recovery planning that is often overlooked. How can an organization test to ensure it's ready to recover from a ransomware attack?
Crump: Testing is something that people will think of from a more traditional disaster point of view, such as a whole data center going down, and recovery from ransomware is different. You generally are dealing with a relatively small amount of data spread across an incredibly high number of files; that's the nature of most unstructured data today. So, you have to know how to recover a specific volume, a specific set of subdirectories, things like that. You need to know how to quickly identify what's been changed.
Backup software is getting better at reporting that to you. Going through that process and understanding how long it will take become critical as part of your overall testing processes. And the actual process is just different from a full-blown disaster recovery, where you're essentially recovering everything from scratch.
Do you find that organizations are testing enough for ransomware at this point?
Crump: Most organizations aren't testing enough for anything. And that's not necessarily the fault of IT; it's just the nature of the speed at which organizations move nowadays. So, we see lack when it comes to traditional disaster recovery testing, and so, the amount of ransomware-specific recovery testing is even worse.
Is there anything else that businesses should be aware of regarding ransomware recovery and protection that you want to mention or any other trends you are seeing in the market?
Crump: The big issue is complacency. We haven't seen a big ransomware attack for a few months now, but we will. It's easy to lull yourself into thinking, 'OK, well, that trend has passed.' Ransomware is hitting companies every single day. Most ransomware attacks aren't reported, and that's on purpose, because nobody wants to admit that they've paid a ransom.
Don't be complacent. Get out in front of this. The good news is: Everything you do to protect against a ransomware attack will also help you in general operational recoveries. The concept of backing up more frequently and testing recoveries has far-reaching benefits beyond just recovery from ransomware.