If ransomware doesn't make you lose sleep at night, you're lucky. It's scary to think that a hack can tie up your data in knots, and the only way to achieve ransomware recovery is to pay a fee for a decryption key.
What typically happens in a ransomware situation is that a careless employee runs a Trojan of some sort that then encrypts the data on drives, or the file system metadata that points to the objects. Without the company paying for the proper decryption key, the data is effectively lost. It doesn't matter if your data is already encrypted; the hack counts as a superencryption, layering on top of the legitimate one already in place. On the list of disasters to prepare for today, a ransomware attack is number two behind a straight hack that exposes mission-critical data.
Ultimately, some percentage of ransomware attacks will get through firewalls and intrusion detectors. There is only one way to guarantee protection against this type of attack. Ransomware recovery and protection is achieved by keeping up-to-date snapshots of your data sets outside of your main storage pool.
Use the cloud to get back to a working state
Ideally, a company will keep a set of rolling snapshots in a public cloud. These are "almost" offline, and since they can only be accessed via the backup software, they are out of the reach of ransomware bandits.
This sounds like it will consume a lot of space and a lot of WAN traffic, but deduplication and compression help a lot. Moreover, a disciplined approach to full backups can be used to reset the snapshots and allow older ones to be deleted safely.
The result of using the cloud DR process to protect against ransomware is that you can get back to a working state, less the recovery point objective (RPO) time. Of course, the ransomware recovery time depends on how much data needs to be transferred to get things up and running.
This indicates the best place for the recovery effort is in the cloud zone where the data is stored. Building instances in the cloud, if the apps are properly cloud-ready, should take little time compared with purging and rebuilding local systems. Remember, it takes time to be sure the Trojan is out of your system and, frankly, until that's done, you can't trust any of the hacked systems to behave as expected.
Furthermore, transferring huge data sets is a painfully slow process over today's antiquated WANs. If the hack is extensive, it's probably much better to get disks or tapes from your public cloud provider. A sync process will be needed after the local systems are restarted safely.
Clearly, the cloud approach, with the right backup software, can be used to repair selective files or folders. Overall, this should make ransomware recovery fairly easy to achieve. The benefit of this isn't limited to hack-proofing the system, though, since we are following good DR and backup practices with the snapshot method.
There is an alternative, which is to use an incremental backup software tool instead of snapshots. This can reduce the RPO, but at the cost of more WAN traffic.
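The rolling-snapshot scheme above has three moving parts worth making concrete: which old snapshots a new full backup lets you delete, how far back you actually land (the RPO window, measured from when encryption started rather than from when it was noticed), and how long the WAN transfer takes. The following is an added example written for this article, not code from the article or from any backup product; the snapshot model, the sample schedule and the bandwidth arithmetic are assumptions.

```python
"""Rolling cloud snapshots: pruning after a full backup, recovery point, transfer time.

Constructed model: each snapshot has a timestamp, a kind ("full" or
"incremental") and a logical size. Every incremental depends on the most
recent full before it, so a newer full "resets" the chain and makes older
snapshots safe to delete.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime
    kind: str          # "full" or "incremental"
    logical_gb: float  # data set size as the application sees it


def prune_plan(snapshots: List[Snapshot], keep_fulls: int = 2) -> Tuple[List[Snapshot], List[Snapshot]]:
    """Return (keep, delete). Keeps the newest `keep_fulls` full backups and every
    snapshot taken after the oldest of those; anything earlier belongs to a chain
    that is no longer needed for a restore."""
    ordered = sorted(snapshots, key=lambda s: s.taken_at)
    fulls = [s for s in ordered if s.kind == "full"]
    if len(fulls) <= keep_fulls:
        return ordered, []
    cutoff = fulls[-keep_fulls].taken_at
    keep = [s for s in ordered if s.taken_at >= cutoff]
    delete = [s for s in ordered if s.taken_at < cutoff]
    return keep, delete


def last_clean_snapshot(snapshots: List[Snapshot], encryption_began: datetime) -> Optional[Snapshot]:
    """Newest snapshot taken strictly before the Trojan started encrypting.
    Caveat: snapshots taken after that moment may already contain ciphertext,
    so the recovery point is anchored to the start of encryption, not to the
    time the attack was detected."""
    candidates = [s for s in snapshots if s.taken_at < encryption_began]
    return max(candidates, key=lambda s: s.taken_at, default=None)


def restore_transfer_hours(logical_gb: float, wan_mbps: float, reduction_ratio: float = 1.0) -> float:
    """Hours to pull `logical_gb` back over a WAN link (planning arithmetic only).
    `reduction_ratio` is the dedup+compression factor applied on the wire;
    1.0 means every logical byte is transferred. Uses decimal GB (1e9 bytes)."""
    bits_on_wire = logical_gb * 8e9 / reduction_ratio
    return bits_on_wire / (wan_mbps * 1e6) / 3600


def build_sample(start: datetime, weeks: int = 3, base_gb: float = 1200.0) -> List[Snapshot]:
    """Constructed schedule: a full every 7 days, an incremental on the other days."""
    return [
        Snapshot(start + timedelta(days=d), "full" if d % 7 == 0 else "incremental", base_gb + d)
        for d in range(weeks * 7)
    ]


def plan_summary(wan_mbps: float = 500.0) -> Dict[str, float]:
    """Walk one constructed incident: 21 daily snapshots, encryption starting
    6 hours after the day-18 snapshot, restore over a 500 Mbit/s link."""
    start = datetime(2024, 1, 1, 2, 0)            # constructed: snapshots run at 02:00
    snaps = build_sample(start)
    keep, delete = prune_plan(snaps, keep_fulls=2)
    began = start + timedelta(days=18, hours=6)   # constructed compromise time
    clean = last_clean_snapshot(snaps, began)
    assert clean is not None
    return {
        "kept": len(keep),
        "deleted": len(delete),
        "loss_hours": (began - clean.taken_at).total_seconds() / 3600,
        "restore_hours": restore_transfer_hours(clean.logical_gb, wan_mbps),
    }


if __name__ == "__main__":
    for k, v in plan_summary().items():
        print(f"{k:14s} {v:.2f}")
```

With weekly fulls and two fulls retained, the first week's seven snapshots become deletable once the day-14 full exists; landing on the day-18 snapshot costs the six hours of work done before encryption began, and the 1.2 TB restore is a matter of hours at 500 Mbit/s but would stretch to days for multi-hundred-terabyte sets, which is where shipped disks or tapes come in.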
Implement tight security controls
There are a few security issues that need to be addressed for proper ransomware recovery and protection. Data at rest in the cloud needs to be encrypted and government rules, such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act, must be followed carefully. Though many IT operations try to dodge this work, data in the cloud is a target, too.
Your backup storage also needs some very tight controls if it is to be safe.
- No passwords like "password."
- Credentials should change monthly. The biggest risk for exposing data is a disgruntled or terminated admin who knows a secret code.
- Two or even three-factor authentication should be used, and those with access rights should be a small subset of the IT staff. Putting tight access controls on the backup appliance is important. Preferably, it should be locked away from most people and should only be controlled by someone directly connected via a keyboard and a screen.
Cloud DR techniques can, with some care, safeguard against ransomware attacks. Your CEO will thank you.