Ransomware recovery: 8 steps to successfully restore from backup
Backups should be protected from malware and quick to recover. They must also include key files and databases as well as key applications and configurations. Backups must be tested thoroughly.
These eight steps will help ensure a successful recovery from backups after a ransomware attack.
1. Keep backups separate
According to a survey by Veritas released last fall, only 36% of companies have three or more copies of their data, including at least one off-site. To keep your data safe from ransomware and other disasters, it is important to maintain an “air gap” between backups and production environments.
Jeff Platt, Vice President for Technical Advisory Services at MoxFive, a technical advisory company, said that some clients have both on-prem and cloud backups. But having both does not help if the two are chained together: if the encrypted files are written to a local backup solution and then replicated to the cloud, the cloud copy is corrupted as well.
Versioning is an option on some cloud-based platforms that comes with the product at no extra cost. Office 365, Google Docs, and online backup systems such as iDrive all keep previous versions of files intact rather than overwriting them. If ransomware strikes, the encrypted files are still backed up, but the backup process simply adds the corrupted file as a new version; it does not overwrite any older versions.
Technology that keeps incremental versions of files makes a ransomware attack recoverable: it is as simple as going back to the last good version of the file from before the attack.
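As an added illustration of the versioning behaviour described above (example code, not from the original article or from any product it names), the following Python sketch keeps every backup version of a file, flags the first version whose content looks like ciphertext by byte entropy, and restores the newest version written before it. The file path, timestamps and contents are constructed sample values, and the entropy threshold is an assumption.

```python
import hashlib
import math
from collections import Counter


class VersionedBackupStore:
    """Append-only store: each backup of a path adds a version; nothing is overwritten."""

    def __init__(self):
        self._versions = {}  # path -> list of (timestamp, sha256 hex, content)

    def backup(self, path, content, timestamp):
        digest = hashlib.sha256(content).hexdigest()
        self._versions.setdefault(path, []).append((timestamp, digest, content))
        return digest

    def versions(self, path):
        """All versions of a path, oldest first, as (timestamp, digest, content)."""
        return list(self._versions.get(path, []))

    def restore(self, path, before):
        """Point-in-time restore: the newest version written strictly before `before`."""
        older = [v for v in self.versions(path) if v[0] < before]
        if not older:
            raise LookupError(f"no version of {path} before t={before}")
        return max(older, key=lambda v: v[0])[2]


def entropy_bits_per_byte(content):
    """Shannon entropy of the byte distribution; ciphertext approaches 8 bits/byte."""
    n = len(content)
    return -sum(c / n * math.log2(c / n) for c in Counter(content).values())


def first_suspicious_version(store, path, threshold=7.5):
    """Timestamp of the first version that looks encrypted (assumed threshold), else None."""
    for ts, _, content in store.versions(path):
        if entropy_bits_per_byte(content) >= threshold:
            return ts
    return None


def demo():
    store = VersionedBackupStore()
    good = b"[db]\nhost=db01\nport=5432\n" * 8          # constructed config file
    store.backup("etc/app.conf", good, timestamp=1)
    store.backup("etc/app.conf", good.replace(b"db01", b"db02"), timestamp=2)
    # constructed stand-in for ransomware output: every byte value equally likely
    store.backup("etc/app.conf", bytes(range(256)) * 4, timestamp=3)
    hit = first_suspicious_version(store, "etc/app.conf")
    return hit, store.restore("etc/app.conf", before=hit)
```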
2. Use write-once storage techniques
You can also protect backups by using storage that cannot be written over. You can use either physical write-once, read-many (WORM) media or virtual alternatives that allow data to be written once but never modified. This requires significantly more storage, which can increase the cost of backups: backup technologies that only save updated and changed files, or other deduplication techniques that prevent multiple copies of the same file in an archive, are not recommended with this approach.
3. Make sure you have multiple backups
Platt says that many enterprises don’t have enough storage space or the ability to store backups for an extended period of time. “In one instance, the client had backups for three days. The backups for two days were corrupted, but the third was still valid. All three backup days could have been lost if ransomware had struck during a holiday weekend.” “All of a sudden, you come in, and all your iterations are overwritten because we only had three, four, or five more days.”
Platt recommends that companies have different types of backups. For example, full backups should be done on one schedule and incremental backups should be done on a more regular schedule.
4. Protect the backup catalog
Companies should ensure that data catalogs are secure, in addition to protecting backup files from hackers. Amr Ahmed, EY America’s Infrastructure and Service Resiliency Leader, says that most ransomware attacks are directed at the backup catalog, not the actual media.
This catalog holds all the metadata needed to use the backups, including the index, bar codes for tapes, and full paths to data on disks. Ahmed states that the backup media cannot be used without the catalog; restoring without one would be difficult or impossible. Enterprises should ensure their backup solution includes protections for the backup catalog, such as an air gap.