Ransomware Backup And Recovery

Ransomware recovery: 8 steps to successfully restore from backup

Backups should be protected from malware and quick to recover. They must also include key files and databases as well as key applications and configurations. Backups must be tested thoroughly.

These are eight steps that will ensure you have a successful recovery of backups after ransomware attacks.

1. Keep backups separate

According to a survey by Veritas released last fall, only 36% of companies have three or more copies of their data, including at least one off-site. To keep your data safe from ransomware and other disasters, it is important to maintain an “air gap” between backups and production environments.

Jeff Platt (Vice President for Technical Advisory Services at MoxFive), a technical advisory company, said that some clients have both on-prem and cloud backups. But ideally, people should not have both. It doesn’t matter if the encrypted files are written to a local backup solution, then replicated to the cloud.

Versioning is an option on some cloud-based platforms that comes with the product at no extra cost. Office 365, Google Docs, and online backup systems such as iDrive all keep previous versions of files intact without overwriting them. Even if ransomware attacks, encrypted files are backed up. The backup process simply adds a corrupted new version to the file. It doesn’t overwrite any older backups.

Ransomware attacks are prevented by technology that keeps incremental backups of files. It’s as simple as going back to the original file that was good before the attack.

2. Use write-once storage techniques

You can also protect backups by using storage that cannot be written over. You can use either physical write-once, read-many (WORM), or virtual alternatives that allow data to both be written and not modified. It requires significantly more storage, which can increase the cost of backups. Backup technologies that only save updated and changed files, or other deduplication techniques to prevent multiple copies of the same file in an archive, are not recommended.

3. Make sure you have multiple backups

Platt says that many enterprises don’t have enough storage space or the ability to store backups for an extended period of time. “In one instance, the client had backups for three days. The backups for two days were corrupted, but the third was still valid. All three backup days could have been lost if ransomware had struck during a holiday weekend. “All of a sudden, you come in, and all your iterations are overwritten because we only had three, four, or five more days.”

Platt recommends that companies have different types of backups. For example, full backups should be done on one schedule and incremental backups should be done on a more regular schedule.

4. Backup catalog should be protected

Companies should ensure that data catalogs are secure, in addition to protecting backup files from hackers. Amr Ahmed, EY America’s Infrastructure and Service Resiliency Leader, says that most ransomware attacks are directed at the backup catalog, not the actual media.

This catalog includes all metadata needed to backup, including the index, bar codes for tapes, full paths to data on disks, and the index. Ahmed states that backup media won’t be able to be used without the catalog. It would be difficult or impossible to restore without one. Enterprises should ensure they have a backup solution, including protections for backup catalogs such as an air gap.

5. Backup everything you need

In 2016, ransomware attacked Alaska’s Kodiak Island Borough. The municipality had approximately three dozen servers and 45 employees PCs. Paul VanDyke (IT supervisor) who managed the recovery effort said that all servers were backed up. Except for one, all servers were backed up. He says, “I didn’t find one server that had assessed the property values.”

Today’s ransom demands were small. It was only half of a Bitcoin. That was $259. He paid the ransom but used only the decryption keys on one server because he was unsure about the integrity of the systems that were restored by the attackers. He says, “I assumed that everything was corrupt.” Backup technology has made everything possible.

Larger companies also face difficulties in ensuring that all data that is needed to be backed up is actually backed up. According to Veritas’ survey, IT professionals believe that they would not be able to recover 20% of their data if there was a total data loss. Shadow IT is a problem in many businesses if they are not all.

Randy Watkins (CTO, Critical Start) says that people are looking for the best way to accomplish their jobs. “Often, this means going under the radar and doing it yourself.”

Companies can only do so much to protect critical data that is stored on servers in back rooms. This is especially true if it is internal data. Watkins says that production is often on the company’s radar. Watkins says, “There’s a brand new application or new revenue-generating service.”IT cannot find all systems, so it is not possible to back them up. Ransomware can cause problems and make things stop working. Watkins suggests that all companies conduct a comprehensive inventory of their assets and systems. Leaders from all functions will be involved in this exercise. They can then ask their employees for a list of critical systems and data.Companies often discover that certain things are being stored in places they shouldn’t, such as payment data stored on employees’ laptops. Watkins states that backup projects often go hand in hand with data loss prevention projects.

6. Backup entire business processes

Ransomware doesn’t just affect data files. Ransomware attackers know that ransomware can affect all business functions. The more they can shut down, then the more likely it is for a company to pay a ransom. Network outages, natural disasters, and hardware failures don’t discriminate.

Kodiak Island’s VanDyke was forced to rebuild all servers and computers after they were attacked by ransomware. This included downloading and reinstalling software, and redoing all configurations. It took over a week to recover the servers and another week for the computers. He also said that he only had three servers left to perform the recovery, so it was quite a bit of switching back and forth. The process could have been completed faster if there were more servers.

According to Dave Burg, EY Americas’ cybersecurity leader, a business process functions like an orchestra. “You can hear noise if there are different parts to the orchestra.

It can be extremely difficult to recover from a data backup without also backing up the components, dependencies, and configurations as well as monitoring, security, and monitoring tools. This is a problem that companies often overlook.

Burg says that there is a lack of understanding of the technology infrastructure and interconnections. “Insufficient understanding of the technology’s workings to allow the business to succeed.”

Burg states that the most difficult infrastructure recovery tasks after a ransomware attack are usually rebuilding Active Directory and reconfiguring configuration management database capabilities. In the past, companies could create a complete backup of their systems and not just data. A disaster recovery site was required. This doubled the infrastructure cost, which made it prohibitive for many companies.

Cloud infrastructure can be used today to create virtual backup data centers. This is a cost-effective way to save money as it is being used. It is even easier to set up backups in another availability zone or cloud if your company is already using the cloud. Burg says that cloud-based hot-swaps are affordable, secure, and offer a lot of promise.

7. To speed up recovery, use hot disaster recovery sites and automated tools

Veritas found that only 33% of IT directors believe they can recover from ransomware attacks within five days. Watkins says, “I know of companies that are spending a lot on tapes and shipping them off to Iron Mountain.” They don’t have time to wait for tapes to be returned and then restore them in an hour.

The recovery time problem could be solved by a hot site. This one can be accessed at the touch of a key. There’s no reason to not have one with today’s cloud-based infrastructure.

Watkins says, “It’s an easy decision.” You can create a script to copy your infrastructure and put it up in another availability area or provider. You can then hit play to have the automation running. It takes only 10 to 15 minutes to turn the automation on. There is no restore time. It could take you a whole day if you do some testing.

Why aren’t there more companies doing this? Watkins states that there is a significant cost involved in the initial setup. He says, “Then you will need that expertise in-house, that automation expertise, and general cloud expertise.” You also need security controls to be in place ahead of time.

Legacy systems are not transferable to the cloud. Watkins cites oil and gas controllers in this example.

Watkins states that the initial cost to set up backup infrastructure should not be an issue. The cost of setting up the infrastructure will be much lower than the ransomware payment and reputation damage.

Tan suggests that companies who are struggling with this issue might consider focusing on the most important business processes first.

India’s principal analyst for data security, ner Johnson. He says, “You don’t want to spend a million dollars to secure a thousand-dollar asset.” “Define your crown jewels. Your security team should have a hierarchy and a priority list.

Johnson acknowledges that there is a cultural barrier to investing in cybersecurity. Johnson admits that we are a reactionary society and cybersecurity is now being recognized as an investment. A pound of prevention is better than a pound cure.

8. Test, test, and test again

According to Veritas, 39% of companies last tested their disaster recovery plan more than three months ago–or have never tested it at all. Mike Golden, Capgemini’s senior delivery manager for cloud infrastructure, says that many people approach backups from a backup perspective, and not from a recovery standpoint. You can backup all you want, but if your restore isn’t tested, your disaster recovery will not be tested. This could lead to serious problems.

Golden says this is the biggest mistake made by many companies. They back it up, then go away without testing it. Because they have not tested the backups, they don’t know how long it will take. He says, “You don’t know everything that could go wrong until it happens.”

Testing technology is not enough. It also needs to test the human element. Golden states that people don’t know what it is they don’t understand. “Or, there isn’t a regular audit to their processes to ensure that people adhere to policies.”

Golden suggests that people should trust but verify their backup procedures and what to do in case of a disaster.