Ransomware recovery is the process of resuming operations following a cyberattack that demands payment in exchange for unlocking encrypted data. Having good data backups and a solid disaster recovery (DR) plan are the best ways an organization can recover successfully from this type of attack. With ransomware so prevalent, experts are urging businesses to assume that they will be hit with an attack, so protection and recovery are top of mind.
Ransomware, a subset of malware, typically gets into a system when a user opens an infected email attachment or visits a compromised website. Several major attacks have recently made headlines across the world:
- WannaCry ransomware in May 2017 hit more than 100,000 organizations. The payment total was not high, considering the scale of the attack, but the downtime for organizations led to big losses.
- Petya in June 2017 was first detected in Ukrainian government systems before spreading to organizations around the world.
- Bad Rabbit ransomware in October 2017 spread through Eastern Europe.
- A ransomware attack on the city of Atlanta in March 2018 shut down several departments. The cost of the recovery effort was more than $5 million.
To remain anonymous, attackers often demand payment in the form of virtual currency such as Bitcoin. The FBI does not recommend paying the ransom, as access to encrypted files may not be guaranteed and the victim then becomes known as an organization that will pay, opening itself up to the possibility of more attacks. Paying also encourages the business model. The government recommends immediately contacting authorities, such as a local FBI office.
Proper ransomware recovery is important because an attack can harm or even shut down a business. Even if an organization doesn't pay the ransom, the cost of downtime can be catastrophic, due to lost revenue and loss of reputation. As a result, it's critical to be able to recover quickly from a ransomware attack.
Planning for ransomware recovery is helpful for an organization not just for responding to attacks, but for DR as a whole. The planning stage enables an organization to look at where it may be vulnerable and in need of improvement.
Because ransomware constantly evolves, it's important for data protection vendors to stay one step ahead of attackers. For example, a new development is ransomware's ability to attack data backups, in addition to primary workloads, so an organization must ensure that its secondary storage is protected as well.
Recovering from a ransomware attack
Ransomware recovery starts before an attack hits. Organizations following the 3-2-1 rule of backup are in a good position to recover. With this method, there are three copies of the data, on at least two different media types, with one copy offsite or offline.
For example, using tape storage for one of the backup copies provides an offsite and offline option. Storage that is not connected to a network is safe from ransomware. Though tape won't typically have as up-to-date backup data as disk or cloud storage, it does feature an air gap -- which provides isolation through lack of network or internet connectivity -- and ensures an organization can recover at least some of its workloads.
When an attack hits, IT should take over immediately while users stay off the network. In its simplest form, IT would wipe the affected systems, ensure the ransomware is no longer in the network and restore operations from the last known good backup. To get the organization up and running as quickly as possible, IT may want to restore only the most critical data and operations first, and then bring up less important workloads. The cloud is a good option for off-site backup, but it can take a long time to restore a large volume of data.
As part of its backup and DR plans, an organization should identify which workloads are most important to the survival of the business and make sure those are properly and safely backed up. Ideally, an organization will back up files frequently throughout the day, using such methods as data replication.
Testing is key to ransomware recovery. A test can be as simple as running through what each team member will do in the event of an attack. The most comprehensive option involves running a full-scale test of backups and failing over operations as if the attack actually happened.
Security testing is necessary as well. IT should ensure its security tooling -- such as antivirus software -- is up to date. DR and security teams, if separate, should be on the same page regarding planning and recovery efforts.
Educating and training users in advance is optimal, but reminders immediately following an attack are also good while the issue is still fresh on everyone's minds. Employees should know not to open attachments or frequent websites they don't recognize as safe. They should also know to inform IT right away if they see something suspicious.
Major ransomware recovery tools and vendors
Data protection vendors have recently been adding features specific to ransomware recovery.
- Actifio OnVault technology provides an air gap by creating an unchangeable backup copy on object storage, on premises or in the cloud.
- Acronis software uses machine learning to help prevent a ransomware virus from corrupting data. It attempts to detect suspicious application behaviour before the corruption of files. Acronis Active Protection enables customers to roll back and recover from a point in time before a ransomware attack.
- Asigra Cloud Backup prevents ransomware from getting into backups by embedding malware engines in the backup and recovery stream. The engines are designed to identify a ransomware virus, quarantine it and notify the user.
- BackupAssist CryptoSafeGuard works with existing anti-malware software. It scans and detects suspicious activity in source files that can be related to ransomware, sends alerts and blocks backup jobs from continuing to run until resolution of the issue.
- CloudBerry Backup protects file-level backups when it finds ransomware. It prohibits existing backup data from being overwritten until an administrator confirms an issue.
- Druva inSync includes built-in monitoring and detection tools. Automated alerts flag unusual activity with data in desktops, laptops, mobile devices and cloud applications. The software also helps identify the last safe snapshot.
- Iron Mountain's Iron Cloud Critical Protection and Recovery isolates data, disconnecting it from a network. In the event of an attack, it provides a "cleanroom" to recover data and ensures that ransomware is out of the system.
- Quorum has an appliance specifically designed to recover from ransomware. The Quorum on Q Ransomware Edition takes snapshots of servers and provides server-level recovery.
- Reduxio BackDating serves as a time machine for data, cloning any volume to any point in time for data recovery, and enabling an organization to roll back to the moment before a ransomware attack.
- Unitrends physical and virtual appliances use predictive analytics to help determine if ransomware is operating in a system. Unitrends alerts customers when it detects the ransomware virus, so they can restore from the last safe point in time.
- Zerto's continuous data protection and journaling feature provides the ability to rewind to a point in time before a ransomware attack.
Features to look for in a tool
Backup and recovery vendors can help with ransomware-specific issues in a number of ways.
- Since a ransomware attack can hit at any moment, a tool that can increase the frequency of backups is helpful.
- Increasing the length of backup retention helps an organization that needs to keep files for the long term.
- Data protection products that integrate with malware detection represent an important security crossover.
- Backup software can alert an administrator to unusual rates of change in data, a sign of possible ransomware.
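The two ideas above that matter most in practice, flagging an unusual rate of change between backup jobs and then picking the last known good backup to restore from, can be prototyped over backup-job metadata. The following is an added example, not code from the page or from any vendor named above; the snapshot records, the 5x-median threshold and the 5% floor are constructed assumptions chosen to illustrate the heuristic.

```python
from dataclasses import dataclass
from statistics import median


@dataclass
class Snapshot:
    taken_at: str       # timestamp of the backup job (constructed sample data)
    files_changed: int  # files added or modified since the previous snapshot
    total_files: int    # files present in the snapshot


def change_rate(s: Snapshot) -> float:
    """Fraction of the data set rewritten since the previous backup job."""
    return s.files_changed / s.total_files if s.total_files else 0.0


def flag_anomalies(snaps, multiplier=5.0, floor=0.05):
    """Indices of jobs whose change rate is at least `floor` AND more than
    `multiplier` times the median rate of every earlier job. The median
    baseline keeps one noisy job from hiding the next one; the floor keeps
    tiny absolute changes from being flagged on a near-idle data set."""
    flagged = []
    for i in range(1, len(snaps)):  # index 0 is the initial full backup
        baseline = median(change_rate(s) for s in snaps[:i])
        rate = change_rate(snaps[i])
        if rate >= floor and rate > multiplier * baseline:
            flagged.append(i)
    return flagged


def last_known_good(snaps, multiplier=5.0, floor=0.05):
    """The snapshot taken just before the first anomalous job, i.e. the
    restore point; the newest snapshot if nothing looks suspicious."""
    flagged = flag_anomalies(snaps, multiplier, floor)
    return snaps[-1] if not flagged else snaps[flagged[0] - 1]


# Constructed job history: a steady ~1% daily change rate, then a job in
# which most of the data set was rewritten, as mass encryption would cause.
HISTORY = [
    Snapshot("2019-06-10T02:00", 100000, 100000),  # initial full backup
    Snapshot("2019-06-11T02:00", 900, 100000),
    Snapshot("2019-06-12T02:00", 1100, 100000),
    Snapshot("2019-06-13T02:00", 1000, 100000),
    Snapshot("2019-06-14T02:00", 87000, 100000),   # suspicious spike
    Snapshot("2019-06-15T02:00", 12000, 100000),   # still far above baseline
]

if __name__ == "__main__":
    print("flagged jobs:", flag_anomalies(HISTORY))
    print("restore from:", last_known_good(HISTORY).taken_at)
```

A real product would feed this from its job catalog and pause or quarantine the flagged jobs rather than just printing them.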
IT should not rely on a backup product alone for ransomware recovery. A more comprehensive and proactive data protection platform is better. It's important to analyse exactly what a vendor offers, though, as simply saying that an organization can recover from ransomware with a given product is different from providing a tangible means of recovering.