Skip to main content

Ransomware recovery

Ransomware recovery is the process of resuming options following a cyberattack that demands payment in exchange for unlocking encrypted data. Having good data backups and a solid disaster recovery (DR) plan are the best ways an organization can recover successfully from this type of attack. With ransomware so prevalent, experts are urging businesses to assume that they will be hit with an attack, so protection and recovery are top of mind.

Ransomware, a subset of malware, typically gets into a system when a user opens an infected email attachment or website. Several major attacks have recently made headlines across the world:

  • WannaCry ransomware in May 2017 hit more than 100,000 organizations. The payment total was not high, considering the scale of the attack, but the downtime for organizations led to big losses.
  • Petya in June 2017 was first detected in Ukraine government systems before spreading to organizations around the world.
  • Bad Rabbit ransomware in October 2017 spread through Eastern Europe.
  • A ransomware attack on the city of Atlanta in March 2018 shut down several departments. The cost of the recovery effort was more than $5 million.

To remain anonymous, attackers often demand payment in the form of virtual currency such as Bitcoin. The FBI does not recommend paying the ransom, as access to encrypted files may not be guaranteed and the victim then becomes known as an organization that will pay, opening itself up to the possibility of more attacks. Paying also encourages the business model. The government recommends immediately contacting authorities, such as a local FBI office.

Proper ransomware recovery is important because an attack can harm or even shut down a business. Even if an organization doesn't pay the ransom, the cost of downtime can be catastrophic, due to lost revenue and loss of reputation. As a result, it's critical to be able to recover quickly from a ransomware attack.

Planning for ransomware recovery is helpful for an organization not just for responding to attacks, but for DR as a whole. The planning stage enables an organization to look at where it may be vulnerable and in need.

Because ransomware constantly evolves, it's important for data protection vendors to stay one step ahead of attackers. For example, a new development is ransomware's ability to attack data backups, in addition to primary workloads, so an organization must ensure that its secondary storage is protected as well.

Recovering from a ransomware attack

Ransomware recovery starts before an attack hit. Organizations following the 3-2-1 rule of backup are in a good position to recover. With this method, there are three copies of the data, on at least two different media types, with one copy offsite or offline.

For example, using tape storage for one of the backup copies provides an offsite and offline option. Storage that is not connected to a network is safe from ransomware. Though tape won't typically have as up-to-date backup data as disk or cloud storage, it does feature an air gap -- which provides isolation through lack of network or internet connectivity -- and ensures an organization can recover at least some of its workloads.

When an attack hits, IT should take over immediately while users stay off the network. In its simplest form, IT would wipe the affected systems, ensure the ransomware is no longer in the network and restore operations from the last known good backup. To get the organization up and running as quickly as possible, IT may want to restore only the most critical data and operations first, and then bring up less important workloads. The cloud is a good option for off-site backup, but it can take a long time to restore a large volume of data.

As part of its backup and DR plans, an organization should identify which workloads are most important to the survival of the business and make sure those are properly and safely backed up. Ideally, an organization will back up files frequently throughout the day, using such methods as data replication.

Testing is key to ransomware recovery. A test can be as simple as running through what each team member will do in the event of an attack. The most comprehensive option involves running a full-scale test of backups and failing over operations as if the attack actually happened.

Security testing is necessary as well. IT should ensure its security -- such as antivirus software is up-to-date. DR and security teams, if separate, should be on the same page regarding planning and recovery efforts.

Educating and training users in advance is optimal, but reminders immediately following an attack are also good while the issue is still fresh on everyone's minds. Employees should know not to open attachments or frequent websites they don't recognize as safe. They should also know to inform IT right away if they see something suspicious.


Comments

Popular posts from this blog

Ghosting

Ghosting is to cease communications without notification. The use of the word "ghost" as a verb originated in social media in reference to dating, but the term is now used by employers to describe employees and potential employees who suddenly disappear. Typically, ghosting is used to describe: Job candidates who suddenly stop responding to messages. New hires who fail to show up for their first day of work. Employees who do not show up for a shift. Employees who leave work in the middle of the day and never come back. Some analysts blame ghosting on millennial entitlement. The reasoning is that members of the millennial generation have been brought up to feel they are special -- so special, in fact, that they do not need to follow conventional rules of behavior. Other analysts, however, maintain that ghosting behavior stems from changes in the job market and the phenomenon is simply a reflection of the laws of supply and demand in a healthy jo...

Data deduplication

Data deduplication -- often called intelligent compression or single-instance storage -- is a process that eliminates redundant copies of data and reduces storage overhead. Data deduplication techniques ensure that only one unique instance of data is retained on storage media, such as disk, flash or tape. Redundant data blocks are replaced with a pointer to the unique data copy. In that way, data deduplication closely aligns with incremental backup, which copies only the data that has changed since the previous backup. For example, a typical email system might contain 100 instances of the same 1 megabyte (MB) file attachment. If the email platform is backed up or archived, all 100 instances are saved, requiring 100 MB of storage space. With data deduplication, only one instance of the attachment is stored; each subsequent instance is referenced back to the one saved copy. In this example, a 100 MB storage demand drops to 1 MB. Target vs. source deduplication Data deduplica...

A Graphics Processing Unit (GPU)

A graphics processing unit (GPU) is a computer chip that performs rapid mathematical calculations, primarily for the purpose of rendering images. A GPU may be found integrated with a central processing unit (CPU) on the same circuit, on a graphics card or in the motherboard of a personal computer or server. In the early days of computing, the CPU performed these calculations. As more graphics-intensive applications such as AutoCAD were developed; however, their demands put strain on the CPU and degraded performance. GPUs came about as a way to offload those tasks from CPUs, freeing up their processing power. NVIDIA, AMD, Intel and ARM are some of the major players in the GPU market. GPU vs. CPU A graphics processing unit is able to render images more quickly than a central processing unit because of its parallel processing architecture, which allows it to perform multiple calculations at the same time. A single CPU does not have this capability, although multi...