Backups prove a vital protection against rising ransomware attacks

When it comes to damaging and disruptive cyberattacks, few spark as much fear as ransomware. Encrypting an organisation’s data and then demanding payment for the key has become a popular and lucrative exercise for cybercriminals around the world.

For an organisation hit by ransomware, the impact can be devastating. As well as steep financial losses, there is the prospect of losing the trust of both customers and business partners.

If a targeted organisation is a utility or service provider, the resulting disruptions can be devastating. Power generators can fail, pipelines stop functioning, and hospitals find themselves unable to care for their patients.

Falling victim to a ransomware attack is alarmingly easy. Often all it takes is for a user within an organisation to fall prey to a phishing attempt, for example, clicking on a deceptive link in an email message or opening an innocently named attachment from someone they know that has been compromised.

This installs the malware code which then proceeds to lock the computer or encrypt important, predetermined files. If the victim organisation ops to pay the financial demand, the attacker will, in theory, unlock the data with a decryption key. However, it doesn’t always work out that way, and file corruption can occur, causing further delays and outages, even when a ransom has been paid up.

During the past few years, ransomware has evolved and can now attack existing network drives and backup data. Sophisticated ransomware can even destroy shadow data copies and restore point data, making recovery all but impossible.

Preventing your business against ransomware attacks

The task of protecting against ransomware attacks requires three key steps. They are:

  1. Protect backup data: It is vitally important to have in place a backup solution that provides multi-layer protection to prevent backups from becoming a ransomware attack target. The solution should offer immutable snapshots, write once read many (WORM), and strict access controls with Role-Based Access Control (RBAC) and multi-factor authentication (MFA).
  2. Quickly detect attacks: Quick discovery of a ransomware attack can significantly improve the chances of being able to prevent it from causing maximum damage. This can be achieved by using automated continuous monitoring and machine learning. Algorithms automatically scan for data anomalies to flag a potential ransomware attack in the production environment.
  3. Recover rapidly:Rapid data recovery is critical when it comes to keeping downtime to a minimum after an attack. An organisation should have a dashboard that shows the health status and cyber vulnerability index of all backups before instantly bringing back all data in one mass restore across locations and environments.

The importance of backups

These steps clearly show the importance of having a reliable and secure backup capability in place to protect critical data.

The most effective backup solutions will be those that offer immutability. Such a solution supports frequent, unlimited immutable snapshots with little to no performance impact. Ransomware will be unable to access or modify the immutable backup snapshots.

The backup solution should also have strict access controls. Most ransomware hackers take advantage of relaxed access policies, so have in place a combination of RBAC and MFA to ensure only authorised users can access the relevant data.

Another worthwhile feature is machine learning-aided detection. This can help to quickly gain control of the situation, access the damage, and rapidly initiate incident response. 

An effective backup solution should also be capable of performing an instant mass restore. Ransomware rarely strikes one machine or just a couple of VMs. Your backup solution should be robust and modern, instantly able to recover hundreds of VMs or large databases, to any point in time.

Rapid recovery

By deploying a backup solution with anti-ransomware capabilities, an organisation can ensure it is well placed to withstand an attack. The solution becomes the last line of defence and can help security teams retain their peace of mind.

Attackers are constantly evolving their techniques and looking for ways to gain access to IT infrastructures. If they manage to succeed, a backup solution with anti-ransomware capabilities can identify attacks and reduce the damage.

Consider how ready your organisation is for the next ransomware attack. What’s your last line of recovery right now? Taking the time and relative inexpense today to deploy and manage a fully-featured backup and recovery system can avoid a world of hurt in the future.

At the same time, for some organisations it might be time to appoint a security forensic expert consultant to conduct a post-mortem on any attack.  Since they can conduct rolling recoveries (in an isolated environment)  this gives your enterprise the ability to follow the course of the attack, pinpoint the initial exploit and support future prevention.  After all, there’s no point rebuilding the castle with the same weakness as before.

Derek Cowan
Derek Cowan is Director of Systems Engineering, APAC for Cohesity where he has a keen focus on data infrastructure management in support of public and private sector enterprise customer organisations. He has 25 years of experience in the IT industry having worked in technology engineering consultant positions for leading organisations, including IBM, EMC, VMware, Nimble Storage and Microsoft.