Ransomware, or the people who use it, are very successful in both infecting systems and extracting money from the organizations impacted by the infection. Most organizations we speak to face a ransomware infection multiple times per year, so if your organization has not been infected yet, prepare yourself. It is only a matter of time. And while you can and should train users on how to avoid ransomware, the bad actors that create ransomware only have to get lucky once. Beyond training to prevent ransomware, you need to be prepared for recovery from ransomware.
Historically data protection protected against accidental deletion or corruption or the failure of a system or physical site. In either case data is lost. Ransomware doesn’t actually delete or even corrupt anything. It, ironically, makes it more secure by encrypting it. But, of course, the ransomware creator does not provide you with the keys to this higher level of “security”, they want you to pay for them. To recover from a ransomware attack requires first an admission that it WILL happen to your organization and it requires a different strategy than the traditional once a night backup.
Once you agree that ransomware will impact your organization, the next step is to understand how your data protection process needs to change in order to survive the attack. The most valuable data in your organization is, typically, the data that is changing right now. This data is fully exposed to a ransomware attack and, assuming a typical data protection strategy, it maybe hours before it is protected. It is also the data that, most likely, your organization is willing to pay to unlock. To protect the organization from that attack means increasing how often protection events occur and it requires securing those backups.
Increasing protection events is not as simple as it sounds. Each time a protection event occurs data needs to be ready to be protected, this means that the protection process needs to be able to get clean copies of data so that the data stored can be read. Second, it means the smallest amount of data possible should be copied across the network so as to not impact performance. The more frequently data can be protected the less likely an organization will need to pay a ransom fee.
Primary storage snapshots are not typically a safe protection against ransomware. Many ransomware developers have added the capability to delete or encrypt snapshot copies of data. A separate copy of data, typically created from a backup is required.
These backups should be stored on a separate storage system and a separate physical location. If the organization is using a cloud-based solution, that solution should have a local copy (hybrid-cloud backup) in addition to the cloud copy. Restoring data in the event of a ransomware infestation should not require waiting on the recovery of cloud copies. In addition, these backups should be encrypted and set to a read-only mode so that the ransomware attack can not infect them.
The amount of bad actors using ransomware to infect companies is increasing. The cure for ransomware is to never need to pay the ransom. The answer for never paying the ransom is to perform frequent backups that don’t impact performance. Those backups though should be local to speed in recovery. But local backups need encryption and protection to make sure that they themselves are not infected by the attack. Frequent copies to a protected store should enable the organization to recover from almost any attack.
QuorumLabs, Inc. is headquartered in San Jose CA with offices all around the world. Quorum “Disaster Recovery as a Service” (DRaaS) solutions provide organizations with both local and remote instant recovery capabilities for their servers, applications and data. Quorum onQ provides the fastest on premises backup and recovery appliance combined with the most flexible DRaaS in the industry. This hybrid approach allows Quorum customers to enjoy high performance and cloud scale in a single product. To learn more, visit www.quorum.com/product for details.