Ransomware is a new type of threat. As a result, it needs a new type of defense. The reason is simple: backups are not enough to protect against ransomware. They are increasingly victims of the attack themselves, and they don’t capture data frequently enough to enable the organization to recover from an attack.
Why Well Protected Organizations Pay The Ransom
The most obvious victim of a ransomware attack is an organization that either was not backing up data or discovers, as a result of the attack, that its backups were not working properly. These companies are left with no other option than to pay the ransom. But even organizations that protect their data and have quality backups often end up paying the ransom anyway.
The problem is the time of day that the ransomware attacks and how often an organization performs backups. Most backup jobs are run once a day, at night after everyone goes home. The ransomware is enabled by a user clicking through an email. Because that user is there during the day, that’s when the ransomware goes to work and very quickly encrypts all the data it can find on the network.
While it’s true that a backup will replace the encrypted data, it is LAST NIGHT’S copy of the data. Any data changed or modified during the day will not be protected by the backup. That means potentially every order taken, every contract created, or every new presentation will be lost if the organization does not pay the ransom. Recreating one day’s worth of data may be an option, but in most cases the amount of data that changes is too large. And in some cases the data can’t be re-created. Imagine online transactions in a database, video production or even the recording of a simple phone call.
If the organization decides recovery from backup is an option, there is also the time aspect. Most organizations have millions of files, and identifying the infected files and recovering them could take days if not weeks. The organization may decide it is simply not worth the time to recover all the data; it may be faster to pay the ransom and decrypt it.
If Backups Aren’t Enough Then What is?
To survive a ransomware attack, organizations need to copy data in near real-time as users create or move it. The destination system needs to be secure from access. We’d suggest a private connection, and that all data written to the second system be read-only and that the system maintain multiple versions of each file. Finally, it should notify the system administrator of file anomalies such as a high number of files being changed in a short period of time.
If an alert occurs, a system administrator can instantly make data available on a secondary device, essentially recovering without having to move data.
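The file-anomaly alert described above can be sketched as a sliding-window counter over file-change events. This is an added example, not code from the article or from any vendor product; the 60-second window, the 100-file threshold, the per-source grouping and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # assumed window length; tune to the environment
MAX_FILES_CHANGED = 100  # assumed threshold of distinct files per window


class ChangeRateMonitor:
    """Flags a source that modifies too many distinct files in a short window."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_FILES_CHANGED):
        self.window = window
        self.limit = limit
        self.events = defaultdict(deque)  # source -> deque of (timestamp, path)
        self.alerted = set()              # sources currently over the limit

    def observe(self, timestamp, source, path):
        """Record one change; return an alert dict the first time the limit is crossed."""
        q = self.events[source]
        q.append((timestamp, path))
        while q and q[0][0] <= timestamp - self.window:
            q.popleft()                   # drop events that fell out of the window
        distinct = len({p for _, p in q})
        if distinct > self.limit and source not in self.alerted:
            self.alerted.add(source)      # alert once per burst, not once per file
            return {"source": source, "files": distinct,
                    "first_seen": q[0][0], "at": timestamp}
        if distinct <= self.limit:
            self.alerted.discard(source)  # re-arm once the rate returns to normal
        return None


def constructed_events():
    """Constructed sample: slow, normal edits by alice, then a burst from bob."""
    events = [(t * 30.0, "alice", f"/share/docs/report{t % 5}.docx") for t in range(40)]
    events += [(600.0 + i * 0.2, "bob", f"/share/orders/{i:04d}.xlsx") for i in range(300)]
    return sorted(events)


def run(events, **kwargs):
    """Feed events in time order and collect the alerts raised."""
    monitor = ChangeRateMonitor(**kwargs)
    return [a for a in (monitor.observe(*e) for e in events) if a]


if __name__ == "__main__":
    for alert in run(constructed_events()):
        print("ALERT: {source} changed {files} files between "
              "{first_seen:.1f}s and {at:.1f}s".format(**alert))
```

Because the alert fires on the 101st distinct file rather than after the burst completes, the timestamp it reports also marks the point before which the versioned secondary copy can be trusted.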
Ransomware is a different animal and it requires different thinking compared to the old techniques of once-a-night backup. Near real-time copies of data and the ability to point users directly to the device are critical to a successful and rapid ransomware recovery. If enough organizations implement such a solution, then the money that drives ransomware investment will dry up and the problem will subside.
Sponsored by Nexsan