WannaCry was a wake-up call. New ransomware strains now appear every week because ransomware is a profitable “business.” There will be another attack, and the chances of your organization being infected are high. Now is the time to take steps to prevent and protect against the next ransomware attack.
Step 1 – Prevent
The best ransomware recovery is the one you don’t have to do, because your systems never get infected. Prevention requires making sure all of the organization’s servers are patched, implementing firewalls and proper antivirus. It also involves training end users to recognize suspicious emails and nefarious web sites.
The challenge with prevention is that it can only do so much. This is especially true when it comes to ransomware. Because of malware’s profitability, developers can afford to invest in new techniques that speed up the attack process and overcome the various countermeasures that IT creates.
Step 2 – Protection
The second step is protection. Ransomware protection requires more than just a good backup. Most backup processes run once per night. Assuming the last backup was successful, that means if an attack occurs towards the end of the next business day, a significant amount of critical data is vulnerable to the attack.
In an era of ransomware, IT planners should design systems that can protect data at least every 30 minutes. And, not just mission critical data. While it is true that applications like MS-SQL have been – and will continue to be – victims of ransomware encryption, most ransoms are paid to release standard file server data from the encryption lock.
A sub-30 minute protection window requires a smarter backup application – one that can efficiently identify changes at a sub-file level and transfer just those changes across the network. Examples include block level incremental, change block tracking and source side deduplication. These more granular backup technologies enable the backup to occur more frequently and with minimal disruption to the application and network infrastructure.
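To make the sub-file change tracking concrete, here is an added example (not code from the original article or from any vendor's product) of the block-level approach described above: the file is split into fixed-size blocks, each block is hashed, the hashes are compared against the manifest recorded at the previous backup, and only the blocks whose hash changed are sent. The 4 KiB block size, the SHA-256 digest and the sample "file" contents are assumptions chosen for the demonstration.

```python
"""Block-level incremental change detection (added example, not the page's own code).

Instead of copying the whole file every cycle, the file is split into fixed-size
blocks, each block is hashed, and the hashes are compared with the manifest kept
from the previous backup. Only blocks whose hash changed (or that were appended)
are transferred. All data below is constructed inline so the example runs offline.
"""
import hashlib

BLOCK_SIZE = 4096  # assumption: 4 KiB blocks, a common choice for block trackers


def block_hashes(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Return the SHA-256 digest of every fixed-size block of `data`."""
    return [hashlib.sha256(data[i:i + block_size]).hexdigest()
            for i in range(0, len(data), block_size)]


def changed_blocks(old_manifest: list, new_manifest: list) -> list:
    """Indices of blocks whose hash differs from, or is absent in, the old manifest."""
    return [idx for idx, digest in enumerate(new_manifest)
            if idx >= len(old_manifest) or old_manifest[idx] != digest]


def incremental_payload(old_manifest: list, new_data: bytes,
                        block_size: int = BLOCK_SIZE):
    """Build what actually crosses the network: the new manifest plus changed blocks."""
    new_manifest = block_hashes(new_data, block_size)
    payload = {i: new_data[i * block_size:(i + 1) * block_size]
               for i in changed_blocks(old_manifest, new_manifest)}
    return new_manifest, payload


def apply_incremental(old_data: bytes, payload: dict, new_length: int,
                      block_size: int = BLOCK_SIZE) -> bytes:
    """Rebuild the current file on the backup side from the previous copy + changed blocks."""
    # Truncate if the file shrank; zero-fill if it grew (appended blocks are in the payload).
    out = bytearray(old_data[:new_length].ljust(new_length, b"\0"))
    for idx, chunk in payload.items():
        start = idx * block_size
        out[start:start + len(chunk)] = chunk
    return bytes(out)


def demo():
    """Edit one byte and append a tail; only two of seventeen blocks should travel."""
    old = bytes(range(256)) * 256          # constructed 64 KiB "file": 16 full blocks
    old_manifest = block_hashes(old)       # recorded at the previous backup

    new = bytearray(old)
    new[5 * BLOCK_SIZE + 100] ^= 0xFF      # a one-byte edit inside block 5
    new += b"tail" * 100                   # 400 bytes appended -> a new block 16
    new = bytes(new)

    new_manifest, payload = incremental_payload(old_manifest, new)
    restored = apply_incremental(old, payload, len(new))
    bytes_sent = sum(len(chunk) for chunk in payload.values())
    return sorted(payload), bytes_sent, restored == new


if __name__ == "__main__":
    blocks, sent, ok = demo()
    print(f"changed blocks: {blocks}, bytes transferred: {sent}, restore intact: {ok}")
```

On the constructed input the backup moves 4,496 bytes (blocks 5 and 16) instead of the full 65,936, and the reconstructed copy matches the live file byte for byte. A real tracker would persist the manifest between runs and version the blocks it stores, so that a point-in-time copy from before the encryption started can be brought back.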
Step 3 – Recovery
Recovery is potentially the most important step toward protecting against ransomware. The first part of recovery is detection. Ransomware works by encrypting files. To encrypt a file, the malware must open it, rewrite its contents, and save it back. Detection is then straightforward: IT needs tools that watch for a high number of files being changed by a single user within a short period of time.
While there are specific tools to monitor for that type of activity, a proper data protection solution could also be an excellent provider of that capability, especially if it is performing backups every 15 to 30 minutes. If the data protection solution could alert an administrator to a user changing a high number of files within these 15-minute intervals, then it could essentially integrate detection into the application, eliminating the need for yet another tool. Some vendors have integrated this type of “anomaly detection” into their backup solutions.
Once the ransomware is detected and stopped, the final step is recovery. Recovery likely comes in two forms (assuming you’re not paying the ransom). The first is where detection happens soon after the ransomware kicked off. In this situation, the recovery is likely a few dozen to a few hundred files. If the monitoring solution can feed that list to the recovery software it is probably easier to simply recover those files.
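The detection rule described above (many files changed by one user inside a short window) and the hand-off to recovery (the list of affected files) can be demonstrated together. The following is an added example, not code from the original article or from any backup vendor; it runs over constructed file-server audit lines, and the 15-minute window, the threshold of 50 files, the audit line format and the user names are all assumptions made for the demonstration.

```python
"""Mass-file-change anomaly detection over file-server audit events (added example).

Each constructed audit line is: "<ISO timestamp> <user> <operation> <path>".
A user who modifies more than THRESHOLD distinct files inside a sliding WINDOW
is flagged, and the files touched are returned so a recovery tool can restore
just those files from the last known-good backup.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # matches the 15-minute backup interval in the text
THRESHOLD = 50                   # assumption: tune to a site's normal per-user activity
WRITE_OPS = ("WRITE", "RENAME")  # operations that alter file content or name


def parse_event(line: str):
    """Split one audit line into (timestamp, user, operation, path)."""
    ts, user, op, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, op, path


def detect_mass_changes(lines, window=WINDOW, threshold=THRESHOLD) -> dict:
    """Return {user: sorted list of affected files} for users exceeding the threshold."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e[0])
    recent = defaultdict(deque)   # user -> (timestamp, path) pairs inside the window
    flagged = defaultdict(set)    # user -> files seen while the user was over threshold
    for ts, user, op, path in events:
        if op not in WRITE_OPS:
            continue
        q = recent[user]
        q.append((ts, path))
        while q and ts - q[0][0] > window:      # drop events that aged out of the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > threshold:
            flagged[user].update(distinct)
    return {u: sorted(files) for u, files in flagged.items()}


def sample_events() -> list:
    """Constructed audit lines: one normal editor, one runaway encryptor, one reader."""
    base = datetime(2017, 6, 1, 9, 0, 0)
    lines = []
    for i in range(5):      # alice: a normal morning, one edit every 10 minutes
        ts = (base + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts} alice WRITE /share/finance/report{i}.xlsx")
    for i in range(80):     # bob: 80 documents rewritten in under 3 minutes
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} bob WRITE /share/hr/doc{i:03d}.docx")
    for i in range(20):     # carol: reads only, must never be flagged
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} carol READ /share/eng/spec{i}.pdf")
    return lines


if __name__ == "__main__":
    for user, files in detect_mass_changes(sample_events()).items():
        print(f"ALERT {user}: {len(files)} files changed within {WINDOW}; restore list:")
        for path in files[:3]:
            print("  ", path)
```

Only `bob` is flagged on the constructed input, and the returned list of 80 paths is exactly what the text means by feeding the affected files to the recovery software. The threshold should be set from observed baselines, since a build server or a bulk-import job will legitimately touch thousands of files; excluding such service accounts, or alerting on the ratio of renames to writes as well, keeps the rule useful without drowning the administrator in alerts.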
The other situation is when the ransomware has had time to work its way through an entire server or even several servers. It does not take long for this to occur. Many ransomware strains can infect a hundred thousand files in mere minutes.
If it is the latter, assuming that the chosen recovery solution is capable, the simple solution may be to recover the entire server. It is an ideal use case for Disaster Recovery as a Service (DRaaS). With DRaaS, the IT administrator can recover the entire server as a virtual instance – either on-premises or in the cloud – in minutes. Also, if change detection is built into the solution as described above, then IT will also know exactly which version of the server to bring back.
The key with recovery is that it has to be easy enough, and fast enough, that there is no temptation to pay the ransom.
When it comes to ransomware, prevention is important. But IT needs to prepare for the likely scenario that something will get through. That means that at some point they will need to recover data (and even running applications) and do so quickly. For most organizations, meeting those demands may require an alternate, more modern solution that can back up frequently and recover rapidly.
To learn more watch our on demand webinar: “Ransomware: How to Limit Downtime when Infected”.