Speed of recovery from any disaster is always important, but it is most critical when recovering from a ransomware attack. Ransom demands are typically a few thousand dollars, and rarely exceed $20,000. For the organization, the decision of whether or not to pay the ransom becomes a return on investment (ROI) calculation: will it take longer, and will more data be lost, by restoring from backups than by simply paying the ransom?
Risk vs. Reward
Of course, paying the ransom comes with risks. First, the organization exposes itself as one that is vulnerable to attacks. Second, it demonstrates a willingness to pay rather than the resolve to recover. Third, there is always the risk that the person or organization behind the attack won’t actually release the decryption keys needed to unlock the encrypted data.
There are many cases where an organization exposes its vulnerability and willingness to pay a ransom, which results in further attacks. If your organization gets hit with ransomware and decides to pay, expect to be targeted again.
There are also cases where a business pays the ransom, but never receives the decryption keys – those cases seem to be extremely rare – maybe there is honor among thieves?
Creating a Fast Ransomware Recovery Strategy
There are two aspects to a fast ransomware recovery strategy: frequent backups and in-place recovery.
Many ransoms are paid because the organization changed and/or created so much data since the last backup job, that they couldn’t afford to lose the data held for ransom. A more frequent backup policy solves that problem.
Frequent backups require smart backup software. IT certainly can’t run a full backup of the environment every 15 to 30 minutes, and even a file-level incremental backup would create too much disturbance.
A 15 to 30 minute backup frequency requires a more granular approach. Fortunately, block-level incremental backup and changed block tracking (CBT) are now well established in most operating systems and hypervisors. Modern backup software should be able to leverage these APIs to make frequent, small data capture events.
The second aspect of a rapid ransomware recovery strategy is in-place recovery. Recovery from a ransomware attack is unique compared to any other type of disaster. In most cases the entire environment is not wiped out, just a portion of it, and often just the file servers. The problem is that those file servers hold millions of files, and if a few hundred thousand are encrypted before IT stops the ransomware, a massive recovery effort looms.
Identifying which files need to be recovered and then individually restoring those files is an almost impossible request. In most cases, the organization is actually better off restoring the entire server. The problem is, if frequent backups were not done then the recovery may wipe out a lot of changes that happened during the course of the day. If frequent backups are done, then a full recovery of the server is less of a data-loss concern, but it is a time concern.
The problem with recovering the entire server is the time it takes to transfer a million files over the network, even if the files themselves are small. Each file has to be individually copied from backup storage to primary storage. An alternative is to use one of the recovery-in-place technologies to start the file server directly from the backup storage.
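The two mechanisms discussed above, frequent block-level incremental capture driven by changed block tracking and whole-server restore to a point in time, can be shown together in a small simulation. The following is an added example written for this page; it is not code from the post or from any backup product. It models a server disk as a byte string, uses a `changed_blocks()` helper as a stand-in for the OS or hypervisor CBT API (real CBT reports a dirty-block bitmap, it does not diff images), and uses a constructed timeline of three snapshots: a full backup, a normal edit, and an encryption event. The `BlockStore` class, the 16-byte block size and the labels are all assumptions made for the demo. Note that the 09:30 job faithfully captures the encrypted blocks too, which is why retention of earlier snapshots, not just the latest one, is what makes the recovery possible.

```python
"""Simplified block-level incremental backup with changed-block tracking (CBT).

Added example, not the post's own code. A disk image is a byte string split
into fixed-size blocks. After a first full backup, each job reads only the
blocks the (simulated) change-tracking bitmap reports as modified. Every
snapshot still records a complete block map, so any point in time can be
restored whole: the "restore the entire server" case described in the text.
"""
import hashlib

BLOCK_SIZE = 16  # constructed tiny block size for the demo; real CBT uses 4 KiB or larger


def split_blocks(image: bytes) -> list:
    return [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]


def changed_blocks(old: bytes, new: bytes) -> set:
    """Stand-in for the OS/hypervisor CBT API: indices of blocks that differ."""
    old_b, new_b = split_blocks(old), split_blocks(new)
    return {i for i in range(len(new_b)) if i >= len(old_b) or old_b[i] != new_b[i]}


class BlockStore:
    """Content-addressed backup storage plus an ordered list of snapshots."""

    def __init__(self):
        self.chunks = {}      # sha256 hex -> block bytes (deduplicated across snapshots)
        self.snapshots = []   # list of (label, {block index -> sha256 hex})

    def backup(self, label: str, image: bytes, dirty=None) -> dict:
        """Capture `image` as snapshot `label`.

        dirty=None means a full backup (every block is read). Otherwise only the
        block indices in `dirty` are read; unchanged blocks inherit the digest
        recorded by the previous snapshot. Returns counters for the job.
        """
        blocks = split_blocks(image)
        prev = self.snapshots[-1][1] if self.snapshots else {}
        block_map = {i: d for i, d in prev.items() if i < len(blocks)}
        todo = range(len(blocks)) if dirty is None else sorted(dirty)
        stored = 0
        for i in todo:
            digest = hashlib.sha256(blocks[i]).hexdigest()
            if digest not in self.chunks:        # only new content crosses the network
                self.chunks[digest] = blocks[i]
                stored += 1
            block_map[i] = digest
        self.snapshots.append((label, block_map))
        return {"read": len(todo), "stored": stored}

    def restore(self, label: str) -> bytes:
        """Rebuild the whole image exactly as it was at snapshot `label`."""
        block_map = next(m for lbl, m in self.snapshots if lbl == label)
        return b"".join(self.chunks[block_map[i]] for i in range(len(block_map)))


def run_scenario():
    """Constructed timeline: full backup, a normal edit, then encryption of a range."""
    store = BlockStore()
    clean = b"".join(f"blk{i:03d}:original!".encode() for i in range(64))  # 64 blocks
    stats = {"09:00": store.backup("09:00", clean)}            # full backup: 64 blocks read

    edited = bytearray(clean)                                  # a user edits two blocks
    for i in (3, 40):
        edited[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE] = f"blk{i:03d}:edited!!!".encode()
    edited = bytes(edited)
    stats["09:15"] = store.backup("09:15", edited, changed_blocks(clean, edited))

    hit = bytearray(edited)                                    # ransomware overwrites blocks 10..29
    for i in range(10, 30):                                    # pseudo-random bytes stand in for ciphertext
        hit[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE] = hashlib.sha256(bytes([i])).digest()[:BLOCK_SIZE]
    hit = bytes(hit)
    stats["09:30"] = store.backup("09:30", hit, changed_blocks(edited, hit))
    return store, {"clean": clean, "edited": edited, "hit": hit}, stats


if __name__ == "__main__":
    store, images, stats = run_scenario()
    for label, s in stats.items():
        print(f"{label}: read {s['read']:>2} blocks, stored {s['stored']:>2} new")
    # Whole-server restore to the last clean snapshot, not a per-file hunt.
    print("09:15 restore intact:", store.restore("09:15") == images["edited"])
```

Running the scenario shows the point the text makes: the 09:15 and 09:30 jobs read 2 and 20 blocks respectively instead of all 64, and the restore of the 09:15 snapshot rebuilds the entire image, so there is no need to identify which of the affected files to restore individually. The 15-minute cadence is also what limits the data loss here to the edits made between 09:15 and the moment of infection.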
In the case of a massive infection, a good option to have in IT’s pocket is a cloud-based recovery solution like disaster recovery as a service.
The combination of frequent backups and in-place recovery leads to rapid restoration of data and services. It should limit data loss to no more than 30 minutes and restore services within 15 minutes. That is much faster than the time it takes to pay the ransom and unlock the encrypted data, and it is also much less expensive.
To learn more about preparing for, preventing and recovering from a ransomware attack, watch our on-demand webinar “Ransomware: How to Limit Downtime when Infected”.