When ransomware hits an organization, it is very tempting simply to pay the ransom instead of going through the time and effort to replace the encrypted data by recovering from a backup. After the ransom is paid, the hackers hand over a decryption key and the organization regains immediate access to its data. While there is concern about actually receiving the key after paying, there are very few reported cases of the key not being delivered. Ransom payment seems like an easy way out, but it brings challenges of its own.
The Problems with Paying Ransomware Ransom
The first problem with paying the ransom is that the organization is guilty of feeding the beast. The funds an enterprise pays to free its data encourage hackers to keep attacking other companies, and some of the money goes toward developing more sophisticated strains of ransomware. The second problem is that there is no way of knowing with certainty whether the ransomware was completely removed from the IT infrastructure. It is not uncommon for an organization hit by ransomware to be hit repeatedly; by paying the ransom, the organization self-identifies as a soft target. The third problem is that, in many cases, an organization that pays never goes through the pain of recovering from the attack and therefore never learns how to avoid the next one.
How to Avoid Paying Ransoms
The first step in ransomware recovery is to make sure the ransomware executable or service is identified and eliminated. The ransomware pattern is relatively easy to identify: IT needs to look for a process in the environment that is opening, modifying (encrypting) and rewriting thousands of files per minute, which is obviously not normal behavior. Some tools will watch for this pattern and alert IT when it occurs; there are even tools that will suspend the process until IT can investigate. Once the threat is eliminated, IT needs to survey the damage. Essentially, the assumption should be that any file modified since the attack started is infected and needs to be recovered.
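As an added illustration of the pattern described above (this script is not part of the original article), the following Python code scans a constructed file-activity log, flags any process whose WRITE count in a single minute crosses a threshold, and then lists every file that process wrote from that minute onward as needing recovery from backup. The log format, the process names, the paths and the threshold are all assumptions made for the example.

```python
"""Flag processes that rewrite files at ransomware-like rates.

Added example, not from the original article. Input is a constructed
file-activity log, one event per line: "timestamp,pid,process,op,path".
The format, names and threshold are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one normal user edit, then one process rewriting
# 200 spreadsheets inside the same minute (generated rather than listed).
SAMPLE_LOG = [
    "2018-03-01T10:00:03,1001,winword.exe,OPEN,\\\\nas\\share\\q1.docx",
    "2018-03-01T10:00:07,1001,winword.exe,WRITE,\\\\nas\\share\\q1.docx",
] + [
    f"2018-03-01T10:01:{i % 60:02d},2002,renamer.exe,WRITE,\\\\nas\\share\\f{i}.xlsx"
    for i in range(200)
]


def parse_events(lines):
    """Parse log lines into (minute, pid, process, op, path) tuples."""
    events = []
    for line in lines:
        ts, pid, proc, op, path = line.split(",", 4)
        minute = datetime.fromisoformat(ts).replace(second=0)
        events.append((minute, int(pid), proc, op, path))
    return events


def find_mass_writers(events, per_minute_threshold=100):
    """Return {(pid, process): first minute in which WRITE count >= threshold}."""
    counts = defaultdict(int)
    for minute, pid, proc, op, _ in events:
        if op == "WRITE":
            counts[(pid, proc, minute)] += 1
    flagged = {}
    # Walk minutes in order so the earliest crossing becomes the onset time.
    for (pid, proc, minute), n in sorted(counts.items(), key=lambda kv: kv[0][2]):
        if n >= per_minute_threshold and (pid, proc) not in flagged:
            flagged[(pid, proc)] = minute
    return flagged


def files_to_recover(events, flagged):
    """Every path a flagged process wrote from its onset minute on is treated
    as encrypted and queued for restore from the last good backup/snapshot."""
    damaged = set()
    for minute, pid, proc, op, path in events:
        onset = flagged.get((pid, proc))
        if onset is not None and op == "WRITE" and minute >= onset:
            damaged.add(path)
    return damaged
```

The threshold is deliberately crude; in production the same counting logic would be fed by the file server's audit log or a file-system filter rather than a static list.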
A ransomware recovery strategy has to be easier and faster than paying the ransom, and it has to lose less data. This translates into much more frequent backups of data that is not normally backed up often, such as NAS shares and home directories. Backup copies of data should occur within 15 to 45 minutes of any data changes. It also means implementing rapid recovery techniques.
Frequent backups require backup intelligence. Certainly, full backups are out of the question, and for most environments even file-level incremental backups will take too long and require too much bandwidth. Instead, the organization should look for backup solutions that can perform block-level incremental (changed block tracking) backups, or that can manage the snapshot technologies built into storage systems, preferably both. In both cases, the more granular data protection of these two techniques makes it practical to capture data repeatedly throughout the day.
Ransomware can encrypt an incredibly high number of files in very short order, thousands of files per minute. Recovering all of these files one at a time by copying them across the network back to the NAS or file server will be a slow, painful process. Restoration has to be equally intelligent. The backup software either has to be able to mount volumes directly from the backup device, manage the mounting of a snapshot volume, or have an intelligent restore function that recovers only the data changed since the last backup.
Of these, the preferred method is to mount the backed-up data as a volume directly on the backup appliance, or to mount a snapshot copy of the data. The NAS or file server is then pointed at these volumes and users can start accessing files almost immediately.
Ransomware attacks make headlines a few times per year, but actual attacks occur on a continual basis (they just don’t make headlines). The problem is that a high number of victims pay, which only encourages the proliferation of attacks. IT needs to focus on creating a recovery solution that makes paying the ransom unnecessary because it can recover the infected data quickly with minimal data loss. Once organizations develop these capabilities and stop paying, the ransomware “industry” will wither and die.
Ransomware is just one of the trends impacting IT. In our on-demand webinar, “5 Key Trends That Could Challenge Your Data Protection Plan in 2018,” we cover ransomware in more detail and discuss four other trends that could break your data protection plan:
- The Shift to Hybrid IT
- The Proliferation of Mission Critical Applications
- Cloud Storage and Cloud Applications
- The Rise of Remote Office Computing (ROBO)
View now and get a copy of Storage Switzerland’s White Paper, “2018 Business Continuity Risk Analysis.”