If ransomware gets through an organization’s defenses, the organization has two choices: recover or pay. Given the growth in the number of ransomware attacks, many organizations choose to pay, which only further fuels the industry, making the next round of ransomware attacks even more vicious. Why are organizations feeding the beast?
In most cases, the reason an organization pays a ransom is not that the organization doesn’t have a backup. While the state of backup is concerning, it is not that bad! The reason that an organization typically pays is that the backup the organization has is either incomplete, not recent enough or too slow to deliver a fast recovery. As Storage Switzerland’s blog “Are You Ready for Ransomware’s Next Phase?” discusses, the backup software may also not be ready for the next phase of attacks, which includes removing backed-up malware files from individual restores so that data isn’t re-encrypted after recovery.
In most disaster recovery efforts, there is no faster alternative waiting in the wings. If water floods an organization’s data center, it has no other choice but to wait on IT to recover data and applications. However, with ransomware there IS a faster alternative waiting in the wings. Recovery from ransomware is only a Bitcoin transaction away, assuming there is honor among thieves and the bad actor delivers the encryption codes when they receive the Bitcoin payment.
To stop the temptation to pay the ransom, organizations need to tighten up their data protection efforts.
First, all data needs frequent protection, regardless of importance. Frequent protection means backing up both application data and unstructured user file data with the same level of criticality. The backup solution must leverage block-level incremental technology to back up data, which enables backups to occur at least every hour, though every 15 minutes is better.
Second, application vendors should secure both the data protection software and its stored data from attack. Modern ransomware specifically targets backup software configuration files as well as the protected copies of data the software stores.
Third, the backup solution should create a secure copy either in the cloud or on tape. The air-gapped copy enables protection from the ultimate disaster: encryption of all files and the backup solution.
Fourth, the backup solution should protect multiple versions of files every 15 minutes or so. Ransomware is usually set to trigger only if a specific date has passed or to encrypt only a small number of files each day. It’s usually programmed this way in order to avoid detection of the malware files and ensure they get backed up with the other data.
Finally, the backup solution should provide rapid recoveries, including hosting the corrupted volume from backup storage or even hosting the application in the cloud. The ability to mount the volume and start serving files directly from the backed-up copy can save hours of recovery.
The organization should have a goal of recovering data rapidly, within 30 minutes with only one hour’s worth of data loss. This type of rapid recovery eliminates the temptation to pay the ransom.
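The checklist above can be turned into a repeatable audit of a backup catalog. The following is an added example, not code from the original article or any backup product; the dataset names, catalog fields and the 7-day version-history floor are assumptions, and the restore-point times are constructed sample data.

```python
from datetime import datetime, timedelta

MAX_GAP = timedelta(hours=1)        # article: back up at least every hour
TARGET_GAP = timedelta(minutes=15)  # article: every 15 minutes is better
MIN_HISTORY = timedelta(days=7)     # assumption: the article gives no retention figure
NOW = datetime(2024, 1, 8, 12, 0)   # constructed "time of audit"

def every(minutes, days):
    """Constructed restore-point times: one every `minutes`, going back `days`."""
    step = timedelta(minutes=minutes)
    return [NOW - step * i for i in range(int(timedelta(days=days) / step) + 1)]

# Constructed catalog; dataset names and fields are hypothetical.
CATALOG = {
    "erp-db":      {"points": every(15, 14),   "offline_copy": True},
    "file-shares": {"points": every(60, 14),   "offline_copy": True},
    "hr-app":      {"points": every(1440, 30), "offline_copy": False},
    "wiki":        {"points": every(15, 2),    "offline_copy": True},
}

def audit(catalog, now=NOW):
    """Return {dataset: [issues]} measured against the article's recovery targets."""
    report = {}
    for name, ds in catalog.items():
        points = sorted(ds["points"])
        issues = []
        if not points:
            issues.append("no restore points")
        else:
            # Largest window of data that could be lost, including time since the last backup.
            gaps = [b - a for a, b in zip(points, points[1:])] + [now - points[-1]]
            worst = max(gaps)
            if worst > MAX_GAP:
                issues.append(f"worst gap {worst} exceeds one hour of data loss")
            elif worst > TARGET_GAP:
                issues.append("meets hourly minimum, misses 15-minute target")
            # Delayed-trigger ransomware needs versions that predate the infection.
            if now - points[0] < MIN_HISTORY:
                issues.append("version history shorter than assumed 7 days")
        if not ds["offline_copy"]:
            issues.append("no air-gapped copy (cloud or tape)")
        report[name] = issues
    return report

if __name__ == "__main__":
    for name, issues in audit(CATALOG).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Datasets that return an empty issue list meet the 15-minute interval, keep an air-gapped copy and retain enough history to restore versions older than a delayed trigger.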
To learn more about Ransomware’s Next Wave and how to protect your organization, watch our on-demand webinar “Are You Ready for Ransomware’s Next Wave?” In it, we cover the new capabilities of ransomware and provide you with a checklist of steps to take to make sure you are protected.