Ransomware attacks have been increasing at a worrying rate and causing significant damage to businesses in recent years. They target critical data and render it inaccessible to its owners until a ransom is paid. In many cases the data is not restored even after payment, and the perpetrators continue to hold it hostage. Backups do not prevent an attack, but a solid, tested backup plan is the most reliable way to recover from one without paying.
Veeam’s latest reports on both Data Protection and Ransomware Trends revealed that 85% of global companies surveyed experienced at least one ransomware attack in the last year. Of those companies, 16% managed to recover without paying the ransom, while 21% of companies paid the ransom, but could not recover their data. This is why secure and clean backups are crucial to surviving ransomware attacks. Organizations need to be confident in their ability to recover quickly from an attack of any magnitude.
It is essential that companies continue to incorporate backup and ransomware recovery into their security program to ensure that data is resilient and protected. They should look at creating a security program that is comprehensive and requires the combination of people, processes and technology in a way that focuses on continuous improvement and allows organizations to move from a reactive defense to a proactive posture.
The goal of a recovery plan is to minimize downtime in the event of a ransomware attack and automate the process to reduce risk of long downtime and potential reinfection. Before an attack occurs, organizations should ensure they are equipped with the most comprehensive set of capabilities available in the market to counter any potential threat. This should include:
- Data resilience: When it comes to data protection, the industry standard approach has long been the 3-2-1 rule, and many organizations practice it by default. In the age of ransomware it is no longer sufficient: an attacker holding the backup administrator's credentials can delete or encrypt every copy that is online and writable. Organizations must go a step further, keep at least one immutable or offline copy of their data, and test restores thoroughly to confirm that the copies are free of errors. In other words, the new industry standard is the 3-2-1-1-0 backup rule: at least three copies of important data, on at least two different types of media, with at least one copy offsite, at least one copy offline, air-gapped or immutable, and zero unverified or error-ridden backups.
- Design for agile recovery: In times of crisis, having backups is only the first step to recovery. Business downtime results in financial losses and consequent damage to the organization. To get business operations up and running as quickly as possible, it is critical that a robust strategy with resilient solutions is designed.
- Apply multi-layered security: Any security professional will tell you that the first step is to lock the front door. Whether it is a physical or metaphorical door, a defense-in-depth strategy must be used. To that end, Veeam provides a number of tools that enterprises can use to help them raise their shields against threats. Multi-factor authentication (MFA) should be enabled whenever possible. From an operating system perspective, infrastructure components such as proxies, repositories, and the backup server itself should require some form of MFA to log in.
- Monitor emerging threats: Almost all attacks have precursors that can be identified, and being alerted to them and acting accordingly can make the difference between winning or losing the battle against ransomware.
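As an added example of the 3-2-1-1-0 check described in the data resilience item above (not Veeam code, and not part of the original article), the script below scores a backup inventory against each digit of the rule. The inventory, its field names and the site and media labels are constructed assumptions; map your own backup job metadata onto them.

```python
"""Score a backup inventory against the 3-2-1-1-0 rule.

Added example, not Veeam code. The inventory and its field names
(media, site, offline, immutable, verified) are constructed assumptions;
map your own backup job metadata onto them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataCopy:
    name: str
    media: str               # e.g. "san", "disk", "tape", "object-storage"
    site: str                # physical or cloud location of this copy
    primary: bool = False    # the production data itself counts as copy one
    offline: bool = False    # air-gapped / not reachable from production
    immutable: bool = False  # write-once, locked against deletion
    verified: bool = False   # most recent test restore or integrity check passed


def evaluate(copies):
    """Return {rule: passed} for each digit of 3-2-1-1-0, in rule order."""
    primary_sites = {c.site for c in copies if c.primary}
    backups = [c for c in copies if not c.primary]
    return {
        "3 copies": len(copies) >= 3,
        "2 media types": len({c.media for c in copies}) >= 2,
        "1 offsite copy": any(c.site not in primary_sites for c in backups),
        "1 offline or immutable copy": any(c.offline or c.immutable for c in backups),
        # "zero errors": every backup copy has a passing verification on record
        "0 unverified backups": bool(backups) and all(c.verified for c in backups),
    }


def failures(copies):
    """Rules the inventory does not meet; an empty list means compliant."""
    return [rule for rule, ok in evaluate(copies).items() if not ok]


# Constructed inventory for one protected workload.
INVENTORY = [
    DataCopy("fileserver-prod", "san", "hq", primary=True),
    DataCopy("fileserver-repo", "disk", "hq", verified=True),
    DataCopy("fileserver-tape", "tape", "vault", offline=True, verified=True),
    # immutable object-storage copy whose last test restore never ran
    DataCopy("fileserver-s3", "object-storage", "cloud-eu", immutable=True),
]

if __name__ == "__main__":
    for rule, ok in evaluate(INVENTORY).items():
        print(f"{'PASS' if ok else 'FAIL'}  {rule}")
```

The sample inventory meets the first four digits but fails the "0": the immutable cloud copy has never been test-restored, which is exactly the copy an organization would be relying on after an attack. A plain 3-2-1 layout (three disk copies, none offline or immutable) fails two rules at once.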
- Identify unauthorized access and changes: Attackers who obtain credentials commonly leave markers in the environment. They log in to various workloads on the network to confirm that the stolen credentials are valid and to find out which permissions they hold and on which systems. These changes can be tracked and identified as part of a prevention program and risk assessment. An infrastructure change report should be run and reviewed regularly, as it helps identify changes within the virtual environment. Changes can be tracked on virtual machines, hosts and datastores, with details of how many and which changes occurred, who performed them and when. This quickly surfaces unauthorized behavior so that it can be stopped.
- Automate documentation, security and testing: Although critical, keeping disaster recovery plans up to date is a challenge for businesses of all sizes. No IT department wants to execute a disaster recovery plan only to discover that the documentation is outdated, missing steps or simply wrong, and therefore no help in getting business operations running again.
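The access and change precursors described above can be checked mechanically. The script below is an added example (not a Veeam report or feature) that runs two detections over a constructed infrastructure event log: accounts that authenticate to many distinct hosts within a short window, which is how an intruder validates stolen credentials and maps permissions, and changes made by accounts not approved for changes or outside a maintenance window. The log format, host and user names, approved-user list and maintenance window are all assumptions.

```python
"""Spot credential testing and unauthorized changes in an infrastructure
event log. Added example, not a Veeam report: the line format, host names,
user names and maintenance window below are all constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: "<utc-timestamp> <login|change> key=value ..."
SAMPLE_LOG = """\
2024-03-04T02:14:05Z login host=esx01 user=admin src=10.0.9.4 result=success
2024-03-04T02:14:09Z login host=esx02 user=admin src=10.0.9.4 result=success
2024-03-04T02:14:12Z login host=esx03 user=admin src=10.0.9.4 result=failure
2024-03-04T02:14:20Z login host=vbr01 user=admin src=10.0.9.4 result=success
2024-03-04T02:15:01Z login host=esx03 user=admin src=10.0.9.4 result=success
2024-03-04T02:20:31Z change host=vcenter object=vm-web01 action=PermissionAdded user=admin
2024-03-04T10:05:00Z change host=vcenter object=ds-backup01 action=DatastoreRemoved user=jdoe
2024-03-04T23:10:00Z login host=esx01 user=ops-maria src=10.0.2.7 result=success
2024-03-04T23:12:00Z change host=vcenter object=esx01 action=HostMaintenanceMode user=ops-maria
"""

APPROVED_CHANGE_USERS = {"ops-maria", "svc-patching"}  # assumption
CHANGE_WINDOW = (22, 5)  # maintenance window 22:00-05:00 UTC, assumption

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>login|change)\s+(?P<fields>.*)$")


def parse(line):
    """One log line -> event dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "kind": m["kind"]}
    ev.update(re.findall(r"(\w+)=(\S+)", m["fields"]))
    return ev


def credential_testing(events, min_hosts=3, window=timedelta(minutes=10)):
    """Accounts with successful logins to >= min_hosts distinct hosts inside
    one sliding window. Fanning out across hosts this fast is how an intruder
    confirms stolen credentials and maps permissions; admins rarely do it."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["kind"] == "login" and ev.get("result") == "success":
            by_user[ev["user"]].append((ev["ts"], ev["host"]))
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (start, _) in enumerate(logins):
            hosts = {h for t, h in logins[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


def in_change_window(ts, window=CHANGE_WINDOW):
    start, end = window
    if start <= end:
        return start <= ts.hour < end
    return ts.hour >= start or ts.hour < end  # window wraps past midnight


def unauthorized_changes(events, approved=APPROVED_CHANGE_USERS):
    """Changes made by non-approved accounts or outside the maintenance window."""
    out = []
    for ev in events:
        if ev["kind"] != "change":
            continue
        reasons = []
        if ev["user"] not in approved:
            reasons.append("user not approved for changes")
        if not in_change_window(ev["ts"]):
            reasons.append("outside maintenance window")
        if reasons:
            out.append(dict(ev, reason="; ".join(reasons)))
    return out


def analyze(log_text):
    events = [e for e in map(parse, log_text.splitlines()) if e]
    return credential_testing(events), unauthorized_changes(events)


if __name__ == "__main__":
    sprayed, changes = analyze(SAMPLE_LOG)
    for user, hosts in sprayed.items():
        print(f"credential testing: {user} -> {', '.join(hosts)}")
    for c in changes:
        print(f"{c['ts']:%Y-%m-%d %H:%M} {c['user']} {c['action']} {c['object']}: {c['reason']}")
```

On the sample log, "admin" reaches four hosts (including the backup server) inside one minute and then grants itself a permission on a VM; "jdoe" removes a datastore in the middle of the working day. The failed login is deliberately ignored by the fan-out rule, since a single failure says little, while a burst of successes across hosts is the signal.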
When a ransomware attack occurs, backups are your last but also your best line of defense. Unfortunately, malware often lingers in an environment: for some period before the visible attack it spreads quietly in the background, waiting to be activated. Backups taken during that period may unknowingly contain a copy of the threat, so restoring them risks reintroducing it into the environment. Being able to check that those copies are clean before restoring them is an absolute necessity.
- Use API-based threat detection: A common challenge for enterprises is the impact of resource-intensive detection scanning on production workloads. Scanning files for threats or indicators of compromise can drive CPU utilization up and degrade disk performance. These drawbacks are avoided by scanning backup copies offline, which keeps the scan off the production workload entirely and still answers the question that matters before a restore: is this restore point clean?
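As an added example of the offline pre-restore check described in the two items above (not Veeam's scanning engine, and not part of the original article), the script below walks a restore point and flags three things a lingering infection typically leaves behind: a file whose hash is on an IOC list, a file named like a ransom note, and a text-type file whose content has the byte entropy of ciphertext. The IOC hash, the note-name pattern, the entropy threshold and the sample file tree are all constructed for illustration; in practice the walk runs over a mounted backup and the IOC set comes from your threat intelligence feed.

```python
"""Scan a restore point offline before restoring from it.

Added example, not Veeam's scanning engine. The IOC hash, ransom-note
name pattern, entropy threshold and the sample file tree are all
constructed for illustration; feed your own IOC list and a mounted
backup path in practice.
"""
import hashlib
import math
import os
import re
import tempfile
from collections import Counter

# Constructed IOC: SHA-256 of a stand-in "dropper" body planted in the sample tree.
IOC_SHA256 = {hashlib.sha256(b"constructed dropper payload").hexdigest()}
# Generic ransom-note naming habits (assumption, not a specific family's note name).
NOTE_NAME_RE = re.compile(r"decrypt|recover.?files|ransom", re.IGNORECASE)
# File types that should contain readable text; ciphertext in them is a red flag.
TEXT_EXTS = {".txt", ".csv", ".log", ".sql", ".xml", ".json", ".ini"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; prose sits near 4-5, encrypted data near 8


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_file(path, ioc_hashes=IOC_SHA256):
    """Return a reason string if the file looks hostile, else None.
    Checks run most-decisive first: exact hash, then name, then entropy."""
    with open(path, "rb") as f:
        data = f.read()
    if hashlib.sha256(data).hexdigest() in ioc_hashes:
        return "hash matches IOC"
    name = os.path.basename(path)
    if NOTE_NAME_RE.search(name):
        return "ransom-note filename"
    if os.path.splitext(name)[1].lower() in TEXT_EXTS and shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "high-entropy content in text-type file"
    return None


def scan_restore_point(root, ioc_hashes=IOC_SHA256):
    """Walk a mounted restore point; return sorted [(relative_path, reason)] findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            reason = scan_file(full, ioc_hashes)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, reason))
    return sorted(findings)


def build_sample_restore_point():
    """Constructed stand-in for a mounted backup: one clean file, one
    'encrypted' file, one planted dropper and one ransom note."""
    root = tempfile.mkdtemp(prefix="restore-point-")
    files = {
        "finance/notes.txt": b"Q1 forecast: revenue up 4%, costs flat.\n" * 40,
        "finance/data.csv": os.urandom(4096),  # what an encrypted CSV looks like
        "bin/updater.exe": b"constructed dropper payload",
        "HOW_TO_DECRYPT.txt": b"Your files were encrypted. Pay to get them back.\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_restore_point()
    findings = scan_restore_point(root)
    for rel, reason in findings:
        print(f"{reason:40} {rel}")
    print("restore point is", "DIRTY - do not restore" if findings else "clean")
```

The entropy check is what catches a restore point taken after encryption started even when the encryptor itself is not on any hash list; it is limited to file types that are normally plain text, because compressed or already-encrypted formats (archives, office documents, media) legitimately sit near 8 bits per byte and would otherwise drown the result in false positives.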
One of the key differentiators we offer with Veeam Recovery Orchestrator is its ability to restore VMware workloads and Veeam Agent backups directly to Microsoft Azure in addition to VMware environments. Enterprises can plan for recoverability by creating orchestration plans to combat downtime, whether due to ransomware or aftermath such as restrictions imposed by law enforcement.
- Plan for an inaccessible data center: Having a place to restore workloads is a critical task that must be planned for in advance. Whether production servers are offline due to a forensic investigation or you don’t have the resources available to restore to your data center, companies need to make sure they can get back online as quickly as possible.
By following each of these steps, executives can ensure that their organization is prepared to respond to a successful ransomware attack and recover quickly without paying a ransom. While there is no foolproof way to prevent ransomware attacks, a clear understanding of best practices for protecting data and of the steps involved in a successful ransomware recovery will reduce the attack surface and provide visibility into emerging threats.
The end result is a response team better equipped with the knowledge and tools needed to defend data, building the radical resilience that protects any business from the threat of ransomware.