Another New Year, another new series of ransomware attacks. Barely one full month into 2020 and already numerous institutions throughout the US report ransomware attacks. The fact that ransomware attacks continue to occur should not surprise anyone. The surprise may be the growing number of organizations that are now prepared to respond to and recover from them.
Ransomware Happens … But so Do Ransom-free Recoveries
In the first few weeks of 2020, numerous governmental agencies and companies have already reported ransomware attacks. These include: Enloe Medical Center in Chico, CA; Richmond Community Schools near Detroit, Michigan; and the Contra Costa County Library in Martinez, CA.
In reading these three reports, I did glean some good news out of them. Two of these institutions recovered their data and applications at some level in a day or two and resumed operations. Only one had downtime longer than a couple of days and may not recover all its data. In none of these cases did any of these institutions elect to pay a ransom.
These reports illustrate that organizations can and do recover from ransomware attacks without paying a ransom. While these reports did not detail how they recovered, one can arrive at the answer without too much difficulty. They had backups of their data.
Cybersecurity Software Only a Starting Point
Every organization should deploy anti-malware and antivirus software to detect ransomware and alert it to the ransomware's presence. Ideally, cybersecurity software will detect and prevent a ransomware attack from ever occurring.
However, as these recent attacks illustrate, cybersecurity software cannot detect every form of ransomware and prevent every attack. There are simply too many strains of ransomware and too many ways that ransomware can enter an organization. These variables make it nearly impossible for cybersecurity software to detect every occurrence of ransomware before it attacks.
To augment cybersecurity software, organizations need a reliable backup solution in place to recover from ransomware attacks. However, this strategy only works if an organization puts backup in place before a ransomware attack occurs. Here are four basic steps that organizations can adopt now to increase the odds that they can recover from a ransomware attack if one occurs.
Step 1 – Back up your data
Backing up data is the simplest and easiest step that organizations can take to recover from a ransomware attack. Most strains of ransomware only attack and encrypt production data.
If an organization backs up its data before a ransomware attack, successfully recovering from an attack becomes more probable. One simply restores the backup data. This is neither rocket science nor magic. This is a proven technique that will work. However, backups only work if one creates them before a ransomware attack occurs. In this case, the one who hesitates is truly lost.
Step 2 – Store backups on immutable media
Even assuming an organization performs backups, it must give thought to how it stores its backups. Due to the insidious nature of ransomware, if it can find data on a corporate network, it can potentially infect or encrypt it.
Many backup software products now store backups on network drives. If the backup software stores its backups on shared network folders or drives, the ransomware can potentially encrypt them and render them useless.
To mitigate this possibility, store backups on immutable media. Immutable media may consist of cloud-based or on-premises object stores or tape. Object stores have specific appeal. Modern backup software recognizes them as backup targets. They usually have disk behind them so backups and restores can complete quickly.
Perhaps most importantly, one can turn on versioning for data kept in an object store. By turning on versioning, if backup data changes, the object store keeps a previous version of the backup. Versioning addresses the possibility that if ransomware finds the backup data and encrypts it, the backups are not lost. A company may go into the object store to access and restore previous versions of the backups. It can then use these unencrypted previous versions of the backups as the source for recovery.
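The version-based recovery described above, as an added example that is not part of the original article: given a version listing for the backup objects and the time the attack began, it picks the newest clean version of each backup to restore. The record fields, object names and timestamps are constructed for illustration and do not come from any specific object store.

```python
from datetime import datetime, timezone

def utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)

# Hypothetical record shape for one stored version of an object.
def rec(key, version_id, modified, delete_marker=False):
    return {"key": key, "version_id": version_id,
            "modified": utc(modified), "delete_marker": delete_marker}

# Constructed sample listing: ransomware reached the store on 2020-01-14.
VERSIONS = [
    rec("backups/db-full.bak", "v1", "2020-01-05 02:00"),
    rec("backups/db-full.bak", "v2", "2020-01-12 02:00"),
    rec("backups/db-full.bak", "v3", "2020-01-14 09:31"),        # encrypted overwrite
    rec("backups/files.tar", "v1", "2020-01-11 03:00"),
    rec("backups/files.tar", "v2", "2020-01-14 09:32", True),    # deleted in attack
    rec("backups/new.tar", "v1", "2020-01-14 09:33"),            # no clean version
]

def pick_restore_versions(versions, incident_start):
    """Map each key to the newest real version written before incident_start.

    Delete markers and anything written at or after the incident are skipped.
    Keys with no clean version map to None so the gap is visible.
    """
    best = {}
    for v in versions:
        best.setdefault(v["key"], None)
        if v["delete_marker"] or v["modified"] >= incident_start:
            continue
        current = best[v["key"]]
        if current is None or v["modified"] > current["modified"]:
            best[v["key"]] = v
    return {k: (v["version_id"] if v else None) for k, v in best.items()}

if __name__ == "__main__":
    plan = pick_restore_versions(VERSIONS, utc("2020-01-14 09:00"))
    for key, version_id in sorted(plan.items()):
        print(key, "->", version_id or "NO CLEAN VERSION, use offline copy")
```

Versioning only protects backups if the credentials ransomware can reach are not allowed to delete old versions.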
Step 3 – Keep some backups offline
Ransomware can only infect and encrypt the data that it can touch. By keeping some backup copies offline and inaccessible to the corporate network, an organization ensures that ransomware cannot access or encrypt them.
Many companies still store some or all their backup data on tape. This provides a suitable means to store backup data offline and inaccessible to ransomware.
The number of backups that organizations should keep offline will vary by organization. Minimally, an organization may want to create one copy of its data per month to keep offline.
Step 4 – Regularly test recoveries of your data
Backing up your data is no guarantee that you can recover it. To ensure you can recover backups when you need them, you should regularly test recovering your backups. Ideally you will want to test recovering your backups at least once a quarter and no less than once a year.
The Foundation for Ransom-free Recovery
Unfortunately, recovering from ransomware is not always as easy as following these four steps. These four steps will not provide a 100% guarantee that an organization will recover from a ransomware attack. There are some very nasty, sophisticated strains of ransomware that can potentially defeat even these four steps.
That said, these four steps will put organizations on the path to a ransom-free recovery should they experience a ransomware attack. Further, even the more advanced backup software products on the market that detect and alert to the presence of ransomware in backup data still start with these four steps. By taking these four steps, organizations lay the foundation to both recover from a ransomware attack and set the stage to put in place more sophisticated backup software that can better detect and alert to ransomware’s presence.