Ransomware Capabilities Essential for Reliable and Rapid Recovery

Over the past decade, ransomware has rapidly evolved into one of the most destructive trends organizations face today. The sophistication and adaptability of ransomware and other cyber threats today require an agile, layered defense. Yet, many organizations still maintain standalone security products that are focused on a single attack vector, which can easily be bypassed. Gaps in people, processes, and technology make attacking your data easier than ever for sophisticated cybercriminals.

Businesses can’t prevent a cyber-attack, but they can take the necessary steps to be prepared to effectively protect their data when an attack occurs.

The total cost of ransomware breach was an average of $4.62 million in 2021, not including a ransom.

Experts estimated that a ransomware attack would take place every 11 seconds in 2021.

Globally, there are 304.7 million ransomware attacks in the first half of 2021, a 151% increase since 2020.

Build a Foundation for Recovery 

Without a structured way to manage cybersecurity risk, it would be easy to focus all your efforts into detection-based defenses such as firewalls and anti-virus while neglecting the processes and tools that are mandatory to effectively respond to, and recover from, a successful attack. 

Put another way, the best offense is a solid defense including having a robust strategy for backing up and protecting your data and workloads. Successful backups are the last line of defense for cyberattacks and can be the deciding factor to prevent considerable downtime, data loss and paying a costly ransom 

Best Practices & Capabilities:

Broad protection platform  

The chosen solution should be capable of protecting critical workloads (physical, virtual, or container based). Mission critical data now resides in many locations and needs to be portable – regardless of if workloads on premise or in the cloud. The protection platform should also be able to scale up or down - depending on requirements and workloads being protected. Lastly, the backup solution should be capable of capturing data via a multitude of methods - including backup, replication, continuous data protection (CDP) and storage array integrations. 

Backup success with automated verification  

Valid backups are the key to starting a comprehensive defense strategy. Reliable, verified, and tested backups are the first step to any successful recovery. Busy IT teams need a way to automatically verify the integrity of backup data as backups are taken. If there is any issue, another backup can be taken while production data is still available, thus ensuring that there are no issues in data availability that are discovered after the production data is no longer available, has been compromised or is deemed to be untrustworthy and lacking integrity. 

Resilient Backups  

Cybercriminals now routinely attempt to encrypt or delete an organization’s backups as part of any ransomware attack. Without backups, the victim must pay to recover their data. Resilient backups are simply backups that cannot be destroyed by a cybercriminal — even one who has acquired administrative credentials. On a simpler level, this can be achieved by backup to removable drives or to tapes which are then removed from the tape library.  

Immutability is just the start  

While immutability is very helpful in remediating cyberthreats, it is only the beginning of a comprehensive ransomware protection practice. Encryption end-to-end is needed to fend of data exfiltration. Today, one of the fastest rising cyberthreats is data leakage and data exfiltration, whereby a ransom must be paid to avoid sensitive data from being shared on the dark web. Proper authentication, and ‘digital hygiene’ regarding least privilege access, are needed to remediate against data injection. 

Instant recovery of data  

Before ransomware, organizations typically only restored 3-5% of their backed-up data over a one-year time frame. But in a ransomware attack, 100% of your production data may be encrypted or contaminated with malware, and you need to get it all back, fast. Fast access to data is critical, with the goal being more of a resume than a restore for all vital operations. 

Secure data recovery  

Ransomware dwell times (the time an adversary is on a victim’s network before activating an attack) can be many months. Because of this, you need automation to ensure that you never restore malware back into your cleansed or new environment. This can include doing a manual inspection to see if the ransomware threat is still in place, investigating specific files.  

Recovery automation  

Make no mistake, cyberattacks are disasters. In an emergency, your team needs automated, repeatable results. Your toolset must allow regular tests and audits of how quickly you could recover from a disaster. Most organizations have many types of Business Continuity (BC) and Disaster Recovery (DR) plans. Examples include application-level failure, site-level failure, infrastructure component failure, mission-critical applications, and dev/test applications. 

After creating a recovery plan, the most important thing you can do is test it. You need to know if the plan you put together works. To respond to changes and configuration drift, recovery plans must be updated any time a change is made to an application, such as adding more servers for additional capacity, or removing older servers.  

Conclusion  

It is crucial that companies continue to improve their security programs to ensure that data is securely protected and that their organization can recover from an incident quickly and safely. Regardless of if your data resides on premises or in the cloud - having a complete set of ransomware remediation capabilities is essential. Bringing the best practices listed above into your security program simplifies the response to cyber-attacks and avoids data loss or paying a costly ransom.