Protect Against Ransomware Using These 5 Key Steps

It is becoming increasingly difficult to protect against ransomware and there are several ransomware incidents that has crippled organizations worldwide. Ransomware is a form of malware that encrypts victims’ data so threat actors can demand a “ransom” in exchange for a decryption key needed to unlock your data.New strains of ransomware and other malware threats specifically target backup data for encryption or deletion, effectively destroying organizations’ last line of defense. With more employees transitioning to working remotely, exposure to ransomware and the risk of infection are increasing.

In today’s diverse and distributed IT environment, restoring your organization’s applications and data quickly in the event of a ransomware attack is a significant challenge. But, according to industry analysts, over 90 percent of ransomware attacks are preventable with sound security fundamentals, including an effective backup and recovery strategy. Your business needs a data resiliency solution that does all of the following: 

• Ensures data integrity and availability by protecting backup data from ransomware
• Enables you to operationalize security without overtaxing your IT team
• Empowers you get back to normal faster with orchestrated and automated recovery options

Druva’s secure cloud architecture can help protect your business assets, limit the impact of ransomware, and accelerate recovery. In this blog, we outline five key steps to help you improve your business resilience in the age of ransomware. 

Experience how a ransomware attacks feels and how it affects the organization in real-time through our Virtual Ransomware Fire Drill Workshop. 

Backup your data, system images, and configurations, regularly test them, and keep the backups offline. Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems— White House memo on ransomware

1) Ensure data integrity and availability for key business assets

In order to recover from ransomware (without paying the ransom), you must have a secure copy of your application and business data. Here are some important issues to address:

• Identify key workloads — Understand the full scope of the applications and data that need to be protected. This includes critical servers and applications (including SaaS apps like M365) that power your business in addition to the entry points where ransomware can attack (primarily endpoints).

• Ensure data integrity — Identifying key assets to protect and automating your backup process is important, but you must also ensure that your backup data cannot be encrypted or deleted by ransomware. To ensure your backup data is secure, look for a solution that provides air-gapped, immutable, and encrypted backups.
• Leverage enhanced access controls — If too many people have the ability to access and delete data or reassign administrative roles, threat actors can compromise even low-level credentials and use them to destroy data or lock other administrators out of the backup environment. We strongly recommend implementing RBAC (Role Based Access Control) to ensure that only a small group of administrators can perform destructive actions like deleting backup data.
• Apply a zero-trust security model — Zero-trust is a security model based on strict verification processes. This approach treats every access attempt as if it originates from an untrusted source and access is only granted after identity has been verified.

2) Operationalize security across primary and backup environments

Selecting a secure backup solution is a good first step toward making your data safe. To truly protect your data, you must build security into the day-to-day operations of your organization. You need to regularly update and patch all your applications, optimize performance, and patch vulnerabilities. 

Unfortunately, It’s easy to fall behind on patches and updates. In fact, 42% of vulnerabilities are exploited after a patch has been released. This is why the most successful organizations are moving from on-premises backup to SaaS solutions to help them operationalize their security efforts. The software-as-a-service model allows customers to protect their data without taxing overextended IT teams with the need to manage security for yet another solution. 

As an example, updates to the Druva Data Resiliency Cloud are completed automatically in the background, eliminating the need to manage timely upgrades or security patches. Additionally, Druva patches known vulnerabilities within 30 days and critical vulnerabilities within the hour — making sure you stay ahead of ransomware threat actors.

3) Orchestrate response to automatically contain threats

Threat actors commonly wait until Friday evenings or national holidays to ensure most people will be out of the office before executing a ransomware attack. You need to be able to respond automatically without the intervention of IT staff. 

Your response action should be to quarantine infected resources, in both the primary and backup environments. Stop backing up data from infected machines or servers and prevent anyone from recovering data from affected snapshots. To automate these processes, Druva offers built-in API integrations with SIEM (security information event managment) and SOAR (security orchestration automation and response) solutions, such as Palo Alto XSOAR, Splunk, and FireEye Helix. 

4) Identify anomalous data and activities

Once you’ve quarantined affected resources, you need to understand what went wrong during the attack. There are two levels of information that are useful in this process: access insights and unusual data activity. 

• Access insights — Situational awareness of activity in your backup environment can help you identify malicious actions such as unauthorized access or deletions. Druva’s Access Insights make it easy to see which users and APIs accessed the backup environment, where the attempts took place geographically, when they took place, and what actions were attempted. 

• Unusual data activity (UDA) — Ransomware attacks also produce anomalies at the data level. Quickly identifying anomalous data sets can help you choose a course of action during the recovery process and even support detection of ransomware attacks. Druva’s UDA algorithm uses machine learning to understand norms for your specific backup environment and provides automated alerts for unusual data activity including bulk deletion and encryption. You can use these insights to quickly identify affected snapshots during recovery.

5) Automate the recovery of complete and clean data

After containing an attack and understanding its impact, you are ready to begin the process of actually restoring data. 

As ransomware encrypts data slowly over time, recovery is a complicated experience. The average dwell time for ransomware is dropping, but is still over 20 days, making it unlikely that the most recent unencrypted version of each file or dataset will exist within a single snapshot. And with ransomware recovery, you must go through the additional step of ensuring that data is clean before restoring it to your primary environment.

These unique challenges can be addressed with the following cloud-native infrastructure and automation processes:

• Bulk restore — Following an attack, it can be challenging to recover data across all users and workloads as quickly as possible. As cost efficiency is also a critical factor, the bulk recovery of clean data is a top priority for most enterprises.
• Druva’s Curated Recovery — Druva offers a unique solution to the problem of finding and restoring the most recent unencrypted version of files or data sets after an attack. Users simply define the time period of the attack (from initial infection to the present) and Curated Recovery uses AI to automatically find the best version of every file. The solution assembles clean versions into a single “golden snapshot” for recovery.
• Restore only clean data — Restoring contaminated data can take your whole organization back to square one. That’s why it’s vital to ensure data is free of malware before recovery. Solutions like Druva enable you to automatically scan and remove infected files from snapshots, as well as wipe infected devices clean.

Key takeaways

The threat of ransomware continues to grow and evolve. Legacy solutions fail to protect backup data from encryption and deletion, are difficult to maintain, and offer limited response and recovery options. These solutions are also ill-equipped to handle ransomware recovery across workloads that span endpoints, data centers, SaaS applications, and the cloud. 

You need a sound data protection strategy and a strong data resilience vendor to help you implement and manage it. Druva can ensure your backup data is safe, help operationalize security across your backup and primary environments, and accelerate the recovery process so you can get back to normal faster. 

Check out Druva’s new white paper to learn more about how you can implement best practices for ransomware protection and recovery.