Tech/Engineering

Best practices — Ransomware protection, recovery, and beyond

Ransomware. It’s so critical that it doesn’t even need an introduction anymore. 

There is no one product, service, or company that can “solve” ransomware for you, but organizations can follow ransomware best practices to reduce their exposure and to recover when an attack gets through. 

In 2020, ransomware protection became table stakes for every organization. In 2021, leading teams are focusing on reliable ransomware recovery, while laying the groundwork for post-recovery, and ransomware isolation solutions in 2022. 

Ransomware protection

Ransomware protection provides the foundation for your solution, and must be rock-solid before investing in the next steps.

Ransomware encrypts your data so that you pay for the key to decrypt it. Cyber criminals know that recent, restorable backups are the greatest threat to getting paid, since a company with good backups can simply restore to a point in time before the encryption. Therefore, they typically corrupt or delete the backups first, then attack the production data.

There are three characteristics of an effective ransomware protection solution:

  1. Reliable — If your backups and restores commonly fail, you have done half of the cyber criminals’ job for them. Monitor your backup failure rates, alert on jobs that silently stop running, and run test restores on a schedule so you know a restore works before you need one.
  2. Unmodifiable — Attackers who gain control of your IT environment will use it to delete and corrupt backups, usually with the same credentials your backup software uses. Immutability therefore has to be enforced by the storage layer, not by the backup application: store your backups on storage that cannot be altered or deleted within the retention period, e.g. object storage with an object lock, or traditional storage with a WORM (write once, read many) option.
  3. Offsite account — Traditionally, the 3-2-1 rule for backup says, “Three copies, two types of media, one offsite,” but ransomware protection demands more. The offsite backup should be stored in a separate account with separate credentials, so that an attacker holding your production administrator access cannot destroy the data at the raw device or account layer (e.g. zeroing disk drives, deleting object buckets, closing the account). 
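The storage-side properties in items 2 and 3 can be checked mechanically. What follows is an added example, not Druva code: an audit of a backup target whose inputs mirror the shapes returned by the AWS S3 GetBucketVersioning and GetObjectLockConfiguration APIs (Object Lock requires versioning; GOVERNANCE-mode retention can be bypassed by a principal holding s3:BypassGovernanceRetention, while COMPLIANCE-mode retention cannot be shortened by anyone, including the root user). The account IDs, IAM action lists, the 30-day minimum and both sample configurations are constructed assumptions so that the check runs offline.

```python
# Added example (not Druva code): audit a backup bucket for the
# "unmodifiable" and "offsite account" properties. Input dicts follow the
# AWS S3 GetBucketVersioning / GetObjectLockConfiguration response shapes;
# everything else here (accounts, actions, threshold) is an assumption.
import fnmatch

MIN_RETENTION_DAYS = 30  # assumption: how long an intrusion may go unnoticed

# IAM actions that let their holder remove, shorten or bypass immutability.
DESTRUCTIVE_ACTIONS = (
    "s3:DeleteObjectVersion",
    "s3:BypassGovernanceRetention",
    "s3:PutBucketObjectLockConfiguration",
    "s3:DeleteBucket",
)


def audit_backup_target(target, production_account):
    """Return a list of findings; an empty list means the target passes."""
    findings = []

    if target.get("versioning", {}).get("Status") != "Enabled":
        findings.append("versioning is not enabled; an overwrite destroys the only copy")

    lock = target.get("object_lock", {}).get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock is not enabled; any credential with delete rights can remove backups")
    else:
        retention = lock.get("Rule", {}).get("DefaultRetention", {})
        if retention.get("Mode") != "COMPLIANCE":
            findings.append("retention mode is not COMPLIANCE; GOVERNANCE can be bypassed "
                            "by anyone holding s3:BypassGovernanceRetention")
        if retention.get("Days", 0) < MIN_RETENTION_DAYS:
            findings.append(f"default retention is shorter than {MIN_RETENTION_DAYS} days")

    if target.get("owner_account") == production_account:
        findings.append("bucket lives in the production account; a compromised admin can reach it")

    # The credential the backup job writes with is the one an attacker will steal,
    # so it must not carry any destructive action (wildcards such as s3:* count).
    for granted in target.get("writer_actions", []):
        for bad in DESTRUCTIVE_ACTIONS:
            if fnmatch.fnmatch(bad, granted):
                findings.append(f"backup writer is granted {granted}, which covers {bad}")
                break
    return findings


# --- constructed sample configurations ---
PRODUCTION_ACCOUNT = "111111111111"

WEAK_TARGET = {
    "versioning": {"Status": "Suspended"},
    "object_lock": {},  # GetObjectLockConfiguration would raise NotFound; modelled as empty
    "owner_account": "111111111111",
    "writer_actions": ["s3:*"],
}

GOVERNANCE_TARGET = {
    "versioning": {"Status": "Enabled"},
    "object_lock": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}},
    "owner_account": "222222222222",
    "writer_actions": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
}

HARDENED_TARGET = {
    "versioning": {"Status": "Enabled"},
    "object_lock": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 35}}}},
    "owner_account": "222222222222",
    "writer_actions": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
}

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_TARGET), ("governance", GOVERNANCE_TARGET),
                      ("hardened", HARDENED_TARGET)]:
        print(name, audit_backup_target(cfg, PRODUCTION_ACCOUNT) or ["pass"])
```

The GOVERNANCE sample is the one that trips people up: it looks immutable in the console, but the same administrator role that the attacker has taken over can bypass it. Only the COMPLIANCE-mode bucket in a different account passes.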

Reliable ransomware protection is the insurance policy that lets you recover your data, so you can focus on the next step.

Ransomware recovery

Most organizations do not have a ransomware recovery plan because they assume their standard disaster recovery plan will cover it. When the attack strikes, they learn otherwise. A conventional disaster happens once; ransomware is a disaster that keeps happening until you stop it, and it means that your latest backup copies may already contain encrypted files or the malware itself. You need a ransomware recovery plan.

The first step in recovery is to minimize the damage, which means detecting the attack as soon as possible; until the attack is stopped, nothing you restore is safe. Every company has multiple security layers, and data security is one of the most important and challenging. The backup system is one of the few components that sees all of the organization’s data, so it should detect unusual data patterns (a sudden spike in the fraction of files rewritten, new files that are uniformly high-entropy, mass renames) and alert administrators, both directly and through the central security management platforms the security team already uses (e.g. those from Palo Alto Networks and FireEye).

The second step in recovery is restoring the right version of your data. There is no value in running a multi-hour recovery process only to find that half of the data is still encrypted. Therefore, it is critical to look at historical backup patterns to identify the last clean point in time: the first backup run that shows encrypted files is not the clean one, the run before it is. Ideally, the recovery tooling assembles the right version of each dataset for you; if not, you must do the work manually. Measure twice, cut once.
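The detection in the first step and the clean-point selection in the second step can share one piece of logic. The following is an added example, not Druva code: it compares consecutive backup runs, flags the first run whose write pattern looks like mass encryption (a large fraction of files new or rewritten, and the rewritten content uniformly high-entropy), and names the run before it as the restore point. The snapshots are constructed in memory as path-to-bytes dicts, and the two thresholds are assumptions to be tuned per environment.

```python
# Added example (not Druva code): flag the backup run that looks like mass
# encryption and return the last run before it as the restore point.
# Snapshots are constructed {path: bytes} dicts; thresholds are assumptions.
import hashlib
import math

CHANGE_THRESHOLD = 0.5   # assumption: fraction of files new or rewritten in one run
ENTROPY_THRESHOLD = 6.5  # assumption: bits/byte; text and documents sit far below,
                         # encrypted or compressed output sits near 8


def shannon_entropy(data):
    """Bits of entropy per byte: 0 for empty or single-valued input, 8 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def compare_runs(prev, curr):
    """Return (change_ratio, mean_entropy_of_changed_files) between two snapshots."""
    if not curr:
        return 0.0, 0.0
    changed = [p for p, data in curr.items() if prev.get(p) != data]  # new or rewritten
    ratio = len(changed) / len(curr)
    mean_entropy = (sum(shannon_entropy(curr[p]) for p in changed) / len(changed)
                    if changed else 0.0)
    return ratio, mean_entropy


def is_suspicious(ratio, entropy):
    # Both conditions are required: one big compressed archive is high entropy
    # but a small change; a bulk re-save of edited documents is a big change
    # but low entropy. Mass encryption is both at once.
    return ratio >= CHANGE_THRESHOLD and entropy >= ENTROPY_THRESHOLD


def find_restore_point(snapshots):
    """snapshots: list of (label, {path: bytes}) in time order.
    Returns (last_clean_label, first_suspicious_label); the second is None
    when no run looks like an attack."""
    for (prev_label, prev), (label, curr) in zip(snapshots, snapshots[1:]):
        ratio, entropy = compare_runs(prev, curr)
        if is_suspicious(ratio, entropy):
            return prev_label, label
    return snapshots[-1][0], None


# --- constructed sample data ---
def _fake_ciphertext(seed, length=1024):
    """Deterministic high-entropy bytes standing in for encrypted file content."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:length]


DAY1 = {f"/share/finance/q{i}.txt": (f"Quarter {i} revenue report. " * 40).encode()
        for i in range(1, 5)}
DAY2 = dict(DAY1)
DAY2["/share/finance/q1.txt"] = b"Quarter 1 revenue report, revised. " * 40  # a normal edit
DAY3 = {path + ".locked": _fake_ciphertext(path) for path in DAY2}          # every file rewritten
SNAPSHOTS = [("day1", DAY1), ("day2", DAY2), ("day3", DAY3)]

if __name__ == "__main__":
    for (pl, p), (l, c) in zip(SNAPSHOTS, SNAPSHOTS[1:]):
        r, e = compare_runs(p, c)
        print(f"{pl} -> {l}: changed={r:.2f} entropy={e:.2f} suspicious={is_suspicious(r, e)}")
    print("restore from:", find_restore_point(SNAPSHOTS))
```

Note what this does not catch: malware that is present but dormant writes nothing unusual, which is why the third step below still has to scan the restored system.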

The third step in recovery is eliminating the malware before the restored system is put back into production. Malware can sit dormant for weeks or months, so even the oldest backups may contain the infection. Ideally, the recovery would scan and eliminate the malware prior to restoration; if that is not possible, restore into an isolated network segment, scan there, and only then reconnect the system. 

Once you can minimize the damage and restore with confidence, you are ready for the more advanced steps. 

Post recovery

After any ransomware attack and recovery, the job is not complete. 

The legal team will need to assess what systems were compromised and what data may have been lost by recovering from a previous point in time. The forensics team will want to track the genesis and spread of the ransomware. The executive staff and board will want a full report of what happened and how to prevent it from happening again. 

In fact, you may need to run some of the forensics and legal steps before you complete the recovery, so you can address the root cause of the attack and understand the exposure. 

To aid in recovery and post recovery, ensure you have easily accessible historical metadata, logs, and data versions that span the organization. Your backups are often the only place where all of that information still exists, so they have to be part of your legal, security, and analytics infrastructure. 

Ransomware isolation

Ransomware is evolving, and you need to prepare for the next wave by managing your data better. The newest ransomware exfiltrates a copy of your data before encrypting your version. Therefore, even if you can recover your data, the attackers can still threaten to publish your private information if you do not pay. 

To prepare for this new type of attack, organizations need to better manage their data, so that their most precious data is not exposed. 

The first step is to understand where your data lives. It is almost impossible to set a security perimeter without knowing where all of your data is. Data sprawl means data lives almost everywhere — in the cloud, SaaS applications, the edge, endpoints (e.g. laptops), remote offices, and the data center. Since backup is unique for its breadth across the environment, it is critical that organizations deploy a centralized protection system that can provide visibility into the environment.

The second step is to set data management policies. Ransomware most often enters through users and their devices, so sensitive data must be kept separate from the likely attack vectors: employee laptops and other endpoints. It is also increasingly important to set retention policies instead of keeping everything forever. Infinite retention not only strains the infrastructure, it brings regulatory risk and leaves more data exposed to cyber criminals.

The third step is to enforce the data management policies. The clearest sign that policies are being broken is critical data turning up on endpoints, e.g. PII or PHI. Therefore, organizations should scan those sources, or their backups, for policy violations. Ideally, you will implement defensible deletion policies that automatically eliminate the inappropriate data.
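The scan in the third step is the part that turns a policy into something enforceable. The following is an added example, not Druva code: it scans text taken from endpoint and data-center backup records for identifiers the per-source policy does not allow, using a US SSN pattern and a card-number pattern validated with the Luhn checksum so that order numbers and other digit runs do not produce false positives. The patterns, the policy table, the device names and the sample records are all constructed assumptions; a real deployment would read the content from the backup index.

```python
# Added example (not Druva code): find regulated identifiers in backup content
# where policy says they must not be. Patterns, policy and records are assumptions.
import re

# US SSN (rejects the 000/666/9xx area, 00 group and 0000 serial) and 13-16 digit
# card numbers with optional space or dash separators.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

# Assumed policy: endpoints may hold no regulated identifiers; HR and finance
# systems in the data center may hold both kinds.
POLICY = {
    "endpoint": set(),
    "datacenter": {"SSN", "CARD"},
}


def luhn_ok(digits):
    """Luhn checksum; filters order numbers and similar digit runs out of card hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return [(kind, masked_value)] for every identifier found in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("SSN", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(("CARD", "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def find_violations(records):
    """records: iterable of (source_type, device, path, text) taken from backups.
    Returns one dict per identifier that the source's policy does not allow;
    values are masked so the report itself does not become a PII leak."""
    violations = []
    for source, device, path, text in records:
        allowed = POLICY.get(source, set())
        for kind, masked in scan_text(text):
            if kind not in allowed:
                violations.append({"device": device, "path": path,
                                   "kind": kind, "value": masked})
    return violations


SAMPLE_RECORDS = [  # constructed
    ("endpoint", "laptop-0421", "C:/Users/jdoe/Desktop/payroll_export.csv",
     "jdoe,123-45-6789,Senior Analyst\n"),
    ("endpoint", "laptop-0421", "C:/Users/jdoe/Downloads/order.txt",
     "Order 1234567890123 shipped on 2021-03-02\n"),          # fails Luhn: not a card
    ("endpoint", "laptop-0198", "C:/Users/asmith/expenses.txt",
     "Paid with corporate card 4111 1111 1111 1111 at the airport\n"),
    ("datacenter", "hr-db-01", "/var/backups/hr_export.csv",
     "jdoe,123-45-6789,Senior Analyst\n"),                   # allowed by policy here
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_RECORDS):
        print(f"{v['device']}: {v['kind']} {v['value']} in {v['path']}")
```

The same SSN appears in two records; only the copy on the laptop is a violation, which is exactly the distinction a defensible-deletion job needs before it removes anything.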

Ransomware will strike. Modern ransomware will extract data. Make sure that the data the attackers can access is not something to worry about. 

Key takeaways

Ransomware, regulations, and common sense all point in the same direction — you need to get control of your data. Ransomware is an omnipresent threat, but the best way to protect yourself is by protecting and managing your data according to best practices. The path is clear.

In 2020, you should have set up reliable ransomware protection. 

In 2021, you should implement a robust ransomware recovery solution.

In 2022, you will need comprehensive post-recovery and ransomware isolation solutions. 

If you are worried about your current exposure or concerned about your path to the future, we are here to help you turn best practices into reality. At Druva, our comprehensive cloud data protection, robust security, and ransomware defense and recovery solutions empower security operations and IT teams to protect, detect, respond, and recover faster from external or internal threats. We invite you to explore Druva’s cloud platform for yourself — visit the ransomware protection and recovery page of the Druva site to learn more, and watch the video below for a demonstration of our solution in action.