Over the past several years, ransomware has emerged as a preeminent threat to any organization with a significant online presence. While increasingly diverse and manipulative types of ransomware and other malware threats are on the rise, cloud backup serves as a strategic defense mechanism for data and applications that are particularly vulnerable, including endpoints, cloud workloads, and SaaS applications such as Microsoft 365. In a recent study, Aberdeen Group concluded that cloud backup and restore offers the potential to reduce ransomware’s overall impact on an organization by more than 90%.¹
While there are several data protection solutions in the market to help address backup and recovery, only the flexibility of the cloud provides a comprehensive approach to protecting against ransomware attacks and helping recover with speed, agility, and confidence. In this blog, we’ll detail five key steps to protect your organization, enabling cyber resilience and business continuity and limiting ransomware’s effects in the event of an attack.
1) Identify key assets and automate your data protection
A swift and painless recovery from ransomware means having a secure copy of your application and business data. It’s important to understand the full scope of your organization’s data to determine exactly what needs to be protected, as well as the best strategy to do so. This means taking inventory not only of the critical servers and applications that power your business, but also of the entry points where ransomware can gain access.
Evaluate the following common data areas for protection:
- End user data — Most ransomware enters through your end users. Make an effort to protect both endpoints (laptops, mobile devices, etc.) and the SaaS applications hosting user data (Microsoft 365, Google Workspace, etc.) to limit access and potential spread.
- Data centers — These systems are the true target of ransomware, and loss of access to them can cripple operations. Protect your virtual machines, NAS systems, and the databases storing your data.
- Cloud workloads — As cloud computing, such as that on Amazon Web Services (AWS), increases, make sure these environments can be restored quickly.
Automating data protection processes and cloud backup ensures you have up-to-date resources for a timely recovery. Consider implementing a SaaS data protection solution such as Druva to keep backup data isolated from your infrastructure, and thus inaccessible to ransomware.
2) Lock down your backup environment with the cloud
A key challenge of on-premises data protection is its exposure to the same ransomware threat as the remainder of the data center environment. Its attachment to your network opens it up to the possibility of infection, preventing you from accessing backup data when you need it the most. Unlike an on-premises backup solution, cloud vendors like Druva offer built-in, naturally air-gapped data protection. Backup data is stored in the cloud, preventing ransomware from exploiting the same security vulnerabilities. Additionally, this cloud-native architecture ensures your backup data cannot be encrypted by ransomware.
Look for cloud vendors that offer a secure, multi-tenant environment for customer data, leverage encryption keys, and comply with today’s leading security certifications. This will help support your in-depth cybersecurity strategy by providing a multi-layered defense, enabling your organization’s admins to build situational awareness, detect anomalies, respond quickly, and recover.
3) Detect threats early and prepare
Without proactive monitoring, your cybersecurity team might not detect ransomware until it triggers, potentially after lying dormant inside your data for months. Organizations need to rapidly detect threats, even if affected data is in the backup environment. This requires a strategy to regularly monitor backups for abnormalities, as well as to watch admin and end-user activity for ransomware’s common indicators.
To monitor your environment constantly for threats, today’s leading vendors offer:
- Complete data visibility and automatic risk flagging, identifying suspicious activity based on historical usage
- Automated alerts empowering admins to make proactive security decisions
- A comprehensive analytics platform including IP address logging to capture the full audit trail of admin and user activities
4) Execute a swift, strong response to the threat
A quick and effective response to a potential threat is the key to maintaining the safety of your organization’s data and applications. Once identified, your organization needs the ability to quickly analyze the data environment to discover the infection source and understand when the data was compromised.
Optimize your ransomware response with the following key steps:
- Identify your last known good copy
  - Leverage your cloud vendor to separate the last clean backup or snapshots from infected ones. For example, Druva’s algorithms can trace back to before anomalous behavior was recorded in the system and recover from these clean backups. Once the last good copy has been identified, scour your data sources to identify which others could be infected and take the appropriate measures.
- Delete compromised files and snapshots
  - Take measures to ensure the ransomware has been fully removed from your network. Have your backup admins remove any infected snapshots to prevent them from accidentally being recovered in the future, and wipe infected endpoint devices clean. If your vendor offers federated search, utilize this functionality to locate and eliminate or quarantine infected files.
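The anomaly flagging from step 3 and the trace-back to a last known good copy from step 4 can be illustrated with a baseline check over per-snapshot change counts. This is an added example, not Druva’s algorithm or code from this post; the snapshot records, their fields, the warm-up length, and the threshold `k` are constructed assumptions.

```python
from statistics import median

# Constructed sample: (snapshot_id, files_modified, files_deleted) per daily backup.
SNAPSHOTS = [
    ("snap-01", 120, 3), ("snap-02", 95, 1), ("snap-03", 130, 4),
    ("snap-04", 110, 2), ("snap-05", 105, 2), ("snap-06", 125, 5),
    ("snap-07", 118, 3),
    ("snap-08", 4200, 3900),  # mass rewrite and delete, typical of bulk encryption
    ("snap-09", 160, 6), ("snap-10", 140, 2),
]


def is_anomalous(value, history, k=6.0):
    """Flag a value that exceeds median + k * MAD of the clean history."""
    med = median(history)
    # Median absolute deviation; fall back to 1.0 when history has no spread.
    mad = median(abs(h - med) for h in history) or 1.0
    return value > med + k * mad


def triage(snapshots, warmup=5, k=6.0):
    """Return (last_known_good, first_anomalous, quarantine_candidates).

    The baseline is built only from snapshots already judged normal, so a
    burst of changes cannot raise its own threshold. Everything from the
    first anomalous snapshot onward is held for review, because later
    snapshots may still contain encrypted files even if they look quiet.
    """
    clean_mod, clean_del = [], []
    for i, (sid, modified, deleted) in enumerate(snapshots):
        if i >= warmup and (
            is_anomalous(modified, clean_mod, k)
            or is_anomalous(deleted, clean_del, k)
        ):
            suspects = [s[0] for s in snapshots[i:]]
            return snapshots[i - 1][0], sid, suspects
        clean_mod.append(modified)
        clean_del.append(deleted)
    return snapshots[-1][0], None, []


if __name__ == "__main__":
    good, first_bad, suspects = triage(SNAPSHOTS)
    print("last known good:", good)
    print("first anomalous:", first_bad)
    print("hold for review:", suspects)
```

A change-rate baseline marks when bulk encryption started, not when the intruder first arrived, so the snapshot it selects should still be scanned before it is restored.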
5) Rebound quickly with flexible recovery options
The faster your organization can recover from ransomware, the quicker you can get back to business as usual. However, not every disaster recovery strategy is the same, and having multiple options for how to proceed brings many advantages. Druva and other cloud backup and data protection vendors offer a few options, including historical snapshot and bulk recovery.
In historical snapshot-based recovery, admins set a custom retention policy for a given period of time to ensure recovery and minimize data loss. In the event of a ransomware attack, your organization will have easy access to recover clean data from an identified date. This long-term retention of backup data protects from data loss threats, and also helps your business meet many of today’s strict compliance regulations. Keeping data long term not only helps reduce the impact of future threats, but cuts down on your overall storage spend.
For many companies, the speed and cost-efficiency of recovery following an attack are the most important factors to consider, and bulk recovery often meets these demands. With the bulk recovery of backup data, your organization will be able to offer both admin- and user-driven restore for end-user data, restore VMs to VPC, and bulk export files for recovery via alternate options such as network share or shipped hard drives.
The global ransomware threat is evolving fast, and much current backup infrastructure, such as on-premises solutions, just doesn’t offer the capabilities to recover from ransomware effectively or fast enough. These challenges are exacerbated across workloads that span endpoints, data centers, SaaS applications, and the cloud.
Today’s organizations require a proven data protection strategy and an experienced cloud vendor like Druva to deliver cyber resilience and business continuity expertise. While no backup vendor can totally eliminate the risk of an attack, Druva guarantees that with its 100% SaaS-based solution, you can significantly increase response and recovery speed. Druva’s comprehensive cloud data protection empowers teams to protect, detect, respond, and recover faster in the face of any external or internal attacks. This gives your organization the tools it needs to minimize cost and complexity, increase cyber resilience, maintain compliance, and accelerate and protect its cloud projects.
¹ Aberdeen, “Reducing impact of ransomware attacks via cloud-based approaches,” Derek E. Brink, March 2019.