Ransomware protection is overwhelming. Every media outlet leads with the devastation and omnipresence of ransomware. Every vendor touts their ransomware “solution” as if such a complex problem could be solved by one product. Every CEO and board member demands a comprehensive ransomware strategy…within budget, of course. Where do you start?
Our new series, the Ransomware Survival Guide, will help you understand how to survive and protect against a ransomware attack. After reading this guide, you will be able to better define the data protection component of your ransomware recovery strategy. In this guide, we will share the requirements, best practices, and how to measure and share your progress. We will begin with the foundations, then advanced recovery services, and finally how to operationalize everything.
Disclaimer: This guide is targeted toward ransomware data protection. There are many additional components to a ransomware strategy, for example anti-phishing training, SIEM, vulnerability management, and more, that are part of a comprehensive approach to protect against ransomware. No one company, product, or guide covers everything.
This post covers the foundations of ransomware data protection. We will discuss the core requirements for protection, where to include architectural flexibility, and the single best way to protect against ransomware.
Protecting your data
After ransomware strikes, the organization will take many steps, but they will begin and end with recovery. At the beginning, you will need to answer: “Can we recover the affected data in time, or will we have to pay the ransom?” At the end, you will need to deliver. Therefore, the foundations begin with protecting your data.
Since cyber criminals know the importance of your backups, they will target them for corruption or deletion. Therefore, not only do you need to protect the data, you need to protect your protection copies. There are four requirements for data protection in the age of ransomware:
- Reliable, resilient backups — You should target a 99+ percent successful backup rate. More importantly, the backups should be resilient and durable, so you can target a 99+ percent successful recovery rate. If your backups are not working, ransomware does not even need to corrupt or delete them.
- Unmodifiable backups — Ransomware will try to corrupt or delete your backups. There should be no way for a process/server in your environment to directly access the backup storage — e.g. via NFS, SMB, S3 or local file protocols — because ransomware will exploit the link. Even “root only” accesses are a vulnerability because cyber criminals can gain root access to your systems.
- Non-deletable backups — Ransomware will try to gain control of your backup software and delete all the backups. It can manually trigger deletes, reduce the retention period to force automatic deletions, and alter backup schedules so no new backups are created. Therefore, you need a system that will prevent backup deletion, even by an administrator, because administrator accounts can be compromised.
- Backup everything — Ransomware usually enters via end-user devices, but attacks any data source — SaaS applications, cloud applications, file servers, VMs, and even databases. Therefore, you need to protect everything with the same resilient, unmodifiable, non-deletable approach, because your organization will want to recover everything.
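The four requirements above translate into things you can measure. As an added example (not Druva's code, and not any vendor's real audit schema), the script below scans a constructed JSON-lines audit log from a backup system, computes the backup success rate against the 99 percent target, and flags the three tampering patterns the non-deletable requirement describes: retention shortened, schedules disabled, and mass deletion by a single account. The event names, field names, retention floor and delete threshold are all assumptions for the example.

```python
"""Check a backup system's audit trail against the post's four requirements.

Added example, not the page's or any vendor's code. The event and field names
below are assumptions for illustration, not a real product schema.
"""
import json
from collections import Counter
from dataclasses import dataclass

SUCCESS_TARGET = 0.99          # the post's "99+ percent" successful backup goal
MIN_RETENTION_DAYS = 30        # assumption: the floor your retention policy should never drop below
MASS_DELETE_THRESHOLD = 5      # assumption: deletes by one actor before we raise a finding

# Constructed sample audit events (JSON lines); not captured from a real system.
SAMPLE_LOG = """
{"ts":"2021-09-01T01:00Z","event":"backup.complete","job":"vm-prod-01","status":"success"}
{"ts":"2021-09-01T01:05Z","event":"backup.complete","job":"vm-prod-02","status":"success"}
{"ts":"2021-09-01T01:10Z","event":"backup.complete","job":"nas-share","status":"success"}
{"ts":"2021-09-01T01:15Z","event":"backup.complete","job":"sharepoint","status":"success"}
{"ts":"2021-09-01T01:20Z","event":"backup.complete","job":"db-erp","status":"success"}
{"ts":"2021-09-01T01:25Z","event":"backup.complete","job":"laptops","status":"success"}
{"ts":"2021-09-01T01:30Z","event":"backup.complete","job":"vm-prod-03","status":"success"}
{"ts":"2021-09-01T01:35Z","event":"backup.complete","job":"vm-prod-04","status":"success"}
{"ts":"2021-09-01T01:40Z","event":"backup.complete","job":"vm-dev-01","status":"failed"}
{"ts":"2021-09-02T03:00Z","event":"retention.change","actor":"admin","policy":"default","old_days":35,"new_days":1}
{"ts":"2021-09-02T03:01Z","event":"schedule.change","actor":"admin","job":"vm-prod-01","enabled":false}
{"ts":"2021-09-02T03:02Z","event":"backup.delete","actor":"admin","job":"vm-prod-01"}
{"ts":"2021-09-02T03:02Z","event":"backup.delete","actor":"admin","job":"vm-prod-02"}
{"ts":"2021-09-02T03:03Z","event":"backup.delete","actor":"admin","job":"vm-prod-03"}
{"ts":"2021-09-02T03:03Z","event":"backup.delete","actor":"admin","job":"vm-prod-04"}
{"ts":"2021-09-02T03:04Z","event":"backup.delete","actor":"admin","job":"nas-share"}
{"ts":"2021-09-02T03:04Z","event":"backup.delete","actor":"admin","job":"db-erp"}
{"ts":"2021-09-02T09:00Z","event":"backup.delete","actor":"operator","job":"vm-dev-01"}
"""


@dataclass
class Finding:
    ts: str
    actor: str
    rule: str
    detail: str


def parse_events(text):
    """Parse JSON-lines audit text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def backup_success_rate(events):
    """Fraction of completed backup jobs that succeeded (0.0 when none completed)."""
    done = [e for e in events if e["event"] == "backup.complete"]
    if not done:
        return 0.0
    return sum(e["status"] == "success" for e in done) / len(done)


def meets_success_target(events, target=SUCCESS_TARGET):
    """True when the observed success rate reaches the post's 99 percent goal."""
    return backup_success_rate(events) >= target


def detect_tampering(events, min_retention_days=MIN_RETENTION_DAYS,
                     mass_delete_threshold=MASS_DELETE_THRESHOLD):
    """Flag the control changes that make backups deletable: shortened retention,
    disabled schedules, and one actor deleting many backups. Each rule fires once
    per triggering event (mass delete fires once per actor)."""
    findings = []
    deletes_by_actor = Counter()
    for e in events:
        kind = e["event"]
        if kind == "retention.change" and (
                e["new_days"] < e["old_days"] or e["new_days"] < min_retention_days):
            findings.append(Finding(e["ts"], e["actor"], "retention_shortened",
                                    f"policy {e['policy']}: {e['old_days']}d -> {e['new_days']}d"))
        elif kind == "schedule.change" and not e.get("enabled", True):
            findings.append(Finding(e["ts"], e["actor"], "schedule_disabled",
                                    f"job {e['job']} will no longer produce backups"))
        elif kind == "backup.delete":
            deletes_by_actor[e["actor"]] += 1
            if deletes_by_actor[e["actor"]] == mass_delete_threshold:
                findings.append(Finding(e["ts"], e["actor"], "mass_delete",
                                        f"{mass_delete_threshold}+ backups deleted by one account"))
    return findings


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print(f"backup success rate: {backup_success_rate(evts):.1%} "
          f"(target {SUCCESS_TARGET:.0%}, met={meets_success_target(evts)})")
    for f in detect_tampering(evts):
        print(f"{f.ts} {f.rule:<20} actor={f.actor}: {f.detail}")
```

The point of the retention and schedule rules is the post's own: an administrator account can be compromised, so a retention reduction or a disabled schedule is a signal worth alerting on regardless of who made the change. In a real deployment these findings would feed your SIEM, and the success-rate check would run against the full job history rather than one day's events.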
Every product has a unique ransomware protection feature, but it is impossible to create an architecture flexible enough to incorporate every differentiated approach. Furthermore, ransomware itself will continue to evolve, so you want a simple enough architecture that avoids becoming brittle. Therefore, you will need to decide where you want to build in architectural flexibility for the future.
There are three areas in which architectural flexibility will matter:
- Scalable recovery — Ransomware attacks try to compromise as much data as possible in as short a time as possible. Therefore, organizations will need to recover data both successfully and quickly. Since most protection environments are not built for large-scale recoveries, it will become increasingly important to design for the flexibility to recover at scale.
- Multi-cloud recovery — It can take days or weeks to clean out ransomware from an environment. Organizations that can recover data to alternate locations can restart critical applications even while quarantining infected areas. Instead of losing revenue and customer confidence, the business can continue to run.
- Ability to evolve — Ransomware is constantly evolving, and so is your data environment. Therefore, you want an architecture that enables frequent upgrades of the protection environment. The security team would not use 18 month-old anti-virus signatures, and you cannot afford to use 18 month-old protection software.
When it comes to the foundations of data protection, follow the aphorism, “It’s not about backup… it’s about recovery.” You will need to recover more data faster. You will need to recover to new environments. You will need to recover workloads that don’t even exist today.
The fight against ransomware is just beginning. Architectural flexibility is more important than any feature.
The best way to protect against ransomware
Test your recoveries — every week.
Teams worry about testing realistic “ransomware recovery,” but if you can’t run a recovery, you can’t run a ransomware recovery. While ransomware recoveries create additional requirements, which we will cover in the last part of the guide, the fundamental requirement is — “you should be able to run a successful recovery 99+ percent of the time.” You will only hit that mark if you test in the following ways:
- Test recovery in different environments — Depending on the scope of the attack and the urgency of the restore, you may need to recover your data and applications to an alternate environment. No matter how portable your applications are, you want the first cross-environment restores to be tests, so you can work out performance, security and network settings, application dependencies, and the unknown unknowns unique to your organization.
- Test recovering different workloads — Most restore tests tend to look something like: “Recover a few VMs, some files, and a tablespace.” A ransomware recovery could require restoring SharePoint Online, a NAS share, 40 laptops, and dozens of VMs. You need to know both the functional and performance limitations of restoring different workloads, or you cannot answer, “Can we recover the affected data in time, or will we have to pay the ransom?”
- Test them with different people — You want your entire staff to be able to run recoveries because recovering at scale does not just require technology — it requires people. The only way to be comfortable under pressure is to practice.
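Weekly testing across environments, workloads and people only works if someone tracks it. The following added example (not Druva's code) keeps a constructed log of recovery tests and reports the recovery success rate against the 99 percent goal, the weeks in which no test ran, and which required environments, workloads and operators have not yet been exercised. The required sets and the record fields are assumptions for the example.

```python
"""Track recovery-test cadence and coverage the way the post recommends.

Added example, not the page's or any vendor's code. The required environments,
workloads, and the record layout are assumptions for illustration.
"""
from collections import Counter
from datetime import date, timedelta

RECOVERY_TARGET = 0.99                       # the post's "99+ percent" recovery goal
REQUIRED_ENVIRONMENTS = {"primary-dc", "cloud-dr"}           # assumption
REQUIRED_WORKLOADS = {"vm", "file-share", "saas-mailbox", "database", "endpoint"}  # assumption
REQUIRED_OPERATORS = {"alice", "bob", "carol"}               # assumption: the whole on-call rota

# Constructed sample test records; not real test results.
SAMPLE_TESTS = [
    {"date": "2021-08-02", "environment": "primary-dc", "workload": "vm", "operator": "alice", "success": True},
    {"date": "2021-08-09", "environment": "primary-dc", "workload": "file-share", "operator": "alice", "success": True},
    {"date": "2021-08-23", "environment": "primary-dc", "workload": "database", "operator": "bob", "success": False},
    {"date": "2021-08-30", "environment": "primary-dc", "workload": "vm", "operator": "alice", "success": True},
]


def recovery_success_rate(tests):
    """Fraction of recovery tests that succeeded (0.0 when no tests were run)."""
    if not tests:
        return 0.0
    return sum(t["success"] for t in tests) / len(tests)


def week_start(d):
    """Monday of the ISO week containing d."""
    return d - timedelta(days=d.weekday())


def missed_weeks(tests, start, end):
    """Weeks between start and end (inclusive) in which no recovery test ran."""
    tested = {week_start(date.fromisoformat(t["date"])) for t in tests}
    missed, week = [], week_start(start)
    while week <= end:
        if week not in tested:
            missed.append(week)
        week += timedelta(days=7)
    return missed


def coverage_gaps(tests):
    """Required environments, workloads and operators that no test has covered,
    plus how concentrated the testing is on one operator."""
    by_operator = Counter(t["operator"] for t in tests)
    top_share = max(by_operator.values()) / len(tests) if tests else 0.0
    return {
        "environments": REQUIRED_ENVIRONMENTS - {t["environment"] for t in tests},
        "workloads": REQUIRED_WORKLOADS - {t["workload"] for t in tests},
        "operators": REQUIRED_OPERATORS - set(by_operator),
        "single_operator_share": top_share,
    }


def readiness_report(tests, start, end):
    """Combine rate, cadence and coverage into one dict a team can review weekly."""
    rate = recovery_success_rate(tests)
    gaps = coverage_gaps(tests)
    return {
        "success_rate": rate,
        "meets_target": rate >= RECOVERY_TARGET,
        "missed_weeks": missed_weeks(tests, start, end),
        "gaps": gaps,
        # the post's point: recovery at scale needs many people, not one expert
        "operator_concentration": gaps["single_operator_share"] > 0.5,
    }


if __name__ == "__main__":
    report = readiness_report(SAMPLE_TESTS, date(2021, 8, 2), date(2021, 8, 30))
    print(f"recovery success rate: {report['success_rate']:.0%} (met={report['meets_target']})")
    print("weeks without a test:", [w.isoformat() for w in report["missed_weeks"]])
    for dim in ("environments", "workloads", "operators"):
        print(f"untested {dim}:", sorted(report["gaps"][dim]))
```

In the constructed data every test ran in the primary data center, so the cloud recovery path has never been exercised, two workload types have never been restored, and three of four tests were run by the same person. Those are exactly the gaps the post says you want to find in a drill rather than during an incident.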
Practice makes perfect. Ransomware recovery is the motivation you need to practice.
Do not be intimidated by the noise around ransomware recovery. The foundations of data protection for ransomware recovery are the same as the foundations for traditional recovery.
First, build a reliable protection service for all of your data, and ensure that the protection storage and protection software cannot be compromised. Second, keep the architecture focused on recovery performance and flexibility, because ransomware is evolving so quickly that premature feature optimizations will limit your ability to respond. Finally, test your recoveries in as many ways as you can.
Data protection for ransomware recovery is still data protection. Ransomware provides an excellent opportunity to refocus your organization on data protection best practices, before moving to more complex functionality.
In our next entry in the Ransomware Survival Guide, we will walk you through a ransomware recovery scenario, so that you can build on the foundations to deliver best-in-class ransomware data protection.
Join us at the 2021 Cyber Resilience Summit
Mark October 13 on your calendar — and join security leaders, industry visionaries, Druva experts, and peers as they discuss best practices, experiences, and learnings for cyber resilience. Register for free now.