Ransomware survival guide — Advanced ransomware data recovery

Stephen Manley, CTO

Ransomware protection is overwhelming. Every media outlet leads with the devastation and omnipresence of ransomware. Every vendor touts their ransomware “solution” as if such a complex problem could be solved by one product. Every CEO and board member demands a comprehensive ransomware data recovery strategy — within budget, of course. Where do you start?

Our new series, the Ransomware Survival Guide, will help you understand how to survive and protect against a ransomware attack. After reading this guide, you will be able to better define the data protection component of your ransomware recovery strategy. In this guide, we will share the requirements, best practices, and how to measure and share your progress. We will begin with the foundations, then advanced ransomware recovery services, and finally, how to operationalize everything. 

Disclaimer: This guide is targeted toward ransomware data protection. There are many additional components to a ransomware strategy, for example anti-phishing training, SIEM, vulnerability management, and more, that are part of a comprehensive approach to protect against ransomware. No one company, product, or guide covers everything.

This post covers the advanced recovery from ransomware. We will discuss how data protection can help you detect and respond to a ransomware attack, how to validate data before recovery, and three simple rules for accelerating your ransomware recovery following the attack.

Detect, analyze, and assess

Ransomware can lie dormant within your environment for months, infiltrating your systems. When everything is “in place,” the cyber criminals launch a massive coordinated attack. As we discussed in our previous edition of the series, they will first target the backups, then encrypt as much production data as possible, so that recovery will seem like an insurmountable task. The first way to optimize your recovery is for your backups to help detect an attack, run the forensic analysis, and assess the damage as quickly as possible. 

First, detect the ransomware attack as quickly and accurately as possible. Your data protection solution should help your security team and solution detect an attack without false positives. Since ransomware attacks SaaS applicationscloud workloadsdata centers, and endpoints, you need a centralized backup solution that can protect all your data, identify anomalies, and send alerts to your security management. Detecting a ransomware attack is complicated, but information about unusual behavior and activity in your backup environment can make detection faster and more reliable. 

Second, use forensics to track the path of the ransomware. To eradicate the malware, you need to understand where it started and how it spread. Your backups should provide historical information to your forensic analysis tools to expedite the process. Historical logs can be useful for tracking the progress of the malware, and catalog searches can identify when/where malware files arrived onto OneDrive, a VM, or a NAS share

Third, assess the damage. The legal and executive teams need to understand what data is affected, so they can explain the magnitude of the damage to auditors, board members, and customers. Backups can help identify affected files and systems, so organizations can track potentially exfiltrated data, compromised services, and time to recovery. Backups can provide data for risk assessment and remediation.

Validate before recovering

There are two rules to recovering from a ransomware attack:

  1. Do not restore malware back into the environment
  2. Do restore the most recent good version of data

You must remove ransomware prior to restoring any system into the environment. Ideally, your protection vendor should scan for and remove malware before the restore. Regardless, we recommend that you also run your own malware scan. Many customers bring up the restored data in an isolated environment, run their own scans, and then proceed to bring the data into production.

With the cloud, running a preliminary restore does not have to be expensive and slow. First, since the cloud spins up resources on-demand, you do not need separate “standby” resources for the first stage of ransomware data recovery. Second, recovery to a cloud instance, especially from a backup in the cloud, can be extremely fast. Third, since the recovery is fast and on-demand, you can set up the restored instances while still in the “analyze” and “assess” phases. 

You should recover the most recent good version of your data with a combination of analytics and self-service. First, if your protection vendor can detect anomalies, that can immediately eliminate the corrupted backups. Second, you should be able to look at the distribution of file types across different backups, and discard backups with unusual backup types. Third, even after the recovery, users should be able to rapidly extract files from older backups with self-service restores. 

The entire business is watching, so you only want to restore to production once. Use analytics, built-in malware scans, and test restores to ensure that you are ready. 

Recover quickly

Once you are prepared, you want the ransomware recovery to run as quickly as possible. Most recovery performance comes from preparation, so you need to prepare. 

The three key steps to recovery performance are:

  1. Prioritize — Under stress, every business struggles to identify which applications and infrastructure should be recovered first. Therefore, create a recovery plan ahead of time. The business can identify what matters, so that when it comes time to recover, you just have to execute. 
  2. Recover applications, not infrastructure — The business cares about applications, and ransomware may affect some components of an application, but not others. Therefore, you can further break an application by restoring components to a previous point in time. It is critical to test restores to validate application dependencies, so that you can recover the application when the time comes. 
  3. Cloud scalability — Most on-premises environments are not built for large-scale recoveries, and they can bottleneck on protection appliances, network, and even the production target. The cloud can enable on-demand scale in all three dimensions: storage, compute, and network. Recover from the ransomware attack, and then you can repatriate workloads to your data center at your own pace. 

There is no magic formula to rapid recovery, but the cloud is a key ingredient to success. If you are prepared, your recovery will be focused, successful, and run at the scale of your business. 

Key takeaways

Ransomware recovery extends the foundations of traditional recovery to address the unique challenges brought about by a cyber attack. 

First, unlike a traditional failure, the ransomware protection solution needs to help detect, analyze, and assess the damage of a ransomware attack. Second, ransomware recovery needs to be a two-staged process to ensure that you are eliminating malware and restoring the latest good version of your data. Finally, since ransomware recoveries tend to be extensive, you need a validated plan and scalable infrastructure to meet the timelines of the business. 

You need a ransomware recovery plan because cybercriminals are targeting everyone. Rapid recovery from a ransomware attack can mean the difference between your business surviving the attack or collapsing under lost revenue and customer confidence. You need to be ready.

In our next and final entry in the Ransomware Survival Guide, we will help you operationalize your ransomware protection solution. Visit the Druva blog to learn more about cyber resilience and all things cloud data protection, and stay tuned for this series’ final entry in the weeks to come.

Join us at the 2021 Cyber Resilience Summit

Mark October 13 on your calendar — and join security leaders, industry visionaries, Druva experts, and peers as they discuss best practices, experiences, and learnings for cyber resilience. Register for free now.