Every morning, IT leaders wake up and read about yet another organization that has been brought down by a ransomware attack. The damage this does to a company in recovery cost, lost productivity, and reputation is staggering. Organizations need a comprehensive cyber security plan to protect their IT assets, whether those are multi-cloud, SaaS, or endpoints. But you also need a robust and resilient backup ecosystem, because backups, and the ability to recover your data, are your last line of defense against ransomware. It does you no good if the same malicious software that has crippled your production environment can also target and wreak havoc on your backups. We’ll talk more about how Druva meets both operational security and data integrity in another blog, but just know that Druva provides the tools and environment that secure your backups against severe data loss scenarios.
Another major problem is that ransomware is getting smarter. It no longer immediately infects and encrypts everything it can see and touch, because organizations are much better at responding when the impact is immediate. In fact, according to a survey from CrowdStrike, malicious software packages can linger in systems for almost three months on average.¹
So now you are faced with a dilemma. You need to recover your data quickly to get your organization back on track, but how do you know which backup to recover from? If the ransomware has been infecting files for weeks, restoring from the latest backup still doesn’t recover everything. The last thing you want to be doing when recovering from a ransomware attack is sifting through dozens of backups looking for unaltered files. This could lead to an extended outage, and you still might not get back to clean data.
Introducing curated recovery from ransomware
The answer is simple — Druva’s accelerated ransomware recovery is a suite of tools and workflows that can quickly bring your data back, and we are excited to announce a new enhancement called curated recovery! Read the Press Release here.
Curated recovery is a new feature that makes it easier to collate last-known good versions of files across numerous snapshots in a user-defined timeframe. This ensures that when you want to restore, you restore from a single backup and know that it’s comprehensive and clean. Refer to the diagram below for a closer look at this process.
Ransomware affected files across multiple backups
Here we have a series of files over a number of different backups that are being impacted by ransomware. Depending on the type of ransomware, you could have files encrypted and then deleted, or completely unusable. If you were to try to figure out which backup had the newest unaffected version of the file, you may have to recover several dozen backups across multiple systems. This adds complexity to the recovery process and could introduce mistakes or missed files.
So how does it work? At a high level, our curated recovery algorithm looks at the history of all the files within the defined time period and then stitches together a single known good recovery point. This “curated” recovery joins all known good versions across multiple snapshots into a single recovery point which can then accelerate your recovery process. The algorithm can also augment this further by filtering out malicious files that match an AV scan, imported file Indicators of Compromise (IoCs), and of course files that were encrypted by ransomware.
Automatically finding the most recent clean version of a file and adding it to a single snapshot
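As an added illustration (not Druva’s own code; the page does not publish its algorithm), the following Python sketch implements the curation logic described above over a constructed backup history: for each file it keeps the newest version that is neither flagged as encrypted, nor matches an imported IoC or AV hash, nor carries a known malware extension, and a file that disappears later in the window keeps its last clean version. The `encrypted` flag, the snapshot layout, and the sample hashes and extension are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class FileVersion:
    sha256: str      # content hash recorded when the file was backed up
    encrypted: bool  # set by an assumed entropy/ransomware heuristic at backup time

def curate(snapshots, start, end, ioc_hashes, bad_extensions):
    # curated:  path -> (snapshot_time, FileVersion) of the newest clean version
    #           found in any snapshot taken within [start, end]
    # excluded: path -> [(snapshot_time, reason)] for versions that were skipped
    # A path absent from later snapshots (e.g. deleted after encryption) keeps
    # the last clean version seen earlier in the window.
    curated, excluded = {}, {}
    in_window = sorted((s for s in snapshots if start <= s[0] <= end), key=lambda s: s[0])
    for ts, files in in_window:                  # oldest first: newer clean versions win
        for path, fv in files.items():
            if fv.sha256 in ioc_hashes:
                reason = "hash matches imported IoC / AV hit"
            elif fv.encrypted:
                reason = "encrypted by ransomware"
            elif path.rsplit(".", 1)[-1] in bad_extensions:
                reason = "known malware extension"
            else:
                curated[path] = (ts, fv)
                continue
            excluded.setdefault(path, []).append((ts, reason))
    return curated, excluded

# Constructed sample backup history: three daily snapshots of the same host.
D1, D2, D3 = datetime(2021, 9, 1), datetime(2021, 9, 2), datetime(2021, 9, 3)
SNAPSHOTS = [
    (D1, {"docs/report.docx": FileVersion("a1", False),
          "docs/budget.xlsx": FileVersion("b2", False)}),
    (D2, {"docs/report.docx": FileVersion("a1", False),
          "docs/budget.xlsx": FileVersion("f3", True),     # encrypted in place
          "tmp/payload.exe": FileVersion("c3", False)}),  # dropped by the attacker
    (D3, {"docs/report.docx": FileVersion("e9", True),    # budget.xlsx now deleted
          "docs/invoice.pdf.locked": FileVersion("d4", False),
          "tmp/payload.exe": FileVersion("c3", False)}),
]
IOC_HASHES = {"c3"}            # file hash supplied by the security team (constructed)
BAD_EXTENSIONS = {"locked"}    # extension appended by the ransomware family (constructed)

def demo():
    return curate(SNAPSHOTS, D1, D3, IOC_HASHES, BAD_EXTENSIONS)
```

Running `demo()` yields a two-file recovery point (report.docx from the second snapshot, budget.xlsx from the first) and an exclusion list that explains why every skipped version was left out, which is the kind of evidence a security team wants before signing off on a restore.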
To begin, launch ransomware recovery in the Druva console. On the left-hand side, you can see the new curated recovery pane.
Here, you can see all of your snapshots or create new ones.
In collaboration with your security team, once you have determined the impacted assets and zeroed in on an incident timeline, you need to quickly recover data to bring assets and services back online. The timeline could be based on when the team believes the ransomware activity started, or you could use unusual data activity (UDA) alerts to look back through your backups for spikes in abnormal file activity such as addition, deletion, modification, or encryption events.
To create a new snapshot, click on Create Curated Snapshot. From here, choose from various profiles or users to find the device(s) you are looking for.
Example – Selecting resources for curated recovery – Endpoints
Example – Choosing date range for curation – Endpoints
Example – Choosing date range for curation – Servers
But it’s not just the ability to make a collated version of known good files across multiple backups that’s important. How do you know you aren’t re-introducing ransomware to your environment during a restore? Curated recovery also takes full advantage of malicious file scanning from Druva. As part of the ransomware data recovery process, all of the backups that are rolled into a snapshot are scanned for malicious files, known malware extensions, and even user-provided file hashes. These may have come from your security team or even pre-recovery AV scans.
Below you can see a full snapshot along with any files that were deemed malicious.
Curated recovery result
Once you have a snapshot that has been scanned and is free from malware, you will be able to restore all files to their last-known good location and status.
Restore data via curated recovery
Ransomware can be a massive problem for organizations, and sometimes the last line of defense is recovering from backups. You don’t have time to worry about whether or not what you restore is the latest. You don’t have time to scour through multiple backups looking for a good version of a system file or user file. With Druva’s accelerated ransomware recovery and its new curated recovery feature, we provide the peace of mind that comes from knowing unencrypted backup data is always safe and available. Our ransomware protection solution secures and isolates backup data from potential threats, leveraging best practices to protect, detect, respond, and recover faster from ransomware.
Join us as we continue our discussions on how Druva can provide comprehensive data protection and recovery especially when it comes to ransomware, and register for our upcoming Cyber Resilience Summit. The event, taking place October 13, features industry experts, like Santhosh Rao from Gartner, and will include discussions of security best practices from companies like yours. You won’t want to miss it!
¹ CrowdStrike, “CrowdStrike Services Cyber Front Lines Report,” 2021.