
Can you recover from ransomware with frequent data backups?

Ransomware is becoming a serious security threat. A proper backup strategy lets administrators recover data from ransomware attacks without major disruption to the organization.

Ransomware is a relatively new phenomenon in which an organization's data or computer systems are held ransom by hackers. In a typical scenario, hackers gain access to the firm's IT systems in stealth mode and install malware or encrypt data on servers, making the organization's applications unusable. If the IT department pays up, the hackers release encryption keys and allow the hacked organization to regain access to its data.

There are ways to prevent or minimize intrusions, such as securing networks, but if an attack does occur, backups can be an essential way to recover from ransomware. All backups are essentially point-in-time copies of data that are retained for recovery purposes. As IT professionals, we keep multiple backups to enable applications or individual files to be recovered to a previous point in time before data was changed, whether these changes were deliberate or accidental. When backups are scheduled, we pick points in time that tie in with the application itself.

For example, we may back up an email system or order processing system after a workday. Alternatively, some applications are backed up relatively frequently to achieve a fast recovery or ensure recovered data is more current. Our decision to back up is based on service-level requirements and is determined by both recovery time objectives and recovery point objectives (RPOs) negotiated in discussion with the owner of the application.

Backups help organizations recover from ransomware scenarios by allowing an application to be rolled back, or recovered, to a previous backup based on RPOs. If backups are implemented correctly, the impact of recovering to a previous application image should be minimal, and it should be no different to recover from ransomware than to recover from a hardware or application error.

Evaluate all backup approaches to assess capabilities

When implementing backups specifically to recover from ransomware attacks, administrators need to consider two issues:

  • How would the entire application or range of applications be recovered?
  • How often should backups be taken to recover within acceptable service-level agreements if the entire application has to be returned to a previous point in time? The business owner may have different views on recovery when the entire application is affected.

Of course, not all backup regimes are capable of recovering all applications in a timely fashion. Typically, processes like data replication -- whether asynchronous or synchronous -- are used to recover from instances such as site failure. These technologies don't help with ransomware, as they will also faithfully replicate any encrypted data. As a result, the data protection regime may need reviewing to implement a process capable of dealing with more frequent backups. This could mean integrating with features in storage or the hypervisor.
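The Python sketch below is an added example, not part of the original article. It picks the newest restorable copy taken before the first malicious change and checks the resulting lost work against the RPO. The catalog entries, copy-type names, timestamps and the four-hour RPO are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample catalog: (copy type, point in time the copy reflects).
CATALOG = [
    ("nightly-backup",   datetime(2024, 5, 1, 22, 0)),
    ("nightly-backup",   datetime(2024, 5, 2, 22, 0)),
    ("storage-snapshot", datetime(2024, 5, 3, 6, 0)),
    ("storage-snapshot", datetime(2024, 5, 3, 10, 0)),
    ("storage-snapshot", datetime(2024, 5, 3, 14, 0)),
    ("async-replica",    datetime(2024, 5, 3, 15, 29)),
]

# Only retained point-in-time copies can roll an application back; a replica
# follows the primary and ends up holding the encrypted data as well.
POINT_IN_TIME = {"nightly-backup", "storage-snapshot"}


def pick_restore_point(catalog, first_bad_change, rpo):
    """Newest point-in-time copy older than the first malicious change.

    Returns (copy, lost_work, meets_rpo), or None when no clean copy exists.
    """
    clean = [c for c in catalog
             if c[0] in POINT_IN_TIME and c[1] < first_bad_change]
    if not clean:
        return None
    best = max(clean, key=lambda c: c[1])
    lost_work = first_bad_change - best[1]
    return best, lost_work, lost_work <= rpo


if __name__ == "__main__":
    rpo = timedelta(hours=4)                  # assumed RPO agreed with the owner
    attack = datetime(2024, 5, 3, 15, 0)      # assumed first malicious change
    nightly_only = [c for c in CATALOG if c[0] == "nightly-backup"]
    for name, cat in (("nightly only", nightly_only), ("with snapshots", CATALOG)):
        result = pick_restore_point(cat, attack, rpo)
        if result is None:
            print(f"{name}: no clean copy available")
            continue
        copy, lost, ok = result
        print(f"{name}: restore {copy[0]} @ {copy[1]}, lost work {lost}, meets RPO: {ok}")
```

With the sample data, the nightly-only regime loses 17 hours of work and misses the RPO, while the regime with four-hourly snapshots loses one hour.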
