
Can you recover from ransomware with frequent data backups?

Ransomware is becoming a serious security threat. A proper backup strategy lets administrators recover data from ransomware attacks without major disruption to the organization.

Ransomware is a relatively new phenomenon in which an organization's data or computer systems are held for ransom by attackers. In a typical scenario, the attackers gain covert access to the firm's IT systems and install malware that encrypts data on servers, rendering the organization's applications unusable. If the organization pays, the attackers are supposed to hand over the decryption keys so it can regain access to its data, although nothing obliges them to do so.

There are ways to prevent or limit intrusions, such as securing networks, but if an attack does succeed, backups are an essential way to recover from ransomware. All backups are essentially point-in-time copies of data that are retained for recovery purposes. IT teams keep multiple backups so that applications or individual files can be recovered to a point in time before data was changed, whether that change was deliberate or accidental. When backups are scheduled, the points in time are chosen to fit the application itself.

For example, an email system or order processing system may be backed up at the end of each workday. Other applications are backed up far more frequently, either to shorten recovery or to ensure the recovered data is more current. The schedule is driven by service-level requirements, expressed as recovery time objectives (RTOs) and recovery point objectives (RPOs) negotiated with the owner of the application.

Backups help organizations recover from ransomware by allowing an application to be rolled back, or recovered, to a previous backup chosen according to its RPO. If backups are implemented correctly, recovering to a previous application image should be no more disruptive than recovering from a hardware or application error.

Evaluate all backup approaches to assess capabilities

When implementing backups specifically to recover from ransomware attacks, administrators need to consider two issues:

  • How would the entire application or range of applications be recovered?
  • How often should backups be taken to recover within acceptable service-level agreements if the entire application has to be returned to a previous point in time? The business owner may have different views on recovery when the entire application is affected.

Of course, not all backup regimes can recover every application in a timely fashion. Typically, data replication -- whether asynchronous or synchronous -- is used to recover from events such as site failure. Replication does not help with ransomware, because it faithfully copies the encrypted data to the replica as well. As a result, the data protection regime may need to be reviewed to add a process capable of more frequent point-in-time backups, which could mean integrating with snapshot features in the storage array or the hypervisor. The backup copies themselves must also sit where the malware cannot reach them: a backup target that is writable from the infected systems can be encrypted along with the primary data.
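The two points above, that a mirror copies the ciphertext while an independent catalog of point-in-time snapshots still holds a clean copy that can be selected against the RPO, as an added example in constructed Python (not the article's code and not any product's). The in-memory volume, the toy XOR "ransomware", the entropy threshold of 7.0 bits per byte used to spot encrypted files, and the hourly schedule are all assumptions for illustration.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 8.0 for ciphertext, much lower for records."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for a ransomware payload (assumption, not a real cipher):
    XOR with a SHA-256 counter keystream, deterministic so the run repeats."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def volume_looks_encrypted(files: dict, threshold: float = 7.0) -> bool:
    """Crude tamper check: any file whose byte entropy is ciphertext-like."""
    return any(shannon_entropy(d) > threshold for d in files.values())


@dataclass
class Snapshot:
    taken_at: datetime
    files: dict  # name -> bytes; a full copy frozen at that instant


class SyncReplica:
    """Synchronous mirror: whatever is on the primary is copied here, encrypted or not."""
    def __init__(self, primary: dict):
        self.primary = primary
        self.files = dict(primary)

    def sync(self) -> None:
        self.files = dict(self.primary)


class SnapshotCatalog:
    """Point-in-time copies kept outside the primary/replica write path."""
    def __init__(self):
        self.snapshots = []

    def take(self, primary: dict, when: datetime) -> None:
        self.snapshots.append(Snapshot(when, dict(primary)))

    def last_clean(self, threshold: float = 7.0):
        """Newest snapshot that contains no ciphertext-like files, or None."""
        for snap in reversed(self.snapshots):
            if not volume_looks_encrypted(snap.files, threshold):
                return snap
        return None


def run_scenario(rpo: timedelta = timedelta(hours=1)) -> dict:
    t0 = datetime(2016, 6, 1, 0, 0)
    # Constructed sample data standing in for an order-processing system.
    primary = {
        "orders.csv": b"1001,widget,3,19.99\n" * 200,
        "mail.mbox": b"From: a@example.test\nSubject: invoice\n\n" * 100,
    }
    replica = SyncReplica(primary)
    catalog = SnapshotCatalog()

    # Hourly snapshots at 00:00, 01:00, 02:00 and 03:00 while the data is clean.
    for h in range(4):
        catalog.take(primary, t0 + timedelta(hours=h))

    # 03:30: ransomware encrypts everything on the primary in place ...
    attack_at = t0 + timedelta(hours=3, minutes=30)
    for name in list(primary):
        primary[name] = toy_encrypt(primary[name], b"attacker-key")
    # ... and the mirror faithfully copies the ciphertext.
    replica.sync()

    # 04:00: the scheduled snapshot captures the already-encrypted volume.
    catalog.take(primary, t0 + timedelta(hours=4))

    clean = catalog.last_clean()
    loss = attack_at - clean.taken_at
    return {
        "replica_encrypted": volume_looks_encrypted(replica.files),
        "poisoned_snapshots": sum(volume_looks_encrypted(s.files) for s in catalog.snapshots),
        "restore_point": clean.taken_at,
        "data_loss": loss,
        "within_rpo": loss <= rpo,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The replica ends up encrypted and the 04:00 snapshot is poisoned, but the 03:00 snapshot is clean and the 30 minutes of lost writes fall inside a one-hour RPO. The entropy test is only a stand-in for whatever detection you actually run; the point is that restore-point selection needs an independent signal of when the data went bad, because the backup schedule alone does not know.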


Other than backup, what steps can you take to protect against ransomware attacks?
Chris, great article as usual! I was noodling this a bit while hiking in the mountains on my vacation and had to come back to your post and comment. We have spoken to quite a few customers in the meantime and are building some consensus I’d like to share. No doubt that a decent backup strategy can help mitigate the damage done by a destructive cyberattack. Paying the ransom can help get the business on track, but cyber criminals often come back for more, give only partial encryption keys, or the decryption might not even work. And if the hacker pursues a social agenda, then ransom will not help at all. Having protected restore points is a good additional precaution to increase the likelihood of a speedy recovery. In many cases we see customers deploying completely isolated environments with two-person authentication, air gapping, and other methods to lock the bad actors out. Additional consideration needs to be placed on detecting when the actual attack occurs. Clearly we’ll know when data has been deleted, but encrypted records might take longer to detect. Special methods and analytics that go above and beyond the existing SIEM solutions can help shorten the window to discovery and remediation. For example, injecting sentinel records into the business-critical database can provide a method to detect when database records have been tampered with. With proper planning and special consideration for this specific use case, a good backup strategy can provide similar benefits as it does for other issues.
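The sentinel-record idea in the comment above, as an added example that is not the commenter's code or any product's: rows that look like ordinary orders are planted in a SQLite table, and a monitor that holds an HMAC key outside the database re-derives each sentinel's tag on a schedule, raising an alert when a row is missing or its contents no longer match. The table, the key and the row values are constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

# Assumption: this key lives in a secrets store on the monitoring host,
# never in the database it checks, so an attacker on the DB host cannot re-tag rows.
SENTINEL_KEY = b"example-key-rotate-out-of-band"


def sentinel_tag(row_id: int, customer: str, note: str) -> str:
    """HMAC binding a sentinel's id to the exact contents it was planted with."""
    msg = f"{row_id}|{customer}|{note}".encode()
    return hmac.new(SENTINEL_KEY, msg, hashlib.sha256).hexdigest()


def setup_db() -> sqlite3.Connection:
    """Constructed business table with a few ordinary rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, note TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "acme", "3 widgets"), (2, "globex", "rush delivery"), (3, "initech", "net 30")],
    )
    conn.commit()
    return conn


def plant_sentinels(conn: sqlite3.Connection, sentinels: list) -> dict:
    """Insert rows that look like ordinary orders and record their expected tags
    out of band (here a dict; in practice a store the database host cannot write)."""
    expected = {}
    for row_id, customer, note in sentinels:
        conn.execute("INSERT INTO orders VALUES (?, ?, ?)", (row_id, customer, note))
        expected[row_id] = sentinel_tag(row_id, customer, note)
    conn.commit()
    return expected


def check_sentinels(conn: sqlite3.Connection, expected: dict) -> list:
    """Return one alert per sentinel that is missing or no longer matches its tag."""
    alerts = []
    for row_id, tag in expected.items():
        row = conn.execute(
            "SELECT customer, note FROM orders WHERE id = ?", (row_id,)
        ).fetchone()
        if row is None:
            alerts.append(f"sentinel {row_id} missing")
        elif not hmac.compare_digest(sentinel_tag(row_id, row[0], row[1]), tag):
            alerts.append(f"sentinel {row_id} altered")
    return alerts


def demo() -> tuple:
    conn = setup_db()
    expected = plant_sentinels(
        conn, [(9001, "northwind", "recurring"), (9002, "umbrella", "net 60")]
    )
    before = check_sentinels(conn, expected)  # clean table: no alerts

    # Simulated tampering: one sentinel overwritten with opaque data, as an
    # in-place encrypting payload would leave it, and another deleted outright.
    conn.execute("UPDATE orders SET note = ? WHERE id = ?", ("x9f6u2Qw==", 9001))
    conn.execute("DELETE FROM orders WHERE id = ?", (9002,))
    conn.commit()
    after = check_sentinels(conn, expected)
    return before, after


if __name__ == "__main__":
    clean, tampered = demo()
    print("before:", clean)
    print("after:", tampered)
```

Run the check from a host that can read the database but does not share credentials with the application tier, and log the timestamp of the first failing check: that timestamp is the upper bound on the restore point you can trust, which is exactly what backup-based recovery needs and what the backup schedule alone cannot tell you.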