Ransomware is a relatively new phenomenon in which an organization's data or computer systems are held ransom by hackers. In a typical scenario, hackers gain access to the firm's IT systems in stealth mode and install malware or encrypt data on servers, making the organization's applications unusable. If the IT department pays up, the hackers release encryption keys and allow the hacked organization to regain access to its data.
There are ways to prevent or minimize intrusions, such as securing networks, but if an attack does occur, backups can be an essential way to recover from ransomware. All backups are essentially point-in-time copies of data that are retained for recovery purposes. As IT professionals, we keep multiple backups to enable applications or individual files to be recovered to a previous point in time before data was changed, whether these changes were deliberate or accidental. When backups are scheduled, we pick points in time that tie in with the application itself.
For example, we may back up an email system or order processing system after a workday. Alternatively, some applications are backed up relatively frequently to achieve a fast recovery or ensure recovered data is more current. Our decision to back up is based on service-level requirements and is determined by both recovery time objectives and recovery point objectives (RPOs) negotiated in discussion with the owner of the application.
Backups help organizations recover from ransomware scenarios by allowing an application to be rolled back, or recovered, to a previous backup based on RPOs. If backups are implemented correctly, the impact of recovering to a previous application image should be minimal, and it should be no different to recover from ransomware than to recover from a hardware or application error.
Evaluate all backup approaches to assess capabilities
When implementing backups specifically to recover from ransomware attacks, administrators need to consider two issues:
- How would the entire application or range of applications be recovered?
- How often should backups be taken to recover within acceptable service-level agreements if the entire application has to be returned to a previous point in time? The business owner may have different views on recovery when the entire application is affected.
Of course, not all backup regimes are capable of recovering all applications in a timely fashion. Typically, processes like data replication -- whether asynchronous or synchronous -- are used to recover from instances such as site failure. These technologies don't help with ransomware, as they will also faithfully replicate any encrypted data. As a result, the data protection regime may need reviewing to implement a process capable of dealing with more frequent backups. This could mean integrating with features in storage or the hypervisor.
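The restore-point choice described above, as an added example that is not part of the original article: it picks the newest point-in-time copy completed before the data was changed, skips replicas, and checks the resulting data-loss window against the RPO. The catalogue entries, copy names, incident time and the pick_restore_point function are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample catalogue: (copy id, kind, completion time).
CATALOGUE = [
    ("full-sun", "backup", "2024-03-03T22:00"),
    ("incr-mon", "backup", "2024-03-04T22:00"),
    ("incr-tue", "backup", "2024-03-05T22:00"),
    ("snap-wed-06", "snapshot", "2024-03-06T06:00"),
    ("snap-wed-12", "snapshot", "2024-03-06T12:00"),
    ("replica-dr", "replica", "2024-03-06T13:59"),
]


def pick_restore_point(catalogue, first_change, rpo, kinds=("backup", "snapshot")):
    """Return (copy_id, data_loss, meets_rpo) for the newest usable copy.

    first_change is the estimated time the attacker first changed data
    (an assumption supplied by the incident responders). Returns None
    when no copy predates it.
    """
    clean = []
    for copy_id, kind, finished in catalogue:
        taken = datetime.fromisoformat(finished)
        # Replicas mirror the live volume, so they carry the encrypted
        # data too; only point-in-time copies of the allowed kinds count.
        if kind in kinds and kind != "replica" and taken < first_change:
            clean.append((taken, copy_id))
    if not clean:
        return None
    taken, copy_id = max(clean)
    # Everything written between the copy and the attack is lost on rollback.
    data_loss = first_change - taken
    return copy_id, data_loss, data_loss <= rpo


if __name__ == "__main__":
    incident = datetime(2024, 3, 6, 9, 30)  # constructed incident time
    rpo = timedelta(hours=4)                # constructed RPO
    # Nightly backups alone versus backups plus storage/hypervisor snapshots.
    for kinds in (("backup",), ("backup", "snapshot")):
        print(kinds, pick_restore_point(CATALOGUE, incident, rpo, kinds))
```

With nightly backups alone the rollback misses the four-hour RPO; adding the more frequent snapshots brings the same incident inside it.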