Arsgera - Fotolia

WannaCry ransomware attack shows value of data backups

WannaCry and other ransomware attacks can be thwarted, but it takes proper data protection practices beforehand, as well as close monitoring of your data.

The WannaCry ransomware attack that affected more than 100,000 organizations in 150 countries last week thrust ransomware into the international spotlight.

The attack hit Britain's National Health Service, FedEx and Spain's Telefonica, among other organizations. And while it has only generated about $26,000 in payouts so far, it created a wide net of fear and dread. 

The WannaCry ransomware attack put the focus on what organizations need to do to protect their businesses and services from ransomware.

There is nothing like an incident infecting hundreds of thousands of computers worldwide to bring a problem into focus. But ransomware has been with us for years, and we have seen customer cases that prove it's possible to survive these attacks without having to pay.

However, survival requires preparation before the attack. Data protection technology and backup best practices are critical for mitigating the damage that ransomware attacks can inflict on organizations.

"The chances of getting hit by ransomware are high. And it's only going to get worse," said George Crump, president of IT analyst firm Storage Switzerland LLC. "Clearly, backup is one line of defense [against ransomware] ... before, you did backups to protect against a RAID failure."

The FBI recommends backing up regularly as one of the best ways to beat ransomware. The FBI also recommends you verify the integrity of those backups and secure the backups. Backups are best protected when they are maintained offline from the production environments, because the ransomware viruses can corrupt backup copies, as well. Snapshots and replication can be vulnerable to time-delayed ransomware attacks.

"Backup remains your best recovery option," said John Bambenek, a threat systems manager at intrusion detection vendor Fidelis Cybersecurity, based in Bethesda, Md.

Data protection vendors, such as Unitrends,  Zerto, Commvault, Acronis, Barracuda, Infrascale, Asigra, Druva and Datto, have been adding features they say will protect against ransomware. Storage vendors are also providing reporting tools that can help protect against ransomware by alerting users of anomalies occurring within files.

The idea is to use pattern detection on data and files to alert administrators of unusual encryption levels so they can intervene and limit the damage of the attack.

"You can look at a broad range of changes that are occurring on a high number of files," Crump said. "[The ransomware encryption I’ve seen] is done on a file-by-file basis. None that I've seen do encryption on volumes. That would be really nasty."

The WannaCry ransomware attack was a malware strain that moved laterally within networks by leveraging a bug in Windows SMBv1 and SMBv2. It affected any Windows computer without the Windows Patch MS17-010 that Microsoft released in March.

The chances of getting hit by ransomware are high. And it’s only going to get worse.
George Crumppresident, Storage Switzerland

"The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits," according to Europol, the European Union's law enforcement agency.

It's unlikely that backups alone would have prevented the WannaCry ransomware attack, especially if there are time-delayed attacks that have been let loose and are waiting to activate. That is why techniques such as pattern detection alerts are also important.

"At the end of the day, backups are not going to stop ransomware from doing its thing," said Don Foster, senior director of product management at data protection software vendor Commvault, based in Tinton Falls, N.J. "A backup is not going to keep it from happening. But there are a number of things organizations can do outside of the secure protocols."

Foster said administrators should have a working knowledge of the number of changes that occur in their file servers. They can get a warning if a server that has an average 1% change rate suddenly is experiencing a 90% change rate.

"That is a pretty good indication that something is going on," Foster said.

Foster said administrators also can set up a "ransomware honey pot" in which a couple of file types are planted in a system so an administrator receives an alert when a ransomware malware starts to infect a certain type of file.

"It's not perfect, but it's a great pre-emptor to identify that an attack is happening, especially if it is happening in more than one machine," Foster said.

Next Steps

How to protect yourself from ransomware

Object storage can help ransomware protection

The dos and don'ts of ransomware backup

Dig Deeper on Backup and recovery software