Ransomware backup protection requires comprehensive approach


This article is part of our Essential Guide: The modern disaster recovery market explained

Ransomware backup strategy guidelines to help ensure recovery

Ransomware backup best practices are critical, as one attack can cripple a business. Here are three areas to focus on for optimal protection against ransomware.

In 2018, one of the worst reported ransomware attacks hit. The government office in the Matanuska-Susitna Borough -- commonly known as Mat-Su -- in Alaska was attacked by ransomware that didn't just impact a few endpoints or servers; it brought the entire office down.

For reference, according to security awareness training vendor KnowBe4, the average ransomware attack impacts 16 workstations and five servers. The Mat-Su attack was nothing like average: it impacted 500 workstations and 120 of the borough's 150 servers. Just to keep the office running, staff even reverted to typewriters!

Ransomware can clearly do far more damage than knocking out a few workstations. With attacks growing this destructive, the question becomes what your ransomware backup strategy needs to protect so that you can actually recover from an attack.

The simple answer is everything, but we all know that's far too impractical.

So, here's how I believe you should approach determining your ransomware backup strategy:

  1. Consider the criticality. The Mat-Su incident highlights the need to consider every last endpoint, server, SAN, etc. Since many parts of the environment can be affected, start with the question: How would operations be impacted if <insert endpoint, server, application, data here> was unavailable? The average downtime, according to KnowBe4, is 14 hours. So, as you think about the CEO's laptop, the files in marketing or your Exchange server, put it first through the criticality lens. This will help you focus on the parts of the environment that would need first response post-attack.
  2. Consider the recovery effort. In some ways, criticality can be used to establish a recovery time objective, the amount of time in which you need to recover a given data set. To provide some context around this, I'd also suggest determining how much effort is necessary to recover each data set. For example, some workstations just need to be reimaged -- no backups needed. But others require some time dedicated to imaging, software installations, data recovery, synchronization with other services, etc. Those that need more effort will take longer. I'd rather have a proactive ransomware backup strategy in place that simplifies the restoration of services in these systems and applications.
  3. Consider the likelihood. While there's never a guarantee that a system is immune to ransomware attacks, you should consider that it usually takes a user clicking on a malicious link or attachment to begin an infection. So, certain systems that have no access to email or the internet are far less likely to be infected and, therefore, may not be as critical for your ransomware backup strategy. Also, those systems belonging to users that are security-savvy -- again, less likely to click on something malicious -- fall into the same category.
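The three lenses above, as an added worked example that is not from the article: a small Python scorer that turns a constructed asset inventory into a backup priority list, so that isolated systems and cheap-to-reimage workstations fall where the article says they should. The weights, tier thresholds and the use of the 14-hour average downtime as a baseline are assumptions to tune per environment.

```python
"""Rank assets for a ransomware backup strategy using the article's three lenses:
criticality, recovery effort and likelihood of infection.
Added example, not from the article. The inventory is constructed; the weights,
the 14-hour baseline (KnowBe4's average downtime) and tier thresholds are assumptions."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    criticality: int        # 1 (nice to have) .. 5 (business stops without it)
    rebuild_hours: float    # effort to recover with no backup: reimage, reinstall, resync
    has_email_or_web: bool  # exposed to the usual vector: a user clicking a link/attachment
    savvy_users: bool       # security-aware users are less likely to click


def likelihood(a: Asset) -> float:
    """Relative chance this asset is where an infection starts."""
    if not a.has_email_or_web:
        return 0.2  # no mail or internet access: far less likely to be hit first
    return 0.6 if a.savvy_users else 1.0


def priority_score(a: Asset) -> float:
    """Expected pain = criticality x likelihood x rebuild effort (scaled to 14 h)."""
    effort = min(a.rebuild_hours / 14.0, 3.0)  # cap so one huge system doesn't dwarf the rest
    return a.criticality * likelihood(a) * effort


def backup_tier(a: Asset) -> str:
    """Map the score to an action: reimage only, standard backup or protected copy."""
    if a.rebuild_hours <= 2 and a.criticality <= 2:
        return "reimage"            # cheap to rebuild and low impact: no backup needed
    if priority_score(a) >= 3.0:
        return "immutable-offsite"  # restore first; keep a copy ransomware can't reach
    return "standard"


def plan(assets):
    """(name, score, tier) rows sorted so first responders know where to start."""
    rows = [(a.name, round(priority_score(a), 2), backup_tier(a)) for a in assets]
    return sorted(rows, key=lambda r: r[1], reverse=True)


INVENTORY = [  # constructed sample inventory
    Asset("exchange-server", 5, 24, True, False),
    Asset("ceo-laptop", 4, 6, True, False),
    Asset("marketing-share", 3, 8, True, False),
    Asset("plc-historian", 5, 40, False, True),  # isolated: critical but unlikely patient zero
    Asset("kiosk-pc", 1, 1, True, False),
]
```

Running `plan(INVENTORY)` puts the Exchange server first and the kiosk last, with the isolated historian scored below the mail server despite equal criticality.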

The reality here is: If you already have a backup strategy, much of this may already be covered. But when preparing a ransomware backup strategy for an attack that can rear its ugly head seemingly anywhere within the network, it's important to have identified your highest-risk areas -- both risk of infection and impact to the business. That way, any system, application or data that falls outside your other disaster recovery plans still gets covered in case of a ransomware attack.



How do you prepare differently for ransomware backups as opposed to other kinds of backup?

I would identify all Critical Rebuild materials like DNS Zones, Active Directory, Security Keys, Certificates, Key HW/SW settings, Host files, Event Logs, Security Logs, IP and all data that makes the Network work and pass it through a Cleanroom process on the way to a Cyber Vault on the other side of an AirGap.

Do the same for the Crown Jewel type data but the incoming cleanroom is not necessary but micro segment it or further Air-Gap it from the Critical Rebuild materials using something like NSX. Use Dedupe appliances on each side of the Air-Gap.

Provide Security Analytics in the Cyber Vault that allow you to find Malware and indicators of compromise, excise the Malware and Sandbox it for further Forensic Discovery. This same Analytics software will indicate the next best restore point and have the ability to even restore data from all around the indicated Malware back to production. As a bonus, have the Cyber Vault Analytics software tell you how you were compromised, when, where and by which entry point.

Just like magic, a clean restored environment.
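The "next best restore point" selection the comment describes, as an added example that is not the commenter's tooling: walk a series of backup snapshot manifests from newest to oldest, skip any snapshot with an indicator match or a mass rewrite of files relative to its predecessor (the footprint of an encryption run even when no known-bad hash is present), and return the newest clean one. Snapshots, hashes, the indicator set and the ransom-note name patterns are constructed; the churn threshold is an assumption.

```python
"""Pick the newest backup snapshot that shows no sign of ransomware, in the spirit of
the 'next best restore point' analytics the comment describes.
Added example, not the commenter's tooling. Snapshots, hashes, the indicator set and
the ransom-note name patterns are constructed; the churn threshold is an assumption."""
from dataclasses import dataclass


@dataclass
class Snapshot:
    taken_at: str
    files: dict  # path -> content hash (constructed; a real backup catalog supplies these)


KNOWN_BAD = {"deadbeef" * 8}  # constructed indicator hashes (threat intel / sandbox output)
NOTE_PATTERNS = ("readme_decrypt", "how_to_restore")  # illustrative ransom-note names


def churn(prev: Snapshot, cur: Snapshot) -> float:
    """Fraction of prev's files whose hash changed or that vanished by cur."""
    if not prev.files:
        return 0.0
    changed = sum(1 for p, h in prev.files.items() if cur.files.get(p) != h)
    return changed / len(prev.files)


def ioc_hits(snap: Snapshot) -> list:
    """Paths matching a known-bad hash or a ransom-note name pattern."""
    return sorted(p for p, h in snap.files.items()
                  if h in KNOWN_BAD or any(n in p.lower() for n in NOTE_PATTERNS))


def best_restore_point(snapshots, max_churn: float = 0.5):
    """Newest snapshot (list ordered oldest -> newest) with no IoC hits and no mass
    rewrite relative to its predecessor; None if every snapshot is suspect."""
    for i in range(len(snapshots) - 1, -1, -1):
        cur = snapshots[i]
        if ioc_hits(cur):
            continue
        if i > 0 and churn(snapshots[i - 1], cur) > max_churn:
            continue  # most files rewritten at once: encryption, even with no known hash
        return cur.taken_at
    return None


CLEAN = {"docs/a.docx": "h1", "docs/b.xlsx": "h2", "docs/c.pptx": "h3", "app/config.ini": "h4"}
SNAPSHOTS = [  # constructed: day3 is the encryption run, day4 adds the ransom note
    Snapshot("day1", CLEAN),
    Snapshot("day2", {**CLEAN, "docs/a.docx": "h1b"}),  # one normal edit
    Snapshot("day3", {**CLEAN, "docs/a.docx": "e1", "docs/b.xlsx": "e2", "docs/c.pptx": "e3"}),
    Snapshot("day4", {**CLEAN, "docs/a.docx": "e1", "docs/b.xlsx": "e2", "docs/c.pptx": "e3",
                      "docs/README_DECRYPT.txt": "deadbeef" * 8}),
]
```

`best_restore_point(SNAPSHOTS)` returns "day2": day4 is rejected by the indicator match and day3 by the 75% churn, which is what catches an encryption run before any hash of it is known.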