In 2018, one of the worst reported ransomware attacks hit. The government office in the Matanuska-Susitna Borough -- commonly known as Mat-Su -- in Alaska was attacked by ransomware that didn't just impact a few endpoints or servers; it brought the entire office down.
For reference, according to security awareness training vendor KnowBe4, the average ransomware attack impacts 16 workstations and five servers -- but not the Mat-Su attack. It impacted 500 workstations and 120 of their 150 servers. Just to keep the borough office running, they even reverted to typewriters!
It's evident that ransomware can be so much more serious than impacting a few workstations. And with ransomware evolving to become so vicious, it begs the question of what you need to be protecting for your ransomware backup strategy to ensure you can recover from an attack.
The simple answer is everything, but we all know that's far too impractical.
So, here's how I believe you should approach determining your ransomware backup strategy:
- Consider the criticality. The Mat-Su incident highlights the need to consider every last endpoint, server, SAN, etc. Since many parts of the environment can be affected, start with the question: How would operations be impacted if <insert endpoint, server, application, data here> was unavailable? The average downtime, according to KnowBe4, is 14 hours. So, as you think about the CEO's laptop, the files in marketing or your Exchange server, put it first through the criticality lens. This will help you focus on the parts of the environment that would need first response post-attack.
- Consider the recovery effort. In some ways, criticality can be used to establish a recovery time objective, the amount of time in which you need to recover a given data set. To provide some context around this, I'd also suggest determining how much effort is necessary to recover each data set. For example, some workstations just need to be reimaged -- no backups needed. But others require some time dedicated to imaging, software installations, data recovery, synchronization with other services, etc. Those that need more effort will take longer. I'd rather have a proactive ransomware backup strategy in place that simplifies the restoration of services in these systems and applications.
- Consider the likelihood. While there's never a guarantee that a system is immune to ransomware attacks, you should consider that it usually takes a user clicking on a malicious link or attachment to begin an infection. So, certain systems that have no access to email or the internet are far less likely to be infected and, therefore, may not be as critical for your ransomware backup strategy. Also, those systems belonging to users that are security-savvy -- again, less likely to click on something malicious -- fall into the same category.
The reality here is: If you already have a backup strategy, much of this may already be covered. But when trying to specifically prepare a ransomware backup strategy for an attack that can rear its ugly head seemingly anywhere within the network, it's important to have identified your highest risk areas -- both risk of infection and impact to the business. As a result, any system, application or data that isn't backed up within the context of other disaster recovery plans will be covered in case of a ransomware attack.