The nature of disaster recovery planning is changing, almost on a daily basis. What was once preparing for the loss of the data center caused by a natural or manmade event is now morphing into recovering from ransomware and other cyberattacks. The latest complications promise to be more problematic to an organization than any natural disaster could ever be.
Cyberattacks, like denial of service attacks and viruses, have been around for as long as the internet has connected organizations. But there is a new assault that looks to be very difficult to keep out and extremely costly to defeat over time: ransomware attacks.
Ransomware typically enters a data center when users click on a link they shouldn't have. The ransomware downloads a virus onto the user's device and then begins crawling into everything the user has access to -- including network shares and other users' laptops -- encrypting all the data it encounters.
Unlike other cyberattacks, the data is usually kept intact, but is encrypted by the virus. The only way to gain access to your data is to buy the encryption key from the attacker using a service such as Bitcoin. This digital currency uses its own encryption techniques to regulate the generation of units of currency and verify the transfer of funds, operating independently of a central bank. Attackers use Bitcoin to get paid without revealing their identity or location.
Quick steps for recovering from ransomware
A key facet of successfully recovering from ransomware is a solid data protection strategy:
- Step 1: Continuous protection. Organizational shares need to be protected via replication, snapshots or frequent block-level incremental backups with the understanding that data created or modified between protection events will be lost.
- Step 2: Laptop protection. Mobile users create and modify data separate from the corporate NAS or file server. Protecting these devices should be standard operating procedure for most organizations, but that often isn't the reality. The threat of ransomware heightens the requirement. There are plenty of laptop data protection products available, but most only protect data on a scheduled basis.
A viable alternative is enterprise file sync-and-share products that update a corporate NAS or file share as users change data. Data on these systems should be recoverable in the event of a ransomware attack. Some enterprise file sync-and-share offerings are adding the ability to detect a ransomware attack, turn off syncing and alert an administrator of a potentially infected laptop.
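One way the sync-side detection described above could work, shown as an added example that is not taken from the original article or from any product. The heuristic (a burst of high-entropy rewrites from one device inside a short window), the `SyncGuard` class, its thresholds and the sample events are all assumptions constructed for illustration.

```python
import math
from collections import Counter, deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted data approaches 8.0, office text sits far lower."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

class SyncGuard:
    """Hypothetical guard in front of the share: pauses a device and alerts on a burst."""
    def __init__(self, window_s=60, max_suspicious=3, entropy_threshold=7.5):
        self.window_s = window_s
        self.max_suspicious = max_suspicious
        self.entropy_threshold = entropy_threshold
        self.recent = {}                      # device -> timestamps of suspicious writes
        self.paused, self.alerts = set(), []

    def on_change(self, device, path, ts, content) -> bool:
        """Return True if the change may be synced to the corporate share."""
        if device in self.paused:
            return False                      # stays blocked until an admin clears it
        if shannon_entropy(content) < self.entropy_threshold:
            return True
        # One high-entropy file is normal (zip, jpg); a burst of them is not.
        q = self.recent.setdefault(device, deque())
        q.append(ts)
        while ts - q[0] > self.window_s:      # drop writes outside the sliding window
            q.popleft()
        if len(q) >= self.max_suspicious:
            self.paused.add(device)
            self.alerts.append(f"sync paused for {device} at t={ts}, last file {path}")
            return False
        return True

# Constructed sample data: plain text versus uniformly distributed bytes.
TEXT = b"Quarterly report draft, revision 2.\n" * 20
CIPHERLIKE = bytes(range(256)) * 4
EVENTS = [  # (device, path, seconds, content)
    ("laptop-17", "/docs/plan.docx", 0, TEXT),
    ("laptop-17", "/docs/a.xlsx", 100, CIPHERLIKE),
    ("laptop-17", "/docs/b.xlsx", 102, CIPHERLIKE),
    ("laptop-17", "/docs/c.xlsx", 104, CIPHERLIKE),   # third in 60 s: pause
    ("laptop-17", "/docs/d.xlsx", 106, TEXT),         # blocked, device is paused
    ("laptop-22", "/media/photo.jpg", 110, CIPHERLIKE),  # lone write: allowed
]

def replay(events):
    guard = SyncGuard()
    return [guard.on_change(*e) for e in events], guard
```

The writes that sync before the threshold trips still overwrite good copies on the share, so this only limits the spread; recovery still depends on the snapshots or versions from Step 1.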
The real challenge with ransomware is that unlike other types of attacks, it is almost impossible to keep out of an organization. A popular approach is to send an email that looks like it's from a popular online retailer and asks users to click a link for an order status.
Because of the way an attack is triggered and how it infects data, recovering from ransomware is almost always the responsibility of the data protection team. The problem is that most of the infected data is only protected once per night through the backup process, as it is deemed not as critical as an organization's databases and applications. If, as is often the case, the attack happens during the middle of the day, then much of the infected data has either been created or changed since the last protection event. The result: The last good copy of data is in the sole possession of the attacker.
Stopping ransomware may be an almost impossible act for IT organizations. But recovering from ransomware should not be. A successful ransomware recovery can leverage existing data protection techniques, but the span between protection events needs to be shortened.