6 Ways To Recover Data From Ransomware Attacks


Enterprises need a robust data protection strategy to ensure they can recover data and restore business services after a ransomware attack. Here are some key tips for your IT team to survive and recover from an attack, shares Marc Lehmberg, product manager, Catalogic Software.

We live in a data-driven digital age where data is the lifeblood of organizations and increasingly a successful target for cybercriminals. Keeping cybercriminals out is almost impossible due to the number of security vulnerabilities in operating systems and software and with the increased attack surface from remote workers. When ransomware strikes, the only recourse is to have a secure backup of your data. It should never be a question of whether you need data backups – whether it be for a disaster, accidental deletion or a ransomware attack – it is always when you will need them and how to make sure you can recover from them.

Organizations need to have a robust data protection strategy and solution to ensure they can recover their data and restore all services back to a functional and working state. Data backup and recovery solutions have been around for a long time. They have evolved to provide the robust data protection and the system and data recovery capabilities that you need.

Steps To Recover From a Ransomware Attack

Let’s examine the key capabilities your data protection solution and IT team need to provide to survive and recover from a ransomware attack:

1. 3-2-1 backup rule with a cyber twist

To ensure your backups are available to recover your data, the data backups should use the 3-2-1 backup rule, and preferably with a new twist to make it a 3-2-1-1 rule. The 3-2-1 backup rule is a time-honored strategy for data protection that states that your business should have at least three (3) copies of your data, on two (2) different storage media types, with one (1) of the copies offsite or in the cloud. Without backups to recover from and the offsite copy that ransomware cannot reach, you may be forced to pay the ransom to get your data back. The extra one (1) added to make the rule 3-2-1-1 is to ensure that you have at least one backup copy that you verified was not locked or corrupted that you can recover from. Therefore, the rule changes a little bit to 3 copies, 2 media, 1 offsite and 1 verified recoverable.
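
An audit of a backup inventory against the 3-2-1-1 rule, as an added example that is not from the article or any vendor product. The inventory fields, counting the production copy as one of the three, and the 30-day limit on how old a restore verification may be are assumptions made for illustration.

```python
from datetime import date

# Constructed inventory: every copy of each dataset, production copy included.
# "verified" is the date of the last successful test restore, or None.
COPIES = [
    {"dataset": "erp-db", "media": "san", "offsite": False, "verified": None},
    {"dataset": "erp-db", "media": "disk", "offsite": False, "verified": date(2024, 3, 1)},
    {"dataset": "erp-db", "media": "tape", "offsite": True, "verified": None},
    {"dataset": "fileshare", "media": "san", "offsite": False, "verified": None},
    {"dataset": "fileshare", "media": "san", "offsite": False, "verified": None},
    {"dataset": "fileshare", "media": "cloud", "offsite": True, "verified": date(2023, 11, 2)},
    {"dataset": "hr-docs", "media": "disk", "offsite": False, "verified": None},
    {"dataset": "hr-docs", "media": "disk", "offsite": False, "verified": None},
]


def check_3211(copies, today, max_verify_age_days=30):
    """Return {dataset: [failed legs]}; an empty list means 3-2-1-1 is met."""
    by_dataset = {}
    for copy in copies:
        by_dataset.setdefault(copy["dataset"], []).append(copy)

    report = {}
    for name, items in by_dataset.items():
        failed = []
        if len(items) < 3:
            failed.append("3 copies")
        if len({c["media"] for c in items}) < 2:
            failed.append("2 media")
        if not any(c["offsite"] for c in items):
            failed.append("1 offsite")
        # Assumption: a verification older than the limit no longer counts.
        recent = [
            c for c in items
            if c["verified"] and (today - c["verified"]).days <= max_verify_age_days
        ]
        if not recent:
            failed.append("1 verified recoverable")
        report[name] = failed
    return report


if __name__ == "__main__":
    for dataset, failed in check_3211(COPIES, date(2024, 3, 15)).items():
        print(dataset, "OK" if not failed else "FAILS: " + ", ".join(failed))
```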

2. Secure and “air-gapped” backups

Data protection is the last line of defense when it comes to ransomware attacks. If your backups reside on the same network or the same storage system as your production data, they are also vulnerable to attack. Cybercriminals have gotten more sophisticated, and one of the first things they do is to search for and remove all your backups so that no data recovery is possible. Having backups air-gapped in the cloud or on tape that the ransomware attacker cannot reach ensures that your data can be recovered.

3. Granular recovery points to turn back time

Backing up your data is one thing, but if you are only backing up once per week and ransomware strikes on day 6, you only have a recovery point from 6 days ago, thereby losing many days of data. It is therefore critical that backups are run regularly and data snapshots or point-in-time copies of data be taken as often as possible. You can then turn back the clock and recover as close as possible to the time the data was encrypted or damaged by ransomware. 


4. Fast recovery from immutable snapshots

If your backup data or data snapshots are accessible to ransomware and are not immutable or locked from changes, they can be encrypted or deleted and therefore made useless for recovery purposes. Immutable or locked snapshots can be used to rapidly recover your data in case ransomware encrypts your data. The snapshots can be onsite on a hardened storage appliance that does not allow access to the backup data, or offsite in cloud storage or on backup tapes that cannot be tampered with.

5. Application-aware backups with verification

Applications that use databases require additional attention if their data is protected only by the actual database files themselves. When a disaster or ransomware hits, a multi-step process is needed to recover applications to a point where they can be used again with minimal disruption to the business. It is therefore important to have an application-aware backup that also protects application metadata and ensures that the application servers can successfully be recovered. If you run regular application recovery verification tests, you know with relative certainty that the data and applications can be restored and up and running again quickly.

6. Reporting to give early warning

In normal operations, incremental data backup sizes have relatively small amounts of changes between full backup cycles. When ransomware hits and data is encrypted, the incremental backup sizes suddenly become much more like a full backup. Modern data protection products can track these changes and report if backup sizes are unexpectedly much larger and alert the backup/security administrator of this anomaly. Not only can this help identify an attack in progress, it also helps identify the point in time that rapid data recovery can be done from.
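
The size check described above, as an added example that is not from the article or any backup product. The job history is constructed, and the thresholds (six median absolute deviations above the baseline, and at least half the size of the last full backup) are assumptions to tune per job.

```python
from statistics import median

# Constructed history for one nightly job: (ISO date, kind, size in GB).
BACKUPS = [
    ("2024-03-01", "full", 500.0),
    ("2024-03-02", "incr", 11.0),
    ("2024-03-03", "incr", 9.5),
    ("2024-03-04", "incr", 12.0),
    ("2024-03-05", "incr", 10.2),
    ("2024-03-06", "incr", 13.1),
    ("2024-03-07", "incr", 410.0),
    ("2024-03-08", "incr", 470.0),
]


def find_anomalies(backups, mad_factor=6.0, full_fraction=0.5, min_history=3):
    """Return dates of incrementals that look like a full backup.

    An incremental is flagged when it exceeds median + mad_factor * MAD of the
    earlier unflagged incrementals AND is at least full_fraction of the size
    of the most recent full backup.
    """
    history, last_full, flagged = [], None, []
    for day, kind, size in backups:
        if kind == "full":
            last_full = size
            continue
        if len(history) >= min_history and last_full:
            med = median(history)
            # Fall back to 5% of the median if past sizes were all identical.
            mad = median(abs(x - med) for x in history) or 0.05 * med
            if size > med + mad_factor * mad and size >= full_fraction * last_full:
                flagged.append(day)
                continue  # keep flagged sizes out of the baseline
        history.append(size)
    return flagged


def last_clean_recovery_point(backups, flagged):
    """Date of the newest backup taken before the first flagged incremental."""
    if not flagged:
        return backups[-1][0] if backups else None
    first_bad = min(flagged)  # ISO dates sort correctly as strings
    earlier = [day for day, _, _ in backups if day < first_bad]
    return max(earlier) if earlier else None
```

On the constructed history, the incrementals from 2024-03-07 onward are flagged and 2024-03-06 is returned as the recovery point to verify first.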


Closing Thoughts

After a year of the world operating in “backup mode,” we should need no reminder of the disruption that natural disasters, human error, and now ransomware can have on your business. Implementing and following these basic data protection processes will help ensure your business survives an increasingly inevitable ransomware attack. Making sure your data protection policies are well defined and your data recovery points are verified to be recoverable is critical to recovering your data from verified backup instances. If ransomware manages to infiltrate your business, you can confidently recover your data with minimal business disruption and not pay the cybercriminals to get your data back.
