Lessons learned: Recovering from Ransomware and the Importance of Preparation

A ransomware attack is one of the worst-case scenarios you face. In 2020, the average ransom demand was $178k, with the largest totalling $11.8m – could you afford to pay? Able to strike any business network without warning, it can spread through your infrastructure like wildfire. And it’s a problem on the rise: during COVID, ransomware attacks grew 148%.

There are several types of ransomware attack, including:

• Encryption: encrypts or deletes personal files and folders.

• NAS: specifically targets Network Attached Storage (NAS) systems to encrypt or delete critical files.

• Lock screen: demands payment before unlocking your computer’s screen.

• Hardware locker: alters the computer’s Master Boot Record (MBR) so the machine cannot start up normally.

• Application/web server encryption: hunts out application vulnerabilities to gain access.

Regardless of the method of attack, speed and precision are critical during the ransomware recovery process if you don’t want to be left with little option but to pay the ransom.

Following a ransomware attack, data availability is critical

Over half of organisations (56%) hit by a ransomware attack are able to recover their data using a backup. Bad actors know this, though: pouring their profits into research, they have built a latest generation of ransomware that targets backups. This is confirmed by research from Gartner, which indicates how sophisticated ransomware attacks have become.

After a ransomware attack, even simple tasks become difficult. For example, if you’re locked out of SharePoint, you can’t access your recovery process documents, which will slow your time to recovery. And if your email is affected, you won’t be able to communicate with your staff, customers, partners and suppliers to keep them updated and tell them what actions they may need to take.

To put yourself in the best possible position for a quick ransomware recovery, there are many things you should consider, which we can help you with. But the key is to prepare in advance, so that when the worst-case scenario does present itself, you’re well rehearsed.

To protect our clients against the risk of a ransomware attack, we’ve invested in work around the NCSC guidelines. They seek to prevent a compromise happening in the first place, and to reduce the impact when an attack does happen, by following four golden rules:

• The offline rule: prevent all your backups being affected simultaneously by always keeping an offline version, and by using strong passwords and two-factor authentication to verify identity.

• The recovery rule: ‘back up your backup’ to ensure you can restore past versions or deleted files from your cloud storage provider.

• The 3-2-1 rule: save data in multiple locations – at least 3 copies, on 2 devices, including 1 offsite.

• The regular rule: the more frequently you create backups, the less data you’re forced to recover. And the more you test your backups, the more likely they are to work as expected.

Ransomware protection stems from a proper plan

Enterprise data backup and recovery is complex. The best way to identify and neutralise a ransomware attack quickly is to have a comprehensive ransomware recovery plan in place. Start by identifying key stakeholders from across the business who will be responsible for putting the ransomware plan into action. Then consider putting the following critical questions to the business to help flesh out your plan:

What data should be a priority?

Nearly three-quarters (72%) of organisations lose access to their data for at least two days following a ransomware attack. Because your platforms, systems, applications and data repositories represent different value to the business, it’s important to identify what you have and how the different datasets relate. With this intelligence, you can create a ransomware recovery plan based on the systems that need restoring first and keep unplanned downtime to a minimum.

What is our RPO/RTO?

To recover your systems and data in the best way, consider how critical they are to your operations. Additionally, under the GDPR data protection legislation, it’s a legal requirement for organisations to have “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.”

While recovery point objectives (RPO) and recovery time objectives (RTO) will differ between organisations and sectors, everyone should consider where their backup comes from – and how that affects their objectives.

How will we know the impact?

Under GDPR you have just 72 hours to report a breach to the Information Commissioner’s Office, and one of the first questions you need to answer is what personally identifiable information (PII) was compromised.

Choose a solution like Rubrik’s Radar to secure an impact diagnosis, which helps you visualise the ‘blast radius’ and identify everything that was affected. Additionally, Rubrik’s Sonar enables you to discover, classify and report on where PII resides and who has access to it. The bonus is that with this level of detail, you can make informed decisions about whether appropriate security is in place to protect different types of data, or whether remediation actions should be taken to better secure it.

How can we make our ransomware recovery process more efficient?

Through automation it’s possible to create a more reliable and robust ransomware recovery plan. It will speed up your recovery, reduce the risk of human error and track progress in real time. Furthermore, if you can shut down infected systems immediately, you isolate the attack and prevent the ransomware spreading further and causing more damage on your network.

How do we ensure data loss prevention?

When it comes to data storage, NCSC advocates the use of the ‘3-2-1 rule’, where organisations keep three copies of backup data on two different storage types, with one copy isolated off-site. In the event that your network is hit, the ‘air gap’ between your production environment and your backups is designed to keep your data safe and your recovery swift.

However, if you want true peace of mind, immutable backup creates an additional layer of protection. Immutable backups cannot be changed, overwritten, encrypted or deleted during an attack, ensuring you always have a clean backup and therefore avoid the need to pay a ransom.
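To make the four golden rules listed earlier and the 3-2-1/immutability guidance here concrete, the following is an added example (not NCSC’s or MTI’s code) that scores a backup inventory against those rules and against an RPO. The inventory fields, the rule thresholds and the sample copies are this example’s own assumptions, not anything prescribed by the guidance.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class BackupCopy:
    name: str
    media: str                             # e.g. "disk", "tape", "object-storage"
    offsite: bool                          # held away from the production site
    offline: bool                          # air-gapped or immutable: production cannot alter it
    versions: int                          # restore points retained
    taken_at: datetime                     # most recent successful backup
    last_restore_test: Optional[datetime]  # None means never test-restored

def check_golden_rules(copies, rpo, test_interval, now):
    """Return {rule: (passed, detail)} for one dataset's backup copies (hypothetical checker)."""
    media = {c.media for c in copies}
    offsite = [c.name for c in copies if c.offsite]
    offline = [c.name for c in copies if c.offline]
    versioned = [c.name for c in copies if c.versions > 1]
    newest_age = now - max(c.taken_at for c in copies)   # raises on an empty inventory
    untested = [c.name for c in copies
                if c.last_restore_test is None or now - c.last_restore_test > test_interval]
    return {
        # 3-2-1 rule: at least 3 copies, on 2 kinds of media, at least 1 of them offsite
        "3-2-1": (len(copies) >= 3 and len(media) >= 2 and bool(offsite),
                  f"{len(copies)} copies, media {sorted(media)}, offsite {offsite}"),
        # Offline rule: one copy the production network can neither reach nor overwrite
        "offline": (bool(offline), f"offline/immutable copies: {offline}"),
        # Recovery rule: a copy that keeps earlier versions, so deleted files can come back
        "recovery": (bool(versioned), f"copies with version history: {versioned}"),
        # Regular rule: newest copy within the RPO, and every copy test-restored recently
        "rpo": (newest_age <= rpo, f"newest copy is {newest_age} old (RPO {rpo})"),
        "tested": (not untested, f"not test-restored within {test_interval}: {untested}"),
    }

# Constructed sample inventory (not real data): three copies of one file share.
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    BackupCopy("onsite-snapshot", "disk", False, False, 14, NOW - timedelta(hours=6), NOW - timedelta(days=10)),
    BackupCopy("offsite-tape", "tape", True, True, 30, NOW - timedelta(days=1), NOW - timedelta(days=20)),
    BackupCopy("cloud-immutable", "object-storage", True, True, 30, NOW - timedelta(hours=12), None),
]
def sample_report():
    """Score the sample inventory with a 24-hour RPO and a 90-day restore-test interval."""
    return check_golden_rules(SAMPLE, timedelta(hours=24), timedelta(days=90), NOW)
if __name__ == "__main__":
    for rule, (ok, detail) in sample_report().items():
        print(f"{'PASS' if ok else 'FAIL'} {rule:8} {detail}")
```

In the sample the only failing rule is the restore test: the immutable cloud copy has never been test-restored, which is exactly the gap the regular rule is meant to surface.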

When was the last time we tested the ransomware recovery plan?

2 in 5 companies have never tested their ransomware recovery plan, and research from IDC shows that of the 40% of SMEs who do back up their data, half cannot fully recover it. There’s no guarantee you’re safe. Even if you have tested the recovery of a file, or of a particular system or server, what if all of your environment is affected by ransomware? How long would it take you to recover? What is the impact? Do you have the spare capacity needed to perform a mass recovery?

Regularly testing your ransomware recovery plan ensures you are always prepared for the unexpected. It also gives your people the confidence to recover quickly, because executing the plan is so familiar.

Ransomware protection: check!

MTI has been around for 25 years, so we appreciate how important visibility is for security. Our backup-as-a-service offering combines data centre, cyber and data security to provide full visibility over your IT infrastructure. This allows us to perform an in-depth review, in which we map your current operations against the NCSC guidelines to identify any gaps, along with remediation actions.

Right now we are doing a project with NHS Digital, which has seen 90 NHS hospital trusts complete our Secure Backup Review. What sets our Review apart is the scope – we look at everything from beginning to end, using NIST as a framing device to ensure every detail is captured. But while our Secure Backup Review comprises a workshop, data discovery exercise and output report, the outcome our customers value most is the end checklist. It helps them to answer their critical business questions, breaks larger tasks down and prioritises actions based on their business impact. Get in touch to get your review.