Ransomware Backup Protection Requires a Comprehensive Approach
Your expert guide to protecting backups from ransomware, testing your recovery strategy, and operating post-attack

In this e-guide:
- Introduction: Keeping backups safe from ransomware
- How has ransomware recovery changed in recent years?
- How ransomware variants are neutralizing data backups
- How to protect backups from ransomware infiltration
- Protect backup from ransomware attacks and recover safely
- Ransomware backup strategy guidelines to help ensure recovery
- Ransomware disaster recovery: A checklist for continuity
- Test your ransomware recovery plan to safeguard data
- Ransomware recovery: How can enterprises operate post-attack?
- Can you recover from ransomware? Take our quiz and find out

Page 1 of 32

Introduction: Keeping backups safe from ransomware
Paul Crocetti, Senior Site Editor

If you think ransomware couldn't get any sneakier, you're wrong.

One of the major trends with ever-evolving malicious software is having it infiltrate an organization's data backups. The ransomware lies low in your network until data needs to be recovered back into production, and then it detonates. It's a highly dangerous situation for organizations, because contaminated files used to restore data only perpetuate the attack cycle.

A ransomware backup protection strategy must include best practices to ensure recovered data is free from infection. To this end, vendors are starting to add ransomware-specific features -- such as using machine learning technology and predictive analytics to detect suspicious behavior -- to their backup products. But backup admins need to put comprehensive backup and data protection procedures in place to provide their backup platforms with optimum protection.

Some organizations believe that if they have data backed up, they have ransomware backup protection in place, but that's not the case. This guide discusses how ransomware can infiltrate data backups, what organizations can do to best prepare for this new problem and general guidelines for better backup practices.

How has ransomware recovery changed in recent years?
Brien Posey, Microsoft MVP

History has shown that anyone can fall victim to ransomware. Ransomware infections don't discriminate and have caused data loss in countless organizations -- from large enterprises to individual users.

In the past, ransomware recovery meant one of three choices: pay the ransom, suffer data loss or restore a backup. In fact, the availability of a backup was usually the determining factor in whether or not a ransom was paid.

A couple of years ago, there was a sudden, sharp decline in ransomware infections. Ransomware had become pervasive, and the epidemic received so much media attention that organizations began to make an extra effort to ensure that their data was being securely backed up. Paying the ransom was effectively removed from the list of viable options, with IT experts across the board urging against it. After all, there is hardly a guarantee that paying the ransom will result in the promised return of data. Instead, ransomware recovery focused on prevention and pre-emptive measures to ensure a quick recovery in the event of an attack.

Unfortunately, this trend did not lead to the extinction of ransomware. With fewer people paying ransoms, ransomware became far less profitable, and many ransomware creators began to look for a different scheme. That was about the time when cryptomining started taking off.

Enter the attack loop

Instead of ditching ransomware entirely, attackers realized that, if they wanted to get paid, they needed to do something to prevent backups from being used as a means of ransomware recovery. Their answer was a relatively new type of attack called a ransomware attack loop.

The basic idea behind this type of attack is simple. Previously, when a computer contracted a ransomware infection, the ransomware would immediately begin encrypting files. Once the encryption process was complete, the ransom warning was displayed to the victim. The fact that the message was not displayed until the encryption process finished kept the victim from stopping the encryption process midstream.

In contrast, a ransomware attack loop infects a system in the normal way but then lies dormant -- possibly for months. The idea is that most organizations only retain a few months' worth of backups. By the time the ransomware actually begins its attack, all of the organization's backups will presumably contain the ransomware. Hence, restoring a backup does no good.

Attack loops are difficult to prevent, because you might not even know that you have a problem until it is too late to do anything about it. The best way to protect your data is to take a layered approach to ransomware prevention. You should start by blocking email messages from dubious sources, as well as incorporating a good malware scanning engine onto your backup server to actively scan your backups. Scanning the backups themselves matters here because the dormant payload is captured by every backup run; a scanner on the backup server can therefore find it in a backup generation weeks before it detonates on the endpoint.

How ransomware variants are neutralizing data backups
Brien Posey, Microsoft MVP

Ransomware, the monetization of malware, has been one of the most pervasive threats against business data for the last several years. It is now a megabillion-dollar industry. Ransomware variants are usually delivered as email attachments; once run, they encrypt a company's data, and the attackers hold the key to unlock it for an exorbitant price.

The media has run story after story about businesses that have suffered massive financial losses following a ransomware attack. Some of the more recent victims include the Georgia Department of Agriculture, Mecklenburg County North Carolina and the Hackensack Sleep and Pulmonary Center in New Jersey.

Once an organization falls victim to a ransomware attack, it has two choices: pay the ransom or restore a backup. Three-quarters of IT decision-makers whose organizations haven't been hit by ransomware said they wouldn't pay a ransom, according to a survey conducted by cybersecurity vendor Trend Micro. When faced with the reality of an attack, however, nearly two-thirds (65%) of previously infected companies surveyed paid up.

The FBI advises against paying the ransom because doing so doesn't guarantee your data will be returned. There are documented instances of companies paying a ransom and never receiving decryption keys or then being told they need to pay more. Ultimately, paying a ransom emboldens the perpetrators.

This leaves backup restoration as the best option for coping with a ransomware attack. But even this option isn't foolproof.

Inadequate restorations

For one thing, some companies discover their backups are inadequate. For example, they may have omitted certain systems or data from their backups either accidentally or to reduce costs. Likewise, some organizations fail to test their backups, discovering only after an attack that the backups can't be restored.

These types of problems are preventable if you take time to review and test backups before disaster strikes. Far more troubling is how ransomware is becoming more pervasive, and new ransomware variants are increasingly sophisticated. Some victims have found ransomware not only encrypts data, but also destroys backups.

New ransomware variants target backups

The degree to which ransomware can harm backups varies according to a number of factors, including the ransomware variant involved and the way in which the data is protected. Most modern backup products for Windows use shadow copies and system restore points. But several types of ransomware, such as Locky and Crypto, are known to destroy shadow copies and restore point data. Many families do this with the built-in vssadmin utility ("vssadmin delete shadows /all /quiet"), so that command line showing up in process-creation or endpoint logs is a cheap, high-signal alert that encryption is about to start or is already under way.

Similarly, smaller organizations often write backup data either to a separate hard disk within a physical machine or to an external volume that's attached as a mapped network drive. Even if ransomware isn't designed to target backups, they're still at risk because the backups' location is accessible to the machine's file system.

As noted, each ransomware type works differently. Many variants are designed to attack specific file types, such as PDFs or Microsoft Office documents. There are ransomware variants that perform volume-level encryption or that attack all files, regardless of type. Therefore, any backup that's directly accessible through a computer's file system is vulnerable to ransomware. Ideally, a backup application should be able to pull data from a protected host without that host requiring a direct mapping to the backup.

Replication's hidden danger

Smaller businesses or branch offices of larger organizations sometimes use replication to protect data. Hypervisor vendors such as VMware and Microsoft, for example, offer native replication features that copy a virtual machine to a standby host. If something happened to the primary copy of a virtual machine (VM), then the replica can be activated and brought online.

Of course there are other types of replication that are sometimes used for data protection. Many storage vendors provide storage array-level replication features as a tool for protecting against data loss.

Replication works as a contingency for hardware failure and, on its own, does almost nothing to protect against ransomware. A replication engine can't distinguish between malicious file encryption and a legitimate file modification. Hence, when ransomware encrypts a file, the malicious action is repeated on the replica, meaning the replica's data also will be encrypted.

If your organization uses replication as a data protection mechanism, check to see if the replication engine allows for the creation of multiple recovery points. You can configure some replication products to retain a number of recovery points, so if the replica has to be activated, it can be reverted to a previous state. Microsoft's Hyper-V, for example, allows for the creation of hourly recovery points. Hence, if a ransomware infection were to spread to a replica VM, then a failover could be performed using a replica recovery point created just prior to the ransomware attack, as shown in "Recovery point selection." The retention window is the limit of this defense: if you keep 24 hourly points and the encryption began 30 hours ago, every retained point is already encrypted, so size the window against how long an infection could plausibly go unnoticed, not just against storage cost.

The importance of an air gap

When it comes to protecting backups from new ransomware variants, the fundamental rule is ransomware can't affect what it can't touch. As such, the single most important measure you can take in protecting backups against ransomware is to implement an air gap. An air gap can exist in a variety of forms. It refers to placing an insurmountable obstacle between a potential ransomware attack and your backup. The common example of a backup air gap is a disk-to-disk-to-tape backup.

A disk-to-disk-to-tape backup architecture is similar to any other disk-based backup. The difference is the contents of the disk-based backup target are periodically written to tape. The disk-to-disk-to-tape architecture was originally developed so backup tapes could be shipped off site to protect data against loss from fire or other catastrophe. It's also ideally suited to protecting data from ransomware.

Imagine for a moment you suffer a massive ransomware attack and lose a significant amount of data. Let's also assume the ransomware destroyed your disk-based backups. In a situation like this, the tape backup remains unaffected because even the most advanced ransomware can't overwrite a tape that isn't mounted in a tape drive. The gap exists only for media that is actually offline, though: a tape still sitting in a library slot can be loaded and overwritten by a compromised backup server just as a disk can, so the air gap is an operational discipline (eject, vault, rotate, and verify that the vaulted set is complete) rather than a property of the tape hardware.

Revisit your permissions model

Ransomware infections often originate at network endpoints through the actions of careless, or unlucky, users. One of the best things you can do to minimize damage is to ensure users have only the permissions necessary for them to do their jobs and nothing more.

If a backup agent runs directly on a user's PC, then it's best to configure the backup agent to use a dedicated service account rather than simply piggybacking off of the end user's account. This approach makes it possible to back up the system without giving the user backup permissions. If the user suffers a ransomware attack, then the ransomware will most likely use the end user's security context, meaning its access will be limited to what the user has access to. Isolating the backups through using a service account may help to shield the backup process. Make the reverse true as well: the backup repository should be writable only by the backup service account, and that account should have no interactive logon rights and no administrative role elsewhere, so a compromised user session can neither reach the repository directly nor borrow the one account that can.

Ransomware statistics are staggering. Simply put, there's a high probability of any organization being attacked. Perhaps the scariest fact about ransomware is that attacks can happen repeatedly. Imagine the frustration of paying a ransom to get your data back, only to be hit by another attack an hour later. This has happened, and the attackers have no sympathy or mercy for their victims.

Given the seriousness of these attacks, organizations must take the threat seriously and take steps to prevent attacks. A backup should be the last line of defense against ransomware, not the first.

In the past, organizations have relied heavily on user education for malware prevention: If users can be taught to recognize a phishing email, then there's little chance they'll click on a malicious link in such a message. Unfortunately, experience has shown that even the best user education won't completely mitigate the risk of users clicking on malicious links or opening malicious attachments.

A better approach is to assume that user education will fail, and to screen messages at the mail server level so phishing messages never reach users' mailboxes. Similarly, restrict user permissions in a way that minimizes damage should a ransomware attack occur.

There are a lot of ways of doing this. One particularly effective approach is to use application whitelisting so that users can't run unauthorized processes. A more common approach is to perform a permissions audit and ensure that users only have write permissions where absolutely necessary. This won't stop a ransomware infection from occurring, but because ransomware piggybacks on the user's privileges, it won't be able to touch anything the user doesn't have access to. Hence, this approach limits the damage, at least until the malware manages to escalate privileges, which is why the audit needs to go together with prompt patching of local privilege escalation flaws. Another option is to require the IT staff to use nonadministrative accounts unless they're performing an action that specifically requires administrative privileges.

It's important to remember phishing email messages are only one source of ransomware. It's also common for attackers to use phony tech support scams as a means of introducing ransomware onto victim computers. Train end users to recognize the difference between a real phone call from IT and a scam. That's easier said than done, however.

Ransomware protection bottom line

When it comes to protecting against ransomware, it is best to think of the problem as business continuity. Even if an organization is able to recover from a ransomware attack by restoring backups, the recovery process will take time to complete. As such, organizations shouldn't focus solely on protecting backups against ransomware; they should also consider how to minimize the disruption caused by a ransomware attack.

The best way to minimize the disruption caused by ransomware is to prevent an infection from ever occurring. But because it's difficult to guarantee that a ransomware infection will never occur, you can minimize the disruption by making sure that users only have rights to the data required to do their jobs and that you have a continuous data protection system in place -- preferably with instant recovery capabilities -- so that you can roll back any damage that does occur.

How to protect backups from ransomware infiltration
Alastair Cooke, Consultant for SearchVirtualDesktop.com

There has been a tactical pivot in ransomware. It seems that ransomware writers have realized that large organizations have lots of money, and some do not have the best protection against infections. Newer ransomware is behaving as an advanced persistent threat, a piece of malware that tries to stay undetected in your network for some time to do the maximum amount of damage.

The APT will usually spread through your network, infecting as many computers as possible. Often, the malware will try to connect to a command-and-control server over the internet to report the progress of the infection and await the command to attack. That beaconing is also a detection opportunity: servers that have no business reaching the internet making outbound connections, or regular lookups of recently registered domains, often appear in proxy and DNS logs weeks before detonation. To respond to this new threat, you need different approaches to protect backups from ransomware.

Beware your restore

A ransomware APT attack may start by stealthily spreading itself through your network and infecting all of your computers. It will then seek out file-based backups and valuable but older files to encrypt. The aim is to get as much of your infrastructure infected and encrypted -- over a period of weeks or months -- before you are alerted and can protect backups from ransomware. By slowly encrypting files, the ransomware is making the process of recovering from backups slow and expensive, perhaps more costly than paying the ransom. Once the infection is complete, and your backups contain a mix of encrypted and clean files, then it is time to detonate the ransomware. All of the infected machines will suddenly encrypt recently used files, and your applications will stop working.

Because the APT ransomware has been in the network for weeks before it detonates, it probably has been backed up numerous times. Your backups now contain both encrypted files and the ransomware application itself. If you bulk restore whole systems in an attempt to recover, you will also restore the infection and negate all of the cleanup work you have already completed. Be very cautious about restoring any executable files, scripts such as JavaScript or even files that may contain macros until you know how the ransomware spreads. Ideally, you only want to restore data files.

Analytics to the rescue

You probably have thousands of encrypted files, and with the last unencrypted versions spread across multiple backups, you'll need to work out what to restore. Your backup application should use its backup catalogs to identify the last unencrypted version of each file and automatically restore those versions. If those backups are to tape, it will take a while to work through each tape. If the backups are to disk, it should take less time to recover.

Backups should not be accessible as files over the network, as they will be prime targets for encryption by the ransomware first. If your backup application can identify encrypted files, it might be the first thing in your network to identify a ransomware infection. One telling sign of the presence of ransomware is the need to back up a lot of non-compressible files in a directory that previously only contained compressible files. Note that the signal is the change in a directory's profile, not the compressibility of any single file: photos, archives and already-compressed Office formats are non-compressible by nature and must not be mistaken for ciphertext.

Ransomware has evolved and is targeting enterprises by behaving as an advanced persistent threat. You need to be aware of these changes and protect backups from ransomware by identifying the infection rapidly and recovering without paying a ransom.

Protect backup from ransomware attacks and recover safely
Nick Cavalancia, Consultant, Writer

Backups have been a recommended part of your organization's ransomware response strategy for a number of years now. The pivotal question of whether you pay the ransom or not has long been based on the presence of viable backups -- have the backup, skip the ransom.

In recent years, we've begun to see new tactics from ransomware developers, including the search for and destruction of backups, making it necessary for organizations to protect backup from ransomware. But there's an even more sinister tactic being used today -- one that makes recovery difficult.

It's referred to as a ransomware attack loop. The strategy behind the attack is to infect the environment with ransomware in a way that, should backups be used to recover, the ransomware is still present.

Here's an example of how the attack works:

1. An endpoint or server is infected with ransomware through traditional methods.
2. The ransomware does not detonate for three to six months.
3. Backups of the infected system now include data and the ransomware.
4. The ransomware detonates, asking for the ransom.
5. You recover the system -- rather than paying the ransom -- to an earlier thought-to-be-clean backup, only to recover the system to a still-infected state.
6. The ransomware redetonates. Herein lies the loop, as you are back to step four in the attack.

You can, in theory, repeat step five using earlier and earlier backups, but because you don't know exactly when the system was infected, this process may be more work than it's worth.


 How ransomware variants are


neutralizing data backups
Strengthening your backup defense against
 How to protect backups from
ransomware infiltration ransomware
So, how do you protect backup from ransomware and put yourself in a situation where backups are still useful in this kind of attack model?

The answer lies in looking at your backup platform and how it addresses malware in backups. New backup products tend to do one of two things when it comes to malware on systems being backed up:

1. They prevent. Some products protect backup from ransomware by filtering out malware from getting into backups, preventing it from being recovered back into the environment.
2. They notify. Other products only tell you when they see abnormal data in the backup stream, and it's up to you to attempt to remove it and back up again.

The trick here is to use one of these two types of backup defense methodologies as part of your backup plan. The products preventing ransomware from being included in a backup are obviously the best choice, but you may not have that as an option. The notification approach is less automated in its response to finding ransomware -- you need to do the work of removing the malware yourself, as opposed to it simply not being included in the backup set -- but it is still a viable option.

Should you have neither feature set in your current product, my recommendation for how to protect backup from ransomware involves two parts. First, focus on your layered defense strategy to keep as much malware from getting in as possible. This should include domain name system protection, email and web scanning, endpoint protection and antivirus. Second, for critical systems that absolutely need to be recoverable, I'd suggest identifying the file locations where malware attempts to install itself -- typically, temp and user-type folder locations -- and excluding those folders from your backup definitions. That way, your backups will provide recoverability of a working system but without the malware. Be deliberate about which user folders you exclude, though: a profile's temp and cache directories are reasonable to drop, but the documents in that same profile are often exactly what needs restoring after an attack, so exclude the staging locations rather than the whole profile.

Ransomware attack loops are pretty dastardly. It's an evolutionary step that requires you to take an equally evolutionary step with your backup strategy to ensure you prevail.
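The "notify" behaviour described above (flag abnormal data in the backup stream and hold the set for a human decision) and the folder-exclusion advice can both be approximated in front of any backup product. The following is an added example and not code from the article or from any backup vendor: it walks a staging tree, skips the assumed dropper locations (AppData\Local\Temp, Windows\Temp, tmp), and flags three indicators on the remaining files: a known ransomware-style extension, a ransom-note-like file name, and near-random bytes in a format that should be far from random (a .txt or .sql whose entropy is close to 8 bits per byte has very likely been encrypted). The extension list, note-name pattern, entropy threshold and exclusion patterns are illustrative assumptions, and the sample tree it screens is constructed inside the script.

```python
"""Pre-backup screening of a file tree for ransomware indicators.

Added example, not code from the original article or from any backup
product. Indicator lists, the entropy threshold and the exclusion
patterns are illustrative assumptions, not vendor signatures.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumed illustrative indicators; a real deployment tunes these per environment.
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".crypted", ".enc"}
RANSOM_NOTE_RE = re.compile(r"(decrypt|ransom|how.?to.?recover).*\.(txt|html?)$", re.I)
# Formats that should be far from random; random-looking bytes here mean encryption.
PLAINTEXT_EXTENSIONS = {".txt", ".csv", ".log", ".xml", ".json", ".sql", ".html", ".md"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; plain text is usually 4-5, ciphertext is close to 8
# Dropper/staging locations excluded from the backup definition, as the article suggests.
EXCLUDE_PATTERNS = [re.compile(p, re.I) for p in (
    r"[\\/]AppData[\\/]Local[\\/]Temp[\\/]",
    r"[\\/]Windows[\\/]Temp[\\/]",
    r"(^|[\\/])tmp[\\/]",
)]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_excluded(rel_path: str) -> bool:
    """True when the path falls under one of the excluded staging locations."""
    return any(p.search("/" + rel_path) for p in EXCLUDE_PATTERNS)


def classify_file(path: Path, sample_bytes: int = 65536) -> list:
    """Return the indicator names that match this file (empty list = nothing abnormal)."""
    reasons = []
    suffixes = [s.lower() for s in path.suffixes]
    if suffixes and suffixes[-1] in SUSPECT_EXTENSIONS:
        reasons.append("suspect-extension")
    if RANSOM_NOTE_RE.search(path.name):
        reasons.append("ransom-note-name")
    # report.txt.locked has suffixes ['.txt', '.locked']: look at the original type as well.
    if any(s in PLAINTEXT_EXTENSIONS for s in suffixes[-2:]):
        with path.open("rb") as fh:
            sample = fh.read(sample_bytes)
        if len(sample) >= 256 and shannon_entropy(sample) > ENTROPY_THRESHOLD:
            reasons.append("high-entropy-plaintext")
    return reasons


def screen_tree(root) -> dict:
    """Walk `root`, apply exclusions and flag indicators; verdict 'hold' = do not trust this set."""
    root = Path(root)
    included, excluded, flagged = [], [], {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if is_excluded(rel):
            excluded.append(rel)
        elif reasons := classify_file(p):
            flagged[rel] = reasons
        else:
            included.append(rel)
    return {"included": included, "excluded": excluded, "flagged": flagged,
            "verdict": "hold" if flagged else "ok"}


def demo() -> dict:
    """Constructed sample tree: clean docs, an encrypted document, a ransom note, a dropper in Temp."""
    root = Path(tempfile.mkdtemp(prefix="backupscreen-"))
    files = {
        "docs/notes.txt": b"quarterly numbers look fine\n" * 40,
        "docs/photo.jpg": os.urandom(4096),           # binary format: random-looking is normal
        "docs/report.txt.locked": os.urandom(4096),   # encrypted document with a new extension
        "docs/README_TO_DECRYPT.txt": b"Your files have been encrypted. Pay to get the key.\n",
        "Users/alice/AppData/Local/Temp/dropper.bin": b"MZ" + os.urandom(512),
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return screen_tree(root)


if __name__ == "__main__":
    report = demo()
    print("verdict:", report["verdict"])
    for rel, reasons in report["flagged"].items():
        print(f"  {rel}: {', '.join(reasons)}")
    print("excluded:", report["excluded"])
```

Run it and the encrypted document is held for two independent reasons (its extension and its entropy), the note is held by name, the JPEG is not a false positive because only nominally plain-text formats are entropy-checked, and the dropper never reaches the backup set. A "hold" verdict is the moment to stop the job and investigate rather than let the set age into your retention window.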
Ransomware backup strategy guidelines to help ensure recovery
Nick Cavalancia, Consultant, Writer

In 2018, one of the worst reported ransomware attacks hit. The government office in the Matanuska-Susitna Borough -- commonly known as Mat-Su -- in Alaska was attacked by ransomware that didn't just impact a few endpoints or servers; it brought the entire office down.

For reference, according to security awareness training vendor KnowBe4, the average ransomware attack impacts 16 workstations and five servers -- but not the Mat-Su attack. It impacted 500 workstations and 120 of their 150 servers. Just to keep the borough office running, they even reverted to typewriters!

It's evident that ransomware can be so much more serious than impacting a few workstations. And with ransomware evolving to become so vicious, it raises the question of what you need to be protecting for your ransomware backup strategy to ensure you can recover from an attack.

The simple answer is everything, but we all know that's far too impractical.

So, here's how I believe you should approach determining your ransomware backup strategy:

1. Consider the criticality. The Mat-Su incident highlights the need to consider every last endpoint, server, SAN, etc. Since many parts of the environment can be affected, start with the question: How would operations be impacted if <insert endpoint, server, application, data here> was unavailable? The average downtime, according to KnowBe4, is 14 hours. So, as you think about the CEO's laptop, the files in marketing or your Exchange server, put it first through the criticality lens. This will help you focus on the parts of the environment that would need first response post-attack.
2. Consider the recovery effort. In some ways, criticality can be used to establish a recovery time objective, the amount of time in which you need to recover a given data set. To provide some context around this, I'd also suggest determining how much effort is necessary to recover each data set. For example, some workstations just need to be reimaged -- no backups needed. But others require some time dedicated to imaging, software installations, data recovery, synchronization with other services, etc. Those that need more effort will take longer. I'd rather have a proactive ransomware backup strategy in place that simplifies the restoration of services in these systems and applications.
3. Consider the likelihood. While there's never a guarantee that a system is immune to ransomware attacks, you should consider that it usually takes a user clicking on a malicious link or attachment to begin an infection. So, certain systems that have no access to email or the internet are far less likely to be infected and, therefore, may not be as critical for your ransomware backup strategy. Also, those systems belonging to users that are security-savvy -- again, less likely to click on something malicious -- fall into the same category. Treat this as a lower weighting rather than an exemption: once a strain is inside the network it moves over file shares and stolen administrative credentials to hosts that never touch email, which is how a single infected workstation becomes an office-wide outage.

The reality here is: If you already have a backup strategy, much of this may already be covered. But when trying to specifically prepare a ransomware backup strategy for an attack that can rear its ugly head seemingly anywhere within the network, it's important to have identified your highest risk areas -- both risk of infection and impact to the business. Then any system, application or data that isn't already backed up under your other disaster recovery plans can be brought under the ransomware plan, so it is covered in case of an attack.
Ransomware disaster recovery: A checklist for continuity
Paul Kirvan, Independent IT consultant/auditor

Among the biggest concerns in information security today is ransomware, where malicious code embedded into a system prevents users from accessing data unless a ransom is paid. From a business continuity perspective, this represents a major risk to organizations of all kinds.

An inability to access critical systems and data, or the threat by the perpetrator to publish confidential data, can damage an organization's ability to conduct business and, more importantly, damage its reputation and competitive position.

Taking a page from information security and business continuity playbooks, the following tips on ransomware disaster recovery planning will help your organization defend its data.

Implement comprehensive backup

Identify the electronic systems, data and other intellectual property your organization needs to operate, and the loss of which could damage its reputation. Ensure these assets are securely backed up and stored in another location so they can be retrieved in an emergency.

For systems and data that change dynamically during the day, perform multiple daily backups using techniques such as data mirroring and replication to ensure the most current assets are available. Bear in mind that mirroring and replication copy encrypted files just as faithfully as good ones, so pair them with point-in-time snapshots or versioned backups that can be rolled back to a state before the attack began.

Stop ransomware before it starts

As your network perimeter is the most likely entry point for malicious code, ensure it is protected with as much intrusion detection and prevention equipment as possible.

A multi-element defense-in-depth security strategy is an effective method of protection from ransomware. For example, Barracuda Networks offers a number of products, such as Advanced Threat Protection, to increase your chances of disaster recovery survival and to help fight other threats.

In addition to your network perimeter, malicious code can enter your organization through several threat vectors, such as email attachments, remote access, web-based applications and smartphones. Work with your IT teams to prevent unauthorized access via technology.

When we consider individual employees as threat vectors, perhaps the most effective protection from ransomware is education. Develop and conduct training programs that explain potential threats to the company. Provide ransomware disaster recovery awareness reminders through the company intranet, email or an automated emergency notification system.

Social engineering, widely considered an effective way to breach security, can be mitigated through training and awareness programs. Provide similar training and awareness to your remote workforce.

Stay up to date

From a technology perspective, keep your security systems up to date with the latest software, hardware and patches. Do the same for your operating systems, applications, databases and network elements. Ensure your firewalls have the most current rules in place and make sure the same is true if you use intrusion detection or intrusion prevention systems as part of ransomware disaster recovery. As often as possible, scan mailboxes for malicious content and applications for vulnerabilities, and apply patches as needed.

Plan ahead and test

Validate your perimeter's defenses through penetration testing. Test your internal networks for potential vulnerabilities. Conduct regular tests of security software to ensure it is performing properly and is ready to recover from ransomware.

Provide status reports to senior management -- perhaps in the form of a scorecard -- describing what is being done to keep up with protection from ransomware and other threats. Keeping management informed will ensure they understand and support your efforts; it can also lead to continued funding to keep your preventive measures operating properly.

Update your business continuity (BC) and technology disaster recovery (DR) plans to include ransomware and similar threats, as well as how such an event should be handled. Coordination with physical security and information security teams is essential to minimize damage to the organization and its IP assets.

Schedule periodic joint meetings of BC/DR and security teams to discuss information about new threats and new technology to mitigate threats, share information and plan for joint ransomware disaster recovery exercises.

Effective recovery from ransomware and other information threats requires not only a comprehensive and multilayered security strategy, but close coordination among BC, DR and security teams.
Test your ransomware recovery plan to safeguard data
Alastair Cooke, Consultant for SearchVirtualDesktop.com

Ransomware is a favorite way for unscrupulous people to make money, so you need to ensure your organization won't end up paying a ransom. Having a ransomware recovery plan is crucial to surviving an attack. Every device on your network should be patched and running an up-to-date antimalware product. Invest in training both IT staff and line-of-business staff so they are aware of how ransomware can get into the network, what signs to look for and how they should respond.

Unfortunately, we know from the WannaCry outbreak that these protections alone are not enough, so planning a recovery strategy is crucial. Backups are your best method of recovery; they should be trusted and include all the files needed to recover compromised data.

How often do you back up?

If you need to restore from the last backup, all the work between the time of the backup and the ransomware infection will be lost. The recovery point objective (RPO) is the acceptable period of data loss the business has agreed to, and it's an important part of a ransomware strategy. Different applications often have different RPO requirements.

When testing your ransomware recovery plan, ensure backups run frequently enough that any potential data loss is acceptable. Many products can back up near continuously, provided you have space to store the data. Frequency is only half of it: ransomware often sits dormant before it detonates, so the most recent restore point may already contain encrypted files, and you need enough retention depth to reach back to a point before the infection.

How long does a restore take?

Restore time is at the center of the business impact of a ransomware infection. The recovery time objective (RTO) is the time from an event that stops work until work can resume. Like RPO, there will probably be different RTOs for different applications. The bottom line is that the longer the recovery time, the higher the cost to the business for the infection. If the restore cannot start until backup tapes are retrieved from off-site storage, an outage could last hours or days.

On the other hand, if your infrastructure allows for immediate rollback, you may be able to recover data very quickly. Bear in mind that PCs infected with ransomware need to be removed from your network before any recovery can start. Otherwise, the ransomware will re-encrypt the restored files.

You can help to reduce recovery times by educating users about ransomware, particularly how to recognize an infection and how to respond to the situation. The first response may simply be to shut down the PC and phone the help desk. Pulling the network cable achieves the same containment while leaving the machine running, which preserves the memory contents incident responders may want to examine.

Can you trust your backups?

The only way to trust your backup strategy is to test your data restoration process. Users accidentally deleting their files usually provide IT staff with a natural reason to restore individual files. If users are not requesting restores, then scheduling weekly or monthly restoration tests as part of your ransomware recovery plan can help verify that file restoration is possible.

Some ransomware infections are caused by a single, vulnerable computer and an unlucky or careless user. Just a few critical files are affected and the issue is detected quickly. More often, the ransomware infection rips through the whole network, and thousands of files are encrypted before the infection can be stopped. To recover from massive file encryption, you will need to do whole server restores and often multiple servers at the same time. Fast recovery is often entirely dependent on throughput; on-site disk systems or modern tape systems offer fast streaming restores.

Some storage systems allow virtual machines to be started directly from the backup store without any data copies. Any strictly off-site backup will have challenges. For off-site tapes or disks, you will need to wait for physical media to get back to your site. Restoration speeds for cloud-based backups are limited by your internet connection speed. I am a big fan of on-site backup stores for restores to production, coupled with cloud-based stores for long-term retention.

Are your files safe?

A significant ransomware trend is to encrypt backup files. Ransomware creators know that anyone who can restore from a backup will not pay the ransom, so they quickly target these files for deletion or encryption. So where do you store your backups? If they are on a file share, then they are vulnerable to ransomware. If the files are on a server, they are vulnerable to ransomware. Some careful security practices will help minimize the risk to your backup files and maximize your chance of recovery.

When crafting your ransomware recovery plan, you should have a backup service account that no one uses to log into a desktop and won't be used for any other purpose. Next, ensure that account is the only one with write access to the backup files. No other account should be able to encrypt or delete these files. Because a compromised backup server can still misuse that one account, keep at least one copy somewhere that cannot be overwritten from the production network at all: offline media, or object storage with versioning and object lock enabled.

The key to recovering from a ransomware infection is to have secure backups that you know can be restored from promptly. Testing your ransomware recovery plan and educating users will go a long way in ensuring you never need to pay that ransom.
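The scheduled restore test, the RTO measurement and the "only the service account can write to the backup files" rule above can all be turned into one recurring check. What follows is an added example, not code from the article or from any backup product. It records a SHA-256 manifest when the backup is written (the manifest must be stored apart from the backup, or an attacker who encrypts the store can rewrite it too), restores a random sample of files into a scratch directory, compares the restored bytes with the manifest, times the restore against an RTO, and then audits the store's POSIX permissions. Assumptions: the current user stands in for the backup service account, a file copy stands in for the product's restore call, the store is a temporary directory constructed in the script, and one file is deliberately overwritten after the manifest is taken to show what a tampered backup looks like to the test.

```python
"""Scheduled restore test plus backup-store write-permission audit.

Added example, not code from the original article or from any backup
product. The current user stands in for the backup service account,
shutil.copy2 stands in for the product's restore, and the store is a
constructed temporary directory.
"""
import hashlib
import os
import random
import shutil
import stat
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 of one file."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256, taken when the backup is written and kept apart from it."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(backup_root: Path, manifest: dict, scratch: Path,
                   sample_size: int = 3, rto_seconds: float = 3600.0, seed: int = 0) -> dict:
    """Restore a random sample of manifest entries into `scratch` and check them."""
    sample = random.Random(seed).sample(sorted(manifest), min(sample_size, len(manifest)))
    started = time.monotonic()
    mismatched, missing = [], []
    for rel in sample:
        src, dst = backup_root / rel, scratch / rel
        if not src.is_file():
            missing.append(rel)          # deleted from the store since the manifest was taken
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)           # the "restore"; replace with the product's restore call
        if sha256_file(dst) != manifest[rel]:
            mismatched.append(rel)       # overwritten or encrypted since the manifest was taken
    elapsed = time.monotonic() - started
    return {"sampled": sample, "mismatched": mismatched, "missing": missing,
            "elapsed_seconds": elapsed, "within_rto": elapsed <= rto_seconds,
            "ok": not mismatched and not missing and elapsed <= rto_seconds}


def audit_backup_store(root: Path, service_uid: int) -> list:
    """POSIX check: every entry owned by the service account and not group/other-writable."""
    if os.name != "posix":
        raise NotImplementedError("on Windows, inspect the DACLs with icacls instead")
    findings = []
    for p in [root, *root.rglob("*")]:
        st = p.lstat()
        rel = p.relative_to(root).as_posix()
        if st.st_uid != service_uid:
            findings.append(f"{rel}: owned by uid {st.st_uid}, not the service account")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{rel}: writable by group/other")
    return findings


def demo() -> dict:
    """Constructed store; one file is overwritten after the manifest is taken, as ransomware would."""
    base = Path(tempfile.mkdtemp(prefix="restoretest-"))
    store, scratch = base / "store", base / "scratch"
    for i in range(5):
        f = store / "db" / f"table{i}.sql"
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(f"INSERT INTO t VALUES ({i});\n".encode() * 50)
    manifest = build_manifest(store)
    (store / "db" / "table1.sql").write_bytes(os.urandom(2000))   # simulated post-backup tampering
    for p in [store, *store.rglob("*")]:                           # service account only: 0700/0600
        p.chmod(0o700 if p.is_dir() else 0o600)
    result = verify_restore(store, manifest, scratch, sample_size=5)
    result["store_findings"] = audit_backup_store(store, os.getuid())
    (store / "db" / "table2.sql").chmod(0o666)                     # loosen one file to show a finding
    result["store_findings_after_loosening"] = audit_backup_store(store, os.getuid())
    return result


if __name__ == "__main__":
    r = demo()
    print("restore ok:", r["ok"], "| mismatched:", r["mismatched"],
          "| elapsed: %.3fs" % r["elapsed_seconds"])
    print("store findings:", r["store_findings"] or "none")
    print("after loosening:", r["store_findings_after_loosening"])
```

Two design points carry over to a real deployment: the elapsed time of a sampled restore extrapolates to a whole-server restore only if the sample is drawn from the same tier of storage, so keep one test per backup target; and a mismatch against the manifest is a reason to treat the entire backup generation as suspect, not just the one file, because a process that could rewrite one file in the store could rewrite the rest.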
Ransomware recovery: How can enterprises operate post-attack?
Nick Lewis, SearchSecurity.com Contributor

Danish shipping company Maersk, which was heavily affected by the NotPetya ransomware last year, reported that it recovered from the attack by reinstalling its entire infrastructure, including more than 4,000 servers; 45,000 PCs; and 2,500 applications. Is a full reinstall the best option for a system infected by ransomware or is there a risk the malware will remain even after the reinstall? What other options are available for ransomware recovery?

The nuclear option when responding to a cybersecurity incident may call for a company to format and reinstall a server or, in more extreme cases, rebuild an enterprise Active Directory. In the most extreme situations, it may require an enterprise to reinstall all of its servers and endpoints.

Anything malicious that could survive a format and reinstall would need to persist in the firmware, hardware, backups or system management tools, and it would be very difficult to detect and remove. This could be very costly for an enterprise; for most companies, reinstalling the operating system on a compromised device is sufficient.

Maersk apparently took the nuclear option for ransomware recovery last year in response to the NotPetya ransomware and reinstalled all of its servers and endpoints. It is possible Maersk took this extreme response because the attackers compromised its Active Directory, as well as its endpoint management tools and the system used for logging.

If all of those systems were compromised, the enterprise wouldn't be able to tell which systems weren't compromised and wouldn't be able to use its existing systems to rebuild. Because Maersk had to start from the ground up to rebuild the network, incorporating this process into the company's business continuity and disaster recovery plan would have been a good idea.

The standard advice for ransomware recovery is to reinstall the compromised systems and restore system data from backups. However, it is important for defenders to only restore data from a known good state to avoid inadvertently restoring the ransomware -- or the vulnerability the ransomware exploited to attack the system. In practice that means choosing a restore point that predates the earliest evidence of compromise, not simply the most recent one.

When the system is reinstalled, it should be brought up to date with patches and have a securely configured image installed. If your endpoint security tool doesn't address ransomware, then you may want to choose a different tool or take other steps to ensure that protection from future ransomware attacks is in place.

Within the ransomware recovery process, if the ransomware affected a file share or server, then you must take the additional step of investigating how the malware was able to reach and write to that server, and fix the cause -- share permissions or file system access control, for example -- before bringing it back online.
Can you recover from ransomware? Take our quiz and find out
Erin Sullivan, Site Editor

Ransomware is easily the most pressing issue facing modern disaster recovery efforts, and it's only becoming more urgent. To recover from ransomware, an organization needs to have backups and other recovery tools in place prior to an attack.

Treating ransomware as an inevitability rather than a hypothetical seems like the best strategy these days: think of it as something that could happen to you, not just something that happens to others. But what can be done following a ransomware attack? There are a few options.

Whether you're looking at your existing data protection strategy or shopping for ransomware-ready products, there are a lot of elements to consider. What product options are out there? Whose responsibility is it? Should we just pay the bad guy and get it over with?

Take our quiz here, and find out if you know all there is to know about how to recover from ransomware.