How Ransomware Impacts Your DR Strategy

Picture this: You're browsing a new website, click on an interesting link, and suddenly you're bombarded with the following warning: “Uhh ohhh! Your files are encrypted!! Your documents, photos, and databases are no longer accessible. Don't waste time trying to recover them. The only way to get them back is to pay us for the decryption key. Otherwise, all your important data will be lost!!!”

Unfortunately, the above scenario has become all too common in the era of ransomware. According to data compiled by Barkly, ransomware successfully infected 71 percent of the organizations targeted in attacks. Hancock Health was recently enshrined into that group of victims. The Indiana-based hospital ended up paying $55,000 in Bitcoin after a ransomware infection propagated across its email servers, health records, and operating systems.

The Need for Ransomware-Proofing

DR planning was much more simplistic in the not so distant past. For many firms, the data protection component largely consisted of backing up your files at regular intervals and implementing whatever measures were required to meet regulatory compliance. If important files were accidentally deleted by an employee or exposed in a security breach, the data could be quickly recovered with minimal impact on production. The evolution of malware has forced organizations to rethink their approach to disaster recovery as a whole.

Today's ransomware is so sophisticated that some variants not only target system files, but backup data as well. This can happen for various reasons. For example, the backup files may be shared on a network connected to the targeted system and end up comprised merely by association. Ransomware could also exploit vulnerabilities in the operating system that allow the attacker to directly encrypt backup copies. In either case, losing access to your backups likely leaves you with one way out: pay the ransom. Cyber attackers are amplifying their efforts by looking beyond single machines and opting to lock up the victim's backups instead. Below we have outlined four ways organizations can optimize their disaster recovery strategies with ransomware in mind:

• Isolate your backups: Making your data available on a network provides for convenient centralization and easy backups. With that said, this same practice can make your entire network extremely vulnerable to security attacks. Since ransomware typically looks to encrypt all connected drives, any shares left open on the network would be compromised as well, backups included. For this reason, backup copies should be isolated from production servers and stored in multiple locations.
• Don't trust the cloud: Although it is often guarded by state of the art defenses, the cloud is not impervious to security attacks. In a recent example, healthcare technology provider AllScripts was the victim of a ransomware infection that impacted more than 1,500 clients on its cloud-based network. While no hospitals were said to have been affected, the attack disrupted the delivery of training resources and test results for an disclosed number of entities. AllScripts is yet another case study on why the cloud should never be your one and only backup solution.
• Monitor your backups: How you respond to a ransomware attack is just as important as the actions you take to prevent the infection. In fact, there are various warning signs that can let you know something is amiss. If you schedule incremental backups, the activity in your logs will skyrocket as each encrypted file represents changes that trigger the execution of new backup jobs. Furthermore, those newly encrypted files will likely consume a noticeable amount of space on the affected drive. An organization that monitors its backup process on a regular basis can detect ransomware in its earliest stages and limit the impact on disaster recovery.
• Optimize and test: DR planning not only entails making sure your data can be fully restored, but also ensures that your backup strategy and recovery objectives are aligned. If your recovery point objective (RPO) is currently set at one week, you may need to question whether you can really afford to lose as much as a week's worth of data. While performing daily backups is more expensive, it also provides better overall data protection. Extensive testing and optimization of your DR plan is critical to minimizing the damage ransomware is able to inflict.

Conclusion

When it comes to ransomware, a good backup plan was often viewed as a silver bullet to the Wolfman. Rapid advancements in ransomware reinforce the importance of revisiting your disaster recovery plan. Now is the time to ensure there are measures in place to facilitate early threat detection, regular testing of backups, and full data recovery. These efforts may not prevent an attack, but they can reduce the likelihood of losing your data and having to pay a hefty ransom.