Guest Blog: Business Continuity In The Fight Against Ransomware

Published by: John
Published on: October 7, 2016

The following is a guest post from business continuity specialists, Databarracks.

Ransomware has become the biggest cause of major recovery for organisations in the UK. Over 50 new variants have emerged since the start of 2016 and outright prevention is practically impossible. Attacks are evolving too quickly and software-based anti-virus solutions simply can’t keep pace.

Due to the amount of revenue being generated by cyber criminals, experts are predicting continued growth in both the sophistication of targeting and in the volume of attacks. The prevalence of attacks means organisations must now assume that an infection will occur at some point, and devise specific incident response plans to minimise downtime and data loss.

What to do if you’re infected

Once infected by ransomware, you essentially have two options: you can pay the ransom or you can recover your data from a previous backup. Interestingly, recent research from Trend Micro suggests that a fifth of organisations who pay the ransom don’t actually get their data back - so the only way to be fully protected is to have historic copies of your data.

When recovering from ransomware, your main objectives are to minimise the amount of data loss and to minimise the amount of IT downtime for the organisation.  But despite Disaster Recovery as a Service being the preferred method of IT recovery for many organisations, traditional disaster recovery services aren’t optimised for cyber threats.

With traditional disaster recovery, the replication software immediately copies the ransomware from production IT systems to the offsite replica. Recovering from ransomware demands reverting to a clean historic version of your data from before the infection occurred, which usually means restoring from backups. The problem with restoring from your backups, however, is the length of time it takes. Restoring every file from a large document management system can take hours, or even days, when recovering from backups, so you’d have to factor in significant downtime for the recovery process too.

Cyber-Disaster Recovery as a Service

The rapid change in the cyber risk landscape demands an equally swift response in our methods of defence. To solve this problem, we’ve developed a new service called Cyber-DRaaS to offer the least downtime and data loss possible. After initial scanning to establish a clean bill of health, we continuously replicate and scan your environment in isolation on our secure infrastructure platform. This delivers a regularly updated point in time from which to both scan against and recover to.

This is all done offline so the scan can be far more aggressive than the usual malware scanning that you would perform on a production system. If an infection is detected, we perform recursive scanning to find the most recent clean version of the data to roll back to.

[Animation: recursive scanning loop]

Ransomware and Business Continuity Planning

If you take away one piece of advice from this blog post, let it be this: make ransomware the topic for your next DR test. Of all the activities around disaster recovery and business continuity, planning and testing are by far the most ignored.

We always say when it comes to business continuity, plan for impacts and test for scenarios. Impact-based planning works on the understanding that whilst there are an infinite number of possible disasters, the number of possible consequences at the operational level is much smaller.

Scenario-based planning focuses on the situation at hand. It asks users to anticipate the consequences of disastrous events and create resolutions ahead of time. Make a ransomware attack the focus for your next test to see how your team would cope, and to help create a step-by-step runbook for dealing with a real attack in future.

If it isn’t possible to do a full scale DR test, you should certainly do some low-level testing, like a tabletop test.  And if you need some ideas on how to put your test together, we’ve created an interactive tabletop test simulator – and one of the scenarios that you need to recover from is a cyber attack.

Further Recommendations

  • User awareness is the first step to identifying and dealing with attacks. As a minimum you should have up-to-date anti-spam products in place to prevent a phishing email getting through to your network in the first place, but it’s not possible to stop everything getting through. Your best defence is a well-educated staff who know what to look out for and who to report any suspicious activity to. Cyber awareness training should be delivered to new employees, and updated at least annually for all staff. Human error is the leading cause of data loss, so you should always add additional layers of security to allow for this.
  • Use network monitoring to alert for any suspicious activity on your network early. If you’ve missed it at the first stage, you have another chance to catch predictable behaviour here. Set alerts to notify you if ransomware is encrypting all of your files. Specific anti-ransomware tools can monitor to see if a high number of reads and writes, or file modifications, are taking place.
  • You may also see alerts from your backups. If you run incremental backups, you’ll have a good understanding of what a normal incremental backup is – it will be X GB for a particular server or file share and it will take X minutes each night. You may already have alerts set up to catch this, perhaps because you want to keep an eye on your backup costs or because a big spike in changes can mean that your backup won’t complete in the window. It might not stop the ransomware, but it will help you combat it as early as possible.
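The two monitoring signals in the last two points above (a burst of file modifications on a share, and a nightly incremental backup far larger than its usual X GB) can be watched with the same baseline-and-spike logic. The following Python is an added example, not Databarracks code; the history windows, per-minute write counts and backup sizes are constructed sample data, and the three-standard-deviation limit is an assumed tuning.

```python
"""Baseline-and-spike detector for two ransomware early-warning signals:
a sudden burst of file writes on a share, and a nightly incremental backup
that is far larger than the usual 'X GB'. Added example, not Databarracks
code; the event counts and backup sizes below are constructed sample data."""
from statistics import mean, pstdev


def learn_threshold(history, k=3.0, floor_ratio=0.05):
    """Upper alert limit learnt from known-good history: mean + k standard
    deviations, with a floor of floor_ratio*mean so that a very flat
    baseline still tolerates ordinary day-to-day noise."""
    mu = mean(history)
    sigma = max(pstdev(history), floor_ratio * mu)
    return mu, mu + k * sigma


def find_spikes(history, observations, k=3.0):
    """observations: list of (label, value). Returns (label, multiple of the
    normal level) for every observation above the limit learnt from history."""
    mu, limit = learn_threshold(history, k)
    return [(label, round(value / mu, 1))
            for label, value in observations if value > limit]


# Constructed sample: file write events per minute on a document share.
WRITE_HISTORY = [41, 38, 52, 47, 35, 44, 60, 39, 48, 42]   # a normal hour
WRITE_OBSERVED = [("09:00", 45), ("09:01", 58), ("09:02", 4310),
                  ("09:03", 3980), ("09:04", 51)]

# Constructed sample: size of the nightly incremental backup in GB.
BACKUP_HISTORY = [18.2, 21.5, 19.8, 20.1, 17.9, 22.4, 19.5, 20.8]
BACKUP_OBSERVED = [("Mon", 19.7), ("Tue", 23.1), ("Wed", 212.6)]


def ransomware_alerts():
    """Run both detectors; each hit is (signal, label, times_normal)."""
    alerts = []
    for signal, hist, obs in (("file-writes/min", WRITE_HISTORY, WRITE_OBSERVED),
                              ("incremental-GB", BACKUP_HISTORY, BACKUP_OBSERVED)):
        for label, ratio in find_spikes(hist, obs):
            alerts.append((signal, label, ratio))
    return alerts


if __name__ == "__main__":
    for signal, label, ratio in ransomware_alerts():
        print(f"ALERT {signal} at {label}: {ratio}x the normal level")
```

In production the history window would be a trailing set of known-good samples rather than a fixed list, so the baseline is not polluted by the spike it is meant to catch.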

Find out more about Cyber-DRaaS here.

About Databarracks

Databarracks provides ultra-secure, award winning Disaster Recovery, Backup and Infrastructure services from UK-based, ex-military data centres.

Databarracks is certified by the Cloud Industry Forum, ISO 27001 certified for Information Security and has been named as a “Niche Player” in Gartner’s Magic Quadrant for DRaaS for two consecutive years. For more information, please see: http://www.databarracks.com/