InfoSec Insider

Top Steps for Ransomware Recovery and Preparation

Alex Restrepo, Virtual Data Center Solutions at Veritas Technologies, discusses post-attack restoration options, and how to prepare for another one in the future.

When it comes to ransomware attacks, it’s no longer a question of if or even when, but how often. A business falls victim to a ransomware attack every 11 seconds, making ransomware the fastest-growing type of cybercrime. Businesses today need to not only think about strategies to prevent ransomware, but how to protect and recover their data should they fall victim to an attack. After all, it’s not just your data that goes down — it’s your entire business.

The attack on the Scottish Environment Protection Agency (SEPA) is one of many examples of the importance of a proper backup and recovery strategy. SEPA had more than 4,000 digital files stolen by hackers. Though it had backup systems in place, the agency has been unable to recover all of its data sets. It could take years for it to fully recover.

But recovering from a ransomware attack doesn’t have to be so uncertain, nor such a laborious process. With the right strategies in place, businesses can quickly and safely recover from a ransomware attack and get back up and running without significant downtime. Outlined below are the key steps businesses should keep in mind.

How to Restore Data After a Ransomware Attack

The first thing to do when dealing with a ransomware attack is to assess your options for recovery. This may mean a complete bottom-up approach — reinstalling systems along with recovery of data — or it may mean making do with smaller data sets that can be recovered quickly. Depending on the desired outcome, here are some important options to consider:

  • Bare-metal restore: If your entire server gets encrypted, you’ll need to do a bare-metal restore. You’ll need your backed-up data in a form that allows you to restore the computer system from its bare-metal state. However, you shouldn’t have to reinstall operating systems or configure hardware manually.
  • Granular restore: This is when you need to have some data restored quickly, but can leave specific data out of the immediate recovery process and come back to it later. This is sometimes enough to quickly get your business back up and running, even if all systems are not yet fully recovered.
  • Instant rollbacks from VMs: This option is for you if you need to be back up as quickly as possible and can search for the ransomware later. Instant rollbacks can restore data from virtual machines (VMs) in minutes, regardless of where your infrastructure lives.
  • Data center on-demand: This involves previously sending a copy of your primary data over a public proprietary network to an offsite server. The server is typically hosted by a third-party service provider that charges you a fee based on bandwidth, capacity or number of users. The right data-management software can help you ensure the costs remain in check. After an attack, all of your data can be restored from the third-party service provider’s server.

Your best recovery option will depend on how widespread the attack is and your level of preparedness. It’s important to take the time now to understand these different recovery options, so you can act quickly and ensure your business stays up and running after an attack.

Improve Your Ransomware Resiliency

The best time to build your ransomware resiliency is before you face an attack, but it may be too late for that. You need to take the right measures to ensure your business isn’t vulnerable again. As a baseline, here are five steps you should take to improve your ransomware resiliency:

  • Distribute data: You should have good endpoint data-protection tools for desktops and laptops to ensure employees across worksites and those who work remotely have their data backed up continuously. Follow a 3-2-1-1 backup approach: have a minimum of three copies of your data on two different media with at least one copy onsite and one copy offsite.
  • Store data securely: Encrypting data can help delay attacks by making it more difficult for ransomware to identify what data you have stored. Also, if your storage is breached, encrypted files are much harder to effectively share online — deterring attackers from publicly distributing important information as part of a blackmail scheme to get more money out of you.
  • Restrict access to backups: With phishing attacks being the most common entry point for ransomware, limiting the number of people who hold backup credentials can minimize room for error.
  • Schedule frequent backups: Running more frequent backups with a clear objective in mind can help you reduce recovery time — saving you seconds, minutes or even hours.
  • Conduct rehearsals of your data-recovery plan: While testing data-recovery plans could mean taking production systems offline for short periods of time, it’s worth it to make sure they will be effective during and after an attack.
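
The five steps above can be checked against a backup inventory on a schedule. The script below is an added example, not code from Veritas or from the original article: the BackupCopy record, the sample inventory and the thresholds (24-hour backup objective, three credential holders, 90-day rehearsal interval) are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class BackupCopy:            # hypothetical inventory record, not a vendor schema
    name: str
    medium: str              # e.g. "disk", "tape", "object-storage"
    offsite: bool
    encrypted: bool
    taken_at: datetime
    credential_holders: int  # people able to modify or delete this copy

def audit(copies, now, max_age, max_holders, last_rehearsal, rehearsal_every):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if len(copies) < 3:
        findings.append(f"{len(copies)} copies, need at least 3")
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append(f"{len(media)} media type(s), need at least 2")
    if all(c.offsite for c in copies):
        findings.append("no onsite copy")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    for c in copies:
        if not c.encrypted:
            findings.append(f"{c.name}: not encrypted")
        if c.credential_holders > max_holders:
            findings.append(f"{c.name}: {c.credential_holders} credential holders, limit {max_holders}")
    # The freshest copy bounds how much data a restore would lose.
    newest = max((c.taken_at for c in copies), default=None)
    if newest is None or now - newest > max_age:
        findings.append("newest backup older than the backup objective")
    if now - last_rehearsal > rehearsal_every:
        findings.append("restore rehearsal overdue")
    return findings

# Constructed sample inventory; the thresholds below are assumed policy values.
NOW = datetime(2024, 1, 10, 12, 0)
SAMPLE = [
    BackupCopy("nas-daily", "disk", False, True, NOW - timedelta(hours=6), 2),
    BackupCopy("tape-weekly", "tape", False, False, NOW - timedelta(days=5), 7),
    BackupCopy("cloud-daily", "object-storage", True, True, NOW - timedelta(hours=8), 3),
]

def sample_findings(copies=SAMPLE):
    return audit(copies, NOW, max_age=timedelta(hours=24), max_holders=3,
                 last_rehearsal=NOW - timedelta(days=200),
                 rehearsal_every=timedelta(days=90))

if __name__ == "__main__":
    print("\n".join(sample_findings()) or "all checks passed")
```

An empty result means the inventory meets every check; each finding names the copy or the rule that failed, so it can be tracked as a remediation item.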

Get Additional Support

Ransomware attacks are on the rise, and truthfully, no organization is safe. But government and the entire industry are working to combat this growing threat.

Don’t hesitate to ask for help from industry experts on recovering from a ransomware attack and preventing another one in the future. Seek support from vendors that offer ransomware protection and help businesses develop protection and recovery strategies. You’ve probably got a lot of questions, and they have the answers.

There may never be a finish line, or a point where we can say, “We did it—we solved the ransomware threat.” But by ensuring your data-storage and backup/restore strategies are strong and secure, you’ll sleep better at night knowing that you’re doing the right things to minimize loss, accelerate recovery and keep your business up and running.

Alex Restrepo is part of the Virtual Data Center Solutions team at Veritas Technologies.
