The first quarter of 2022 saw more ransomware attacks than in all of 2021, according to research by cyber security supplier WatchGuard. The firm expects 2022 to be a record year for ransomware attacks. Ransomware has grown steadily in its prominence and impact since the WannaCry attack five years ago – and backup is no less important as a means of recovery, despite changes in attackers’ techniques.
Because, while criminal groups resort to ever more advanced techniques, including double and triple extortion attacks, the fundamentals of ransomware still matter. Attackers infiltrate a network, find and encrypt data, and demand a payment (usually in cryptocurrency), in return for a decryption key.
None of this is news, nor is it news that paying a ransom is no guarantee of being able to retrieve data.
There is plenty of research to suggest that ransomware groups often fail to hand over a decryption key or, if they do, the key does not work. Research by Venafi, another cyber security supplier, suggests this happens in 35% of cases.
Then there is the time, inconvenience and cost involved in recovering encrypted data. This can take days, or even weeks. Understandably, chief information officers (CIOs) and chief information security officers (CISOs) may feel it’s worth going it alone and attempting to recover data from their own backups.
Ultimately, this can be the most effective strategy. It has the advantage of not putting money into the hands of criminal gangs, and possibly falling foul of sanctions for doing so. Although it is not currently illegal to pay a ransom in the UK, the NCSC and the Information Commissioner’s Office (ICO) recently called on firms not to pay ransoms. This is much easier for firms that have robust and reliable backups.
Restoring from backups: The basics
Firms can take a range of steps to reduce the risk of a ransomware attack, from technical security tools, regular patching and operating system updates to user education.
If an attacker does gain access to the network and is able to encrypt files, the only option – short of paying the ransom – is to restore data from backups. But backups need to be “hardened” against ransomware attacks.
Options include restoring from offsite media, including optical or tape drives, or from snapshots. Snapshots contain more information than just the data, but include metadata, parent copies and even deleted files. These snapshots are now often referred to as “immutable”, as once copied they cannot be changed.
And backup security tool suppliers have added measures to prevent snapshots being wiped, for example, by requiring multi-factor authentication to move or delete the data. This provides added protection against malware that attempts to delete or corrupt backup files.
If possible, backups should be air-gapped, either physically separated from production systems or logically separated by the backup and recovery tool. Ideally, firms should use both strategies.
Organisations should also consider backup to the cloud, to provide a logical and physical separation. More backup and recovery tools now support storing immutable backups in the cloud. CIOs need to be aware of storage and data egress costs, although cloud can still be more cost-effective than building extensive, on-premise backup hardware.
RPOs, RTOs, and ransomware
Any disaster recovery plan will set out the organisation’s recovery time objective (RTO), or how quickly data should be restored, and the recovery point objective (RPO), or how far back the restore needs to go to find a clean, workable copy of their data.
In conventional disaster recovery planning, RTO needs to be as short as possible to minimise revenue losses, and RPO as recent as possible to reduce the need to reconstruct lost data. Quicker recovery means more frequent backups and higher storage costs.
Ransomware, however, complicates matters because attackers often wait for weeks or months after they have penetrated networks before they deploy the malware. The challenge this presents is knowing how far back you will have to go to find a clean copy of data. In practical terms, ransomware protection means keeping more data copies for longer, and ensuring those copies are protected.
Firms also need to consider the recovery window: how long it will take to retrieve and check backups, especially off-site copies, and then begin the restore process.
Backup systems are not designed to recover large volumes of data quickly, which is why organisations have a broader suite of disaster recovery tools, including snapshots and mirrored systems. But these can be as vulnerable to ransomware attack as the production copies.
The option to recover data to cloud instances rather than on-premise helps, but CIOs will need to prioritise key operational systems for recovery. This needs to be part of the recovery plan, and tested in advance.
“The key point of failure in data protection usually isn’t the backup, it’s the recovery,” says Bryan Betts, at analyst firm Freeform Dynamics.
He cautions that increasing complexity of IT systems, including cloud, hybrid and containerised workloads, makes it harder to bring systems back online.
Again, snapshots will help, but disaster recovery planners need to think in terms of priority business systems and business processes rather than storage volumes. One single RPO and RTO might not be enough, and firms are likely to need different objectives for ransomware recovery than for a simple technical outage.
Backup and recovery risks
Recovering data after a ransomware attack is more complex and more risky than recovery from a system outage or natural disaster.
The greatest risk is that backups contain undetected ransomware, which then replicate into the production system or recovered systems.
This risk is reduced by using air-gapped copies and immutable copies and snapshots, and keeping more copies than would be required for conventional backup alone. This requires a more cautious approach to data recovery, and one that can be at odds with the commercial pressures for short RTOs and recent RPOs.
Matters are made more difficult because there are no viable, fool-proof systems that can scan data for ransomware before it is backed up, says Barnaby Mote, managing director at backup specialist Databarracks.
“Before ransomware was a thing, replicating data from production systems to DR as quickly as possible was a sound recovery strategy for conventional disasters,” he says. “Now, with ransomware, it has the opposite of the desired effect, rendering recovery systems unusable.”
There are some techniques IT teams can employ before recovering files, such as file monitoring, which looks at whether encrypted backup has the same characteristics, such as size, as the original files. However, detecting such anomalies is still largely a manual or custom process that relies on the skill of the recovery and IT security teams.
Recovering data initially to isolated environments and running further checks will provide some assurance. But all these measures take time, and add at least one more step to the recovery process.
And, as Christian Borst, field chief technology officer at threat detection and response company Vectra, points out, recovering from a ransomware attack is about more than recovering data. Firms need to reconstruct the operational state of their systems as well as ensure data is clean.
“Creating backups of system and application configuration in addition to operational data is essential,” he says. “The most important aspect in this regard is to ensure the integrity and availability of these backups.”
A good data protection strategy is neither easy nor cheap, but it will help firms reduce the downtime caused by a ransomware attack, and could, with good preparation and even a degree of luck, prevent the need to pay a ransom at all.