Disaster Recovery Is Not the Same as Ransomware Planning

By Tony Mendoza, Vice President of IT, Spectra Logic.

  • 1 year ago Posted in

Cyber threats continue to rise at an exponential rate in today’s digital age. Ransomware attacks are constantly in the news – seemingly on a daily basis. Ransomware wreaks havoc by encrypting an organization’s files, then, the threat actor(s) communicates a demand for a ransom in exchange for decryption of data. While advancements in hardware and software have improved reliability and resiliency, security remains a people problem. Cybercriminals are constantly finding new ways to exploit vulnerabilities and profit from valuable digital data. With ransomware attacks costing companies millions of dollars (the average ransomware cost for an organization is $4.54 million USD), it’s important for organizations of all sizes to understand how to recognize, withstand and recover from an attack, all while maintaining business continuity and rejecting ransomware payoffs. 

Last month, the Department of Homeland Security investigated whether security information was exposed in a ransomware attack on the contractor Johnson Controls International. This ransomware attack is a reminder of the importance of cybersecurity and having a plan in place in the event an attack takes place. Ransomware criminals especially love government contractors, because of the sensitive nature of the data they have – which increases the likelihood that their demanded ransom will be paid quickly. Ransomware attacks are also becoming more frequent in the healthcare industry for the same reason. 

You may have a rock-solid disaster recovery (DR) plan in place, but though disaster recovery is often equated to ransomware recovery, the two are in fact, not the same. Both types of plans aim to minimize the impact of an unexpected incident, recover from it, and quickly restore the organization to its normal production levels. However, mitigating and recovering from a ransomware attack with a ransomware recovery plan is different than having a DR plan. In essence, disaster recovery is centered around recovery objectives and necessary steps to restore operations after an incident, while the primary focus of a ransomware recovery plan is to safeguard sensitive data during an event. It also defines the scope of action, roles and responsibilities of the incident response team. In fact, the best idea is to have and merge both to create an air-tight strategy that lessens the impact of a cyberattack.  Consider what to add to your DR plan to make your infrastructure as ransomware resilient as possible.

Here are some things your organization can do to prepare for and mitigate a ransomware attack: 

Preemptive Steps Against Ransomware

Develop and test your disaster recovery plan, including a ransomware recovery plan to ensure that the organization is prepared

Ensure the employee base is well-educated on recognizing email phishing attempts

Maintain secure backup processes and up-to-date software, following industry-recognized best practices established in the 3-2-1-1-0 rule and employing ransomware prevention measures like anomaly checks

Mitigate the blast radius by keeping multiple copies of data, in storage locations where the data can be protected and even air-gapped, limiting what the attack can compromise within your infrastructure 

Minimize the amount of data that needs to be immediately restored by moving less frequently used data off primary storage

Run regular network security assessments to identify any potential weaknesses 

Create a game plan for the immediate aftermath of an attack, including how to recognize and stop the attack

Consider cyberattack insurance to provide financial coverage for losses and specialized help from on-call cyber experts 

Post-Ransomware Measures

Shut down all systems immediately to prevent further damage 

Implement your response plan, including reporting the incident to the FBI or similar federal agency and contacting key personnel

Assess the full extent of the damage, including identifying the strain of ransomware and finding your last secure backup 

Evaluate your options for recovery, ranging from negotiating with the threat actor to fully restoring your data without paying the ransom, depending on your preparedness  

Establish next steps and future processes to put in place to prevent another attack from happening again 

 

Preventing and Escaping the Ransomware Attack Loop

One of the unwelcome challenges organizations face in recovering from ransomware attacks is the presence of attack loops. Attack loops occur when the recovery process inadvertently restores the pre-attack generation of backup files that contain the ransomware. This perpetuates a continuous cycle of attacks, rendering file restoration ineffective. To combat attack loops, organizations can leverage anti-ransomware backup software solutions that identify and quarantine malicious code, disabling it during the recovery process.

Ransomware-resilient data storage solutions like object-based tape are also playing an increasingly integral role in the fight against cybercrime. Modern object-based tape technology that is S3-compatible enables organizations to easily integrate cutting-edge backup software into their workflows while enjoying tape storage's robust data protection capabilities. In the fight against cybercrime, exclusive tape features like the tape air gap, which provides an electronically disconnected copy of data, can be an invaluable lifeline in recovering from ransomware attacks.

The Importance of Evolving Cybersecurity Strategies

 It is no longer a matter of if an organization will be attacked but when. With new security challenges emerging daily, organizations must continually evolve their cybersecurity strategies. By implementing these measures, your organization can be better prepared to handle a ransomware attack and ensure a smoother path to recovery. The time is now to create a robust disaster recovery plan melded with a ransomware recovery plan to ensure your organization can get up and running quickly without paying threat actors or losing customers. 

By Darren Thomson, Field CTO EMEAI, Commvault.
By Oliver Feiler, Head of Global Alliances and Strategic Partnerships EMEA, Nozomi Networks and...
By David Higgins, EMEA Technical Director at CyberArk.
By Manuel Sanchez, Information Security and Compliance Specialist, iManage.
Anita Mavridis, VP of Product at Zivver, and Sue Musumeci, Director of Quality & Clinical...
By Danny Lopez, CEO of Glasswall.
Nadir Izrael, Co-Founder and CTO at Armis discusses the importance of critical infrastructure...
By Darren Thomson, Field CTO EMEAI at Commvault.