It is one of the first questions during any ransomware incident. It seems like an easy question. “Of course we have backups, we’ve even tested them and fall back on them on a regular basis” is the common answer Soteria receives. Unfortunately, the reality of the situation is often that the backups are not as reliable and resilient as one would have hoped. This is especially troubling, given that the answer to this question determines whether you will have to choose between paying a ransom to criminals (see our ‘Pay Up’ blog post) or accepting that your data is gone forever.
Ransomware actors are gaining more experience every day, and are refining their tactics in order to create maximum effect and get paid. Backup systems and the business processes around them are being actively targeted by attackers because they know their success or failure depends on the strength of their target’s backup procedures. These systems need to be protected as strongly as your most critical data.
As the rate of ransomware attacks increases, our team often finds itself talking with new clients who do not have full and clean backups. This leads to the next question, “Do you want to try to negotiate the ransom or rebuild from scratch?” – two awful options.
We all hope that our defensive efforts will prevent ransomware attacks from happening, but organizations should ensure they have a plan to recover, should their defensive measures fail. To save time, money, effort, stress, and disaster, we recommend that organizations take a serious look at whether they have the right “Backup Plan” in the event ransomware finds its way into your network.
Backups are a great method to ensure that data is not lost, but on their own they are often not adequate to fully recover. To be useful during a ransomware attack, an organization’s backups should include all of the data necessary to reconstitute its operations. In addition to obvious items like file servers, you may want to consider configuration files, databases, and other critical assets that are difficult to build from scratch.
When assessing how frequently backups should be updated, consider how much data is acceptable to lose. This is known as the recovery point objective (RPO): an organization should determine the maximum age of the files that will have to be recovered from backups in a disaster situation. This translates into a backup strategy that ensures backups are taken on a schedule that supports the RPO. For some organizations, losing two weeks’ worth of information is bearable, but for others a day of data loss could have major impacts. Weigh the resources and cost required to maintain these update schedules and backup methods against the amount of data loss your organization can withstand.
This question trips up many people. Simply storing backups at a physically separate location is not enough – ransomware actors are not sneakernetting their malware from device to device! When recovering from an incident, ‘clean’ backups that have not been touched by the malicious actors can be a lifesaver. Ideally, these are stored on a network that is physically or logically segmented from your business network, or kept completely offline. Whether stored in a cloud service or on disconnected physical media, it is important to ensure that the ransomware cannot reach your backups from the initial point of intrusion. One of the most common approaches is the 3-2-1 backup rule: keep at least 3 copies of your data, on at least 2 different local storage media, with at least 1 copy offsite.
Backups will not help you if you can’t restore them to your production environment. Once you have implemented a backup strategy, make sure you can recover the data in a timely manner! Technical exercises should be performed on a recurring basis to ensure that the plan works and to provide you with an understanding of how long it takes to recover data. Organizations should establish a recovery time objective (RTO), which specifies the maximum amount of downtime acceptable to the business. If the time to restore data is longer than the recovery time objective, adjustments should be made to reconcile the difference.
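The RPO, 3-2-1 coverage, isolation from the production network, and RTO checks described above can be written down as an automated readiness test. The following is an added example, not Soteria's tooling or any product's API; the catalog structure, the sample copies, the thresholds and the checksum-based restore verification are all assumptions made for illustration.

```python
"""Backup-readiness checks: RPO, 3-2-1 coverage, isolation, RTO drill and
restore integrity. Added illustration; the data model, thresholds and
sample catalog below are constructed, not taken from any real system."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib


@dataclass
class BackupCopy:
    label: str
    taken_at: datetime
    medium: str          # "disk", "tape", "object-storage", ...
    offsite: bool        # held outside the primary site
    isolated: bool       # offline, or on a segment production hosts cannot reach
    sha256: str          # checksum recorded when the copy was written


def check_rpo(copies, rpo, now):
    """Newest copy must be no older than the RPO; returns (ok, age_of_newest)."""
    if not copies:
        return False, None
    age = now - max(c.taken_at for c in copies)
    return age <= rpo, age


def check_3_2_1(copies):
    """At least 3 copies, on at least 2 media types, with at least 1 offsite."""
    media = {c.medium for c in copies}
    offsite = sum(1 for c in copies if c.offsite)
    return {
        "copies": len(copies),
        "media_types": len(media),
        "offsite": offsite,
        "ok": len(copies) >= 3 and len(media) >= 2 and offsite >= 1,
    }


def check_isolated(copies):
    """At least one copy must be unreachable from the production network."""
    return any(c.isolated for c in copies)


def check_rto(restore_drill, rto):
    """The last timed restore exercise must fit inside the RTO."""
    return restore_drill <= rto


def verify_restore(restored_bytes, expected_sha256):
    """Compare restored data against the checksum recorded at backup time."""
    return hashlib.sha256(restored_bytes).hexdigest() == expected_sha256


def assess(copies, rpo, rto, restore_drill, now):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    ok, age = check_rpo(copies, rpo, now)
    if not ok:
        findings.append(f"RPO missed: newest copy is {age} old, RPO is {rpo}")
    r = check_3_2_1(copies)
    if not r["ok"]:
        findings.append(f"3-2-1 not met: {r['copies']} copies, "
                        f"{r['media_types']} media types, {r['offsite']} offsite")
    if not check_isolated(copies):
        findings.append("no copy is isolated from the production network")
    if not check_rto(restore_drill, rto):
        findings.append(f"RTO missed: last drill took {restore_drill}, RTO is {rto}")
    return findings


# Constructed sample catalog and policy (hypothetical values, not real data).
RPO = timedelta(days=1)           # at most one day of data may be lost
RTO = timedelta(hours=8)          # restore must complete within eight hours
LAST_DRILL = timedelta(hours=5)   # duration of the most recent timed restore test
SAMPLE_DATA = b"payroll database dump, constructed sample"
SAMPLE_HASH = hashlib.sha256(SAMPLE_DATA).hexdigest()
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_COPIES = [
    BackupCopy("nightly-nas", NOW - timedelta(hours=6), "disk", False, False, SAMPLE_HASH),
    BackupCopy("weekly-tape", NOW - timedelta(days=3), "tape", True, True, SAMPLE_HASH),
    BackupCopy("cloud-snapshot", NOW - timedelta(hours=12), "object-storage", True, True, SAMPLE_HASH),
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_COPIES, RPO, RTO, LAST_DRILL, NOW):
        print("FINDING:", finding)
    print("restore integrity:", verify_restore(SAMPLE_DATA, SAMPLE_HASH))
```

Run against a real catalog, the interesting output is the list of findings: a catalog that only has the nightly NAS copy fails both the 3-2-1 and the isolation checks, which is exactly the situation where a ransomware actor who reaches the production network also reaches every backup. The checksum comparison is what turns a restore drill into evidence that the data came back intact rather than just that the job finished.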
How Soteria services and solutions can be helpful and additive:
Assessments and tabletop exercises – early engagements with clients on proactive projects in planning and testing for incident response.
Lexico MDR – Soteria can initiate immediate response when ransomware is detected which can prevent the spreading and impact of the incident.
Incident Response services – as soon as companies realize they require help with a large scale incident.