To mitigate ransomware damage, you need an effective backup and recovery plan


For Toronto organizations that heavily depend on IT systems to function, ransomware is a threat that cannot be ignored. Just last August, a threat group calling itself DarkSide claimed to have victimized a billion-dollar Toronto-based company. Beyond disabling the company’s IT systems with ransomware, the group said that they compromised files containing business plans, employee files, and financial records. If DarkSide’s claim was true, then their victim was in dire danger of losing vast amounts of crucial data and would have been hard-pressed to pay that group’s ransom demands.

It’s important to point out that while some companies that pay the ransom do receive the proper decryption keys and are able to cut downtime and resume operations immediately, other firms are not so fortunate. Such victims fall deeper into financial ruin because cybercriminals take the payment but don’t provide the correct decryptors in exchange. This is why business owners are advised not to pay ransoms if they can help it, and to avoid falling into such a predicament by implementing a backup and recovery plan.

What makes a backup and recovery plan more effective against ransomware?

A ransomware attack only succeeds if it gets inside your network and leaves you with nothing to fall back on. Simply put, if you still have a reliable backup of your critical data, then encrypted production data won't cripple your operations. You can use your backup to initiate data recovery and resume operations, which means that your backup and recovery system itself must be able to withstand cyberattacks.

To make your backups robust, you have to think as if the attacker has already compromised one of your key servers. With this sense of dire urgency in mind, how do you protect your backups?

1. Have an offline backup system.
For their ransomware campaigns to be more effective, a threat group must explore the network they find themselves in. They must infect as many computers as possible beyond the initial one they happened upon, and also compromise as many backups as they can find. Backups on network-attached storage (NAS) devices or USB drives that are connected to your network will most likely be encrypted or deleted.

This is why your backup system needs to be offline. In such a system, local backups are stored on physical storage media, such as tape or disk, kept either on-premises for easy access and management or off-premises for even greater security. Either way, these storage devices are not physically connected to your primary devices. The literal space, or “air gap,” between them is why hackers, who almost exclusively operate remotely, are highly unlikely to tamper with your backups.

To create a backup using this offline system, you must first determine that your database is viable for replication. Then, you need to disconnect the server that contains the data from your network before connecting the server to your local backup storage device. Once you’re done backing up your data, disconnect the storage device. The server containing the original database may be reconnected to the network so that it can be accessed once again by users, but the copy will be kept offline until you need it for data recovery.

In the event of a ransomware infection, you must first determine how much of your network has been compromised. Only after you’ve quarantined affected machines can you use your offline backup to restore your systems. If you fail to take this precaution, you risk compromising your backup as well.

2. Separate your local domain accounts from your security access to backup systems.
A compromised admin account in your production system (i.e., the place where your apps are used and your files are accessed from) should not be enough to access your backup system. Ideally, backup management should be a stand-alone system that only a few people can access with stringent controls such as multifactor authentication in place. All of this simply means that if the production system is compromised, then the backup is protected by an entirely different level of administrative rights.

3. Maintain historical backups.
Hackers can be very patient. They’ll wait in your network for a month or longer to ensure they have as many bases covered as possible before they launch their ransomware attack.

This means that when it is time to recover your data, you may discover that the hackers compromised your latest backups. This is why a 1-week or even 1-month recovery point may not be sufficient. Historical backups grant you the flexibility to go back to the point in time before they infiltrated your systems.
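The retention arithmetic behind this point is easy to get wrong, so here is an added example (not XBASE's code) that models a grandfather-father-son rotation: keep the newest daily backups, the newest backup from each of the last few ISO weeks, and the newest backup from each of the last few months. Given the date an intruder is believed to have gained access, it reports the newest surviving backup that predates that date, which is what you actually need during recovery. The backup dates, the policy numbers and the compromise date are constructed for the demonstration.

```python
"""Retention policy check for historical backups (added example, not XBASE's code).

Models a grandfather-father-son rotation: keep the newest `daily` backups,
the newest backup from each of the last `weekly` ISO weeks, and the newest
backup from each of the last `monthly` calendar months. Given a suspected
compromise date, it also reports the newest surviving backup that predates it.
"""
from datetime import date, timedelta


def _newest_per_bucket(backups, bucket_of, limit):
    """Return the newest backup date in each of the `limit` most recent buckets."""
    newest = {}
    for d in backups:
        key = bucket_of(d)
        if key not in newest or d > newest[key]:
            newest[key] = d
    # order buckets by their newest backup, most recent first
    return sorted(newest.values(), reverse=True)[:limit]


def select_retention(backups, daily=7, weekly=4, monthly=6):
    """Return the set of backup dates to retain under the GFS policy."""
    ordered = sorted(set(backups), reverse=True)
    keep = set(ordered[:daily])
    keep.update(_newest_per_bucket(ordered, lambda d: d.isocalendar()[:2], weekly))
    keep.update(_newest_per_bucket(ordered, lambda d: (d.year, d.month), monthly))
    return keep


def newest_clean_point(kept, suspected_compromise):
    """Newest retained backup strictly before the date the intruder is believed
    to have gained access; None means no clean recovery point survives."""
    candidates = [d for d in kept if d < suspected_compromise]
    return max(candidates) if candidates else None


def recovery_window_days(kept):
    """Span in days between the oldest and newest retained backup."""
    return (max(kept) - min(kept)).days


# Constructed sample: one backup per day for 200 days ending 2024-06-30.
SAMPLE_BACKUPS = [date(2024, 6, 30) - timedelta(days=i) for i in range(200)]

if __name__ == "__main__":
    kept = select_retention(SAMPLE_BACKUPS)
    print(f"retaining {len(kept)} of {len(SAMPLE_BACKUPS)} backups, "
          f"oldest {min(kept)}, window {recovery_window_days(kept)} days")
    # Seven dailies alone leave nothing older than 2024-06-24.
    short = select_retention(SAMPLE_BACKUPS, daily=7, weekly=0, monthly=0)
    print("7 dailies only, compromise on 2024-06-01 ->",
          newest_clean_point(short, date(2024, 6, 1)))
    print("GFS policy, compromise on 2024-06-01 ->",
          newest_clean_point(kept, date(2024, 6, 1)))
```

With the default policy the 200 daily backups shrink to 15 retained points reaching back to 2024-01-31, so an intruder who entered on 2024-06-01 after a month of dwell time can still be rolled past; the seven-day policy has no clean point at all. Whatever numbers you choose, the offline copies described above should follow the same rotation so that the air-gapped set also reaches back far enough.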

With ransomware, backup isn't the only consideration — you have to think about its legal ramifications, such as disclosures to the Office of the Privacy Commissioner. Learn what Canadian businesses must report when they are attacked by hackers.

4. Test disaster recovery on a regular basis.
A disaster recovery (DR) setup is useless if it can’t be executed once ransomware seizes your network, which is why it must be tested regularly to ensure its viability. Simulations of large-scale ransomware campaigns test your DR to the fullest extent and help both IT and non-IT teams learn their roles in the recovery process.

In simpler terms, you need to be ready to handle the restoration process. Here are a few guiding questions; you are ready only if you can answer “yes” to all of them:

  • Have the backups been tested to ensure the data is not corrupted?
  • Is your IT staff familiar with all the restoration tools and networks you will use?
  • Do you have separate hardware available for the restorations?
  • Do you have isolated network segments available to keep staff away from the compromised servers?
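The first question, whether the backups have been tested for corruption, is the one that can be automated. The following is an added example (not XBASE's code) of how a backup set can be checked on every DR test: when the set is written, a SHA-256 digest of every file is recorded in a manifest, and the manifest is sealed with an HMAC under a key that lives only with the backup administrators (the separate credentials from point 2). The restoration test then recomputes the digests and reports files that are missing, altered or unexpected, and refuses a manifest whose seal does not verify. The directory layout, file contents and key are constructed for the demonstration.

```python
"""Backup integrity check with a keyed manifest (added example, not XBASE's code).

On backup: digest every file under the backup root and seal the listing with
an HMAC.  On DR test: recompute digests and report missing, altered and
unexpected files; a manifest whose seal fails is rejected outright.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash files in 1 MiB chunks so large backups fit in memory


def file_sha256(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _seal(files, key):
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root, key):
    """Digest every regular file under `root` and seal the listing with HMAC."""
    root = Path(root)
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = file_sha256(p)
    return {"files": files, "seal": _seal(files, key)}


def verify_manifest(root, manifest, key):
    """Return a report; an empty 'problems' list means the backup set is intact."""
    if not hmac.compare_digest(_seal(manifest["files"], key), manifest["seal"]):
        return {"ok": False, "problems": ["manifest seal does not verify"]}
    root = Path(root)
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    problems = []
    for rel, digest in manifest["files"].items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif file_sha256(root / rel) != digest:
            problems.append(f"altered: {rel}")
    for rel in sorted(present - set(manifest["files"])):
        problems.append(f"unexpected: {rel}")
    return {"ok": not problems, "problems": problems}


def demo(key=b"demo-key-kept-with-backup-admins"):
    """Constructed sample: write a small backup set, seal it, then damage it.

    Returns the reports for the clean set, the damaged set, and a manifest
    rebuilt under the wrong key to match the damaged files."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    (root / "db").mkdir()
    (root / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1);\n")
    (root / "config.ini").write_bytes(b"[app]\nmode=prod\n")
    manifest = build_manifest(root, key)
    clean = verify_manifest(root, manifest, key)
    # what encryption, deletion and dropped files look like on a DR test
    (root / "db" / "orders.sql").write_bytes(b"\x00garbled")
    (root / "config.ini").unlink()
    (root / "README.enc").write_bytes(b"constructed ransom note")
    damaged = verify_manifest(root, manifest, key)
    # a manifest re-generated to match the damaged files, but without the admins' key
    forged = build_manifest(root, b"wrong-key")
    forged_result = verify_manifest(root, forged, key)
    return clean, damaged, forged_result


if __name__ == "__main__":
    for label, report in zip(("clean", "damaged", "forged"), demo()):
        print(label, report)
```

Run the verification against the offline copy on a restoration host, not on the production server, and keep the HMAC key out of the production domain: if the attacker can regenerate the manifest with the key, the seal proves nothing.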

5. Let one MSP unify your backup and recovery strategy.
With so many moving parts, cybersecurity today is particularly hard to manage. Anti-malware software, identity and access management, network monitoring, and patch management are just some of the components that need to work with your backup and recovery solutions.

For example, you must scan your backups using the latest anti-malware software to make sure that these aren’t infected. Additionally, as mentioned earlier, you need to use multifactor authentication to control access to your backups.

Having one MSP implement an integrated cybersecurity approach makes the data recovery process as efficient as possible. During a time crunch — which is what a ransomware incident brings about — not having to wait on and keep in step with multiple vendors shortens costly downtime.

When it comes to ransomware, you need both prevention and cure

Backup and recovery plans are so effective at restoring operations that cybercriminals have begun resorting to stealing victims’ data. For instance, the threat group DarkSide claimed that they can provide ample proof that they stole 200 GB worth of sensitive data, which they will publish if the company does not pay their ransom demand.

Cybercriminals twist their victims’ arms this way to make them pay the ransom sooner. However, if you receive a threat like this, do not be fooled. If hackers have indeed exfiltrated your data, you must assume that they have already published it somewhere, most likely on the dark web to be sold. To minimize your exposure, you need both cybersecurity services to prevent hackers from infiltrating your IT systems and disaster recovery services in case someone on your staff becomes negligent and lets them in.

Turn to XBASE for Exponentially Better™ disaster recovery services. And to learn more about how we can safeguard your business from being victimized by ransomware attacks in the first place, contact us today.
