Ransomware recovery is the new frontier

Oct. 3, 2023
Recovery is the new frontier in the fight against ransomware, so have a disaster recovery plan

This July saw a record number of ransomware attacks with a 154% year-on-year increase, largely driven by the Cl0p ransomware group's exploitation of MOVEit software, per a new report by NCC Group's Global Threat Intelligence team. As attackers target individuals, businesses, and governments alike, ransomware has emerged as the most significant cybersecurity threats of our time. When cybercriminals encrypt valuable data and demand hefty ransoms, it paralyzes operations and causes severe financial and reputational damage.

In fact, 85% of organizations were hit by at least one ransomware attack last year, and just under half (48%) suffered even two or three attacks. It is evident that ransomware has become an unfortunate reality for practically every organization – even those that aren’t directly involved. We have no better example than what we’re seeing with the infamous MoveIt tool attacks, which are now being exploited to breach companies that don’t even use it, simply because their business partners do.

So, as cybercriminals constantly evolve their tactics and find new ways to bypass security measures, it has become a case of when not if a successful attack occurs. Traditional prevention methods, such as firewalls and antivirus software, are still crucial, but on their own they are not enough to be prepared for advanced ransomware attacks. Organizations must prioritize robust recovery strategies to minimize the impact on operations, business continuity, and reputation. While many recognize the importance of this shift, to build substantial resilience against ransomware attacks, more emphasis needs to be placed on strengthening your incident response and disaster recovery plan and process.

Ransom does Not Equal Recovery

Paying the ransom is not a recovery strategy, and simply backing up data is not either. In 2022, the majority (80%) of organizations opted to pay the ransom in order to end an attack and recover their data,  rising 4% compared to the previous year. This is despite 41% of organizations having a "Do-Not-Pay" policy regarding ransomware. But, out of those who paid the ransom, only 59% were successful in recovering their data, and 21% who paid up still lost their data. Similarly, while you might think you have a sufficient backup in place and can avoid paying a ransom, 93% of attackers targeted backups during cyberattacks and were successful in debilitating their victim's ability to recover in 75% of those events. 

A reliable disaster recovery process is made up of three stages: preparation, response, and recovery. Preparation includes having backups in place and, just as importantly, having a tested and proven recovery location ready. This is something that many organizations do not think about until it is too late. You cannot recover to the original environment; it is compromised and an active crime scene. But you also do not want to be preparing and getting to grips with a new cloud environment for the first time in the wake of an ongoing ransomware attack. Effective disaster response includes reporting and containing the incident, pre-defined operational response, and forensics to ensure you know what has been affected and if environments (especially backups) have been compromised. Only then can you recover with confidence. 

Starting from the Right Place 

Being prepared for disaster recovery is only effective if the backups you are planning around are bulletproof. If you only have one data backup and it is hit during the attack, you are back to square one. Instead, organizations need to follow a few golden rules to increase cyber-resiliency:

  • Security teams must ensure they possess an immutable copy of their mission-critical data, preventing hackers from altering or encrypting it. Immutable means that something is unable to be changed or deleted. Immutable backup data is safe from potential changes or deletions, meaning that its original integrity stays intact. Immutability is key to effective cybersecurity protection and can be as simple as moving one copy of the backup data to the public cloud with the immutability flag enabled.
  • Data encryption is crucial to render stolen or breached data inaccessible and useless to hackers. Data encryption is performed as part of backup, backup copy, or archiving to tape processes. A simple but effective rule for encrypting successfully is to use strong passwords – hard to crack, stored safely, and changed regularly to elevate the encryption security level. You also have the option of using platforms that can ensure your data is encrypted and backed up without relying on a password.
  • The most critical aspect of bolstering your strategy lies in following the 3-2-1-1-0 backup rule. This rule is essential for ensuring reliable data protection and recovery in the face of potential threats like ransomware attacks. It involves maintaining a minimum of three copies of the data, ensuring that even if two devices are compromised or fail, there is an additional copy available. Since the likelihood of three devices failing simultaneously is low. Organizations should store these backups on two different types of media, such as one copy on an internal hard disk and another in the cloud. One copy should always be stored at a secure offsite location, while another should remain offline (air-gapped) with no connection to the primary IT infrastructure. Lastly, the "0" stage is of critical importance, there should be zero errors in your backups. Achieving this needs to be accomplished through regular testing without any errors that should be ideally complemented with constant monitoring, and restoration process training.

Navigating the Road Out of Ransomware

There is no doubt that ransomware attacks continue to evolve significantly, growing in scale, sophistication, and impact. The latest news of the severe ransomware attack on cloud hosts CloudNordic and AzeroCloud, resulting in most customers losing all their data, is a prime example of this. There is also no doubt that ransom payments are relatively ineffectual. Despite their heavy loss, CloudNordic is emphatic about not paying any ransom demanded by its attackers. It bears repetition: it is no longer a matter of IF your organization will be the target of a cyber-attack, but how often. This shift has meant the road out of ransomware is moving from prevention to recovery.

While security and prevention remain important, recovery is the new frontier in the fight against ransomware, and ensuring you have a slick disaster recovery plan in place is paramount. By prioritizing data backup, investing in modern recovery technologies, and establishing robust disaster recovery plans, organizations can strengthen their resilience, improve their ability to recover from attacks, and navigate the road out of ransomware.

About the Author: Danny Allan is the Chief Technology Officer and Senior Vice President for Product Strategy at Veeam. He is responsible for the global product roadmap and strategy group, and for spearheading the company’s technology vision as the #1 global provider of Data Protection and Ransomware Recovery.  With more than 25 years of software technology experience, he is enthusiastic about solving customer problems and software innovation.

About the Author

Danny Allan | CTO at Veeam

Danny Allan is the Chief Technology Officer and Senior Vice President for Product Strategy at Veeam. He is responsible for the global product roadmap and strategy group, and for spearheading the company’s technology vision as the #1 global provider of Data Protection and Ransomware Recovery.  With more than 25 years of software technology experience, he is enthusiastic about solving customer problems and software innovation.