That all depends on how you would honestly expect to respond to a Ransomware attack ...
A: Prepare to pay the Ransom?
B: Lose access to your data permanently?
C: Attempt to recover your data from Backup?
Of these three choices:
OPTION A: PAY UP
Paying the ransom is potentially the quickest way to get your business back up and running. But there are no guarantees the attackers will give you full access and you are also likely to be put on a “target” list for future ransomware attacks. If you have cyber security insurance you can expect future premium increases - if indeed you are covered for ransomware in the first place. Altogether it can be devastatingly expensive and fraught with risk. Definitely not ideal!
OPTION B: LOSE YOUR DATA
This is typically catastrophic for any business especially as 93% of companies that lost their data ended up shutting down within 12 months.
OPTION C: RECOVER FROM BACKUP
The obvious preferred choice for most organisations. Firstly, you need to be certain you have a good backup policy (such as the 3-2-1 rule), test it regularly and maintain it completely. Secondly, ensure it can meet the business’ recovery point targets and, if required, recover the data in a timely fashion that meets business needs.
Simple then … the obvious answer is OPTION C: RECOVER FROM BACKUP ... so you just need to ensure you have a good backup policy in place then, right?
Well … Yes and No!
Current trends point to targeted attacks focussing on the backup environment itself as part of the system infiltration. In a nutshell, that renders the option of RECOVER FROM BACKUP null and void, leaving you to either PAY UP or LOSE YOUR DATA.
We envisage the use of this backup-infiltration tactic increasing rapidly, as it essentially disables an organisation, cripples all your available leverage and leaves you with no other option than to PAY UP if you want to keep your business afloat.
SO WHAT'S THE FIX?
The first option could be to backup to tape. Some of our clients do still have tapes in place or could re-instate them. Ultimately a tape provides a recovery point-in-time that can be held off site and “air-gapped” from the primary system.
As the stored tape backup pre-dates the ransomware attack, this provides a fallback point if you choose not to pay - or an element of leverage if you decide you will. However tape backup is not ideal for many reasons including speed, reliability, complications with testing and cost.
A far better option is to ensure you have object locking and immutable storage in place across both your application and storage platform:
- OBJECT LOCK allows you to store data/objects in a WORM model (Write Once Read Many). This protects you against data being altered, overwritten or deleted for a specified period of time.
- IMMUTABLE STORAGE relates to data that cannot be modified after it is created.
HOW DOES THIS WORK IN PRACTICE?
As you create your backup it is embedded with additional data, for example a specified time period for which it will be locked. Let’s say you want some of your data locked for 30 days and other data for 180 days. In fact you can specify any desired time period - even 10 years or ‘forever’ is achievable.
The backup is then sent offsite to an immutable storage repository. It remains available online to recover from, but cannot be modified, over-written or deleted. As with tape backup, it is “air-gapped” from the primary system and provides data points that can pre-date any attempted attack.
The ransomware actor now can’t lock you out of your backups by encrypting them, as the backups themselves are locked to their original state for the retention period you have pre-determined.
With the correct solution and depending on the backup tools in place, the whole implementation is seamless and can be executed effortlessly.
For the best implementation, your application and storage platforms should both offer object lock and immutability working hand-in-hand to protect your data. You need to ensure that your backup is safe even if the worst happens and the rest of your infrastructure becomes compromised.
This is now achievable from £5 per TB (after dedupe and compression) with no ingress/egress/API charges and full 256-bit encryption in transit and at rest via our Cloudlake platform.