lolloj - Fotolia
Ransomware outbreak threat calls for backup and DR strategy
IT departments deploy a range of data restore approaches to mitigate the risk of a debilitating ransomware attack. Time is of the essence, however.
The ransomware outbreak threat may be subsiding somewhat, but IT managers continue to shore up their defenses. Backup and disaster recovery is a key area of emphasis.
For much of 2017, the WannaCry and NotPetya ransomware outbreaks dominated cybercrime headlines. A new report from antimalware vendor Malwarebytes said ransomware detections last year increased 90% among businesses. But by the end of 2017, the "development of new ransomware families grew stale," as cybercriminals shifted their focus to other forms of malware, such as banker Trojans that steal financial information, according to the report, "Cybercrime Tactics and Techniques: 2017 State of Malware."
That said, organizations are looking to bolster their ransomware outbreak protections. Front-end measures often include antivirus software, firewalls and content scanners that can intercept email attachments that appear questionable.
IT departments, however, are also looking to strengthen back-end protections that can help them recover from ransomware attacks that lock up data via encryption. Here, the emphasis is on disaster recovery strategies that let a business restore its data from a backup copy. But even here, there are risks: IT managers must ensure the backups it makes are actually usable and consider how long a data restore will take in the event of an emergency.
Another level of security
The city of Milpitas, Calif., already has a number of security measures in place to defend itself from a ransomware outbreak. On the front end, the municipal government employs email filtering, spam filtering and email attachment scanning. On the back end, the city uses BackupAssist, a Windows server backup and recovery software offering for SMBs. A remote disaster recovery site provides an additional line of defense.
The city earlier this month said it layered on another element to its backup and recovery defense. Mike Luu, information services director for the city of Milpitas, said the city activated CryptoSafeGuard, a BackupAssist feature the vendor recently added to its product.
CryptoSafeGuard, according to the company, prevents infected files from being backed up and also prevents backups from becoming encrypted. Some ransomware attacks have succeeded in encrypting both an organization's production and backup data.
"It's just another method of trying to protect against [Ransomware]," Luu said of CryptoSafeGuard.
Luu said switching on CryptoSafeGuard was a simple matter of ticking a box on BackupAssist's user interface. "It came along for the ride at no additional cost," he added.
BackupAssist offers CryptoSafeGuard as part of the vendor's BackupCare subscription package. Troy Vertigan, digital sales and marketing manager at BackupAssist, said 30% of the vendor's customers running the latest versions of BackupAssist have activated CryptoSafeGuard since it became available in September 2017.
When backups fail
Backup plans can fall through when ransomware hits. TenCate, a maker of composite materials and armor based in the Netherlands, found that out a few years ago during the CryptoLocker ransomware outbreak. Malware entered the company's U.S. operations through a manufacturing facility and made its way to the file server, recalled Jayme Williams, senior systems engineer at TenCate. Data ended up encrypted from the shop floor to the front office.
When TenCate attempted a data restore from Linear Tape-Open standard tape backups, the backup software the company used wasn't able to catalog the LTO tapes -- a necessary step for recovering files. Williams said some data had been copied off to disk media, but that backup tier was also unreadable. He contacted a data recovery service, which was able to extract the data from the disks.
The company's disk-based backups weren't frequent, so some of the data had become stale. The recovered data, however, provided a framework for rebuilding what was lost. It took two weeks to make data accessible again; even then, it wasn't an ideal data restore because of the age of the recovered data.
One of the key lessons learned from the CryptoLocker experience was that TenCate's security was lacking for the ransomware infection to penetrate as far as it did, Williams noted. In response, company managers have signed off on tighter security.
The other lesson: Backup and disaster recovery are different things.
Jayme Williamssenior systems engineer at TenCate
"Backup is not resilience," Williams said.
That realization put TenCate on the path toward new approaches. Initially, the company, which is a VMware shop, considered the virtualization vendor's Site Recovery Manager. But the company's IT services partner recommended a cloud-based backup and disaster recovery offering from Zerto. The vendor replicates data from an organization's on-site data stores to the cloud.
One factor in favor of Zerto was simplicity. Zerto helped TenCate set up a proof of concept (POC) in about 30 minutes to demonstrate replication and failover. When Williams received permission to purchase the replication service, TenCate was able to take the POC into production without reinstallation.
When a second ransomware outbreak struck TenCate, the updated security and disaster recovery system thwarted the attack. The company's virtual machines (VMs) were shielded within Zerto's Virtual Protection Groups and journaling technique, which Williams described as "the TiVo of the VM." The Zerto journal lets administrators rollback a VM to a point in time before the ransomware virus hit -- a matter of seconds, according to Williams.
Time is a critical consideration in devising a ransomware mitigation strategy, noted Michael Suby, Stratecast vice president of research at Frost & Sullivan.
A too lengthy data restore process leaves organizations vulnerable to ransomware demands, he said. A besieged organization may capitulate and pay the fee if a drawn out recovery time would result in a greater loss of revenue or threaten lives, as in the case of an attack against a hospital.
"Companies can still be exploited if the time to revert to those backup files is excessive," Suby explained. "It's not just having backup files. We have to have them readily accessible."