Protection from ransomware requires layered backup, DR
A strategy for protection and successful recovery from ransomware includes everything from monitoring tools to offline storage. Organizations should use multiple methods.
CHICAGO -- The VeeamON session on protection from ransomware Wednesday started with a question for attendees: How many had experienced a ransomware attack at their organization?
Dozens of hands went up.
Ransomware attacks continue to make news. In just the last couple of months, high-profile victims included the city of Atlanta and a school district in Massachusetts. Many attacks, though, go unreported or unmentioned to the general public.
A layered defense is important for protecting against and recovering from ransomware, Rick Vanover, Veeam's director of product strategy, told the packed room of close to 200 people.
Backup, DR, education all play a role
Using offline storage to create an air gap is arguably the most technically efficient method of protection against ransomware. Tape is a good fit for air gapping, because you can take it off site, where it is not connected to the network or any other devices.
"The one reason I love tape is its resiliency in this situation," Vanover said.
Other offline or semioffline storage choices include replicated virtual machines, primary storage snapshots, Veeam Cloud Connect backups that aren't connected directly to the backup infrastructure and rotating hard drives.
Educating users is another major component of a comprehensive strategy for protection from ransomware.
"No matter how often you do it, you can't do it enough," said Joe Marton, senior systems engineer at Veeam.
Advice for users includes being overly careful about clicking links and attachments and telling IT immediately if there appears to be an issue.
IT should have visibility into suspicious behavior using monitoring capabilities. For example, Veeam ONE includes a predefined alarm that triggers if it detects possible ransomware activity.
Organizations as a whole should continue to follow the standard "3-2-1" backup plan of having three different copies of data on two different media types, one of which is off site or offline.
From a disaster recovery angle, DR isn't just for natural disasters.
"Ransomware can be a disaster," Marton said.
That means an organization's DR process applies to ransomware attacks.
The organization should also document its recovery plan, specifically one for ransomware incidents.
Matt Fonner, a severity one engineer on the Veeam support team, said every week he deals with two or three restores from a ransomware attack.
Ransomware, protection continue to evolve
Vanover said later that he spent about 25 minutes following the presentation talking with people about attacks and protection from ransomware. One person told him that her SMB had been hit and decided to pay the ransom, rather than deal with an inferior restore program -- that wasn't Veeam.
Vanover said organizations should classify data to figure out which level of resiliency is needed. Not everything needs to be in that most expensive tier.
Vanover said the ransomware landscape has changed from a year ago, when he also gave a presentation on ransomware protection at VeeamON.
"The ransomware story does change every time you write it," he said.
One new twist in the story is that ransomware is attacking backups themselves. In a common scenario, ransomware will infiltrate a backup and stay dormant until the data is recovered back to the network following an attack on primary storage.
That's where offline storage comes in, Vanover said.
Data protection vendors are also starting to add specific features to protect backups from ransomware. For example, Asigra Cloud Backup has embedded malware engines in the backup and recovery stream. Acronis Active Protection detects suspicious changes to data, backup files and the backup application. CloudBerry Backup detects possible cases of ransomware in backups.
Vanover said if he drew up another presentation in a month or two, it would probably be different.
"We have to always evolve to the threatscape," he said.