A Complete Ransomware Recovery Strategy

One of the challenges IT faces when developing a complete ransomware recovery strategy is to think holistically about the process. Focusing on just one capability may expose the organization to ransomware damage in other areas. IT needs a 360° Ransomware Recovery Strategy that protects production data and backup metadata, and rapidly returns the organization to an operational state.

The Elements of a Complete Ransomware Recovery Strategy

  • Frequent Backups
  • Immutable Storage
  • Rapid Recovery
  • A Sterile Recovery Environment
  • Affordability

Ransomware Recovery Requirement 1: Frequent Backups

For years (decades?), backup vendors have claimed: “it is all about recovery!” While recovery is a critical part of a ransomware recovery strategy, it is not all about recovery. If your architecture doesn’t enable you to execute fast, frequent backups, your recovery point objective (RPO) may lead to losing hours and even days’ worth of data. This delay may lead to a temptation to pay the ransom instead of completing the recovery process. A complete ransomware recovery strategy requires the frequent protection of production data. Also, if that data isn’t written securely to persistent media, there may not be quality data for recovery.

Ransomware Recovery Requirement 2: Immutable Storage

Immutable storage is critical to your ransomware recovery strategy. Your backup storage target should store every backup in an immutable state and be able to retain that state for months without impacting performance. It should also store your backup software’s metadata in an immutable state, which means your backup storage target needs to deliver the performance your backup-server software requires to update these files quickly. If the ransomware attack encrypts either the backup data or the backup metadata, you might not be able to recover anything. A complete ransomware recovery strategy requires immutable storage of the protected data and the backup configuration files and indexes.

Ransomware Recovery Requirement 3: Rapid Recovery

Frequent backups and protected storage of that data set the stage for a successful recovery. However, these recoveries have to be some of the fastest IT has ever done since they are under pressure from users and application owners who want to get back to a productive state as quickly as possible. There is also pressure from the executive team, weighing the cost of paying the ransom versus the time it will take for IT to complete the recovery. Finally, there is the possibility that the “bad actors” have set a time limit for you to pay the ransom, or they will delete all your data. A complete ransomware recovery strategy requires that instant recoveries or even native recoveries occur quickly. Backup storage needs to provide the ability to host production data with a performance profile similar to that of the production environment.

Ransomware Recovery Requirement 4: A Sterile Recovery Environment

Unlike a natural disaster, the state of your production storage after a ransomware attack is at best “unknown.” Ransomware trigger files often make copies of themselves as they encrypt your environment. If IT doesn’t have the time to complete the forensic work, which can take hours, to ensure the removal of these files, then the likelihood of reinfection, with even less “pay the ransom” time, is very high.

A complete ransomware recovery strategy requires a sterile recovery environment. It buys IT time to remove the trigger files properly and potentially the infected data as well. The sterile recovery environment needs to deliver production-class performance and reliability to get the time IT needs to inspect the production environment thoroughly. The sterile environment also needs to protect itself with immutability. The need for a sterile recovery environment is new because of ransomware but is helpful for recovery from many other outages. To learn more, read our latest whitepaper, “What is Standby Storage.”

Ransomware Recovery Requirement 5: Affordability

The ransomware recovery strategy has to be affordable. Part of a 360° Ransomware Recovery Strategy means that all applications and data are protected the same way. Today, IT has to piecemeal this type of strategy together using solutions from multiple vendors, which significantly raises the purchase, implementation, and operational costs. The fragmentation also forces IT to either pick which component of the strategy to implement, which leaves open attack vectors, or pick only a few data sets to protect, which means the rest of the environment is still exposed.

The solution should also intelligently leverage flash and high-density (20TB) hard disk drives to keep costs low. Using a hard disk tier means the solution needs to rapidly recover from a drive failure because RAID rebuild times are more relevant than ever.

Delivering a 360° Ransomware Recovery Solution

Implementing a 360° Ransomware Recovery Strategy means IT needs to look for a single solution that can provide cost-effective backup storage while meeting the five previously listed requirements. The solution needs a small flash tier to handle the hourly ingest of backup data from dozens, if not hundreds, of virtual machines, application servers, and NAS systems. The flash tier should be large enough to support recovery and enable customers to use backup-server applications with “instant recovery” features to exploit that capability fully.

A 360° Ransomware solution should also support the native restoration of data and become Standby Storage. It should provide native sterile volumes mountable via any storage protocol and enterprise-class performance and availability. Standby Storage is valuable for more than just ransomware recovery by also providing a recovery area during a storage controller failure or storage software failure.

Only StorONE’s S1:Backup delivers all of these capabilities in a single, cost-effective solution that is easy to implement and operate. To learn more, watch our on-demand webinar “Beat Ransomware with Standby Storage.”

George Crump

George has over 25 years of experience in the storage industry, holding executive sales and engineer positions. Before joining StorONE, he was the founder and lead analyst at Storage Switzerland.
