
According to a recent IDC survey, 92% of IT professionals are confident in their ability to recover from a ransomware attack. Nevertheless, 46% of these organizations were successfully attacked and 67% of that group were unable to successfully recover from the attack. There are five reasons for ransomware recovery failure. If these reasons aren’t addressed, your organization will also be part of the 46% that was successfully attacked and the 67% of that group that had to pay the ransom. The current average ransom payment is $228,000, which means a potential $35 million in ransoms were paid by this group, shaking their ransomware recovery confidence.
The five reasons for ransomware recovery failure are:
- A lack of frequent backups of ALL data
- The vulnerability of backup data copies and backup application metadata
- A slow recovery process that makes paying the ransom tempting
- The lack of an isolated recovery environment known to be free of malware
- The lack of testing. Ransomware recovery is different.
Our next webinar, “Beat Ransomware – How to Turn a Data Protection Double Play,” explains how doubling up on backup software and hardware protection features can create a ransomware recovery strategy to overcome these five shortcomings.
Ransomware Recovery Requires Frequent Backups
The first step in achieving ransomware recovery success is to increase the frequency of backups. Once a night is no longer enough. The goal is to reduce your threat exposure window so the amount of data lost after the attack is minimal. Modern backup software applications now deliver technologies like block-level incremental (BLI) backups to minimize the amount of data transfer and enable backups throughout the day of all data, not just so-called mission-critical data. Attacked organizations may be able to bring mission-critical systems back online but then still end up paying the ransom to regain access to non-mission-critical data.
The problem is the increase in backup frequency and scope puts a strain on the backup infrastructure. Backup data flow is now random instead of sequential, and the backup storage hardware may be unable to keep pace.
Look for a backup solution that leverages flash storage to keep pace with the high number of BLI backups. This requirement does not mean the organization must use an all-flash storage system for backup. Instead, it needs a solution with intelligent auto-tiering that optimally uses flash and hard disk drives to power through these backups while keeping costs in check.
Ransomware Recovery Requires Protected Backups
Bad actors know that IT will look toward their backups as a means to recover, so, increasingly, they go after those first before encrypting anything else. The second of the five reasons for ransomware recovery failure is the vulnerability of backup data. A successful ransomware recovery strategy requires hardening the two types of backup application data; copies of the production data they are assigned to protect and the metadata it creates so you can find data when needed.
Most modern backup applications support moving data to an immutable storage system, typically an object store. The problem is that most object storage systems cannot sustain the high random ingest rates the increase in backup frequency requires. Most backup vendors suggest two systems to meet the demands of increasing backup frequency and backup data hardening.
The problem is the backup data is exposed until the backup process completes and the backup software can transfer the data to the immutable storage system. There is also the challenge that IT now has two essential but separate storage systems to manage and maintain within the backup infrastructure.

Backup metadata is also a prime target of ransomware attacks. While most backup software applications can rebuild the metadata index, it does take time. The bad actor’s goal is to slow down the recovery process to make paying the ransom more appealing.
Look for a backup solution that can make the copies of production and backup metadata immutable within seconds of it landing on the backup storage target without having to transfer to a secondary system. The solution should also be able to present an object store so that you don’t need to support and pay for multiple storage systems.
Ransomware Recovery Requires Rapid Restores
Another challenge that forces organizations to give up on their ransomware recovery tools is the time it takes to restore data. Part of the time delay is identifying a known good copy. Another delay is the time it takes to instantiate the data for user access. According to a recent Sophos survey, the average time to recover from a ransomware attack is over one month. The temptation of paying the ransom and getting your data back “instantly” is appealing, but that same survey found that only 4% of the organizations that paid the ransom got all their data back!
Modern backup applications have features like instant recovery to eliminate network transfer times. However, suppose your applications and users expect all-flash or hybrid performance. In that case, they may not appreciate executing an instant recovery to a hard-drive-only backup storage target. The instant recovery process adds additional overhead, which also decreases performance.
Look for a backup storage target that can deliver production-class performance. If the solution uses the flash tier intelligently, as described earlier, it can reallocate capacity on that tier so that instantly recovered data will perform similarly to production.
Ransomware Recovery Requires an Isolated Recovery Environment
Of the five reasons for ransomware recovery failure, the fourth, the lack of an isolated recovery environment, is the most overlooked. During a recovery, malware trigger files may continue to lurk on production storage, ready to reinfect any recovery attempt. Most organizations have no answer to this problem, and suggestions from industry analysts reflect an “it’s not in my budget” mentality. Most organizations can’t justify a system sitting idle in the data center waiting for ransomware recovery.
Look for a backup storage target that can build on the instant recovery performance described above to deliver standby storage. A backup storage target with this capability is highly available and has enterprise storage features like snapshots and replications. There are reasons beyond ransomware recovery for standby storage, but its ability to see an organization through an attack is invaluable. Most importantly, the standby storage capability requires only a minimal addition in backup storage costs.
Test, Test, Test
Another major factor in ransomware recovery success is testing. Most organizations don’t test the ransomware attack scenario specifically. Ransomware recovery is fundamentally different than disaster recovery (DR). In a disaster, your primary data center is gone, or at least unavailable. Your DR site has a known good copy of data and is likely not experiencing the same disaster. Depending on the disaster, your users and maybe even most of your customers also deal personally with the disaster. As a result, they will not pressure you for immediate access to their applications. You can’t take weeks to recover, but you have more time than you think to recover from a natural disaster.
During a ransomware attack, the data center appears to be fine, but the data is corrupted. There is a good chance that replicated copies of that data at the DR site are also unusable. Production storage is available, but restoration will likely happen to an environment still under attack. Users are on their laptops, ready to get to work and waiting for you to fix the problem. Sadly, time is of the essence, and there is the temptation of paying the ransom.
Learn More
- Join Veeam and StorONE for our next live webinar, “Beat Ransomware – How to Turn a Data Protection Double Play.“ Learn how to beat ransomware by doubling up on protection and recovery capabilities.
- Read our whitepaper “Designing a Modern Backup Infrastructure.“ Learn how to ensure your entire backup process is equipped to handle a ransomware attack.
