Ransomware

5 Reasons for Ransomware Recovery Failure

by

overcome the five reasons for ransomware recovery failure so you don't have to pay the ransom
Ransomware recovery failure leads to ransom payments 67% of the time.

According to a recent IDC survey, 92% of IT professionals are confident in their ability to recover from a ransomware attack. Nevertheless, 46% of these organizations were successfully attacked and 67% of that group were unable to successfully recover from the attack. There are five reasons for ransomware recovery failure. If these reasons aren’t addressed, your organization will also be part of the 46% that was successfully attacked and the 67% of that group that had to pay the ransom. The current average ransom payment is $228,000, which means a potential $35 million in ransoms were paid by this group, shaking their ransomware recovery confidence.

The five reasons for ransomware recovery failure are:

  1. A lack of frequent backups of ALL data
  2. The vulnerability of backup data copies and backup application metadata
  3. A slow recovery process that makes paying the ransom tempting
  4. The lack of an isolated recovery environment known to be free of malware
  5. The lack of testing. Ransomware recovery is different.

Our next webinar, “Beat Ransomware – How to Turn a Data Protection Double Play,” explains how doubling up on backup software and hardware protection features can create a ransomware recovery strategy to overcome these five shortcomings.

Ransomware Recovery Requires Frequent Backups

The first step in achieving ransomware recovery success is to increase the frequency of backups. Once a night is no longer enough. The goal is to reduce your threat exposure window so the amount of data lost after the attack is minimal. Modern backup software applications now deliver technologies like block-level incremental (BLI) backups to minimize the amount of data transfer and enable backups throughout the day of all data, not just so-called mission-critical data. Attacked organizations may be able to bring mission-critical systems back online but then still end up paying the ransom to regain access to non-mission-critical data.

The problem is the increase in backup frequency and scope puts a strain on the backup infrastructure. Backup data flow is now random instead of sequential, and the backup storage hardware may be unable to keep pace.

Look for a backup solution that leverages flash storage to keep pace with the high number of BLI backups. This requirement does not mean the organization must use an all-flash storage system for backup. Instead, it needs a solution with intelligent auto-tiering that optimally uses flash and hard disk drives to power through these backups while keeping costs in check.

Ransomware Recovery Requires Protected Backups

Bad actors know that IT will look toward their backups as a means to recover, so, increasingly, they go after those first before encrypting anything else. The second of the five reasons for ransomware recovery failure is the vulnerability of backup data. A successful ransomware recovery strategy requires hardening the two types of backup application data; copies of the production data they are assigned to protect and the metadata it creates so you can find data when needed.

Most modern backup applications support moving data to an immutable storage system, typically an object store. The problem is that most object storage systems cannot sustain the high random ingest rates the increase in backup frequency requires. Most backup vendors suggest two systems to meet the demands of increasing backup frequency and backup data hardening.

The problem is the backup data is exposed until the backup process completes and the backup software can transfer the data to the immutable storage system. There is also the challenge that IT now has two essential but separate storage systems to manage and maintain within the backup infrastructure.

overcome the five reasons for ransomware recovery failure by protecting backup data
Lock and shield your backup data from attack

Backup metadata is also a prime target of ransomware attacks. While most backup software applications can rebuild the metadata index, it does take time. The bad actor’s goal is to slow down the recovery process to make paying the ransom more appealing.

Look for a backup solution that can make the copies of production and backup metadata immutable within seconds of it landing on the backup storage target without having to transfer to a secondary system. The solution should also be able to present an object store so that you don’t need to support and pay for multiple storage systems.

Ransomware Recovery Requires Rapid Restores

Another challenge that forces organizations to give up on their ransomware recovery tools is the time it takes to restore data. Part of the time delay is identifying a known good copy. Another delay is the time it takes to instantiate the data for user access. According to a recent Sophos survey, the average time to recover from a ransomware attack is over one month. The temptation of paying the ransom and getting your data back “instantly” is appealing, but that same survey found that only 4% of the organizations that paid the ransom got all their data back!

Modern backup applications have features like instant recovery to eliminate network transfer times. However, suppose your applications and users expect all-flash or hybrid performance. In that case, they may not appreciate executing an instant recovery to a hard-drive-only backup storage target. The instant recovery process adds additional overhead, which also decreases performance.

Look for a backup storage target that can deliver production-class performance. If the solution uses the flash tier intelligently, as described earlier, it can reallocate capacity on that tier so that instantly recovered data will perform similarly to production.

Ransomware Recovery Requires an Isolated Recovery Environment

Of the five reasons for ransomware recovery failure, the fourth, the lack of an isolated recovery environment, is the most overlooked. During a recovery, malware trigger files may continue to lurk on production storage, ready to reinfect any recovery attempt. Most organizations have no answer to this problem, and suggestions from industry analysts reflect an “it’s not in my budget” mentality. Most organizations can’t justify a system sitting idle in the data center waiting for ransomware recovery.

Look for a backup storage target that can build on the instant recovery performance described above to deliver standby storage. A backup storage target with this capability is highly available and has enterprise storage features like snapshots and replications. There are reasons beyond ransomware recovery for standby storage, but its ability to see an organization through an attack is invaluable. Most importantly, the standby storage capability requires only a minimal addition in backup storage costs.

Test, Test, Test

Another major factor in ransomware recovery success is testing. Most organizations don’t test the ransomware attack scenario specifically. Ransomware recovery is fundamentally different than disaster recovery (DR). In a disaster, your primary data center is gone, or at least unavailable. Your DR site has a known good copy of data and is likely not experiencing the same disaster. Depending on the disaster, your users and maybe even most of your customers also deal personally with the disaster. As a result, they will not pressure you for immediate access to their applications. You can’t take weeks to recover, but you have more time than you think to recover from a natural disaster.

During a ransomware attack, the data center appears to be fine, but the data is corrupted. There is a good chance that replicated copies of that data at the DR site are also unusable. Production storage is available, but restoration will likely happen to an environment still under attack. Users are on their laptops, ready to get to work and waiting for you to fix the problem. Sadly, time is of the essence, and there is the temptation of paying the ransom.

Learn More

Overcoming MSP Storage Challenges

by

To increase their monthly recurring revenue (MRR), Managed Service Providers (MSPs), must focus on overcoming MSP storage challenges. These organizations typically start with a particular area of specialization, such as backup, or virtual desktop infrastructure (VDI), and then try to increase their MRR by offering additional services to those customers while also continuing to onboard new customers. The problem is that each new service offering often requires a storage system different than the original.

MSPs deal with potentially the worst case of storage sprawl. Not only are they managing five to six different storage systems, but each customer is also using some or all these systems. Overcoming MSP Storage challenges require that they follow a unique set of guidelines.

Register for Our Live Webinar

MSPs Must Consolidate Storage

Storage Sprawl tops the list of MSP storage challenges. Adding a storage system for each new service offering cuts into its potential profitability and may even add so much operational overhead that it makes other service offerings less profitable. To overcome sprawl, MSPs must look for a storage system that can support multiple workloads and consolidate the infrastructure into a single storage solution. Today’s storage hardware (controllers and media) can support multiple use cases simultaneously. The problem is that the traditional storage software, common in today’s storage systems, is not optimized to use high-performance flash drives or high-density hard disk drives efficiently. StorONE’s architecture rethinks storage I/O for maximum hardware efficiency and utilization. Where other vendors throw hardware at the problem, StorONE throws efficiency. The results are lower costs and reduced data center footprint requirements.

However, the variety of MSP use cases is extreme, ranging from backup to virtualization to databases. An MSP storage solution must not only be able to support this range of I/O profiles but also ensure that one workload does not starve another for resources. StorONE’s Virtual Storage Containers (VSC) enable MSPs to create storage tenants per service or clients within the service. Each VSC can have a unique performance profile, drive redundancy setting, and data protection configuration. VSCs can be templated, dramatically reducing management overhead, provisioning time, and eliminating configuration mistakes.

MSP Storage Must Be Ransomware Resilient

Ransomware is a problem for every data center, but the problem is magnified in the MSP data center. A breach means that dozens, maybe even hundreds of businesses are now at risk. MSPs are becoming high-profile targets. MSPs have the added challenge of customer mistakes leading to a breach, even if the MSP has followed all the best practices. Customers will still expect the MSP to recover their data.

Overcoming MSP Storage Challenges requires ransomware resiliency.

Protection against an attack is an excellent first step, but eventually, an attack will work through its defenses, and MSPs will need a ransomware recovery strategy. That strategy must include frequent data protection captures, immutable storage of protected data, and an isolated recovery environment. With these components in place, the MSP can return its customers to a safe and fully operating environment within minutes.

StorONE offers its 360° Data Protection capability, which enables organizations to continuously protect data and store the protected copies in a space-efficient, immutable state. If a ransomware attack hits a customer’s VSC, the MSP can use the immutable copies to return the customer to production within minutes of the attack.

MSP Storage Must Be Flexible

MSP growth is hard to predict; it can come in spurts as the MSP launches new services or slow and steady as it adds new customers. MSPs need the flexibility to accommodate these conflicting growth patterns. They need to be able to granularly add capacity and performance in response to growth. The storage solution should not force them into using a specific media manufacturer, type, or capacity. It should also not force the MSP to add entire shelves or nodes. MSPs require the flexibility to meet today’s needs today, and the scalability to meet tomorrow’s needs tomorrow.

With StorONE, MSPs can add flash or hard disk drives from various manufacturers and of different densities. The MSP can add as few of these drives as the storage enclosure allows. Even though the drives are mixed, the MSP enjoys the full performance and capacity of those drives. StorONE’s VSCs extract the drive hardware from the MSP service or customer use case.

MSP Storage Must Be Future-Proof

Migrating data from an old storage system to a new one is challenging for any organization. The storage migration challenge for MSPs, again is magnified because they are not only moving data but also moving customers’ data. One mistake can cost them. The best migration is no migration; the storage solution should adapt and evolve, eliminating storage refreshes and migrations.

MSP Storage must be Future-Proof

StorONE’s ability to use VSCs to abstract storage hardware from the applications it services enables MSPs to add new hardware gradually. Administrators can add newer, higher-density, or higher-performing drives as they become available. If a drive reaches the end of life, remove it, and StorONE’s vRAID technology will automatically rebuild the new drive in record time (minutes for flash drives and a few hours for hard disk drives).

StorONE’s efficiency delivers massive performance and scalability from mid-range servers, which we turn into storage controllers. Those controllers will age out, and you may need more motherboard bandwidth in the future. With StorONE, MSPs can non-disruptively replace storage controllers and seamlessly move to next-generation PCIe buses.

Conclusion

Overcoming MSP Storage challenges is possible with StorONE. An MSP adopts a storage strategy built on a modern single storage engine. This engine can provide a broad portfolio of solutions supporting a wide range of workloads that can increase MRR without reducing profit margins. At the same time, they can improve their ransomware resiliency to the point that it can become an additional service offering within the MSP.

To learn more, register for our webinar “Increase MRR by Reducing Storage Complexity”, live on September 29th at 1:00 PM ET / 10:00 am CT.

Optimizing Veeam Backup Storage

by

With innovations like change block tracked backup, a scalable repository, and instant recovery, IT professionals should prioritize optimizing Veeam backup storage. Without proper optimization of the backup architecture, IT can’t realize the full potential of Veeam’s innovations.

Veeam Backup Storage Needs Flash

The granular data movement capabilities of Veeam’s change block tracking (CBT) backups enable customers to increase backup frequency which should improve recovery point objectives (RPO). The problem is that while CBT backups are easy on the network, they require a lot of random IO performance from the backup target.

The IO profile of CBT IO profile is highly randomized and needs a storage system to respond to that randomization. Hard disk technology can’t keep pace with dozens or even hundreds of simultaneous backup jobs landing on the backup storage target every hour. Flash storage, however, can handle these high-frequency backups, and it should be a component of every backup storage target.

Veeam Backup Storage Needs Hard Disks

While flash storage is critical to improving RPO, we are not at a point where an all-flash backup storage target makes sense. Flash is still too expensive to compete with hard disk drives. An 18TB hard disk drive is 1/10th the price of a 15TB flash drive.

Most legacy vendors shy away from using high-density hard disk drives for fear of customers’ slow recovery from drive failure complaints. We repeatedly speak to IT professionals that tell us they are experiencing RAID rebuild times over three days with 8TB drives, let alone 18TB drives, which will take even longer.

Veeam Backup Storage Needs Flexible Immutability

Veeam is doing an excellent job advancing state-of-the-art ransomware detection and protection. However, you can never have enough immutability. Protection from ransomware attacks requires instant immutability across all protocols without transferring to another storage silo. You also need to make sure any instantly recovered virtual machines or applications can be protected until you can ensure the environment is clear of any remnants of the malware.

You Need Production Class Recovery

Veeam’s instant recovery feature is a critical innovation that enables a virtual machine’s data to be instantiated on the backup storage target, eliminating network transfer time. The problem is that legacy backup storage devices don’t have the performance or availability to provide a production-class environment, forcing IT to move that VM into production quickly. Also, if the data center is experiencing a ransomware attack, instantly recovered VMs data is exposed to reinfection.

StorONE’s S1:Backup is Optimized for Veeam

StorONE’s S1:Backup is optimized to elevate Veeam’s innovation. Its flash-first technology enables the rapid ingest of data. You can improve RPO by executing dozens of simultaneous backup jobs. However, StorONE’s S1:Backup is not flash-only. We intelligently integrate flash and hard disk drives to deliver performance and affordable long-term cost savings.

Optimizing Veeam Backup Storage
S1:Backup Optimized Veeam Backups

S1:Backup provides immutability within seconds of the completion of each backup job. There is no data transfer to an immutable secondary volume or a secondary storage system. While S1:Backup supports S3, you can also enjoy immutability across all block and file protocols.

Finally, S1:Backup provides a production class recovery environment within the same storage system. During a recovery, flash is dynamically reallocated so that capacity is available to host instantly recovered VMs and applications. The solution has built-in high availability and provides the same immutable protection of the instantly recovered VMs that it does for backup data.

StorONE, ONE backup solution for Veeam

StorONE rewrote the IO stack, and we own the entire IO path as data travels through our platform.

Optimizing Veeam Backup Storage with S1:Backup also provides 360° Ransomware Protection
S1:Backup Provides 360° Ransomware Protection

We also rewrote erasure coding to deliver the fastest recovery from drive failure. We even optimized tiering to accommodate the backup use case.

Combining these innovations means StorONE can deliver consistently high performance from a handful of flash drives, affordably meeting your RPO and RTO demands. It also means you can safely use high-density hard disk drives as our vRAID recovers from a drive failure of even the highest density hard disk drives in less than three hours. You can also seamlessly integrate new higher density drives without needing to create new volumes and reconfigure backup jobs. Optimizing Veeam Backup Storage with S1:Backup also provides 360° Ransomware Protection.

Learn More

Join StorONE for our next live webinar: “Four Ways to Optimize Veeam Backup and Recovery.”

What is 360° Ransomware Protection?

by

IT professionals need to look for 360° Ransomware Protection of their backup infrastructure. Bad actors know that the backup infrastructure is critical in recovering from their ransomware attacks and avoiding paying the ransom. As a result, they target backup data and metadata to make recovery impossible or slow the process down.  

As we will discuss in our upcoming webinar “Three NEW Ransomware Exploits – How to Close the Backdoor” 360° Ransomware Protection shuts the backdoor that legacy backup storage solutions leave open. 

360° Ransomware Protection Requirements:

  • Improve Protection of production data by increasing backup frequency and improving recovery point objectives (RPO).
  • Improve Protection of protected data by providing instant immutability across all protocols. 
  • Improve Protection of Backup indexes and configuration files by hosting them on the backup storage target, storing them immutably while not impacting performance. 
  • Improve the Recovery Environment with standby storage to deliver on-demand production class performance on the backup storage target. 

Improve Protection of Production Data

Ransomware’s primary goal is still to encrypt your production data. The number one responsibility of any backup infrastructure is to ensure that production data is protected. Improving protection means enabling more frequent data capture events in the ransomware era. Using change block tracking (CBT) or block-level incremental (BLI) backup, organizations should be able to backup every hour instead of once per day. The problem is legacy backup storage solutions can’t keep pace with the dozens of backup jobs per hour this schedule would create. 

Increasing backup frequency using CBT or BLI backups creates another challenge. Backup software can only support so many of these jobs before they must consolidate them and synthetically create a new full backup. While full-synthetic backups eliminate the need to perform full backups over the network, they are very IO intensive. Legacy backup solutions can’t handle the IO demands of synthetic fulls, and most customers find that an over-the-network full backup is faster than the synthetic process. 

360° Ransomware Protection Improves RPO

The 360° Ransomware Protection capabilities of S1:Backup enable customers to take full advantage of CBT/BLI capabilities. They can execute backups every 30 minutes or less. The high-performance flash tier of S1:Backup can easily handle the dozens, even hundreds, of simultaneous data capture jobs this design can create. While an All-Flash Backup is not necessary, StorONE can provide a cost-effective, high-capacity flash tier sufficient to store an entire full backup + incremental jobs. When it is time to create a new synthetic full, StorONE’s ability to keep these most recent jobs on the flash tier means that the consolidation effort occurs in record time. 

Improve Protection of Protected Data

The copies of production data that the backup infrastructure stores are critical to a successful ransomware recovery. Protecting that data from being encrypted is now a new responsibility of backup storage targets. The backup storage target must provide immutability and it must provide some form of a physical or virtual air gap. 

ransomware protection

Most legacy backup storage targets don’t provide either of these capabilities. To compensate, many backup software vendors add another storage silo to their backup infrastructure to provide these capabilities. The addition of even more storage silos leads to further complexities and costs. First, additional jobs must be created to move the data from the primary backup storage target to the immutable storage target, which adds to operational overhead. Second, a data transfer needs to occur when moving data from the primary backup storage device back across the network to the immutable storage device, which takes time and may require additional networking. Third, most of these immutable systems force customers to learn a new storage protocol like S3/Object, again adding to operational costs. 

While storing protected data immutably is essential, the cost of that process can’t be so expensive that only a few organizations can afford it. The practice also can’t be so complicated that most organizations can’t consistently apply it. 

360° Ransomware Protection Provides Instant Immutability

S1:Backup’s 360° Ransomware Protection capabilities include making an immutable copy of every backup job less than 30 seconds after it completes, regardless of what protocol the backup infrastructure uses to transfer data. It does not require a separate storage silo or the scheduling and maintaining of additional backup jobs. The copies are capacity efficient and can be retained for months, creating a virtual airgap. S1:Backup’s immutability is simple, consistent, and transparent. S1:Backup can even alert you of a potential attack, so you can stop it early. 

Improve Protection of Backup Metadata

Recent attacks like the one that impacted Kronus, show that immutability by itself does not beat ransomware. Bad Actors also target backup metadata, the indexes, and configuration files that backup software creates. Without this data, the backup software does not know what production data it protected or where it stored it. Backup metadata is usually stored directly on the server that hosts the backup application, making it vulnerable to failures beyond ransomware. 

While most backup applications can recreate this data from manually scanning the files that store production copies, the process can take weeks to complete in some cases. Until the process is complete, you can’t recover data. 

360° Ransomware Protection Protects Backup Metadata

The 360° Ransomware Protection built-in to StorONE’s S1:Backup also protects backup metadata. It does this not by forcing you to create a separate task to copy the metadata. Instead, the performance of S1:Backup enables you to directly host backup metadata on our solution and apply the same immutable policies to it that you apply to protected data. If the ransomware attack gets to your backup metadata, you are less than 30 seconds away from a known good copy. Most customers will find that operations like searching for a file version will execute faster, making the backup application more responsive. Only StorONE’s S1:Backup can host backup metadata on the same system as the protected data and provide instant immutability to both. 

Improve Recovery Performance

The first three steps provide a quality data capture infrastructure and data resiliency, but a ransomware attack brings new recovery challenges. There is more pressure to recover quickly after a ransomware attack because your data center is physically intact, the lights are blinking, and users can’t figure out why it is taking you so long! There is the added pressure of paying the ransom, which may seem like the easy way out. 

Another challenge is you need time to disinfect your production storage properly. As the attack on Kronus proves, it can take months to disinfect your environment correctly and confirm which data sets were infected. This challenge conflicts directly with the need to recover quickly. 

360° Ransomware Protection Provides Sterile Standby Storage

For years, backup software solutions could instantiate virtual machines and applications on the backup storage target. The problem is the performance of these targets is disappointing in the production use case. In addition, the protocols supported are minimal, usually just one. Finally, they don’t have the high availability that organizations require of production systems. 

StorONE’s S1:Backup is the first backup solution to provide these instantiated VMs and applications with performance similar to production. For a prolonged outage, as Kronus experienced, a native restoration provides even better performance. It also provides full protocol support and complete enterprise-class availability.

Wrapping it Up

360° Degree Ransomware protection enhances your current backup software application to provide a complete ransomware protection and recovery environment. It enables you to recover from an attack quickly without the expense of buying new software and the overhead of learning how to use it. Each element of the strategy is critical to closing the circle. If your current backup storage target can’t improve RPO, protect protected data from the backup metadata, and provide a sterile standby storage area, then you are exposed to a potential attack and should check out our webinar.

Ransomware’s Backdoor

by

As IT professionals look to shore up their defenses against ransomware, they must understand ransomware’s backdoor. Ransomware’s frontal attack is well known. A compromised system or clicking the wrong email link can deposit a ransomware trigger file. That trigger file replicates itself and, then as quickly as possible, starts encrypting production data. At that point, most IT professionals turn to their backup software and start recovering data. The problem is that while this attack is going on, or increasingly before the frontal assault begins, ransomware is using the back door which your backup storage vendors have left open, making recovery much more difficult. Ransomware uses the Backdoor to:

• Encrypt Backup Data

• Encrypt Backup Metadata

• Slow down attempts to recover data

If the Ransomware attack is successful at any of these three backdoor entry points, you may be forced to pay the ransom even though you have a solid backup strategy. It is time to close the back door! In our upcoming webinar, “Three NEW Ransomware Exploits – How to Close the Backdoor,” we will detail these new exploits and provide ways that you can prepare for them and beat them. 

Ransomware Backdoor # 1: Encrypting Backup Data

The first ransomware backdoor exploit is backup data, the copy of production data that the backup architecture is storing. Even unsophisticated ransomware attacks may see success in this effort by accidentally stumbling upon the backup mount point. However, ransomware is increasingly targeting the backup storage repositories first, then moving on to encrypt production data. If the attacker can encrypt your backups and production data, you will likely have to pay the ransom.  

ransomware backdoor

The answer is to make sure that all your backups are stored immutably. Most immutable solutions can’t perform well enough to be the first backup ingest point, and they can’t be deemed suitable for recovery. Organizations are forced to implement yet another storage system and learn another protocol. And as we discussed in our blog, “Does Immutability Beat Ransomware,” you need more than immutability to beat ransomware. 

Ransomware Backdoor # 2: Encrypt Backup Metadata

Another ransomware backdoor exploits encrypting the data that the backup-server software needs to operate, its indexes, and configuration files. Without access to these files, you can’t recover data, regardless of where you store it or whichever media format you choose. The good news is you may be able to rebuild this information; the problem is that rebuilding an index requires manually rescanning every single backup job (if they are not corrupted), which can take hours, if not days. 

Ransomware Exploit # 3: Slow Down the Recovery Process

The final ransomware backdoor is for the malware to slow down your recovery efforts. If it takes you days or weeks to recover, you may be tempted to pay the ransom. Encrypting backup metadata is an example of slowing down the recovery effort. Ransomware tries to replicate itself repeatedly, changing its file name to make it hard to detect. As a result, even after you have identified the attack and the source file, there may be dozens of copies of that file scattered throughout your data center’s storage environment. When you restore data into this infected environment, the ransomware works to encrypt the data a second time rapidly. 

Close The Backdoor with 360° Ransomware Protection

Closing the backdoor that Bad Actors are using to exploit your environment is critical to surviving the attack and not paying the ransom. It would be best if you built a wall of protection around your data to make sure that your recovery efforts are not only successful but happen quickly. StorONE’s S1:Backup provides 360° Ransomware Protection that closes the back door and reinforces the “front door.” S1:Backup’s 360° Ransomware Protection provides

• The total value out of block-level backup technologies to backup more frequently, lowering the recovery point objective. 

• The complete immutability of every backup job across any storage protocol, protecting data from a ransomware attack. 

• The performance backup software vendors need to host backup metadata from storage. Once actively used on S1:Backup, all backup metadata is also stored immutably. Most customers also see improved backup application operations like searching for file versions.   

• A Sterile Recovery Target that delivers production-class performance and features at backup storage prices. S1:Backup will dynamically reallocate its flash tier during recovery to deliver needed performance for these applications or data sets. IT can run S1:Backup as production for weeks while they take the time to complete the necessary forensic work to root out the ransomware trigger files. 

Learn More

A Complete Ransomware Recovery Strategy

by

One of the challenges IT faces when developing a complete ransomware recovery strategy is to think holistically about the process. Focusing on just one capability may expose the organization to ransomware damage in other areas. IT needs a 360° Ransomware Recovery Strategy that protects production data backup metadata and rapidly returns the organization to an operational state.

The Elements of a Complete Ransomware Recovery Strategy

  • Frequent Backups
  • Immutable Storage
  • Rapid Recovery
  • A Sterile Recovery Environment
  • Affordability
a complete ransomware recovery strategy

Ransomware Recovery Requirement 1: Frequent Backups

For years (decades?), backup vendors have claimed: “it is all about recovery!” While recovery is a critical part of a ransomware recovery strategy, it is not all about recovery. If your architecture doesn’t enable you to execute fast, frequent backups, your recovery point objective (RPO) may lead to losing hours and even days’ worth of data. This delay may lead to a temptation to pay the ransom instead of completing the recovery process. A complete ransomware recovery strategy requires the frequent protection of production data. Also if that data isn’t written securely to persistent media, there may not be quality data for recovery.

Ransomware Recovery Requirement 2: Immutable Storage

Immutable storage is critical to your ransomware recovery strategy. Your backup storage target should store every backup in an immutable state and be able to retain that state for months without impacting performance. It should also store your backup software’s metadata in an immutable state, which means your backup storage target needs to deliver the performance your backup-server software requires to update these files quickly. If the ransomware attack encrypts either the backup data or the backup metadata, you might not be able to recover anything. A complete ransomware recovery strategy requires immutable storage of the protected data and the backup configuration files and indexes.

Ransomware Recovery Requirement 3: Rapid Recovery

Frequent backups and protected storage of that data set the stage for a successful recovery. However, these recoveries have to be some of the fastest IT has ever done since they are under pressure from users and application owners who want to get back to a productive state as quickly as possible. There is also pressure from the executive team, weighing the cost of paying the ransom versus the time it will take for IT to complete the recovery. Finally, there is the possibility that the “bad actors” have set a time limit for you to pay the ransom, or they will delete all your data. A complete ransomware recovery strategy requires that instant recoveries or even native recoveries occur quickly. Backup storage needs to provide the ability to host production data with a performance profile similar to that of the production environment.

Ransomware Recovery Requirement 4: A Sterile Recovery Environment

Unlike a natural disaster, the state of your production storage after a ransomware attack is at best “unknown.” Ransomware trigger files often make copies of themselves as they encrypt your environment. If IT doesn’t have the time to complete the forensic work, which can take hours, to ensure the removal of these files, then the likelihood of reinfection, with even less “pay the ransom” time, is very high.

A complete ransomware recovery strategy requires a sterile recovery environment. It buys IT time to remove the trigger files properly and potentially the infected data as well. The sterile recovery environment needs to deliver production-class performance and reliability to get the time IT needs to inspect the production environment thoroughly. The sterile environment also needs to protect itself with immutability. The need for a sterile recovery environment is new because of ransomware but is helpful for recovery from many other outages. To learn more, read our latest Whitepaper,” What is Standby Storage.”

Ransomware Recovery Requirement 5: Affordability

The ransomware recovery strategy has to be affordable. Part of a 360° Ransomware Recovery Strategy means that all applications and data are protected the same way. Today, IT has to piecemeal this type of strategy together using solutions from multiple vendors, which significantly raises the purchase, implementation, and operational costs. The fragmentation also forces IT to either pick which component of the strategy to implement, which leaves open attack vectors, or pick only a few data sets to protect, which means the rest of the environment is still exposed.

It should also intelligently leverage flash and high-density (20TB) hard disk drives to keep costs low. Using a hard disk tier means the solution needs to rapidly recover from a drive failure because RAID Rebuild times are more relevant than ever.

Delivering a 360° Ransomware Recovery Solution

Implementing a 360° Ransomware Recovery Strategy means IT needs to look for a single solution that can provide cost-effective backup storage while meeting the five previously listed requirements. The solution needs a small flash tier to handle the hourly ingest of backup data from dozens, if not hundreds of virtual machines, application servers, and NAS systems. The flash tier should be large enough to support recovery and enable customers to use backup-server applications with “instant recovery” features to exploit that capability fully.

A 360° Ransomware solution should also support the native restoration of data and become Standby Storage. It should provide native sterile volumes mountable via any storage protocol and enterprise-class performance and availability. Standby Storage is valuable for more than just ransomware recovery by also providing a recovery area during a storage controller failure or storage software failure.

Only StorONE’s S1:Backup delivers all of these capabilities in a single, cost-effective solution that is easy to implement and operate. To learn more, watch our on-demand webinar “Beat Ransomware with Standby Storage.”

Learn More About the Hidden Cost of Dedupe

  • This field is for validation purposes and should be left unchanged.