A Data Recovery Secret That’s (Really) Ransomware-Proof

May 27, 2022 | Retrospect, StorCentric


Cyber resilience is a top concern for businesses in every industry. A key reason for this is that businesses of all sizes continue to face an ever-increasing array of cyber threats including ransomware, malware, and spear phishing.

Ransomware is a particularly pernicious problem and a huge threat to organizations worldwide. According to Cybercrime Magazine, the collective cost globally of damage done by ransomware was approximately $20 billion in 2021, an increase of 100 percent year over year for the last four years, with this terrifying form of malware predicted to attack a business every 11 seconds. Hoping it will get better is a losing strategy, since the emergence of franchised ransomware-as-a-service (RaaS) as a multidimensional business model has made it easier than ever for cyberthieves to pull off their no-longer-just-linear crime spree.

As Barbara Kay reported in Forbes in 2021, “The attackers are responsible for penetrating the organizations, while the franchisers provide the encryption tools, communications, ransom collection, etc., all for a percentage of the ransom collected.” Kay explained that this model “permits talented hackers to use sophisticated and proven tactics, techniques, and procedures to perpetrate the attack, while outsourcing the commodity infrastructure proven out in several years of ransomware attacks.”

The Three Defense Layers

All in all, it’s a pretty grim prognosis for companies that do nothing to try to stop the ransomware threat. When an attack starts, organizations large and small need to detect ransomware as early as possible to defend their data. When they do so, they need not just one layer of defense but a three-pronged strategy:

  1. ProtectionThe first layer of data protection should offer businesses the ability to lock their backups and thus safeguard them for a specified time period, resulting in immutable backups.
  2. Detection: Beyond just protection, organizations also need an algorithm to help them notice source-volume changes that don’t fit the usual variance for behavior-based monitoring.
  3. Recovery: In the case that a ransomware attacker breaks through, enterprises also need a clear recovery path to restore their whole system (excluding affected files).

In short, what today’s organizations need is not only ransomware protection and but also ransomware detection capabilities, with a goal of achieving immutable backups and detecting anomalies in the environment that require immediate attention. Finally, for genuine cyber resilience, businesses must be able to harness recovery that’s truly ransomware-proof to restore their systems without restoring files that were damaged in a ransomware attack.

The Ground Level: Protection

Let’s start with the first layer of defense: protection. Central to this strategy is the ability to lock files for a designated period. Cloud storage providers (for example, Amazon S3) control the API, so they can opt for add-on features like Write-Once-Read-Many (WORM) storage or immutable storage.

Think of this lock as a “retention policy” for a certain version of a file, or a “virtual air gap” in the cloud. No one, including the administrator, can make changes to it because it’s effectively locked from any user modifying it. Unless you actually close the account, it’s impossible to delete the file prior to the retention date.

The Middle Layer: Detecting Anomalies

Part of protection involves detection, so a secret behind optimal data protection is to include a detection function. If IT administrators can detect ransomware before it’s too late, they will have the ability to block the threat. What’s required is for IT to be able to see and recognize flagged changes in an environment so they can remediate resources accordingly.

An ideal system for this will incorporate the ability to filter out innocuous changes and notify when anomalies come up.

The Icing: Recovery via Ransomware-Proof Restore

Finally, the piece de resistance of the tripartite solution is a recovery function. The protection and detection create a framework for what I think of as the icing on the cake:  restoration and recovery of any lost or damaged files. Ideally, this third layer will enable a “point-in-time” restore from an immutable backup from a time before the ransomware attack occurred. IT should be able to do this for a set of files or as disaster recovery (DR) for an entire system (think bare-metal recovery), restoring the backup to the original machine or to a new system.

Let’s imagine a worst-case scenario, which is unfortunately all too common. A ransomware attacker succeeded and encrypted one of your entire systems, and you’re stuck without a paddle: you have no unaffected backups. The three-level solution above will still let you recover and restore your entire system. Even though the backups have been contaminated by ransomware and ransomware-encrypted files, the “icing” layer of this solution can exclude corrupted files from the restore, using file-based data filtering during the restore process.

A three-pronged strategy of protection, detection, and recovery is the data recovery secret that’s truly ransomware-proof. It doesn’t try to get by with a partial arsenal of tools when the enemies are multiplying their attack methods and fortifying their approaches through RaaS. With the right tools in place to protect your backups, monitor your infrastructure, and restore your files from an immutable backup, your data will finally be safe and sound.