Consider using a strategy of quarantine when implementing a ransomware recovery strategy, as reinfection can easily occur.
Speaking as part of Druva’s Cloud Data Protection Summit, Charles Green, sales engineer at Druva, said the shift of data outside the company perimeter and firewalls led to an increase in ransomware payments, as well as more cyber insurance options to cover those payments.
He explained that there are a number of challenges when dealing with a ransomware event, and he said anything you can do “that could be automated should be automated,” including:
- Respond – quickly, via an automated or orchestrated response
- Prevent – the download of infected snapshots
- Identify – the last known good copy to recover from
- Recover – with confidence
That last point, he claimed, requires air gaps, as data protection is “a last line of defense when all your other preventative controls have failed.” He said that your data protection solution should be able to provide automated anomaly detection, especially where there is a large number of files added or deleted from a backup set. “This will all enable an administrator to identify a last known good copy that they can recover from,” he said.
“Also, while you’re working through your environment, you should be able to quarantine backups and prevent users from reinfecting the environment.”
He recommended using a more granular quarantine approach, rather than having to quarantine all data. If you are also able to quarantine by a specific date range, you will be able to restore from snapshots that are “known good” and you can continue to function as a business whilst this is going on.
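The two capabilities described above, anomaly detection on file churn in a backup set and a date-range quarantine that still leaves a last known good snapshot restorable, can be sketched as follows. This is an added example, not Druva's code or any product's actual logic; the snapshot metadata fields, the 20% churn threshold and the three-snapshot baseline window are assumptions chosen for illustration, and the snapshot data is constructed.

```python
from dataclasses import dataclass, replace
from datetime import date
from statistics import median


@dataclass(frozen=True)
class Snapshot:
    """One backup snapshot, with file churn measured against the previous snapshot.
    (Assumed metadata shape; real backup catalogues expose something similar.)"""
    taken: date
    files_added: int
    files_deleted: int
    total_files: int
    quarantined: bool = False


# Constructed sample: daily snapshots of one backup set. Jan 6 shows the
# mass rewrite/rename pattern of an encryption run, Jan 7 a mass deletion.
SNAPSHOTS = [
    Snapshot(date(2024, 1, 1), 120, 40, 10000),
    Snapshot(date(2024, 1, 2), 80, 60, 10020),
    Snapshot(date(2024, 1, 3), 150, 70, 10100),
    Snapshot(date(2024, 1, 4), 90, 50, 10140),
    Snapshot(date(2024, 1, 5), 110, 80, 10170),
    Snapshot(date(2024, 1, 6), 9500, 9500, 10170),
    Snapshot(date(2024, 1, 7), 200, 9800, 570),
]


def detect_anomalies(snapshots, window=3, ratio=0.2):
    """Flag snapshots whose added or deleted file count exceeds `ratio` of the
    median total file count over the previous `window` snapshots.
    The first `window` snapshots have no baseline and are never flagged."""
    ordered = sorted(snapshots, key=lambda s: s.taken)
    flagged = []
    for i in range(window, len(ordered)):
        baseline = median(s.total_files for s in ordered[i - window:i])
        threshold = ratio * baseline
        snap = ordered[i]
        if snap.files_added > threshold or snap.files_deleted > threshold:
            flagged.append(snap)
    return flagged


def quarantine_range(snapshots, start, end):
    """Mark snapshots taken within [start, end] (ISO date strings) as quarantined.
    Snapshots outside the range keep their existing state and stay restorable."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    return [replace(s, quarantined=True) if lo <= s.taken <= hi else s
            for s in snapshots]


def last_known_good(snapshots, window=3, ratio=0.2):
    """Return the most recent snapshot that is neither quarantined nor anomalous
    and predates the earliest quarantined snapshot; None if nothing qualifies."""
    anomalous = {s.taken for s in detect_anomalies(snapshots, window, ratio)}
    cutoff = min((s.taken for s in snapshots if s.quarantined), default=date.max)
    candidates = [s for s in snapshots
                  if not s.quarantined and s.taken not in anomalous and s.taken < cutoff]
    return max(candidates, key=lambda s: s.taken, default=None)


if __name__ == "__main__":
    for s in detect_anomalies(SNAPSHOTS):
        print(f"anomaly: {s.taken} added={s.files_added} deleted={s.files_deleted}")
    held = quarantine_range(SNAPSHOTS, "2024-01-06", "2024-01-07")
    good = last_known_good(held)
    print(f"quarantined: {[s.taken.isoformat() for s in held if s.quarantined]}")
    print(f"restore from: {good.taken if good else 'no clean snapshot'}")
```

Both the ratio and the window are tuning knobs: a baseline from recent history rather than a fixed count keeps the alert meaningful as the backup set grows, and the quarantine is applied per snapshot so restores from Jan 5 remain available while the Jan 6 and 7 snapshots are held.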
He also recommended remotely wiping devices to prevent further malware spread. This he called “defensible deletion,” as it deletes from both devices and backups, and is something that is very critical when you’re dealing with ransomware.
He said ransomware recovery tools, such as one provided by Druva, can be used “to quarantine snapshots, know where your data is being accessed from and also leverage things like our federated search and defensible deletion process” to deal with ransomware attacks.
Green said ransomware prevention is reliant on backup, which he said was critical and should be “secure by design; it should not be an add-on or an option.” He also said you should know that a backup set is protected, “and to get more from your backup, look for things like detective controls and anomaly detection that will alert you to a challenge to your environment.” He concluded by saying this will help you recover successfully and securely.