Recovery from ransomware: How backup vendors can help
A ransomware attack is not your typical data loss event. Some data protection vendors get the picture and are incorporating ransomware-specific features in their products.
There have been several major ransomware outbreaks this year, and there will surely be more. Once you are infected with ransomware, restoring from backup is the best way to resume operation.
Backup vendors are in a rush to tell you how their products help customers with recovery from ransomware. The reality is that most simply treat ransomware the same as any other data loss: Restore from your backup and the job is done. Some of the newer backup companies have different ideas, particularly if they have insight into the data that is stored in your backups.
The first point is that stopping a ransomware infection is not a backup issue. There are antivirus and network security products whose job it is to keep threats out of the network. Backups are really just going to help you after an infection has made it into your network. No amount of backup will prevent an infection. These same detection tools can also help you identify and stop an infection, which are essential steps before you start recovery from ransomware and restoring from those backups.
The challenge is that we know ransomware is getting past these perimeter defenses and, in some cases, using unpatched vulnerabilities that we cannot see or stop. A further challenge is that ransomware infections have started to target backups, removing or encrypting them, and thus preventing recovery.
How backup software can help
There is a role for backup software as a steward of our data that detects unusual changes in it. One kind of unusual change is large swathes of data being infected or deleted, which shows up as an unusually large amount of changed data or metadata when the next backup runs.
Backup software that detects unusual rates of change could alert the backup operator or operations team of the anomaly. Unitrends shares this view, and it will notify someone when the profile of a backup is very different from the usual.
There are other backup products that are gaining analytics features, and some may gain ransomware insights. In its 5.5 release, Zerto has an analytics feature, and Cohesity has a platform for running data analytics across the backup pool.
Hopefully, we will see prebuilt analytics for these platforms that can detect ransomware. Alerting is nice, and having some automatic response would be great, too. Once an infection is identified, increasing the frequency of backups to reduce the potential data loss could help with recovery from ransomware. Notification that an infection has been cleaned up, by detecting a return to the normal rate of data change, would also be useful, as it would let you know that it is safe to start restoring.
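The change-profile check described above, written out as an added Python example that is not part of the article or of any Unitrends, Zerto or Cohesity product. The run history, the gigabytes-changed figures, the dates and the thresholds are all constructed; the statistic (median and median absolute deviation of the recent normal runs) is one reasonable choice for a baseline, not a vendor's algorithm.

```python
import statistics
from typing import List, Tuple

# Tunables (assumed values, not taken from any product).
BASELINE_RUNS = 7            # prior normal runs that form the baseline profile
MAD_MULTIPLIER = 5.0         # distance above the robust spread that triggers an alert
MIN_SPREAD_FRACTION = 0.10   # relative floor so a very flat baseline does not alert on noise
MIN_SPREAD_GB = 0.5          # absolute floor for the same reason

# Constructed sample: gigabytes changed per nightly backup job (hypothetical dates and values).
SAMPLE_RUNS: List[Tuple[str, float]] = [
    ("2017-09-01", 4.1), ("2017-09-02", 3.8), ("2017-09-03", 4.4), ("2017-09-04", 3.9),
    ("2017-09-05", 4.0), ("2017-09-06", 4.2), ("2017-09-07", 3.7), ("2017-09-08", 4.3),
    ("2017-09-09", 182.5),                      # mass encryption: a huge changed-data volume
    ("2017-09-10", 96.0), ("2017-09-11", 41.0),  # cleanup and partial restores, still abnormal
    ("2017-09-12", 4.1), ("2017-09-13", 3.9),    # back to the usual profile
]


def is_anomalous(history: List[float], value: float) -> bool:
    """True if `value` sits far above the median of the recent normal runs.

    Median and median absolute deviation (MAD) are used instead of mean and
    standard deviation so that a single outlier cannot stretch the baseline.
    """
    base = statistics.median(history)
    mad = statistics.median(abs(x - base) for x in history)
    spread = max(mad, MIN_SPREAD_FRACTION * base, MIN_SPREAD_GB)
    return value > base + MAD_MULTIPLIER * spread


def analyse_runs(runs: List[Tuple[str, float]]) -> List[Tuple[str, str, float]]:
    """Walk the run history in order and emit ALERT / RECOVERED events.

    ALERT fires on the first run whose change volume is far outside the profile;
    RECOVERED fires when the change rate returns to normal, i.e. the signal that
    it is safe to start restoring.
    """
    events: List[Tuple[str, str, float]] = []
    normal_history: List[float] = []
    suspected = False
    for day, changed_gb in runs:
        if len(normal_history) < BASELINE_RUNS:
            normal_history.append(changed_gb)   # still learning the normal profile
            continue
        anomalous = is_anomalous(normal_history[-BASELINE_RUNS:], changed_gb)
        if anomalous and not suspected:
            suspected = True
            events.append(("ALERT", day, changed_gb))
        elif not anomalous and suspected:
            suspected = False
            events.append(("RECOVERED", day, changed_gb))
        if not anomalous:
            normal_history.append(changed_gb)   # abnormal runs must not poison the baseline
    return events


def backup_interval_hours(suspected: bool) -> int:
    """Automatic response: tighten the backup interval while an infection is suspected."""
    return 1 if suspected else 24


if __name__ == "__main__":
    for event in analyse_runs(SAMPLE_RUNS):
        print(event)
```

Only runs judged normal feed the baseline, so a multi-day infection does not gradually become "normal" and mask itself; the absolute and relative spread floors keep a very steady environment from alerting on ordinary day-to-day variation.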
Recommendations for recovery
Even if backup software is not playing a role in detecting infection, it is still critical in recovery from ransomware. We already know that backups need to be protected, either offline or via tight security, to prevent a ransomware infection from encrypting them. Using dedicated storage appliances that are not part of the Windows domain or even cloud services can help.
Veeam recommends using Hewlett Packard Enterprise or Dell backup devices that have their own technology rather than a Windows file share.
Rubrik has its own backup appliances that, like many others, use deduplicated storage on a custom storage cluster. Deduplicated storage makes it simpler to keep backups for longer and prevent changes to those backups. Each backup is a collection of pointers to unique data blocks rather than being the whole set of data. Custom storage means that it is safe from Windows infections, since it is not on Windows or a Windows share.
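The pointer-to-unique-blocks model described above, as an added Python illustration that is not Rubrik's or any vendor's code. It shows two things the paragraph states: each snapshot is just an ordered list of block hashes, and because blocks are written once and never overwritten, a later backup of encrypted data only adds new blocks while the earlier snapshot restores bit for bit. The 16-byte block size, the ledger lines and the fixed-XOR stand-in for "encrypted" data are constructed for the demonstration.

```python
import hashlib
from typing import Dict, List, Tuple

# Deliberately tiny so the constructed sample shows the effect; real systems use KB to MB blocks.
BLOCK_SIZE = 16


class DedupStore:
    """Minimal content-addressed backup store (an illustration, not a vendor's design).

    Blocks are keyed by their SHA-256 and written once: a later backup can add
    blocks but never overwrite an existing one, so earlier snapshots stay
    restorable even if the source data was encrypted in between.
    """

    def __init__(self) -> None:
        self.blocks: Dict[str, bytes] = {}          # hash -> immutable block content
        self.snapshots: Dict[str, List[str]] = {}   # snapshot -> ordered block hashes

    def backup(self, name: str, data: bytes) -> Tuple[int, int]:
        """Store a snapshot; return (new blocks written, total blocks referenced)."""
        hashes: List[str] = []
        new = 0
        for offset in range(0, len(data), BLOCK_SIZE):
            chunk = data[offset:offset + BLOCK_SIZE]
            digest = hashlib.sha256(chunk).hexdigest()
            if digest not in self.blocks:           # write-once: never replace a block
                self.blocks[digest] = chunk
                new += 1
            hashes.append(digest)
        self.snapshots[name] = hashes
        return new, len(hashes)

    def restore(self, name: str) -> bytes:
        """Reassemble a snapshot from its pointers."""
        return b"".join(self.blocks[h] for h in self.snapshots[name])


# Constructed sample data: eight ledger lines, then a one-line edit, then an
# "encrypted" copy. A fixed XOR stands in for the real cipher; for the
# demonstration it only needs to be unrelated to the plaintext blocks.
ORIGINAL = b"".join(b"record %02d: ledger entry ok\n" % i for i in range(8))
EDITED = ORIGINAL.replace(b"record 03: ledger entry ok", b"record 03: ledger entry NO")
SCRAMBLED = bytes(b ^ 0x5A for b in EDITED)


def run_demo() -> Tuple[DedupStore, Dict[str, float]]:
    """Back up three days of data; return the store and the new-block fraction per day."""
    store = DedupStore()
    report: Dict[str, float] = {}
    for name, data in (("day1", ORIGINAL), ("day2", EDITED), ("day3", SCRAMBLED)):
        new, total = store.backup(name, data)
        report[name] = new / total
    return store, report


if __name__ == "__main__":
    store, report = run_demo()
    for name, fraction in report.items():
        print(f"{name}: {fraction:.0%} of blocks new")
    print("day1 restores intact:", store.restore("day1") == ORIGINAL)
```

The first full backup is necessarily all new blocks; a normal day touches a small fraction; the day-3 run of encrypted data looks like a first full backup again (every block new), which is also the change-rate signal discussed earlier. The old snapshots are unaffected because nothing in the store is ever modified in place.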
Primary storage has a role to play, too, particularly storage systems that are aware of the virtual machines that they hold and allow array-based snapshots of VMs. Primary storage is usually on a separate network and seldom uses Windows shares.
Following a ransomware attack, many backup products simply want to enable you to restore your data from the last backup. Ransomware is a very different type of data loss, and infected organizations could use a little more sophisticated help.
A handful of backup products have features or capabilities that treat ransomware differently. These products help their customers with more rapid recovery from ransomware. We should see more capabilities from other backup vendors as we keep seeing new ransomware infections.