How to Respond to a Ransomware Attack the Right Way

It seems that every day we see another ransomware headline. But too often, backup and data protection solutions treat ransomware recovery just like any other type of recovery. The truth is recovery from ransomware has different requirements (and different best practices) than recovery from fire, flood, or hardware failure.

Here are some of the major differences between these two types of disasters:

| Consideration | Physical/Natural Disaster | Cyber Attack |
|---|---|---|
| Recovery time | Close to instant | Reliable and fast |
| Impact of disaster | Regional, typically contained | Global, spreads quickly |
| Data volume impacted | Comprehensive, all data | Selective, targets foundational services |
| Recovery technique | Standard DR, failback | Selective, part of incident response plan |

When ransomware isn’t the issue, you want the fastest possible recovery back to your original device or location. You want to minimize downtime and get back to normal as quickly as possible. This is what many backup and disaster recovery solutions are built to do.

However, when cyber criminals attack your network, a more nuanced response is called for. Of course, you want to minimize downtime and become operational as quickly as possible, but instantly restoring back to your original location can actually cause more problems.

There are two major risks:

  • Potentially restoring malware back into your production environment
  • Contaminating what has essentially become a crime scene, making forensic investigation difficult or impossible

In this scenario, you’ll be best served by data protection software that reduces the size of the attack surface and helps you recover to a secondary or sandbox environment while the investigation is underway.

Reducing the Attack Surface

Cove Data Protection™ reduces the attack surface in two ways. First, it isolates backup copies by default. Cove was built cloud-first, meaning that every backup is sent offsite, isolated in our private cloud, with no need for a local appliance to act as the “middleman.” This puts your primary online backup storage off the local network, out of the reach of ransomware.

But cloud-first doesn’t have to mean cloud-only. If you choose to, you can keep an optional local copy for recovery at LAN speed, using an existing network share or the hardware of your choice and Cove’s LocalSpeedVault (LSV) feature. The difference is that, if ransomware attacks this local copy, your primary backup storage is unaffected.

By contrast, traditional image backup products were built local-first, later bolting on additional mechanisms to push those backups to offsite storage. This adds varying levels of cost and complexity, often requiring additional licenses and manual configuration. Some vendors provide cloud storage, others leave it up to the customer to find, purchase, configure, and manage. Cove includes cloud backup storage, with 30 data centers to help you keep data in region.

The second way Cove reduces the attack surface is by taking the backup application itself off your network. Bad actors typically operate by attacking the applications and data your business needs, then going after backup copies and the infrastructure used to recover those backups: your data protection application.

Because Cove is a fully hosted SaaS application, your recovery mechanism is also safely off the local network, ready for you to log in and begin the recovery process from anywhere.

With Cove, your backup files and your disaster recovery infrastructure are all off the network, resulting in a much smaller attack surface for malware and putting you in a much better position for recovery.

There are other considerations to keep in mind when recovering from ransomware. That’s why N‑able worked with Arcas Risk Management to deliver a webinar on World Backup Day. You can listen to the full discussion with Arcas on “Cyber-Response Missteps that Can Cost You,” here: https://youtu.be/ON28_27swIo

Carrie Reber is senior product marketing manager for N‑able.

If you are interested in finding out more about Cove Data Protection, N‑able will be at stand R49 at InfoSec Europe 2022.

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
