How to Respond to a Ransomware Attack the Right Way
It seems that every day we see another ransomware headline. But too often, backup and data protection solutions treat ransomware recovery just like any other type of recovery. The truth is recovery from ransomware has different requirements (and different best practices) than recovery from fire, flood, or hardware failure.
Here are some of the major differences between these two types of disasters:
| Consideration | Physical/Natural Disaster | Cyber Attack |
|---|---|---|
| Recovery time | Close to instant | Reliable and fast |
| Impact of disaster | Regional, typically contained | Global, spreads quickly |
| Data volume impacted | Comprehensive, all data | Selective, targets foundational services |
| Recovery technique | Standard DR, failback | Selective, part of incident response plan |
When ransomware isn’t the issue, you want the fastest possible recovery back to your original device or location. You want to minimize downtime and get back to normal as quickly as possible. This is what many backup and disaster recovery solutions are built to do.
However, when cyber criminals attack your network, a more nuanced response is called for. Of course, you want to minimize downtime and become operational as quickly as possible, but instantly restoring back to your original location can actually cause more problems.
There are two major risks:
- Potentially restoring malware back into your production environment
- Contaminating what has essentially become a crime scene, making forensic investigation difficult or impossible
In this scenario, you’ll be best served by data protection software that reduces the size of the attack surface and helps you recover to a secondary or sandbox environment while the investigation is underway.
Reducing the Attack Surface
Cove Data Protection™ reduces the attack surface in two ways. First, it isolates backup copies by default. Cove was built cloud-first, meaning that every backup is sent offsite, isolated in our private cloud, with no need for a local appliance to act as the “middleman.” This puts your primary online backup storage off the local network, out of the reach of ransomware.
But cloud-first doesn’t have to mean cloud-only. If you choose to, you can keep an optional local copy for recovery at LAN speed, using an existing network share or the hardware of your choice and Cove’s LocalSpeedVault (LSV) feature. The difference is that, if ransomware attacks this local copy, your primary backup storage is unaffected.
By contrast, traditional image backup products were built local-first, later bolting on additional mechanisms to push those backups to offsite storage. This adds varying levels of cost and complexity, often requiring additional licenses and manual configuration. Some vendors provide cloud storage, others leave it up to the customer to find, purchase, configure, and manage. Cove includes cloud backup storage, with 30 data centers to help you keep data in region.
The second way Cove reduces the attack surface is by taking the backup application itself off your network. Bad actors typically operate by attacking the applications and data your business needs, then going after backup copies and the infrastructure used to recover those backups—your data protection application.
Because Cove is a fully hosted SaaS application, your recovery mechanism is also safely off the local network, ready for you to log in and begin the recovery process from anywhere.
With Cove, your backup files and your disaster recovery infrastructure are all off the network, resulting in a much smaller attack surface for malware and putting you in a much better position for recovery.
There are other considerations to keep in mind when recovering from ransomware. That’s why N‑able worked with Arcas Risk Management to deliver a webinar on World Backup Day. You can listen to the full discussion with Arcas on “Cyber-Response Missteps that Can Cost You,” here: https://youtu.be/ON28_27swIo
Carrie Reber is senior product marketing manager for N‑able.
If you are interested in finding out more about Cove Data Protection, N‑able will be at stand R49 at InfoSec Europe 2022.
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.