2021 was the year of ransomware. You couldn’t watch or read the news without hearing about another business falling victim. Cybersecurity Ventures estimates that a ransomware attack took place every 11 seconds in 2021, with global damages reaching an estimated $20 billion – that is 57x more than it was in 2015. Unfortunately, the reality is that ransomware is here to stay, and every organization, regardless of industry or size, is a potential target.
To make matters worse, attackers are now targeting backups to limit the ability to recover. With backups as the new target, many organizations are asking themselves, “Can we rapidly recover from a ransomware attack?” This question can be challenging to answer, but the good news is that there are a few key questions that can help you determine if your backups can serve as not only your last line of defense but your best line of defense.
Let’s explore these must-ask questions and why they are important to consider. You can also complete the Rubrik Ransomware Recovery Assessment for a personalized assessment of your cyber preparedness.
1. What could a ransomware attack cost my organization?
The first question won’t help you understand if you can recover from a ransomware attack, but knowing what an attack would mean to your organization is essential. Everyone tends to agree that the risk posed by ransomware is more about “when” than “if” an attack will strike. However, what is often not understood is what an attack would mean in terms of costs and data loss. It’s important to remember that your risk isn’t limited to downtime. To fully understand your risk, it is just as important to consider the other potential costs related to loss of staff productivity and brand damage, possible legal fees, detection, investigation, notifying customers and regulators, and even post-breach response.
2. Is your backup data safeguarded from malicious encryption and deletion?
This next question is probably one of the most important to consider. After all, your ability to recover from ransomware almost certainly relies on having reliable backups. With bad actors now targeting backup data, maintaining immutable backups is key to ensuring you can recover your data after a ransomware infection and avoid paying a ransom. While primary storage systems must be open and available to client systems, your backup data should be isolated and immutable – that way, as soon as your data is written, it cannot be changed, modified, or deleted.
3. Can your backup data only be accessed via proprietary storage protocols to protect it from attackers?
As mentioned, attackers will routinely target backups to limit your ability to recover, making immutability key to ensuring your backup data cannot be changed, modified, or deleted. However, it is just as important to prevent your backups from ever being discoverable in the first place. Bad actors will often discover backup systems that are accessible via standard protocols such as NFS and SMB. That’s why it is essential that your backup and recovery solution leverage proprietary protocols and authenticated APIs to securely access data. This will block your data from being discoverable or accessible over the network, providing yet another strong layer of security.
4. Is your backup data secured with multi-factor authentication?
We have talked about protecting your backup data from external threats, but what about protecting your backup system itself? Attackers often use compromised credentials to gain unauthorized access to your backup system and wreak havoc on your environment to increase the likelihood you’ll pay the ransom. Multi-factor authentication is an effective security method that validates against either something you know or something you have. This additional authentication mechanism mitigates cyber attacks when an account is compromised. Without multi-factor, an attacker only needs compromised user credentials to gain system access.
5. Can you quickly assess which data files have been maliciously encrypted as part of a ransomware attack?
As you would expect, when ransomware strikes, it’s all about how quickly you can recover and get back to business as usual. However, as anyone who has experienced an attack would tell you, determining what files have been impacted during an attack is time-intensive and can dramatically prolong recovery. Therefore, you must be able to determine what files have been maliciously encrypted and where they reside to speed up recovery operations. Knowing what data to recover will prove to be just as important as having a clean backup.
6. Do you know where all your sensitive data resides?
All data is important, but certain types can be more critical than others. Knowing what data needs the highest protection and what doesn’t is crucial to mitigating risks. It helps you develop a solid data protection plan to secure different types of information with the appropriate levels of protection, or remove it from your network altogether. This is important because attackers can also threaten to exfiltrate your data, not just encrypt it. Understanding what sensitive data you have (e.g., PII, PHI, financial information) and where it resides will help you better protect it and help you determine if it was exposed during an attack.
7. Can you hunt for malware that has infiltrated your backup data?
Having backups to recover from is one thing, but ensuring you have clean backups is something else entirely. Attackers will often lie in wait, sometimes for months, gaining access to your systems and infecting key workloads and applications before initiating their attack. This can make identifying the last known clean backup difficult. Therefore, it is vital to proactively detect ransomware threats in your backup data. Without that detection, there is an increased risk of re-infecting your environment after initial recovery from an attack.
8. Can you rapidly recover your data and applications after a ransomware attack?
A recovery plan is critical, but it isn’t enough. You need a backup and recovery solution that can deliver the fast RPOs and RTOs you need. Not every recovery is the same, so it is critical to have a solution that offers options that range from near-instant recovery and mass restores to file-level recovery. Your ability to rapidly recover your data after an attack can be the difference between an inconvenience and a catastrophe, and it starts with having the right recovery options available. The faster you can recover the data you need, the more downtime costs and data loss you can prevent.
Traditional IT security defenses are failing. Attackers are breaching firewalls, bypassing endpoint protections, and targeting backups. The breakdown of the perimeter is driving a need for new backup and recovery requirements based on Zero Trust principles to deliver security at the point of data. Securing your data means securing your business, and it starts with being able to answer these questions.
Are you prepared to recover from a ransomware attack?
Check out the Rubrik Ransomware Recovery Assessment to assess your ability to recover with your current backup solution and how Rubrik can help you become even more resilient. The assessment also provides a potential cost range of a data breach for a company in your industry with a similar headcount.