Ransomware became international news in the last week with the broad attack of the so-called WannaCry ransomware. Ransomware operates as a computer virus, infecting computers and typically spreading to as many systems as possible. The ransomware encrypts data on infected systems to block it from use and then demands a “ransom” to decrypt the data.
Much has been written about how to prevent ransomware from infecting systems. But how do you make sure you can recover your data if your business does become infected with ransomware? This article briefly explains steps to ensure recovery without paying the ransom.
Recovery from ransomware
When ransomware encrypts data, recovery can require going back to an earlier version of the data that has not been contaminated by the ransomware.
• Create regular backups and keep multiple backup versions
Ensuring systems are backed up is step one in helping to recover from ransomware. If a backup is taken after a ransomware attack, the backup copy likely will also be contaminated. By keeping multiple versions of backups, a previous clean backup may be available to restore the data.
Along with performing periodic, policy-based backups, it is essential to keep a close watch on whether those backups can be restored. A few governance steps help establish restorability.
i) Backup success reporting – detailed analysis of each backup's status (success, failure, partial, open files, etc.) and of consecutive failures.
ii) Backup coverage validations – comparing the asset, server and storage inventory with backup inventory to help ensure that no server or storage from an operational system is missed in backup coverage.
iii) Data integrity verification is a key component in validating that the backup configuration is correct, and it provides a means to help ensure that restore requests can be met in the event of a ransomware attack. Continuous analysis of backup metrics, intelligent selection of backup images for automated restore in the cloud or on premises, and intrusive or non-intrusive validation of data recovery together provide trust in restorability (this process is also known as Restore Testing).
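The checks in steps i and ii, plus the selection of a backup version that predates an infection, can be sketched as follows. This is an added example, not code from the article or from IBM Spectrum Protect; the server names, job records and function names are constructed for illustration, and the status values are the ones listed in step i.

```python
from datetime import datetime

# Constructed sample data; not output from IBM Spectrum Protect or any real tool.
INVENTORY = {"app01", "db01", "file01", "mail01"}
JOBS = [  # (server, finished, status)
    ("app01", "2017-05-11T01:00", "success"),
    ("app01", "2017-05-12T01:00", "partial"),
    ("app01", "2017-05-13T01:00", "success"),
    ("db01", "2017-05-10T02:00", "success"),
    ("db01", "2017-05-11T02:00", "failure"),
    ("db01", "2017-05-12T02:00", "failure"),
    ("db01", "2017-05-13T02:00", "failure"),
    ("file01", "2017-05-11T03:00", "partial"),
]

def history(jobs):
    """Group runs per server as (finished, status), oldest first."""
    per_server = {}
    for server, finished, status in jobs:
        per_server.setdefault(server, []).append((datetime.fromisoformat(finished), status))
    return {server: sorted(runs) for server, runs in per_server.items()}

def coverage_gaps(inventory, jobs):
    """Step ii: inventory entries with no successful backup at all."""
    covered = {server for server, _, status in jobs if status == "success"}
    return sorted(inventory - covered)

def failure_streaks(jobs, threshold=2):
    """Step i: servers whose latest runs are consecutive non-successes."""
    streaks = {}
    for server, runs in history(jobs).items():
        streak = 0
        for _, status in reversed(runs):
            if status == "success":
                break
            streak += 1
        if streak >= threshold:
            streaks[server] = streak
    return streaks

def restore_candidate(jobs, server, infected_at):
    """Newest successful version that finished before the suspected infection."""
    cutoff = datetime.fromisoformat(infected_at)
    runs = history(jobs).get(server, [])
    clean = [t for t, status in runs if status == "success" and t < cutoff]
    return max(clean, default=None)

if __name__ == "__main__":
    print("gaps:", coverage_gaps(INVENTORY, JOBS), "streaks:", failure_streaks(JOBS))
    print("restore app01 from:", restore_candidate(JOBS, "app01", "2017-05-12T09:00"))
```

A server with only partial backups (file01) is reported as a coverage gap alongside one that was never backed up (mail01), and the version chosen for app01 is the last success before the assumed infection time rather than the most recent backup.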
IBM Spectrum Protect provides policies to govern the number of versions of backup data. By enabling retention of multiple backup versions, a backup prior to the ransomware data takeover may be used to recover the data. For Spectrum Protect environments that were configured using a published IBM Blueprint and associated configuration scripts, the number of versions is unlimited and managed only by how many days data is retained.
Spectrum Protect can optimize this process using data reduction techniques such as incremental forever backups, deduplication and compression. Individually or in combination, these techniques allow multiple backup versions to be stored at a low cost.
• Create regular read-only snapshots and keep multiple snapshots
A snapshot is a point-in-time copy of a file or volume in the storage system and can be coordinated with the application to create a consistent copy using products like IBM Spectrum Protect Snapshot or IBM Spectrum Copy Data Management. A read-only snapshot prevents updates to the snapshot, while writes to the current version preserve the data in the snapshot, typically through a copy-on-write or similar operation. A ransomware attack could corrupt the current version of the data but can be prevented from writing to the snapshot version. Reverting to the snapshot version after detecting the attack can allow for a quick restore to a clean copy of the data. Note, however, that ransomware on some platforms is becoming sophisticated enough to remove read-only snapshots or make them writeable, so a secondary copy is recommended. A secondary copy can be created by copying the snapshot to a separate backup system such as IBM Spectrum Protect.
Protecting backup systems
Backup servers and associated data must also be protected against ransomware. If ransomware infects the backup environment, no secondary copy will be available to recover from the attack.
• Ensure proper permissions and security have been applied to the backup server.
IBM Spectrum Protect Blueprints configure the backup server with proper permissions and security to help protect the Spectrum Protect server software from direct attacks by ransomware. Customers can also avoid typical attack methods by keeping activity that provides a potential opening, such as email, off the backup server.
• Backup server replication.
Replication from one backup server to another creates a gap between the primary copy of the backup data and the secondary copy. If ransomware contaminates the primary server by encrypting its data, the secondary copy should not be affected. The secondary copy could then be used to recover the primary. In addition, with Spectrum Protect, dissimilar policies can be used at the secondary site to keep backup versions longer (perhaps on lower-cost storage), providing further protection against ransomware.
• Create a gap between the backup server and backup data.
A gap can be created by storing the backup data on a storage medium that ransomware cannot attack through its access to the backup server. Storing data on tape is one method for creating such a gap. Even if the local backup server is compromised, the data should still be available in the separate tape system. IBM Spectrum Protect can store the primary copy or a second copy of backup data on tape. Similarly, object storage could be used to store the data. Object storage is accessed over REST interfaces with credentials specific to the object system, so ransomware contamination of the backup server shouldn’t affect the data on the object storage system. In each case, the metadata tracked by the backup server should be backed up to the tape or object storage system to support recovery of the backup server and the backup data.