From Ransomware To Recovery – The Role Of Continuous Data Protection

However its impact is measured, ransomware has become one of the most dangerous and high profile cybersecurity problems facing organisations worldwide. During the pandemic, cybercriminals have taken advantage of the state of operational flux many organisations found themselves in, with some security researchers claiming a 715% increase in year-on-year ransomware attacks. And, despite widespread advice not to give in to ransom demands, one recent study estimated that victims paid out at least $350 million to criminal gangs in 2020 alone attempting to recover their systems and data.

Given this context, it is not surprising that some organisations are now taking a much more pragmatic approach to their chances of being hit with ransomware, viewing it as a matter of when not if they will be targeted. This starting point represents an important shift in thinking – acting as the foundation for a more effective cybersecurity and disaster recovery strategy focused on minimising the risks and impact of ransomware.

The Problem with Backup

In the aftermath of an attack, recovery is frequently a major stumbling block for organisations whose only option depends on backups that might be anything from a day to a week, or even a month old. It’s not uncommon, for instance, that an organisation working to recover from a ransomware breach finds that it needs to send tape backups to a third-party data restoration specialist, should the attack render it impossible to restore any data from disk backups. The time and effort required can often be exacerbated by the job of dealing with any time gaps between different recovery points. Only when this recovered data becomes available can the process move forward to testing and then the reconstruction and restoration of file servers and files.

These problems are very real, with the downtime and disruption caused by ransomware often extending from days into weeks, and even when victims refuse to give in to criminal extortion, the impact can be severe. Among the most recent high profile attacks is that experienced by leading games developer CD Projekt Red, which said in February that attackers had stolen source code from several of its titles, including the hugely popular Cyberpunk 2077. Two weeks after the breach was first revealed, employees were said to be still locked out of their workstations and the company was forced to delay the release of an important update.

A Modern Recovery Mindset

In the face of these challenges, an approach is required that focuses on recovering data to a point in time precisely before the ransomware attack took place, eliminating the time gaps and data loss associated with traditional backup technologies. Known as Continuous Data Protection (CDP), this enables organisations to use network, journal, and IOPS statistics to determine the precise moment the ransomware became active and recover to within seconds before it.

This kind of recovery solution works on the basis that, even with the strongest perimeter security, a breach is always possible and protection should enable a return to business as usual after a successful attack while other remediation efforts are taking place. In practical terms, this approach enables organisations to capture and track data modifications and automatically save every version of the data that the user creates locally or at a target repository. Writes are saved to a journal file along with the corresponding file changes and, as a result, users or administrators have the ability to restore data to any point in time with minimal granularity.

Seeing this at work in the midst of a ransomware attack illustrates why the impact and severity of ransomware attacks is not just determined by the attacker, but by the response of the victim. For example, when international textiles and chemical process business TenCate suffered a ransomware breach on one of its manufacturing facilities, the Cryptolocker malware was used by attackers to infect all its file servers. With its data protected by traditional disk recovery, the company experienced 12 hours of data loss and was not able to fully recover for a further two weeks. When the company was subsequently attacked again, its implementation of CDP between the first and second attacks meant that instead it experienced 10 seconds of data loss and was able to recover in under 10 minutes.

Having the power to recover data to a point immediately before a ransomware attack is a transformative response that puts IT teams back in control of their destiny. In adopting an approach to cybersecurity based on CDP, businesses are positioned to meet the realities of ransomware knowing that if their defences are breached, they can quickly recover. For CISOs and their security teams currently facing a wide variety of risks across increasingly complex and widely connected networks, minimising risk and downtime represents a huge win-win.