Welcome to Spectra’s webinar Q&A roundup. In this blog series we will pick relevant questions from our recent webinars and publish the responses here.
Spectra Logic recently hosted a virtual presentation on building a storage strategy to withstand a ransomware attack. During the webinar we took a look at how a storage strategy is critical to preparing for a ransomware attack and what steps organizations can take to be ‘ransomware prepared’ including having multiple copies of data on multiple storage platforms, and maintaining an air-gap copy of data, and more. The following questions and answers recap highlights covered in the recent webinar.
Preparing Your Infrastructure before an Attack
What steps should an organization take to ensure data is protected if a ransomware attack occurs?
More than 50% of businesses have been impacted by ransomware in the last year, so it’s important to prepare in advance. Key stakeholders in an organization should have a business-level conversation to ensure everyone is on the same page about their business continuity plans and what plans to initiate in the event of an attack. Building a communication plan for immediately after an attack and getting cybersecurity insurance are important things to do ahead of time to effectively execute a successful recovery. There are a number of layers to a holistic protection strategy, and certainly the storage infrastructure is part of that. Having multiple copies of data on multiple storage platforms, having an air-gapped copy of data, and reducing mission-critical data recovery time by migrating inactive data that can be recovered over time off of primary storage are all essential steps to preparing an infrastructure.
We hear a lot about air-gapping data and having an offline copy. How offline does tape backup data need to be?
Ransomware focuses on destroying data backups because the threat actors know that’s a silver bullet. Tape technology is the most cost-effective, low-cost option to create a truly air-gapped copy of data. What can be considered offline enough can depend. If data is on tape and it’s disconnected – meaning it’s out of the tape drive and it’s sitting on a shelf or slot in the tape library – it would be a very difficult prospect to actually corrupt that data. Even if ransomware takes over the system that’s writing to the tape library, how long would it take for them to actually take control of that system and start overwriting tapes? Modern tape drives are really fast but because it’s sequential media, a 12TB tape, for example, can take six to eight hours to overwrite.
If a backup database is compromised, one that has a record of everything that’s out on all the tapes, then restoring from the tape can be more difficult. One way we’ve seen customers prepare for this is by creating blind copies of a backup out on tape in a way where the tapes are self-describing. So even if the entire backup infrastructure was compromised and those databases are gone, it would be possible to rebuild that environment. This is time consuming, but it’s important to know the IT landscape before an attack to respond in a timely manner when ransomware hits.
Spotting an Attack and Starting Recovery
How do you know you have been hit?
In Spectra’s case, our IT department suddenly started to notice that things weren’t behaving the way that they used to – something had changed and that’s what prompted them into looking deeper and spotting the attack.
How do you determine the best recovery point? What if the ransomware has been sitting in the system before executing?
Not everyone is going to have the tools to determine that on their own. Third-party forensics experts and the tools that the FBI brings to the table can help determine when ransomware first enters a system. This is crucial for recovery because it’s essential to recover a system to a point prior to the attack. We’re seeing numerous cases where ransomware is getting in and lying dormant for a while, logging key strokes and passwords to very quietly create vulnerabilities.
Having the support of the FBI is critical in understanding your options. If you have access to security experts as well, all the better. Recovering 100% of your organization’s data without paying the ransom is possible, and even probable, if you prepare before an incident occurs.