Don’t pay the ransom: how to recover from a ransomware attack

Everyone is petrified of ransomware attacks right now, and with good reason. The attacks have penetrated every sector, from academia and local government organizations to manufacturing, healthcare and high tech. By Bill Andrews, President and CEO of ExaGrid.

  • Thursday, 22nd July 2021, posted by Phil Alsop

The ransoms that hackers demand have increased drastically in recent years, with the most audacious at over $12M (10 million euros). Ransomware attacks occur all the time; studies estimate that a ransomware attack is carried out every 14 seconds.

Ransomware disrupts the functionality of an organization by restricting access to data through encrypting the primary storage and then deleting the backup storage. Ransomware attacks are on the rise, becoming disruptive and potentially very costly to businesses. No matter how meticulously an organization follows best practices to protect valuable data, the attackers seem to stay one step ahead. They maliciously encrypt primary data, take control of the backup application and delete the backup data.

The challenge is how to protect the backup data from being deleted while at the same time allowing backup retention to be purged when retention points are hit. If you retention-lock all of the data, you cannot delete the retention points and the storage costs become untenable. If you allow retention points to be deleted to save storage, you leave the system open for hackers to delete all data.

How Do Hackers Get Control of Backed Up Data?

Often, hackers are able to gain control of a server on a network and then work their way into critical systems, such as primary storage, and then into the backup application and backup storage. Sometimes hackers even manage to access the backup storage through the backup application. The hackers encrypt the data in the primary storage and issue delete commands to the backup storage, so that there is no backup or retention to recover from. Once the backup storage is deleted, organizations are forced to pay the ransom, as their users cannot work.

How Can Organizations Recover from a Ransomware Attack?

One of the best practices for data protection is to implement a strong backup solution, so that an organization can recover data whenever it is deleted, overwritten, corrupted or encrypted.

However, even standard backup approaches, such as backing up data to low-cost primary storage or to deduplication appliances, are vulnerable to ransomware attacks. To eliminate this vulnerability, a backup solution needs a second, non-network-facing storage tier, so that even if the hacker deletes the backup they cannot reach the long-term retention data.

If an organization is hit with a ransomware attack but its backup data remains intact, then the organization can recover the data without paying a ransom.

ExaGrid’s Unique Feature: Retention Time-Lock for Ransomware Recovery

ExaGrid has always utilized a two-tiered approach to its backup storage, called Tiered Backup Storage, which provides an extra layer of protection to its customers. Its appliances have a network-facing disk-cache Landing Zone Tier where the most recent backups are stored in an undeduplicated format, for fast backup and restore performance. Data is deduplicated into a non-network-facing tier called the repository, where deduplicated data is stored for longer-term retention. The combination of a non-network-facing tier (virtual air gap) plus delayed deletes and immutable data objects guards against the backup data being deleted or encrypted.

As ExaGrid monitored the growing trend of ransomware attacks, the backup storage company worked on a new feature to further safeguard its repository tier: Retention Time-Lock for Ransomware Recovery. This feature allows for “delayed deletes” so that any delete commands that might be issued by a ransomware attack are not processed for a period of time determined by the ExaGrid customer, with a default of 10 days that can be extended by policy. ExaGrid released this feature in 2020 and many of its customers have already successfully recovered from ransomware attacks.
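A simplified model of the delayed-delete idea described above, added here as an illustration and not ExaGrid's code: a normal retention purge still frees space once the hold period passes, while a mass delete noticed inside the hold period can be cancelled. The class, method and backup names are assumptions made up for the example; only the 10-day default comes from the article.

```python
from dataclasses import dataclass, field

DEFAULT_DELAY_DAYS = 10  # default hold period stated in the article


@dataclass
class TimeLockedRepository:
    """Toy model (hypothetical names): deletes are queued until the hold period passes."""
    delay_days: int = DEFAULT_DELAY_DAYS
    objects: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # object name -> day the delete takes effect

    def store(self, name):
        self.objects.add(name)

    def request_delete(self, name, today):
        # Retention purges and attacker-issued deletes take the same path.
        if name in self.objects and name not in self.pending:
            self.pending[name] = today + self.delay_days

    def process(self, today):
        """Execute only the deletes whose hold period has fully elapsed."""
        due = [n for n, day in self.pending.items() if day <= today]
        for name in due:
            self.objects.discard(name)
            del self.pending[name]
        return sorted(due)

    def cancel_pending(self):
        """Recovery step: drop every delete that is still inside its hold period."""
        rescued = sorted(self.pending)
        self.pending.clear()
        return rescued


def simulate():
    repo = TimeLockedRepository()
    for name in ("weekly-01", "weekly-02", "weekly-03"):  # constructed sample data
        repo.store(name)
    repo.request_delete("weekly-01", today=0)   # normal retention purge
    purged = repo.process(today=10)             # hold elapsed: space is reclaimed
    for name in sorted(repo.objects):           # day 12: mass delete via the backup app
        repo.request_delete(name, today=12)
    early = repo.process(today=15)              # still inside the hold: nothing removed
    rescued = repo.cancel_pending()             # attack noticed on day 15
    return purged, early, rescued, sorted(repo.objects)


if __name__ == "__main__":
    print(simulate())
```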

Don’t pay the ransom! Implement a solution that is designed to help your organization recover.