The Evolution of Ransomware Recovery

By Christopher Rogers, Technology Evangelist at Zerto, a Hewlett Packard Enterprise company.

Monday, 7th November 2022. Posted by Phil Alsop.

Back in 1989, when the first ransomware attacks occurred, they were relatively unsophisticated, at least by today's standards. Distributed via floppy disks, their encryption could be easily reversed, and the ransom payments demanded were a tiny fraction of the eye-watering amounts seen today.

Since this relatively low-key start, ransomware has grown into an incredibly lucrative international cybercrime industry with the ability to bring organisations large and small to their knees.

As the cost of extortion, downtime and levels of disruption have rocketed, data-driven organisations are becoming more focused on recovery as well as prevention. Yet most ransomware victims still suffer extended outages and are unable to recover all their data. In fact, a recent study found that only 1 in 7 companies recover all their data after an attack. Worse still, paying the ransom offers no guarantee of a return to business as usual: only 14% of businesses that paid a ransom to their attackers in the past 12 months subsequently got 100% of their data back.

Part of the recovery problem is that, as ransomware gangs continue to evolve their methods, current backup vendors are failing to keep pace. Clearly, the best outcome for the target of an attack is to prevent the malware from being deployed on the network at all. While security vendors are focused on this objective, in general they still lack a reliable all-round defence against ever-changing threats such as APTs (advanced persistent threats) and zero-day exploits. And if that wasn't enough, there remain the challenges presented by malicious insiders, who still represent one of the biggest threats to organisational security.

The result? Being on the receiving end of a ransomware attack is no longer a question of 'if' or even 'when'; today, it is a question of 'how often?'. In 2020, for instance, more than 60% of businesses were hit by ransomware attacks, fuelled by trends such as the growth of 'ransomware as a service' and nation-state activity.

From backups to data protection

To prepare for this unfortunate reality, many organisations rely on backups, a tried and tested technology used across a multitude of data loss and recovery use cases. Indeed, backup vendors are among the most vocal in the ransomware prevention and recovery ecosystem, aggressively marketing their solutions against those of other manufacturers of data protection software and storage systems designed to protect against the impact of ransomware.

These older generations of data protection software and storage systems, however, are simply unable to stop data loss or downtime, particularly as the majority of future apps will reside in the cloud or at the edge. As a result, most businesses lack confidence in their backup and disaster recovery (DR) options, with an IDC poll suggesting only 28% of participants had complete trust in the capability of their backup solution to restore all data.

In addition, many organisations employ a variety of technologies to ensure data recovery in the event of any loss, such as a ransomware attack: disaster recovery solutions alongside backup and recovery software, snapshots, mirrors and replicas. This brings with it an ever-increasing level of complexity in delivering cost-effective, high-performance data protection and disaster recovery strategies.

Instead, IT organisations are searching for solutions that can reduce recovery time objectives (RTO) and data loss objectives (RPO), the figures written into their service-level agreements, to almost zero. To meet this need, Continuous Data Protection (CDP) is becoming more important because it can dramatically reduce the risk of data loss, regardless of the cause, while also speeding up and simplifying the recovery process. Since CDP records data changes as they are made rather than at scheduled intervals, the effective RPO is lowered to seconds and the "backup gap" (the window between the last completed backup and the moment of the incident, during which every change is lost) is essentially eliminated. Two practical conditions apply: the CDP journal must itself be out of the attacker's reach, since ransomware operators routinely target backups, and the organisation must be able to identify the last clean point before encryption began.
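The following is an added example, not code from the article or from Zerto. It simulates the "backup gap" described above on a constructed write stream: a periodic backup can only return to the last completed backup before the attack, while a change-by-change journal (the CDP model) can return to the instant before the first malicious write. The write times, keys, hourly backup interval and the known attack time are all assumptions made for the illustration.

```python
"""Toy simulation of periodic backup vs. continuous data protection (CDP).

Constructed example: five legitimate writes over ~80 minutes, then ransomware
overwriting every record at t = 5000 s. The attack time is assumed known;
in practice finding the last clean point is a forensic task of its own.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Write:
    t: float   # seconds since the start of the simulated day
    key: str
    value: str


# Constructed sample data (not real records).
LEGIT_WRITES = [
    Write(120.0, "invoice-1", "v1"),
    Write(900.0, "invoice-2", "v1"),
    Write(3650.0, "invoice-1", "v2"),
    Write(4200.0, "invoice-3", "v1"),
    Write(4900.0, "invoice-2", "v2"),
]
ATTACK_T = 5000.0
RANSOM_WRITES = [
    Write(5000.0, "invoice-1", "<encrypted>"),
    Write(5001.0, "invoice-2", "<encrypted>"),
    Write(5002.0, "invoice-3", "<encrypted>"),
]
# A CDP journal is an append-only log of every change, in time order.
JOURNAL = sorted(LEGIT_WRITES + RANSOM_WRITES, key=lambda w: w.t)


def restore_to(journal, point):
    """Rebuild state by replaying every write that happened strictly before `point`."""
    state = {}
    for w in journal:
        if w.t < point:
            state[w.key] = w.value
    return state


def periodic_recovery(journal, interval, attack_t):
    """Periodic backups complete at multiples of `interval`; the best we can do
    is the last backup that finished at or before the attack."""
    point = math.floor(attack_t / interval) * interval
    return point, restore_to(journal, point)


def cdp_recovery(journal, attack_t):
    """With a change-level journal the recovery point is the attack itself:
    every legitimate write before it is replayed, nothing after it is."""
    return attack_t, restore_to(journal, attack_t)


def lost_writes(journal, point, attack_t):
    """Legitimate writes that landed after the recovery point but before the attack."""
    return [w for w in journal if point <= w.t < attack_t]


def compare(journal=JOURNAL, interval=3600.0, attack_t=ATTACK_T):
    """Return the data-loss window (effective RPO) and lost-write count per strategy."""
    results = {}
    for name, (point, state) in {
        "periodic": periodic_recovery(journal, interval, attack_t),
        "cdp": cdp_recovery(journal, attack_t),
    }.items():
        results[name] = {
            "recovery_point": point,
            "data_loss_window_s": attack_t - point,
            "lost_writes": len(lost_writes(journal, point, attack_t)),
            "state": state,
            "clean": all(v != "<encrypted>" for v in state.values()),
        }
    # Naively restoring "latest" from a mirror or replica just restores the ransomware's work.
    results["latest_replica"] = {"state": restore_to(journal, math.inf),
                                 "clean": False}
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(name, {k: v for k, v in r.items() if k != "state"}, r["state"])
```

With an hourly backup, the last clean backup completed at t = 3600 s, so the three writes between then and the attack are gone and the effective RPO is 1400 s; the journal replays all five legitimate writes and loses none. The `latest_replica` entry shows why a synchronous mirror with no point-in-time history is not a ransomware recovery control: it faithfully contains the encrypted data.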

IT organisations are dealing with ever-increasing complexity in providing data protection and disaster recovery, driven by the pervasive danger of ransomware and the deployment of new apps at the core, in the cloud and at the edge. By using CDP, recovery operations can be completed rapidly and with little data loss, going back to a point just seconds or minutes before an attack or any other disruption. This is especially true when CDP is combined with recovery orchestration and automation. Organisations that want a strategy that tackles the ransomware threat head-on should therefore make CDP, the most important recent development in recovery technology, a top priority.