BCDR Recovery Options for Ransomware

By John Maxwell

When it comes to recovering from a ransomware attack, backup truly is the last line of defense. Luckily, when implemented, a Business Continuity and Disaster Recovery (BCDR) solution can allow an organization to recover.

Assuming that a ransomware attack cannot be mitigated in time, backups can be used for partial or full recovery, depending on the severity of the attacks. In this second blog in our series, we look at the various recovery methods for ransomware and highlight the BCDR functionality.

Recovery Point Objectives (RPO) and Recovery Time Objective (RTO)

Once the affected server or virtual machine has been isolated and the ransomware task killed, the system must be recovered to the most recent recovery point, meaning the latest unaffected backup. Most organizations have Recovery Point Objectives (RPO), which determine how granular their backups are. For example, some organizations are fine with a 24 hour RPO which means they are backed up once a day; others have more stringent requirements, which could require multiple backups per day. The longer the RPO, the more significant the impact on end-users who may lose data.

In the case of Datto BCDR, the backup granularity can be as low as five-minute increments, while the default backup schedule is every hour.

Recovery Time Objective or RTO is the amount of time an organization deems acceptable to perform data recovery. Some organizations find 24hrs acceptable, while others require systems to be made available in hours or even minutes. Just as backup granularity impacts the RPO, the recovery technique will drive the RTO. For example, an instant local or cloud virtualization can recover an entire system in minutes but can complicate the “failback” to the original server compared to a file-level recovery of the infected data.

Is the Backup Recoverable?

No recovery is going to happen if the backups themselves have been corrupted. There are several best practices that can provide assurance that the backup itself is safe to recover.

  • Is the backup itself free from ransomware?
    • Some backup files are susceptible to ransomware, thus negating that ability to recover the infected system. Datto BCDR solutions utilize ZFS for creating backups that cannot be infected with ransomware.
    • Secondly, it is important to ensure that no ransomware is lurking in the backed-up data, which is why a ransomware scan of the backup itself is critical. In the case of Datto BCDR,post-backup a post-backup ransomware scan is performed.
  • Is the backup recoverable?
    • Ensuring that the recovered system will boot and all associated applications will be accessible is essential. If a recovery is performed and for whatever reason, the system won’t come up, the process must be repeated.

Utilizing tools that verify the integrity of the backup is important. For example, Datto BCDR provides two levels of verification to guarantee the backup can be recovered. One is a patented screenshot verification process that performs a Windows system boot, and the other is advanced verification utilizing scripts to log in to business-critical applications.

Choosing the Best Recovery Option

Assuming the backups themselves are recoverable, it must be decided what type of recovery will be performed. Generally, there are five types of recovery available to recover a system from a ransomware attack.

  • System image-level restore
  • Local instant virtualization
  • Bare Metal Restore
  • File-level recovery
  • Cloud-based recovery

System Image-Level Restore:
There is image recovery, which is precisely what it sounds like, restoring a backup image of the system by overlaying the current files. This is popular for virtual machine recovery since it is relatively easy to recover an individual VM by simply provisioning a new VM and recovering all of the data associated with it.

With Datto BCDR, the Image Export recovery simply entails selecting image export in the UI, Selecting the file-sharing format you would like to use, and mounting that share to your hypervisor. From there, you can either copy the images to the production storage or even start using them right away if the server is needed quickly and migrate the image after hours.

Local Instant Virtualization:
This option allows you to instantly access a copy of your backup running as a virtual machine. This virtualization can run on separate physical hardware or on the production hypervisor. This option generally provides the fastest RTO or access to the restore.

In the case of Datto BCDR, either the SIRIS hardware appliance (SIRIS 4 or SIRIS Imaged) can be used as a hypervisor, or in the case of SIRIS Virtual, the SIRIS can communicate with the hypervisor it is running on to start the virtualization. Effectively utilize a backup as a data store (e.g., for VMware ESXi) that connects to either a new VM in the ESXi host or a VM running in a backup appliance (such as Datto SIRIS). Use this option when you need the continuous operation of a protected system, have available capacity on a VMware host, and want to use the computing power of your ESXi host or backup appliance to recover the affected system.

Bare Metal Recovery (BMR):
Bare Metal Restore (BMR) is used to restore data back to specific physical hardware such as the original hardware the server was running on. This restore method is useful when original hardware or specific physical hardware is required, and virtualization is not viable. Although restoring back to hardware can be time-consuming, BMR can be used in conjunction with rescue agents to get the initial RTO of an instant virtualization but still return to specific hardware after hours. It can be more time-consuming than instant recovery in the cloud, but in some cases, organizations may not have strict Recovery Time Objectives (RTO) that require a system to come back up as soon as possible.

Datto BCDR provides a BMR utility that allows access to any available restore point over the LAN.

File Level Recovery:
In the instance where a ransomware attack is found quickly and stopped, file or folder level recovery makes sense since only the infected files need to be recovered. This can, in many cases, be performed much faster than an entire system recovery. Simply select the files or folders that were infected and manually replace them. File restores are also useful if the ransomware infection took time and some work was done during the infection. In these cases, another restore may be performed to get the bulk of the data in a good state. And in cases where work from the time of the infection is missing, data may be restored individually. This process may save time as most users can be quickly up and running while users who were actively working on files can ask those to be fixed individually. An additional benefit is that files can be restored “in place” by basically re-writing over the existing file, or they can be restored under a different name to verify the content. In the scenario of restoring under another name, the original infected file can be deleted and the recovered file renamed.

With Datto BCDR, administrators can select a specific file or entire folder to recover. Another feature of Datto BCDR is Backup Insights, which compares a file or files during a particular period of time and shows which change. This can also help determine which files were impacted by ransomware.

Cloud-Based Recovery:
If the system to be restored is inaccessible, either because it is offline or is being kept off the network for further investigation, a cloud-based recovery may be warranted. By recovering in the cloud, the IT team can rest easy knowing that completely different infrastructure is being used instead of a potentially compromised network.. Once the new system is running, network connectivity can be made to the recovered system so that end-users can get back to work.

In the case of Datto BCDR, instant recovery for one or more systems is available in the immutable Datto Cloud at no additional cost.


According to Datto’s report on ransomware, “91% of MSPs said clients with BCDR products in place are less likely to experience significant downtime from ransomware”. Hence the need for a secure, reliable BCDR solution can make the difference between paying or not paying a ransom and recovering from an attack.

Disaster Recovery Tests Made MSPeasy

The purpose of IT disaster recovery testing is to discover flaws in your disaster recovery (DR) plan, so you can resolve them before they impact your ability to restore operations.

View the Resource

Suggested Next Reads