August 19, 2021

BCDR Recovery Options for Ransomware

By John Maxwell

When it comes to recovering from a ransomware attack, backup truly is the last line of defense. Luckily, when implemented, a Business Continuity and Disaster Recovery (BCDR) solution can allow an organization to recover.

Assuming that a ransomware attack cannot be mitigated in time, backups can be used for partial or full recovery, depending on the severity of the attacks. In this second blog in our series, we look at the various recovery methods for ransomware and highlight the BCDR functionality.

Recovery Point Objectives (RPO) and Recovery Time Objective (RTO)

Once the affected server or virtual machine has been isolated and the ransomware task killed, the system must be recovered to the most recent recovery point, meaning the latest unaffected backup. Most organizations have Recovery Point Objectives (RPO), which determine how granular their backups are. For example, some organizations are fine with a 24 hour RPO which means they are backed up once a day; others have more stringent requirements, which could require multiple backups per day. The longer the RPO, the more significant the impact on end-users who may lose data.

In the case of Datto BCDR, the backup granularity can be as low as five-minute increments, while the default backup schedule is every hour.

Recovery Time Objective or RTO is the amount of time an organization deems acceptable to perform data recovery. Some organizations find 24hrs acceptable, while others require systems to be made available in hours or even minutes. Just as backup granularity impacts the RPO, the recovery technique will drive the RTO. For example, an instant local or cloud virtualization can recover an entire system in minutes but can complicate the “failback” to the original server compared to a file-level recovery of the infected data.

Is the Backup Recoverable?

No recovery is going to happen if the backups themselves have been corrupted. There are several best practices that can provide assurance that the backup itself is safe to recover.

  • Is the backup itself free from ransomware?
    • Some backup files are susceptible to ransomware, thus negating that ability to recover the infected system. Datto BCDR solutions utilize ZFS for creating backups that cannot be infected with ransomware.
    • Secondly, it is important to ensure that no ransomware is lurking in the backed-up data, which is why a ransomware scan of the backup itself is critical. In the case of Datto BCDR,post-backup a post-backup ransomware scan is performed.
  • Is the backup recoverable?
    • Ensuring that the recovered system will boot and all associated applications will be accessible is essential. If a recovery is performed and for whatever reason, the system won’t come up, the process must be repeated.

Utilizing tools that verify the integrity of the backup is important. For example, Datto BCDR provides two levels of verification to guarantee the backup can be recovered. One is a patented screenshot verification process that performs a Windows system boot, and the other is advanced verification utilizing scripts to log in to business-critical applications.

Suggested Next Reads

What Is Network Topology Mapping?

Network topology mapping is the process of visually documenting the physical and logical structure of a network.