Oct 18, 2016
Winning The War Before The Ransom(ware)
In traditional corporate espionage, data has value to the intruder. With ransomware, the data has the most value to the business under attack. Traditional threats are “one-time” events, but with ransomware, the threat is recurring. It is “the gift that keeps on giving!” The cybercriminals behind today’s sophisticated ransomware are not seeking to destroy or steal the data. The majority of the time, the end goal of these hackers is for their victim, desperate to avoid business-threatening downtime, to pay up as quickly as possible so they can move on to their next target. That said, it’s not uncommon for the hacker to return to a previous victim for more money.
Unfortunately, there is no guarantee that the data will be returned even if the ransom is paid. In fact, one in four who paid a ransom in 2016 did so and never recovered their data, which is largely why the FBI recommends victims do NOT pay up. The request can be recurring, which suggests that a paid ransom is only an invitation to another attack, as the ransomware may still be present. This is due to a second unique characteristic of ransomware attacks, one indirectly related to how the data is valued: the delay between infiltration and ransom request.
When trying to beat a ransomware attack, restoring data to a safe known point is not as simple as opening the last good backup. Unlike standard data loss situations, the data loss may be gradual or delayed, and this places emphasis on the longer-term retention strategy as well as the ability to search through backups. It is the ability to cope with this delayed attack that determines how well a given data backup strategy recovers from ransomware. Hence, not all backup solutions provide equivalent protection, and the largest differentiator is the recovery.
The most expensive part is the recovery
The best solution for preventing ransomware is, of course, flagging the intrusion before it takes hold. End user education on phishing scams is the easiest measure, and early detection is next. However, neither of these is 100 percent guaranteed to protect your business. The only surefire solution for protection from ransomware is a fast and reliable backup and recovery solution—rolling back time and getting the business back up and running. But how capable is that recovery process?
A ransom of a few hundred dollars or a few thousand dollars pales in comparison to the real financial cost of a ransomware attack—revenue lost during recovery time and rollback. Consider the following three questions, each paired with the backup metric that answers it:
How many additional customer transactions will be lost in the database (going back to the last good backup before the attack)?
RPO: How much data will be lost due to the granularity and frequency of your backups, and your retention policy?
How many hours did your IT staff work on it? Or, how many hours need to be billed to your managed IT service? Or, if you are an MSP, how many billable hours did you need to give away to resolve a problem you promised immunity from?
The effort to repair (and RTO): How long will it take you to find the right data?
How many additional hours of productivity or business will your company lose while waiting for the recovery?
RTO: How long to get your business operations back running? Will restoring from an offsite tape be required if a rollback of more than one month is required?
Consider a scenario where the cost of continued downtime—and the quantity of lost data since the last good backup—is determined to be higher than a $1K ransom. In that situation, the ransom itself may be the better deal: a sticky scenario, considering there is no guarantee paying will help. If the backup solution cannot deliver low RPO and RTO, it may still be advantageous (or necessary) to pay the ransom and hope for the best!
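The two ideas above, finding the last clean recovery point in a chain when the encryption was gradual, and then pricing the resulting RPO and RTO against the ransom, can be worked through in code. The following is an added example written for this post, not Datto's software or any product's API. It assumes each recovery point is available as a mapping of file path to file contents (here constructed in memory with a deterministic seed; in practice each would be a mounted backup image), flags files that look encrypted by their byte entropy, compares each point against the oldest one as a baseline so that legitimately high-entropy files such as archives do not trigger a false alarm, and returns the last recovery point before the rise began. The cost figures (transactions per hour, transaction value, restore time, hourly downtime cost) are assumed inputs that a business would substitute with its own numbers.

```python
"""Locate the last clean recovery point in a backup chain and size the loss window.

Added example for this post; not Datto code. Recovery points are modelled as
dicts of path -> bytes, constructed below with a fixed seed so runs are reproducible.
"""
import math
import random
from collections import Counter
from datetime import datetime, timedelta

ENTROPY_THRESHOLD = 7.0  # bits per byte; encrypted (or compressed) data sits close to 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~4.5 for English text, ~8 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_fraction(snapshot: dict) -> float:
    """Share of files in one recovery point whose contents look encrypted."""
    if not snapshot:
        return 0.0
    flagged = sum(1 for data in snapshot.values() if shannon_entropy(data) > ENTROPY_THRESHOLD)
    return flagged / len(snapshot)


def find_last_clean(chain, tolerance=0.05):
    """chain: list of (timestamp, snapshot), oldest first.

    The oldest point sets the baseline (archives and other compressed files are
    high-entropy legitimately). The first point whose suspicious fraction rises
    more than `tolerance` above that baseline marks the onset; the point before
    it is the last clean one. Returns (last_clean_ts, first_bad_ts), with
    first_bad_ts None if no rise is seen.
    """
    baseline = suspicious_fraction(chain[0][1])
    for i in range(1, len(chain)):
        ts, snap = chain[i]
        if suspicious_fraction(snap) > baseline + tolerance:
            return chain[i - 1][0], ts
    return chain[-1][0], None


def recovery_cost(last_clean, detected, txn_per_hour, txn_value, rto_hours, hourly_downtime_cost):
    """Real cost of a rollback: transactions lost in the RPO window plus downtime during the RTO."""
    rpo_hours = (detected - last_clean).total_seconds() / 3600
    lost_transactions = rpo_hours * txn_per_hour
    rpo_cost = lost_transactions * txn_value
    rto_cost = rto_hours * hourly_downtime_cost
    return {
        "rpo_hours": rpo_hours,
        "lost_transactions": lost_transactions,
        "rpo_cost": rpo_cost,
        "rto_cost": rto_cost,
        "total": rpo_cost + rto_cost,
    }


START = datetime(2016, 10, 10, 0, 0)
DETECTED = START + timedelta(hours=144)  # constructed: the ransom note is found on day 6


def build_chain():
    """Constructed 6-hourly chain over six days; encryption starts at hour 72 and
    spreads three files per snapshot, mimicking a gradual attack."""
    rng = random.Random(7)

    def rand_bytes(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    names = [f"docs/report{i}.txt" for i in range(20)]
    plain = b"quarterly figures, nothing unusual here\n" * 20
    chain = []
    for h in range(0, 144, 6):
        snap = {name: plain for name in names}
        snap["archive/backup.zip"] = rand_bytes(4096)  # legitimately high entropy, present throughout
        if h >= 72:
            encrypted = min(20, 3 * ((h - 72) // 6 + 1))
            for name in names[:encrypted]:
                snap[name] = rand_bytes(4096)  # stands in for ransomware output
        chain.append((START + timedelta(hours=h), snap))
    return chain


if __name__ == "__main__":
    last_clean, first_bad = find_last_clean(build_chain())
    print("last clean point:", last_clean, "| onset:", first_bad)
    cost = recovery_cost(last_clean, DETECTED, txn_per_hour=50, txn_value=20,
                         rto_hours=2, hourly_downtime_cost=500)
    print(cost)
    print("rollback costs more than a $1K ransom:", cost["total"] > 1000)
```

The baseline comparison is what handles the "gradual or delayed" case: a single compressed archive in every snapshot would otherwise look like an infection on day one, while the slow spread from hour 72 onwards still shows up as a clear step above that baseline. With the assumed figures, the 78-hour RPO window dwarfs the restore time in the total, which is the post's point that the loss window, not the ransom, is the expensive part.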
How Datto can help with on-premises attacks
To minimize the real cost of ransomware, this is how Datto helps with RPO, RTO, and minimizing the effort to recover:
RPO: Datto supports a very high backup frequency for providing the best RPO thanks to Inverse Chain Technology. And with backup and archive copies available locally and in the Datto Cloud, even if you need to go back in time several weeks, you will never need to dust off the tape library to recover from an archive, which would only make a bad situation worse!
The effort to repair (and RTO): Immediate access to all recovery points. With Datto, every backup is fully constructed and ready to load; with Backup Insights you effortlessly and quickly scroll through backups to find what was lost and the point of infection. See Backup Insights.
RTO: The ability to restore nearly in an instant with Instant Virtualization, right on a Datto appliance, on your ESX hypervisor, or in the Datto Cloud. Within seconds, start booting any protected server, physical or virtual, to minimize RTO.
But there is more to differentiating solutions. Consider:
Image or file? Can you choose? Datto BDR solutions provide both.
Are both your physical and virtual servers protected?
Integration between backup and advanced disk (B2AD), and the storage efficiency of not duplicating weekly full backups.
We hope this helps. Good luck with it!