• Home
  • /
  • Storage
  • /
  • Can you recover if hit by a ransomware attack?

Can you recover if hit by a ransomware attack?

Ransomware is becoming a fact of business life. A lot of money and effort is going into preventing these attacks, but much too little into ensuring a quick recovery.
Peter Clarke
By Peter Clarke, Founder and MD, LanDynamix
Johannesburg, 01 Jul 2021

Ransomware attacks are a growing and unwelcome phenomenon. The Colonial Pipeline incident in the US highlights the fact that because of IT's ubiquity, these attacks can target critical infrastructures as well. On the home front, City Power was targeted in 2019, and earlier this year, Virgin Active was the victim.

During the past 12 months, the average cost of remediating a ransomware attack in South Africa was estimated at $447 097 (R6.4 million), with the global average total cost of recovery from a ransomware attack revealed to have doubled in a year from $761 106 (R11 million) in 2020 to $1.85 million (R26.5 million) in 2021.

Here's the real kicker: just under half (42%) of ransomware victims in SA paid the ransom to restore access to their data last year. However, for 19% of those, coughing up did not see their stolen data being returned. This was one of the findings of a global report by Kaspersky, dubbed “Consumer appetite versus action: The state of data privacy amid growing digital dependency”, that surveyed 15 000 consumers.

Cue the music: this is the key point that I worry most businesses are not getting. We're getting to the point that a ransomware attack is something like a certainty and even by paying, you are far from guaranteed to get your data back.

So, yes, it's good to make sure you have good defences in place − especially against attacks that target specific high-risk individuals − you should also spend the same amount of time, energy and budget on ensuring you are able to recover data in the shortest possible time to minimise reputational damage and keep the organisation functioning as normal.

There are several pieces to getting this right, which should each receive the urgent and sustained attention of the CIO/CISO or equivalent, as well as the board − let's not forget that Principle 12 of King IV makes the governance of technology and information a board responsibility.

Data must be backed up regularly. The definition of "regularly" will differ from organisation to organisation, but given the advances in technology, daily backups are quite practical. There is a plethora of solutions to consider. The data could be replicated into the cloud or backed up onto a server on site. Tape backups remain popular for many reasons − in fact, tape is experiencing something of a resurgence − and external hard disks are often used.

A key principle is that all backup data (in flight as well as at rest) should be encrypted.

Backed-up data must be stored securely. Here's where the responsible persons need to consider which of the many possible backup methods combines the maximum security for the data, is most reliable and, of course, the most cost-effective.

One of the reasons tape remains popular and continues to be the focus of R&D by leading vendors such as Veeam, is that it is cost-effective: a single tape can hold so much data − 16TB as compared to the 8GB a DVD can hold − and is not as fragile as, say, an external hard drive.

A dropped tape is a non-issue, but a dropped hard drive could be damaged. Tapes can also be automated to a certain extent − as a rule of thumb, the less human involvement, the more reliable the process.

An on-premises server that stores backups is attractive because it's so easy to automate, but then it's important to keep the server shut down except when backups are being done; isolating it in this way means it is literally unreachable by anyone who accesses the system. Replication to the cloud is also attractive because it can be automated, but the stored data is vulnerable to an attack, either via the cloud provider itself or the organisation's own system.

Leading cloud providers are waking up to this vulnerability and are putting measures in place to protect client data from cyber attacks; for example, immutable backups that cannot be deleted or changed within certain parameters. It's not perfect but it's a step in the right direction.

A key principle is that all backup data (in flight as well as at rest) should be encrypted.

Test and monitor, then repeat − get the right processes in place. In a real sense, choosing the most appropriate technology and medium for backups is the easy part. No technology is worth anything unless it works, and that means putting the right processes in place.

There are two issues here. The first is that organisations should not assume backups have taken place as planned and were successful − somebody must check not only that the scheduled backups took place but that they are usable. A green tick on a piece of software is not enough!

The second thing to get right − and this is critical − is to ensure the backups can be used to restore the data. This requires regular testing in order to refine the process, which should be exhaustively documented. Regular testing will also reveal any inadequacies in what has been put in place. It can't be stressed enough that this meticulous testing is vital to ensure that in the stress of a ransomware attack, the process for data restoration is well understood and, most important of all, delivers the expected results.

Time spent thinking through these issues, and putting the right procedures in place, will mean that when a ransomware attack happens, your data is safe, and you know exactly how to restore it. That's real peace of mind.