How Evolved Ransomware has hit Instant Recovery for six


Recovering from a disaster recovery (DR) situation in less than a minute is a desired outcome for organisations of all sizes, including corporates. Being able to resume work quickly means minimal levels of lost productivity, and companies are paying big sums to be able to achieve this. So why does it take so long for many companies to recover from a ransomware attack? While it’s not quite this simple, take SSD storage, combine it with management control of the virtual machines that must be recovered in minutes, add a few more bells and whistles, and that’s Instant Recovery (IR) in a nutshell. Surely there shouldn’t be a problem.

Ransomware has evolved

Ransomware is continuously evolving, and at a faster pace than vendors in the Instant Recovery market can respond. Since 2017, the people developing this type of malware have identified that disrupting the recovery of data makes it more likely that an organisation will pay the ransom.

New strains of ransomware are discovering and deleting backup files on a network, and across cloud systems that are linked to that network. These strains hold search libraries of around 40 different backup file types across as many vendors. They simply search out those file types to attack.

Network breaches

Organisations are taking, on average, 190 days to identify a network breach. What do the hackers do during this time? They are searching for invoices that they can redirect payments for, they are compromising mailboxes, and are seeding ransomware into the file data with a delayed detonation.

By the time a network breach is identified, huge numbers of files are infected, and simply restoring from a backup image won’t work.

Instant Recovery Attack Loops

When the ransomware detonates, or a DR situation occurs, Instant Recovery kicks in. A few minutes later, there is a recovered network – and then it is infected again! The attack loop begins. And so the time taken to actually get the organisation working again continues to lengthen…

Put simply, an Instant Recovery based on virtual machine snapshots will NEVER restore your network after an evolved ransomware attack without the loss of XX days of data, going back to when you have a clean backup, if indeed you have one. With most backup solutions based on 90 days of images, you may not have a clean image to work from.

The Solution

The solution is recovery from Cyber scanned files. This backup and recovery process operates at a file level. It protects the unique assets of users’ data, ensuring that any ransomware that is infecting files is detected through a zero day Cyber scan. The scan is integrated with both the backup and recovery process. No sandbox, no multiple recovery and no unnecessary delay. Clean data back when you need it. Compared with a real-world recovery using Instant Recovery instances, when ransomware is involved, a scanned file recovery will be faster every time.

Tiered Recovery

We’re not saying that Instant Recovery doesn’t have a place. Data2Vault sells Instant Recovery solutions, but we look at what should be IR’ed and what needs further protection. In a “normal” DR situation – flood, fire etc. – they are great. Having an Instant Recovery solution in place for your business-critical data is right, provided you have an alternative solution too. Our file backup and recovery with scanning is agentless. That means it can happily work alongside existing investments in agent-based backup and DR solutions. It protects the most critical of user data, preventing Attack Loops from evolved ransomware attacks.