Recently, I had the chance to visit with an IT pro who had lived through a ransomware encryption attack, and he told me about the scariest words he heard in those first several minutes. Upon receiving the ransom demand, the first thing his team did was check their backups, only to discover that the backups were just as affected as the production data.
So, he called his backup service provider and was told:
Ok. I just looked at your cloud backups. Please don’t react until I finish what I am about to tell you.
That might be a paraphrase, but those are the terrifying words he “heard” regardless of how it was actually said. 😊 Here’s what was said next:
- It DOES appear that your cloud-backups were also affected, as the bad actors were likely able to log in to the local backup server.
- BUT there were other backups that the backup server and the bad actors were NOT able to affect because our storage service has an immutable tier that ensures an air gap that the bad actors could not see.
- AND I’ve confirmed that those protected backups are available to restore from the past XX timeframe.
- SO, here’s what we’re going to do …
Over the next few hours, a clean recovery environment was stood up in cloud-hosted infrastructure, and a workstream began in which the protected backups were staged into quarantine, scanned for malware, restored, and reconnected to the production users.
This experience aligns with four powerful statistics that were recently revealed in the 2024 Ransomware Trends Report:
- Backup repositories: 96% of cyberattacks target the backups, and in 76% of attacks the attackers succeed in affecting the backup repositories. Unfortunately, this victim met both of those circumstances.
- Immutability: 85% of organizations have a cloud repository with an immutable capability, though not everyone turns it on. Thankfully, this organization subscribed to a Backup-as-a-Service (BaaS) offering whose provider had enabled immutable backups for its clients.
- Recovery sites: 75% of organizations have an ability to recover to cloud-hosted infrastructure (86% can recover to alternative on-premises servers). This organization didn’t have a secondary data center, which was one of many reasons that they subscribed to a managed service provider. In this case, they did exactly what they planned for — they recovered from a cyber disaster to cloud-hosted infrastructure.
- Ensuring cleanliness: Unfortunately, only 37% use a staged-restoration methodology, where the recovered data is first restored into a quarantined area and checked to ensure that the data and executables do not contain malware before it is reintroduced into production. The other 63% are at risk of reinfection during restoration. A scan alone is not the whole answer: when the attackers have been on the backup server, as they were here, a restore point taken after their initial access can carry their tooling along with the data, so the chosen restore point should predate the intrusion as well as scan clean. Again, a key benefit of a managed service that provides Disaster Recovery as a Service (DRaaS), beyond just BaaS, is that the service provider's engineers can rally alongside the IT team to accelerate the recovery and get the business back into production.
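As an added example (this is not code from the original post, nor from the service provider it describes), here is one way to implement the staged-restoration gate that the fourth bullet describes: files come back from the immutable tier into a quarantine directory, every file is hashed and compared against a manifest captured before the incident, and the restore is copied into production only if nothing unexpected, modified, or newly executable turns up. The manifest format, the directory layout, the suspect-extension list and the sample files are all assumptions constructed for this example.

```python
"""
Staged-restoration gate (added example, not the post's or the provider's code).
Restore lands in quarantine, is audited against a pre-incident SHA-256
manifest, and is promoted to production only when the audit is clean.
All names, paths and sample data below are constructed for the example.
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path

# Extensions that should not appear in a restore unless the pre-incident
# manifest already knew about them (assumed list; tune for your environment).
SUSPECT_SUFFIXES = {".exe", ".dll", ".ps1", ".vbs", ".js", ".bat", ".scr", ".hta"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large restores are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its hash."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def audit_quarantine(quarantine: Path, known_good: dict[str, str]) -> list[str]:
    """Compare a staged restore with the pre-incident manifest.

    Returns human-readable findings; an empty list means every file matches
    what was known before the attackers got in and nothing extra arrived.
    """
    findings: list[str] = []
    restored = build_manifest(quarantine)
    for rel, digest in restored.items():
        expected = known_good.get(rel)
        if expected is None:
            if Path(rel).suffix.lower() in SUSPECT_SUFFIXES:
                findings.append(f"unexpected executable or script: {rel}")
            else:
                findings.append(f"file not in pre-incident manifest: {rel}")
        elif expected != digest:
            findings.append(f"content differs from manifest: {rel}")
    for rel in known_good:
        if rel not in restored:
            findings.append(f"missing from restore: {rel}")
    return findings


def promote_if_clean(quarantine: Path, production: Path,
                     known_good: dict[str, str]) -> list[str]:
    """Copy quarantine into production only when the audit is clean; return findings."""
    findings = audit_quarantine(quarantine, known_good)
    if not findings:
        shutil.copytree(quarantine, production, dirs_exist_ok=True)
    return findings


def _write(root: Path, rel: str, data: bytes) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def run_scenarios() -> dict:
    """Constructed data: one clean restore and one carrying attacker artefacts."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        pre_incident = base / "pre_incident"            # what the immutable tier holds
        _write(pre_incident, "finance/ledger.csv", b"2024-01,payroll,120000\n")
        _write(pre_incident, "docs/q1-report.docx", b"quarterly report bytes")
        _write(pre_incident, "app/bin/service.exe", b"MZ legitimate service binary")
        manifest = build_manifest(pre_incident)          # captured before the incident

        clean_q = base / "quarantine_clean"
        shutil.copytree(pre_incident, clean_q)
        clean_findings = promote_if_clean(clean_q, base / "prod_clean", manifest)

        bad_q = base / "quarantine_tampered"
        shutil.copytree(pre_incident, bad_q)
        _write(bad_q, "finance/ledger.csv", b"\x8a\x12encrypted\x00garbage")  # overwritten
        _write(bad_q, "finance/ledger.csv.locked", b"\x8a\x12encrypted\x00")  # encrypted twin
        _write(bad_q, "README_DECRYPT.txt", b"pay us")                         # ransom note
        _write(bad_q, "app/bin/updater.exe", b"MZ dropped loader")             # dropped tool
        bad_findings = promote_if_clean(bad_q, base / "prod_tampered", manifest)

        return {
            "clean_promoted": not clean_findings
            and (base / "prod_clean" / "finance" / "ledger.csv").exists(),
            "tampered_promoted": (base / "prod_tampered").exists(),
            "tampered_findings": bad_findings,
        }


if __name__ == "__main__":
    result = run_scenarios()
    print("clean restore promoted:", result["clean_promoted"])
    print("tampered restore promoted:", result["tampered_promoted"])
    for finding in result["tampered_findings"]:
        print("  -", finding)
```

Two design points matter more than the code. First, the manifest must itself live on the immutable tier: if it sits on the backup server the attackers logged into, they can rewrite it to match their tampered data. Second, a hash comparison catches what changed, not what is malicious, so it complements rather than replaces the malware scan in the quarantine step, and it says nothing about whether the restore point predates the intrusion.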
Ransomware might be a “when” not an “if” — but it does not have to be a catastrophe if you prepare and partner well. Kudos to this service provider and to the IT team who did what was necessary beforehand, so that this was a survivable event.
If this had been your organization, how would you have answered the questions:
- Are at least some of your backups immutable and air-gapped?
- Can you recover to a cloud-hosted infrastructure?
- How do you ensure that your restorations won’t re-infect?
- Do you have a partner who is ready to help you persevere through your worst day?
Originally posted on LinkedIn.