Ransomware attacks have a simple premise: organisations need access to their files to operate, and if they’re locked out of those files, a ransom payment is the simplest way to get back to work.
But that assumes the organisation only has one copy of those files. If they had backups, they could simply wipe the infected devices and rebuild their systems in a safe environment.
Yes, that will take some time – anywhere from a couple of hours to a couple of days – but decrypting your systems isn’t much quicker, and it comes at a far greater cost.
How can you put yourself in a position to ignore cyber criminals’ demands? We provide our top five tips in this blog.
1. Protect your backups
As the threat of ransomware has grown, more organisations have come to understand the importance of backups.
Unfortunately, that hasn’t gone unnoticed by cyber criminals, who have responded by developing ransomware strains that seek out backups in addition to the original files. The way they do this depends on how the organisation backs up its files.
One of the most common ways organisations back up files is by simply creating copies, which might be saved in the same folder, another local folder or a network-connected file server.
This is fine if you’re worried about a file going missing or becoming corrupted, but it won’t protect you from ransomware. The malware will soon spread through your organisation’s systems, encrypting everything, including those copies.
Meanwhile, the Cloud has quickly become a popular solution for organisations that want to protect themselves from widespread problems in a server – such as in the above example – but it’s still not a foolproof option.
Many Cloud storage providers, such as Dropbox, OneDrive and Google Drive, automatically synchronise local files with those stored in the Cloud. If those local files are infected, the Cloud will apply those changes, encrypting your backups and rendering them unusable.
So what can you do to make sure this doesn’t happen? Here are our top tips for protecting your backups in the event of a ransomware infection.
Find out how to prepare your staff for disaster with our Phishing and Ransomware – Human patch e-learning course.
The course boosts your team’s awareness of ransomware and the ways your organisation can fall victim. It describes the link between phishing attacks and ransomware, and what staff need to be aware of to help prevent attacks.
2. Look out for suspicious backup activity
One of the biggest weaknesses when it comes to ransomware is your system’s willingness to replace clean backups with the infected originals.
But with the right preparation, this can turn from a flaw into a strength.
When a malicious program encrypts your files, it is essentially updating them, which will trigger a warning that the new versions need to be backed up. If these alerts start occurring at a much faster pace than usual, it is a sign that something suspicious is happening.
If you open one of the updated files and discover that it has been encrypted, you should pull the plug on automatic backups and take your systems offline to isolate the infection.
3. Create multiple backups in different locations
Don’t just rely on one set of backups to protect your organisation. As we’ve seen, it’s possible for an infection to spread from the original files to backups even if they’re stored on the Cloud.
You should therefore have another set of backups that isn’t connected to your servers. This might be physical paperwork or an offline server.
It’s obviously harder to maintain these backups, so you’ll probably only do this for core information. However, the effort is certainly worth it when disaster strikes.
4. Establish a recovery time objective
An RTO (recovery time objective) is a key metric in business continuity planning, referring to how long it takes for a product, service or activity to get up and running again after a disruption.
In the case of ransomware infection, the RTO concerns the length of time it takes to wipe the infected machine and restore it in a safe environment.
Why does this matter? Depending on how much data was infected, it could take days to restore all your systems from backups – and that might ultimately cause more problems than it solves.
As such, it might be worth being selective with what information you back up. The less information you need to restore, the quicker the process will be and the sooner you can get back to work.
5. Regularly test your recovery process
Backups aren’t any help if they’re not reliable. The last thing you want to do is wipe your systems after an infection only to find that there’s a problem with the restore process.
Don’t leave backups as an automated task. The process should involve a manual test in which you make sure you can access backup files wherever they are being stored – whether that’s locally, in a separate server or physically.
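A restore drill of the kind steps 4 and 5 call for can be scripted so that every file is checked, not just opened by eye. The following is an added example written for this post, not code from the original article: it records a SHA-256 manifest at backup time, restores the backup to a scratch directory, times the restore so the result can be compared with the RTO agreed in step 4, and then verifies every file in the manifest, reporting what is missing or altered. The directory layout and file contents are constructed for the demonstration, and the drill deliberately loses one file and alters another so the checks have something to catch.

```python
"""Restore drill: verify a restored copy against the manifest recorded at backup
time and measure how long the restore took. Added example with constructed data."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256.
    Record this at backup time and store it with the offline copy."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored_root: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest.
    Returns {'ok': [...], 'missing': [...], 'corrupt': [...]}."""
    result = {"ok": [], "missing": [], "corrupt": []}
    for rel, expected in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != expected:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def run_restore_drill() -> dict:
    """Constructed drill: make a small 'backup', restore it to a scratch directory,
    then simulate a lost file and a truncated file to show what the check reports.
    The returned dict also carries the restore time in seconds."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        backup = tmp / "backup"
        (backup / "finance").mkdir(parents=True)
        (backup / "finance" / "ledger.csv").write_text("date,amount\n2020-02-06,100\n")
        (backup / "hr.txt").write_text("staff list\n")
        (backup / "notes.txt").write_text("meeting notes\n")

        # 1. Record the manifest alongside the backup.
        manifest = build_manifest(backup)
        (tmp / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # 2. Restore into a clean location and time it (compare with your RTO).
        restored = tmp / "restored"
        started = time.perf_counter()
        shutil.copytree(backup, restored)
        restore_seconds = time.perf_counter() - started

        # 3. Simulate two failures a real drill might surface.
        (restored / "hr.txt").unlink()                       # file never came back
        (restored / "notes.txt").write_text("meeting notes") # partial/altered restore

        # 4. Verify against the manifest read back from disk, as a drill would.
        loaded = json.loads((tmp / "manifest.json").read_text())
        result = verify_restore(restored, loaded)
        result["restore_seconds"] = restore_seconds
        return result


if __name__ == "__main__":
    outcome = run_restore_drill()
    print(f"restore took {outcome['restore_seconds']:.3f}s")
    for key in ("ok", "missing", "corrupt"):
        print(f"{key}: {outcome[key]}")
```

Run this against a copy of the real backup set on a schedule, with the manifest kept with the offline copy from step 3, and keep the timing so you can see whether the restore still fits inside the RTO as the data grows.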
Free download: Cyber Security and Business Resilience – Thinking strategically
You can find out more about the ways in which you can protect your organisation by reading Cyber Security and Business Resilience – Thinking strategically.
This free green paper explains the elements to take into account as you plan your cyber security defences, and the value of thinking resiliently.
It also covers:
- The basics of risk assessment;
- Why it makes sense to take a defence-in-depth approach; and
- The key points to consider around prevention and detection.
A version of this blog was originally published on 6 February 2020.