We can't ignore it anymore: malware is evolving, and with it, also the available solutions for ransomware data recovery.
Yet, the global ransomware attack that exploited VMware vulnerabilities (February 2023) has shown how this threat can directly attack entire infrastructures, bringing 1.000+ servers offline and hitting 5.000+ companies worldwide.
That's why, for IT leaders and developers, it's more important than ever to stay updated on the latest ransomware backup strategies.
By reading this article, you'll learn the following:
- The average cost of a ransomware attack (hidden impacts included)
- 6 myths and misconceptions about backup and ransomware
- The importance of Recovery Time Objective (RTO) and Recovery Point Objective (RPO) in an effective ransomware backup strategy
- 6 solutions for ransomware data recovery
- The ultimate ransomware incident response plan checklist of 2023
What’s the average cost of ransomware attack? (Hidden impacts included)
Ransomware attacks are not just a matter of financial costs associated with ransom payments but also result in significant long-term expenses.
Beyond the direct costs of the attack, such as the ransom payment itself, organizations face 3 main 'expense items':
- Cost of downtime
- Fine for GDPR violation
- Reputational damage
The most significant consequence of a ransomware attack is the cost of downtime ($5.600/minute, according to Gartner). A successful ransomware attack can prevent access to critical data and systems, resulting in disrupted operations, loss of revenue, and reduced productivity. The impact can be particularly severe for companies that rely on real-time data or operate in time-sensitive industries.
In addition to the cost of downtime, organizations may also face severe fines for violating GDPR. These regulations are designed to protect personal data privacy, and organizations that fail to comply with them may face substantial penalties that can be a significant financial burden. Fines for non-compliance can amount to the highest, between €10M or 2% of the annual turnover, putting even large companies in financial jeopardy.
Related reading: Does ransomware steal data? (And the cost of it)
Reputational damage is another significant risk associated with ransomware attacks. A successful attack can lead to losing stakeholder trust, generating long-term consequences for a company's reputation and revenues. Consumers avoid companies that fail to ensure compliance and resilience in managing their data. A study by IBM and Forbes Insights found that 46% of companies that suffered a cybersecurity breach experienced a significant decline in their brand value and reputation.
To conclude, IBM's 2022 report says that the average cost of a ransomware attack is $4.54M — without considering the ransom payment itself. Yet, this statistic is quite optimistic and doesn't consider 100% all the nuances and hidden costs of this threat (e.g., downtime, non-compliance fine, and reputational damage).
6 myths and misconceptions about backup and ransomware
When defending against cyber attacks, there are several myths and misconceptions about ransomware backup strategies that can leave organizations vulnerable. Here are six common misconceptions about backups and ransomware and the reality behind them:
Myth #1 — Regular backups protect you against ransomware
While making regular backups is a good practice, more is needed for effective ransomware data recovery. According to the Veeam 2022 Ransomware Trends Report, over 90% of ransomware attacks now specifically target backups by encrypting or destroying them. Lately, we've also seen how ransomware directly attacks servers and infrastructure, as in the case of the VMware attack with 5,000+ victim companies.
Myth #2 — Backing up to tape is the gold standard
While backing up to tape is a proven and reliable backup method, there are better options for ransomware data recovery. Tape backups can take a long time to restore, and in a ransomware attack, every second counts. Companies should adopt reliable solutions for ransomware that ensure quick data recovery. However, tape backups can still be vital in long-term data retention and archiving.
Myth #3 — Ransomware cannot encrypt a backup
Unfortunately, ransomware can encrypt a backup, which happens more frequently than you think. To protect against this, companies should implement data immutability, which prevents data modification, even by users with administrative privileges.
Related reading: How to decrypt files encrypted by ransomware (free, 6-step process)
Myth #4 — Backing up only critical data is enough
Backing up only critical data is not enough to defend against ransomware. Attackers can target not only critical data but also infrastructure components, such as servers and network devices — provoking downtime. Companies should implement a comprehensive ransomware backup strategy that covers all infrastructure components, from virtual machines to servers.
Myth #5 — Backup encryption is useless
Backup encryption can be a valuable solution in preventing data exfiltration, as it protects data stored in backup files from unauthorized access. It’s not a panacea for ransomware attacks — yet it avoids double extortion ransomware to cause urgency in the victim, as happened with the Colonial Pipeline attack.
Myth #6 — Paying the ransom is cheaper than investing in prevention
Paying the ransom should never be considered a viable solution for ransomware data recovery. Not only does it fund criminal organizations, but no guarantee paying the ransom will result in data retrieval.
The importance of Recovery Time Objective (RTO) and Recovery Point Objective (RPO) in an effective ransomware backup strategy
As organizations seek to mitigate the risks of ransomware attacks, Recovery Time Objective (RTO) and Recovery Point Objective (RPO) have become essential for ransomware backup strategies. RTO and RPO are vital metrics that help organizations determine the downtime and data loss level they can tolerate during a ransomware attack.
In a nutshell, Recovery Time Objective (RTO) is the estimated time it takes to recover data and systems from the moment of the attack. The RTO metric helps organizations set realistic expectations for recovery and ensures that critical business operations can be resumed quickly.
On the other hand, Recovery Point Objective (RPO) is the amount of data loss your company can survive, expressed as time. In layman's words, it determines the frequency of backups you should establish (e.g., if your RPO is 120 minutes, you should run a backup every 120 minutes, otherwise — if a disaster occurs — you'll lose the data created after this time-lapse).
Another set of metrics closely related to RTO and RPO are the Recovery Point Actual (RPA) and the Recovery Time Actual (RTA).
Recovery Point Actual (RPA) is the actual point in time at which data can be restored after a disruption (i.e., the point in time of the last snapshot you made). Recovery Time Actual (RTA) is the actual time it takes to recover systems and data after a disruption.
RTO and RTA may look similar, yet RTO expresses the estimated recovery time, while RTA it's the actual time.
In conclusion, RTO and RPO are essential metrics that help organizations set realistic expectations for the recovery process and ensure that critical business operations can be resumed as quickly as possible. Therefore, for a proper ransomware incident response plan, it's essential to establish appropriate RTO and RPO targets.
6 solutions for ransomware data recovery
Ransomware can encrypt 100% of your data and system in seconds. That's why always having a complete, updated backup is essential.
Also, note that some backup companies zero your egress fee but put a daily quota on your download. This allows you to have an efficient backup of your critical data but not an efficient recovery of all your company assets — hindering your business continuity.
Here are 6 best practices you should always follow to keep your company up and running:
#1 Check your bandwidth availability with a full-capacity recovery test
The primary backup criticality for most companies is not ransomware, yet the available bandwidth your firm has for a prompt and bloodless recovery.
Companies need to make backups and recover data in a reasonable time. Let's say, for example, your available bandwidth is 100MB (e.g., headquarters are located in a non-optic fiber zone). During the day, the company already saturates it about 50%. On the other hand, if we use 100% of our bandwidth at night for backups, we will make anti-theft and other systems unavailable due to internet saturation.
That's why, on top of running regular backup tests, it's crucial to know in advance what's the maximum bandwidth we can use for recovery and how long it takes to restore our business continuity after a disaster.
This issue can be addressed via a little-used (yet highly efficient) Veeam method, the forever incremental backup. This strategy has 2 benefits:
- It lowers file size thanks to deduplication technology.
- It does only patches/upgrades to your initial full backup.
This way, when it's ransomware data recovery time, you only need to restore the initial backup (instead of hundreds of incremental backups) — and you'll be able to do it in a reasonable time.
#2 Review and update storage policies
Ransomware is evolving; it can now delete and exfiltrate critical backups. That's why it's increasingly important to check your backup policies.
One important thing is to enable policy-driven immutability.
Based on the S3 Object Locking feature, immutable storage means that you choose what data you want to protect, along with an expiration date: within that time, no one — no hacker, no ransomware, not even the provider — can delete, encrypt, or modify your data.
Here are some main points your company should follow:
- Verify and test your backups daily.
- Use immutable storage as a solution for ransomware resiliency.
- Adopt a WORM ('Write once, read many') strategy.
- Store one copy in air-gapped, offline storage.
- Always check you're using backup with versioning.
- Ensure endpoint protection on backups and servers.
- Keep different restore points with backup copy jobs.
- Apply Veeam's 3-2-1-1-0 backup rule with more than one immutable storage.
#3 Apply Veeam’s 3-2-1-1-0 golden backup rule
The 321 backup rule says that you should:
- Make 3 copies of your data.
- Store them on at least two media.
- And save one of them offsite.
The industry leader Veeam updated this excellent rule of thumb by suggesting the 3-2-1-1-0 backup rule. The added 1 & 0 stand for:
1: Store one of the remaining 2 copies offline, air-gapped, or on immutable storage.
0: Backups and recovery should be verified daily. If you find errors, solve them quickly. You never know when the next disaster or ransomware will occur.
Related reading: 321 backup rule & hybrid cloud: diversify your disaster recovery plan for 2023
#4 Enable end-to-end encryption to avoid data exfiltration
With the rise of double extortion ransomware like Ryuk, the victim faces not only downtime but also the legal and reputational risks of the publishing of their private data.
That's why encryption doesn't protect directly from ransomware but still encrypts data. You'll avoid the urgency of paying the ransom like Colonial Pipeline did, paying $4M+ to get a decryption tool.
Related reading: End-to-end encryption simply explained
#5 Follow digital hygiene practices
According to IBM data, 95% of cyberattacks are caused by human errors. At the same time, Ponemon Institute says that insider threats have increased by 44% over the past two years, with costs per incident up more than a third to $15.38 million.
That's why it's super important to keep everything to the basics:
- Educate employees regularly.
- Minimize the attack surface via the principle of least privilege.
- Update software vulnerabilities.
- Use multi-layered security.
- Adopt unique passwords and enable multi-factor authentication.
#6 Protect your entire business infrastructure
In the battle against ransomware, it's not only your backup and data at risk. Numerous ransomware directly attacks the system and spread through your network via lateral movement (as in the case of the Conti ransomware attack against Ireland health service).
Related reading: How does ransomware get in? 7 attack vectors companies should know
Especially when it comes to big, dispersed enterprises, it is crucial to check the branch offices regarding security education, loophole systems, and more. Avoid them to be an easy initial access for cybercriminals.
The ultimate ransomware incident response plan checklist of 2023
Ransomware attacks can be catastrophic, causing significant downtime, data loss, and reputational damage. To address this threat without stress, organizations must have a comprehensive incident response plan that addresses all aspects of a ransomware attack.
That's why it's essential to have a proven ransomware incident response plan ready. (Already hit? Check this step-by-step guide on what to do after a ransomware attack)
Below are key checklist points that IT managers, CTOs, and developers should consider when creating a ransomware incident response plan:
#1 Before the incident
Before preparing for the worst, ensure you’ve done everything possible to prevent the attack. Following digital hygiene practices like software updates, educating employees, and the principle of least privilege. Also, testing and verifying full backup (and disaster) recovery it’s crucial.
To facilitate the impact analysis, you can develop a risk assessment framework considering the likelihood and potential impact of ransomware attacks on your organization (e.g., downtime, data loss, reputational damage, regulatory fines).
After having followed your ransomware prevention checklist, you should prepare a ransomware incident response plan. Below are mentioned the steps to do that.
First, it’s essential to know what to do during a ransomware attack (and how to get rid of it). Then, you must create a chart of roles and responsibilities: from IT to law and crisis communications management teams. Also, you should know who to notify of the breach (e.g., internal teams, external stakeholders, and law enforcement).
Defining advanced regulatory, insurance, and corporate policies it’s paramount. Ensure that your insurance policies cover ransomware incidents (and the negotiation process!), plus that you understand the terms and conditions of the policy.
Finally, tag and secure your critical data. This last step helps you define the assets you must prioritize for recovery to keep your business continuity. On top of that, you can tag sensitive assets that need advanced encryption for exfiltration prevention.
#2 During the incident
Ransomware is not about 'if' but 'when.' Sometimes, the worst happens even if we have followed all the prevention best practices.
You must act immediately if your business is officially under attack or you notice something wrong.
First of all: wait to restore your backup! (Otherwise, attackers will encrypt it again).
Instead, identify the type of attack, analyze its scope and impact, and isolate it from devices and the network. We've explained all the steps to follow in a dedicated article.
Please note: ensure that there's always a secure environment and that you can recover systems from bare metal. If that's not possible, consider moving applications to the production environment.
Don’t have a backup available? Learn how to decrypt files encrypted by ransomware.
#3 After the incident
Even if you have removed the ransomware and restored all the critical systems, you must learn what worked and what didn't. On top of that, consider implementing tools that let you granularly identify the causes of a data breach in minutes. Then, update your disaster recovery plan accordingly.
In conclusion, ransomware attacks are becoming more sophisticated and prevalent. Therefore, organizations need to be proactive and prepared to handle such incidents. By following the above checklist, you can create an effective ransomware incident response plan that ensures the continuity of your business operations during a ransomware attack.
In conclusion, ransomware attacks are a growing threat whose impact can provoke millions of dollars in hidden costs (i.e., downtime, compliance, and reputational damage).
It's crucial to take proactive steps to prevent and prepare for these attacks, including implementing strong security measures, regularly backing up data, and having a comprehensive incident response plan.
Cubbit offers a secure, cost-effective, s3 compatible cloud object storage solution for ransomware data recovery.
Every data stored on Cubbit is encrypted, split into redundant chunks, and distributed across a global, peer-to-peer network — safe from ransomware, downtime, and data breaches.
To learn more about Cubbit's backup solution and how it can help protect your business from ransomware attacks, you can activate a free trial today. And if you need more customized support or advice on storage and cybersecurity, don't hesitate to contact Cubbit's team of experts.