You have to feel badly for all the organizations that were victimized in May by the WannaCry gang and watched helplessly as their lifeblood data got stitched up into an unrecognizable and unreadable form. Given the circumstances and how dire the effects might be on some companies, it's pretty easy to resist saying "I told you so" to the storage jockeys caught with their defenses down.
Hopefully, those outfits that bit the bullet and bitcoined their way out of encryption hell are back in business and wiser for the experience. But if this ransomware episode plays out like previous attacks, a lot of companies will pay up and still not get their data back. As the old saying goes, there's no honor among thieves.
Defending against this type of security breach is a lot different from defending against other insidious attacks. What makes ransomware different is that it's all about storage. The bad app locks up your storage, and you either unravel the rogue code's encryption or start learning about blockchain technology and shipping bitcoins into the ether. Alternatively, you can survive the attack using basic data protection techniques you're doing anyway, right?
If your email inbox looked anything like mine in the weeks after WannaCry was set loose, you probably saw a nonstop deluge of messages touting surveys, product announcements, tip sheets and other sage advice to combat ransomware. All were reminding us that backup may be the best defense against these assaults. At least, that was the message from storage vendors -- the security guys probably want to sell you a brand-new, artificially intelligent super app that will build an electronic moat around your data center and sniff out any new variants of the latest in-vogue viruses.
"Backup, backup, backup" is good advice when it comes to ransomware. It is, perhaps, a bit incomplete, however.
Backup may not be enough
Some companies diligently backing up their data on a daily basis may still struggle to overcome a ransomware attack. There are a couple of possible reasons why.
Recovering from ransomware typically involves wiping the afflicted machines and rebuilding them using backed-up data or, in a virtual world, recreating the virtual machines (VMs) on the same or other hardware using the backups. The problem is backups typically only contain application data. So, if you have a clean, pre-ransomware copy of the data, recovering it is only part of the process. You still need an OS, the applications, configuration settings, access rights, and so on to get up and running and back in business. If that sounds like a lot to do and could take a long time to get done, you're right.
Another issue with using your backups to thwart ransomware is frequency. If you back up your data -- even if you back up all your systems -- just once a day or less frequently, you may have also backed up the ransomware Trojan. In that case, recovery could land you right where you started: unable to access your data.
Data protection techniques stymie ransomware
There are ways of getting around these shortcomings.
The first is to back up everything, as in the OS, applications and so on. If your environment consists of virtual machines, this is much easier. Sometimes a simple backup app doesn't provide sufficient defense against ransomware, though, so check with your backup vendor or cloud backup service to make sure backups are fully recoverable. One of the best and most economical data protection techniques is cloud-based disaster recovery, or DRaaS (disaster recovery as a service). Backed-up data system files get shipped to the cloud service where you can fire up a cloud-based VM if ransomware has made your on-premises data inaccessible.
DRaaS may also help avoid the corrupted backup scenario as well, because many of these services perform their backups continuously, often just minutes apart and frequently on a schedule that you set. With multiple timestamped backups, data protection techniques like this make it possible to roll back to the latest uncorrupted version of your data.
DRaaS sometimes seems too good to be true, but it isn't. And given its affordability and effectiveness, it's surprising more companies haven't adopted it by now. A recent survey sponsored by backup app vendor Veeam showed that only 23% of the more than 1,000 survey respondents currently use a cloud DR service. Another 25% indicated they plan to engage one of these services sometime over the next 12 months. Let's hope they do.
Backup vs. DR vs. archive
You may choose to put some data on ice for several reasons. You can back it up so it's handy if a file or volume or some relatively small chunk of data needs to be restored. Or you could use DR techniques to safeguard everything you need to access using that data. Or, maybe, you just want to tuck some old data away, far from primary storage.
Those are three different scenarios, and for years, the common wisdom was to treat each separately. That practice worked as long as we weren't up to our ears in data. Today, we're up to our ears in data, so a more holistic approach to data protection techniques is necessary.
Most organizations don't have resources -- or the will -- to maintain and manage multiple copies of data. That's where copy data management (CDM) comes to the rescue, by helping us manage backup, DR and archive effectively without littering the data center landscape with dozens of copies of data. CDM is another important tool to consider in your battle against the ransomware menace.
Be proactive in the fight against ransomware
What to look for in products promising to ease ransomware recovery
Ransomware protection tools to consider