Security and Backup Alignment Critical to Ransomware Recovery

This syndicated post originally appeared at Zeus Kerravala, Author at eWEEK.

Despite the critical role that backups play in data recovery, the majority of business lack proper collaboration with their security team.

Ransomware continues to plague organizations all over the world. The most common entry points of ransomware into enterprise IT environments are phishing emails, malicious links, and dubious websites, according to Veeam Software’s 2022 Ransomware Trends Report.

The provider of backup, recovery, and data management solutions found that 44 percent of organizations have experienced such cyberattacks in the past year, while 41 percent named infected patches and software packages as the other ransomware culprits.

Veeam surveyed 1,000 independent IT leaders in 16 countries to determine the impact ransomware has had on various organizations. All respondents experienced at least one cyberattack in 2021, with many experiencing at least two attacks. Approximately half (47 percent) of their data was encrypted by ransomware.

Ransomware Attacks are Rampant

Once bad actors enter the IT environment, they typically target mainstream platforms like backup repositories (94 percent) and production platforms (80 percent). Many ransomware attacks are based on known vulnerabilities within mainstream hypervisors and operating systems or database servers. Hence, organizations should have broader conversations not only with their cybersecurity team, but also database administrators to ensure that database servers are secure, hypervisors are patched, and updates are routinely administered.

Veeam also surveyed 3,393 organizations in a separate 2022 Data Protection Trends Report. According to those findings, 76 percent of organizations have experienced at least one ransomware attack last year, while 24 percent either avoided attacks or weren’t aware of an attack. This data underscores the fact that ransomware attacks are extremely common and affect most organizations.

Paying Ransom Does Not Guarantee Recovery

The most shocking data points in the study revolved around what happens when customers pay for the ransom. Only about half (52 percent) of those with encrypted data successfully recovered their data when the ransom was paid.

A whopping 24% of organizations were not able to get their data back, even when the ransom was paid. When paying ransom, most (72 percent) organizations used some form of insurance. Fifty-seven percent of respondents said they have cyber insurance that includes ransomware coverage, 30 percent have cyber insurance without ransomware coverage, and 13 percent don’t have cyber insurance.

The likelihood that organizations will pay a ransom following a cyberattack is high, not only because they value their data but also to avoid remediating significant portions of their infrastructure. Veeam’s ransomware report found most organizations were able to start remediation either the same or the following day. Those respondents said recovery took an average of 18 days to complete.

The usual remediation options for ransomware are either restoring from backups or paying a ransom to recover data. Restoring from backup can result in data loss if an organization doesn’t have the right capabilities in place. Organizations should have tested and secure backups that can be restored quickly. For this reason, a backup infrastructure should be part of every organization’s cybersecurity defense plan.

It’s important to understand the difference between protecting backup repositories and having clean data within the repositories. Just because a repository is protected doesn’t mean the contents are malware-free. Using clean backups is key to successful recovery. Nearly a third (31 percent) of organizations surveyed by Veeam relied on immutability, while 46 percent used a sandbox and 36 percent restored directly to production and then scanned for safety.

Good Backup Strategies Lead to Ransomware Protection

Secure backup is the last line of defense against ransomware. Organizations should have at least three copies of data on two different media with one copy being offsite, one being offline, air-gapped, or immutable. By applying this modern 3-2-1-1-0 rule, organizations can be better prepared to deal with cyberattacks, especially as the threat of ransomware keeps growing.

Luckily, 95 percent of organizations now use at least one method of retaining isolatable backup data. The report found 74 percent of organizations use some type of cloud-service and 67 percent use on-premises storage.

Most organizations use a combination of cloud services and tape data storage, which is a lower cost alternative to other storage solutions. Smaller organizations are likely to choose cloud services, while large enterprises are more selective when it comes to long-term data retention due to scale and regulatory challenges.

While backup is fundamental to data recovery, the alignment between cybersecurity and backup teams is currently lacking at most organizations. In fact, 52% of the respondents said their organization needs to make significant improvements for cybersecurity and IT backup teams to collaborate successfully.

Therefore, in addition to having backup solutions and comprehensive disaster response plans in place, sharing those plans with other security teams is what will help organizations improve their incident response.

Author: Zeus Kerravala

Zeus Kerravala is the founder and principal analyst with ZK Research. Kerravala provides a mix of tactical advice to help his clients in the current business climate and long term strategic advice.