We all love our data. Whether it resides on premises, in the cloud or a combination of both, we can’t do without it. We use our data to provide services to our customers and to run our daily internal operations, and it even helps us determine our strategy going forward. At the same time we know our data is under constant attack and at risk of being held hostage. According to the Gartner report “Detect, Protect, Recover: How Modern Backup Applications Can Protect You From Ransomware”, by 2025 at least 75% of IT organizations will face one or more ransomware attacks.
Even more worrying, in the same report Gartner states that increasingly sophisticated ransomware attacks specifically target backup data and administrator functions. In other words, ransomware is actively trying to gain access to the very heart of what manages your backups and your backup data.
This threat requires a new way of looking at the backup solution and its data, or as we like to call it, the last line of defense.
Malware protection requires a multi-layered strategy, and at its core sits a backup and recovery solution that must be able to recover, and to do so within the required timeframe.
Where in the past a backup solution was mostly about data integrity and getting the data offsite for disaster recovery purposes, we now have to add protection of the backup data, and of the backup application itself, to the mix and bring it to the forefront.
While most restores from a backup solution involve a single user document or mailbox item, ransomware recovery has quickly become the main large-scale use of a backup solution. Ransomware recovery pushes the backup environment to its limits while the future of the company hangs in the balance. This is where reliability and performance really come into play, and ransomware demands a solution that optimizes your chances of a successful and speedy recovery.
Framing the ransomware risk as “when”, not “if”, helps create the required mindset: think about ransomware recovery the same way one already thinks about ransomware prevention.
An attack usually unfolds in phases:
- Penetration of the network, through stolen credentials and remote-access malware.
- Theft of credentials for critical accounts, to gain access to the directory service, DNS and the storage and backup consoles.
- Attack on the backup administrative console. Access to the backup admin console allows attackers to modify or turn off backup schedules, gain insight into where sensitive data is stored, or simply delete backups altogether.
- Data theft. Why only encrypt, if one can also steal the data for future criminal activity?
How the right backup solution helps you recover from a ransomware attack
Detection of malware - Detecting the attack is a vital step in limiting further impact and enabling a swift recovery. It might seem that detecting an attack is easy, but small-scale attacks can go unnoticed for weeks while the attackers look for ways to gain further access to the environment. The backup solution should not be the only means of detecting malware, but it can fulfill a unique role.
Protecting the backup system - Protection of the backup solution itself, as a whole, has become the number one priority in backup solution design.
Ability to recover - When the time comes to recover, the solution needs to be ready and able to recover, and to do so within the required timeframe.
Preparing for ransomware recovery with Rubrik
Rubrik is uniquely equipped to help organizations improve the detection of ransomware, and it enables them to recover from ransomware without paying the ransom, within the required timeframe.
Detection of malware
A backup solution has a unique, complete overview of all changes to data that occur within the environment over time. When the solution is smart enough, it can learn the organization’s data-usage patterns and report irregularities commonly associated with malware activity.
Rubrik’s Radar applies machine learning to the backup metadata to scan it for anomalies. Because it uses a multitude of factors to calculate the probability of an actual ransomware attack, Rubrik reports a 98% success rate in correctly identifying ransomware attacks.
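To make the idea of learning data-usage patterns from backup metadata concrete, here is an added example written for this article. It is not Rubrik Radar’s code and it is not from the original page; the per-snapshot statistics, thresholds and weights are constructed assumptions. Each daily snapshot is scored against the snapshots before it on three independent signals (rate of changed files, rate of renamed files, and mean entropy of the changed content), and only a combination of signals reaches the alert line. That is what lets a benign mass change, such as a software rollout, stay below the threshold while mass encryption does not. The scan also proposes the last snapshot before the anomaly as the recovery point.

```python
"""Anomaly detection over per-snapshot backup metadata.

Added illustration for this article; it is not Rubrik Radar's algorithm.
The snapshot statistics are constructed, and the thresholds and weights
are assumptions chosen to show how several independent signals are
combined into one ransomware probability score.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class SnapshotStats:
    name: str            # snapshot identifier (constructed)
    files_total: int     # files present in the snapshot
    files_changed: int   # files whose content changed since the previous snapshot
    files_renamed: int   # files renamed or given a new extension since the previous snapshot
    mean_entropy: float  # mean Shannon entropy, in bits per byte, of the changed files


MIN_BASELINE = 5          # snapshots needed before a baseline is trusted (assumption)
Z_THRESHOLD = 3.0         # standard deviations above baseline that count as anomalous
ENTROPY_THRESHOLD = 7.5   # encrypted or compressed content approaches 8.0 bits/byte
WEIGHTS = {"change_rate": 0.4, "rename_rate": 0.3, "entropy": 0.3}
ALERT_SCORE = 0.6         # a single factor is never enough to raise an alert

# Constructed history: a normal week of daily snapshots, then a mass-encryption day.
HISTORY = [
    SnapshotStats("day-01", 100_000, 1_200, 15, 4.9),
    SnapshotStats("day-02", 100_200, 1_350, 12, 5.1),
    SnapshotStats("day-03", 100_350, 980, 20, 4.7),
    SnapshotStats("day-04", 100_500, 1_500, 18, 5.0),
    SnapshotStats("day-05", 100_600, 1_100, 10, 4.8),
    SnapshotStats("day-06", 100_700, 1_420, 14, 5.2),
    SnapshotStats("day-07", 100_800, 1_260, 16, 4.9),
    SnapshotStats("day-08", 100_900, 62_000, 61_500, 7.97),
]

# Same week, but day 8 is a large software rollout: many changed files, yet
# ordinary entropy and few renames, so it must not be reported as ransomware.
PATCH_DAY_HISTORY = HISTORY[:7] + [SnapshotStats("day-08", 100_900, 30_000, 20, 5.3)]


def z_score(value: float, baseline: list[float]) -> float:
    """Distance of value from the baseline mean, in standard deviations."""
    mu, sd = mean(baseline), pstdev(baseline)
    if sd == 0.0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sd


def score_snapshot(current: SnapshotStats, baseline: list[SnapshotStats]) -> tuple[float, list[str]]:
    """Combine independent signals into a score in [0, 1] plus human-readable reasons."""
    if len(baseline) < MIN_BASELINE:
        return 0.0, ["insufficient baseline"]
    score, reasons = 0.0, []

    change_z = z_score(current.files_changed / current.files_total,
                       [s.files_changed / s.files_total for s in baseline])
    if change_z > Z_THRESHOLD:
        score += WEIGHTS["change_rate"]
        reasons.append(f"change rate z={change_z:.1f}")

    rename_z = z_score(current.files_renamed / current.files_total,
                       [s.files_renamed / s.files_total for s in baseline])
    if rename_z > Z_THRESHOLD:
        score += WEIGHTS["rename_rate"]
        reasons.append(f"rename rate z={rename_z:.1f}")

    if current.mean_entropy > ENTROPY_THRESHOLD:
        score += WEIGHTS["entropy"]
        reasons.append(f"mean entropy {current.mean_entropy:.2f} bits/byte")

    return round(score, 2), reasons


def scan(history: list[SnapshotStats]) -> list[tuple[str, float, list[str]]]:
    """Score every snapshot against all snapshots that precede it."""
    return [(snap.name, *score_snapshot(snap, history[:i])) for i, snap in enumerate(history)]


def suspected(history: list[SnapshotStats]) -> list[str]:
    """Names of snapshots whose combined score reaches the alert threshold."""
    return [name for name, score, _ in scan(history) if score >= ALERT_SCORE]


def last_clean_snapshot(history: list[SnapshotStats]) -> str | None:
    """Recovery point: the snapshot immediately before the first alert, if any."""
    findings = scan(history)
    for i, (_, score, _) in enumerate(findings):
        if score >= ALERT_SCORE:
            return findings[i - 1][0] if i > 0 else None
    return None


if __name__ == "__main__":
    for name, score, reasons in scan(HISTORY):
        print(f"{name}: score={score:.2f} {'; '.join(reasons)}")
    print("suspected:", suspected(HISTORY), "recover from:", last_clean_snapshot(HISTORY))
```

The weights are deliberately set so that no single signal reaches the alert line: a patch day trips the change-rate test alone (score 0.4) and is left alone, while the encryption day trips all three (score 1.0) and points the operator at day-07 as the recovery point. In a real deployment the baseline window, the per-workload thresholds and the entropy sampling would all need tuning.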
Protecting the backup system
Running a backup solution on top of a general-purpose operating system that is known to be the prime target of ransomware, and storing your data on that system’s drives, is not the way forward.
A holistic, ground-up approach to the protection of the backup system was needed, and this is where Rubrik stepped in.
On a vault-like Linux layer, Rubrik’s engineers built an immutable (append-only) clustered filesystem that offers data-integrity features such as auto-healing from bit rot, and leaves ransomware no way to mutate your valuable backup data.
Rubrik’s UI and CLI support multi-factor authentication, making sure that stolen credentials alone do not lead to changes to retention or backup-interval settings within the Rubrik environment.
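As an added illustration of what “immutable (append-only)”, “auto-healing from bit rot” and a protected retention setting mean in practice, the following is a simplified content-addressed chunk store written for this article. It is not Rubrik’s filesystem and not code from the original page; the replica count, the retention-lock model (a lock that can be extended but never shortened, regardless of who asks, which is a stronger guarantee than the text’s MFA gate) and the sample chunk contents are assumptions. Chunks are addressed by the SHA-256 of their content, so existing data can never be overwritten in place, deletion is refused while a retention lock is active, and a scrub rehashes every replica and rewrites corrupt copies from an intact one.

```python
"""Append-only, content-addressed chunk store with retention lock and replica repair.

Added illustration of the properties the text attributes to Rubrik's
filesystem (immutability, no deletion by a compromised administrator,
self-healing from bit rot). It is not Rubrik's implementation; the node
count, retention model and sample chunk contents are assumptions.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass
class Record:
    data: bytes
    retain_until: int  # epoch seconds; expiry is refused before this moment


class ImmutableChunkStore:
    """Chunks are addressed by the SHA-256 of their content and replicated to every node."""

    def __init__(self, nodes: int = 3):
        self.nodes: list[dict[str, Record]] = [{} for _ in range(nodes)]

    @staticmethod
    def address(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def put(self, data: bytes, retain_until: int) -> str:
        """Append a chunk. Existing content is never overwritten; a retention lock may only grow."""
        addr = self.address(data)
        for node in self.nodes:
            rec = node.get(addr)
            if rec is None:
                node[addr] = Record(data, retain_until)
            elif retain_until > rec.retain_until:
                rec.retain_until = retain_until
        return addr

    def get(self, addr: str) -> bytes:
        """Return the first replica whose content still hashes to its address."""
        for node in self.nodes:
            rec = node.get(addr)
            if rec is not None and self.address(rec.data) == addr:
                return rec.data
        raise LookupError(f"no intact replica for {addr[:12]}")

    def expire(self, addr: str, now: int) -> bool:
        """Remove a chunk, but only once every replica's retention lock has passed."""
        if any(addr in node and node[addr].retain_until > now for node in self.nodes):
            raise PermissionError("retention lock active: chunk is immutable")
        removed = [node.pop(addr, None) is not None for node in self.nodes]  # list: visit every node
        return any(removed)

    def verify_and_heal(self) -> dict[str, list[int]]:
        """Rehash every replica; rewrite corrupt or missing copies from an intact one."""
        healed: dict[str, list[int]] = {}
        for addr in set().union(*(node.keys() for node in self.nodes)):
            good, bad = None, []
            for i, node in enumerate(self.nodes):
                rec = node.get(addr)
                if rec is None or self.address(rec.data) != addr:
                    bad.append(i)
                elif good is None:
                    good = rec
            if good is None:
                raise RuntimeError(f"all replicas of {addr[:12]} are corrupt")
            for i in bad:
                self.nodes[i][addr] = Record(good.data, good.retain_until)
            if bad:
                healed[addr] = bad
        return healed


ORIGINAL = b"VM disk block 0001: accounts.db page header (constructed sample)"
ENCRYPTED = bytes(b ^ 0x5A for b in ORIGINAL)  # stands in for attacker-encrypted content


def demo() -> dict[str, bool]:
    """Walk through the attacker actions from the text and record what the store allows."""
    now = 1_700_000_000
    lock = now + 30 * 86_400                # 30-day retention lock (assumption)
    store = ImmutableChunkStore(nodes=3)
    addr = store.put(ORIGINAL, retain_until=lock)
    out: dict[str, bool] = {}

    # 1. Stolen admin credential: try to delete the backup outright.
    try:
        store.expire(addr, now)
        out["delete_blocked"] = False
    except PermissionError:
        out["delete_blocked"] = True

    # 2. Try to shorten the retention lock, then delete again.
    store.put(ORIGINAL, retain_until=now)
    try:
        store.expire(addr, now + 1)
        out["lock_not_shortened"] = False
    except PermissionError:
        out["lock_not_shortened"] = True

    # 3. Write encrypted content: it lands at a new address and the original is untouched.
    out["original_intact"] = store.put(ENCRYPTED, lock) != addr and store.get(addr) == ORIGINAL

    # 4. Bit rot (or out-of-band tampering) flips a byte in one replica; the scrub repairs it.
    rec = store.nodes[1][addr]
    rec.data = bytes([rec.data[0] ^ 0x01]) + rec.data[1:]
    out["healed"] = store.verify_and_heal() == {addr: [1]}
    out["read_after_heal"] = store.get(addr) == ORIGINAL

    # 5. Normal lifecycle: once the lock has passed, expiry is permitted.
    out["expired_after_lock"] = store.expire(addr, lock + 1)
    return out


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:20s} {'ok' if ok else 'FAIL'}")
```

The design point is that immutability comes from construction rather than from access control: because the address is the hash of the content, “modifying” a backup can only ever create a new chunk, and the only destructive operation, expiry, is gated by a lock that no credential can shorten. A real product layers replication across hosts and sites, background scrubbing and media redundancy on top of the same idea.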
Ability to recover
When the attack comes and encryption takes place within your IT environment, it is time to recover.
With Rubrik this starts with determining the blast radius of the attack through Rubrik’s Radar UI, selecting a point in time that Rubrik has determined to be before the ransomware became active, and starting the recovery.
Whether the ransomware has impacted a few hundred user files or a number of virtual machines, they can all be recovered from the same Rubrik Radar recovery wizard.
Depending on the attack, one might still need to remove malware executables that lie dormant within the backups afterwards. Rubrik’s Radar lets you quickly go back to a time before the encryption took hold of your data, so that you can work with the appropriate experts and their tools to remove the dormant ransomware from your environment.
For your most mission-critical systems Rubrik can start an instant recovery. This means the virtual machines or databases, regardless of their size, become available directly from the backup storage within moments. Thanks to Rubrik’s built-in flash storage this provides a fast and usable recovery for most environments. Migration of the virtual machine back to production storage can take place later and does not impact availability.
The Gartner checklist
In the aforementioned Gartner report, Gartner lists a set of failings that next-generation backup solutions address; let’s map these onto Rubrik’s offering.
As you can see, Rubrik ticks most of the boxes and is working on the last missing piece of the ransomware puzzle. This is why Rubrik ensures a very high level of protection of backup data against ransomware attacks.
Automate recovery testing
Adding Rubrik’s next-gen backup offering to the BPSOLUTIONS BART tool was an easy decision and an easy implementation, thanks to Rubrik’s API-first design.
BART helps IT organizations with, amongst other things, ISO and organizational compliance by automating recovery tests and reporting restore results and real-world recovery-SLA compliance. Read more about BART at www.bpsolutions.com/keep-it-up-and-running/bart.
Interested in a Rubrik demo or a recovery Q&A? Contact me at Stefan.firstname.lastname@example.org
Published at the start of 2021.