Ransomware Attacks: Addressing the Recovery Gap in Organisational Cybersecurity

Written by Christopher Rogers, Senior Technology Evangelist at Zerto, a Hewlett Packard Enterprise company

According to recently published industry research, 75% of organisations have experienced at least one attempted ransomware attack in the last 12 months. Add to this the finding that two-thirds of businesses understand the potentially devastating problems any successful attack could bring, and it’s easy to appreciate why ransomware is now seen as one of the top three most serious threats to organisational viability.

While this relatively high level of awareness can be taken as a positive, what should remain of serious concern is the ability of organisations to recover from a ransomware attack. For those who have been put in this position, the research revealed that only 16% retrieved all of their data, including those who went as far as paying the ransom demand. In addition, nearly half (40%) lost hours or days of data because they were unable to restore everything prior to the point of the attack.

The recovery challenge

Today, the risk posed by ransomware attacks has become so great it’s arguably no longer a question of if or when an organisation will be targeted but how often. As a result, organisations are faced with a very real and immediate threat, and even more concerning is the finding that nearly six in ten organisations reported that regulated data, often in the form of personally identifiable information, was the target of successful ransomware attacks.

What’s more, by encrypting critical elements of network systems and servers, attackers are intent on disrupting core infrastructure components to render them inoperable. In fact, over half of the respondents in the study confirmed that these systems had been affected by ransomware.

Threat actors also target backup systems so organisations are unable to restore data, further adding to the pressure they can put on victims who have no appropriate resilience and recovery technologies in place. This is ringing alarm bells among IT leaders, with nearly a third (29%) expressing serious concerns. In response, many are considering how they can implement additional precautions to safeguard their backup data so they can quickly recover in the event of a crisis.

Backup scanning and air-gapping can strengthen defences against attacks

So, how are organisations addressing these issues? In many cases, backup scanning remains a tried and tested approach which, performed in real or near real-time, enables any suspicious files or executable code to be identified, generating immediate alerts when remediation action is required.

The research showed that most organisations already use backup scanning, which provides a solid basis for ransomware preparedness, although only a third are running detailed scans of backup data and user activity in near real-time.

In addition, scanning can also be carried out after the backup has completed, across data stored on physical media or in the cloud, to check for security issues, corruption, errors or any inconsistencies that may have arisen during the backup process. While real-time scanning is best for early threat detection, post-process scanning may be preferred by operations teams where performance or cost is the overriding issue.
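As an added illustration of the backup scanning described above (example code written for this article, not Zerto's product or the author's own), the script below compares two backup snapshots and raises alerts for files whose contents have become near-random (a common signature of encryption) and for files that have disappeared or changed en masse since the previous snapshot. The snapshots, file names and thresholds are constructed for the example.

```python
import hashlib
import math
from collections import Counter

# Constructed sample: two snapshots of the same backup set. Snapshot B
# has one file replaced by high-entropy bytes under a new name, standing
# in for a file that was encrypted and renamed before the backup ran.
SNAPSHOT_A = {
    "docs/report.txt": b"Quarterly report: revenue up, costs flat. " * 40,
    "docs/notes.txt": b"Meeting notes for Monday.\n" * 60,
    "db/customers.csv": b"id,name,email\n1,Ann,ann@example.invalid\n" * 50,
}
SNAPSHOT_B = dict(SNAPSHOT_A)
del SNAPSHOT_B["db/customers.csv"]
SNAPSHOT_B["db/customers.csv.locked"] = bytes(range(256)) * 8  # constructed

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plain text is ~4-5, encrypted data ~8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_backup(previous: dict, current: dict,
                entropy_threshold: float = 7.5,
                change_ratio: float = 0.5) -> list:
    """Return alert strings comparing the current snapshot to the previous one."""
    alerts = []
    # 1. Per-file check: contents that look encrypted.
    for path, data in current.items():
        if shannon_entropy(data) >= entropy_threshold:
            alerts.append(f"high-entropy file: {path}")
    # 2. Files present last time but missing now (deleted or renamed).
    missing = sorted(set(previous) - set(current))
    for path in missing:
        alerts.append(f"file removed since last snapshot: {path}")
    # 3. Mass-change check: a large share of the set changed at once.
    changed = sum(
        1 for p, d in current.items()
        if p in previous and hashlib.sha256(d).digest()
        != hashlib.sha256(previous[p]).digest()
    )
    ratio = (changed + len(missing)) / max(len(previous), 1)
    if ratio >= change_ratio:
        alerts.append(f"mass change: {ratio:.0%} of files altered or removed")
    return alerts

if __name__ == "__main__":
    for alert in scan_backup(SNAPSHOT_A, SNAPSHOT_B):
        print("ALERT:", alert)
```

In a real deployment the snapshot dictionaries would be replaced by manifests produced by the backup tool, and the alerts routed to the monitoring pipeline that triggers remediation.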

Taking protection a stage further, however, is the use of air-gapping, which is seen by over three-quarters of survey respondents as a viable way of mitigating the effects of a ransomware attack. Air-gapping works by physically isolating critical backups from unsecured systems, such as the Internet or potentially compromised networks. This is usually achieved by creating a physical disconnect – or air gap – which means that if ransomware infects one network, it cannot easily access or compromise the isolated backup system.

Air-gapped backups are at their most secure when they remain fully isolated from applications, databases, users or workloads operating in production or live environments. In practical terms, this means data should only be accessed during protected and monitored sessions to prevent threat actors from encrypting and/or stealing data.

Encouragingly, the research showed that nearly half (40%) of respondents protect all their backup copies, which should increase the chances of successful recovery from a ransomware attack. In contrast, and of serious concern, is that only just over a quarter of organisations have deployed air-gapping while a further 18% are in the process of testing and implementing a solution. The bottom line, therefore, is that most organisations remain unprepared to address the issues posed by a ransomware attack.

In an ideal world, IT teams would put both real-time malware detection and air-gapped recovery in place to build the level of protection required to address the risks posed by increasingly sophisticated ransomware attacks as well as other major risks to data, such as a major system failure. With this approach in place, the chances of mitigating a ransomware attack – or avoiding the impact of one altogether – are significantly increased, representing a major step forward for data security and organisational resilience.