Ransomware is part of disaster recovery

Issue 3 2022 Security Services & Risk Management, Infrastructure


Hemant Harie.

There can be no doubt that ransomware attacks are on the rise across the globe. A simple online search will reveal thousands of statistics in this regard and South Africa is no exception.

What is also clear from numerous examples of successful breaches is the potentially devastating effect of a ransomware attack, which can cripple a business and shut down essential services for extended periods, not to mention cost a fortune to recover from. Ransomware attacks are, in fact, a legitimate business disaster and need to be considered as such when it comes to disaster recovery and business continuity planning.

Under siege

There is no shortage of high-profile examples of ransomware attacks in South Africa over the past two years, from Johannesburg City Power to the Life Healthcare hospital group, Transnet Ports to the Department of Justice and Constitutional Development. To highlight the magnitude of the problem, according to the Interpol African Cyberthreat Assessment Report, in the period January 2020 to February 2021, there were 230 million threat detections. The report also lists ransomware as one of the top threats affecting Africa, with nearly two-thirds of companies in the region affected by ransomware in 2020 alone.

Mind the gap

Malware can infect anything and everything that is online and, these days, almost everything is online. With the risk of cyber-attacks so high, it has become imperative to have a plan to deal with the eventuality. Prevention is obviously better than cure, but when the threat simply cannot be prevented, the ability to recover is crucial and that is where data management needs to come into play.

One tried and tested method of protecting data and thus of having a copy of data available to recover from, is the concept of air gapping or data isolation. An air gap can either be physical or virtual, but it is, in effect, exactly what it sounds like: putting space between the copies of your data, to ensure that if one copy is infected, it cannot infect the other – like social distancing for your data. This can be done with physical copies of data, or in the cloud, by using separate clouds to store production and backup data copies.

Data isolation is a similar concept, which involves removing a copy of data to another location to separate it and prevent infection. Tape is an excellent example of this, where backup data is taken offsite to secure storage and repatriated on request. Data isolation limits access to data and creates an immutable copy through Write Once Read Many (WORM) architecture. Using WORM means that in the event of a ransomware attack, backup data cannot be corrupted or infected.

The threat lies in wait

Air gapped, isolated and immutable data copies are an essential component of data management. However, ransomware often lies dormant in an environment for an extended period, gathering information before it is activated to attack. This means that there is a distinct possibility that the air gapped, isolated and immutable copy of data is already infected and if it is used for restore purposes, the ransomware can simply be reactivated.

This is where regular maintenance, testing, threat detection and, above all, keeping multiple copies of data from multiple points in time become imperative. This way, should it be discovered that a backup copy is infected, you are able to roll back further to a previous copy that is free of the malware. Data management, data protection and disaster recovery around data require multiple tools in multiple layers to ensure adequate coverage.
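The roll-back described above, sketched as an added example that is not part of the original article: given restore points from several points in time and the file hashes identified during incident response, it picks the newest copy taken before the first infected one. The catalogue layout, paths and hash values are constructed placeholders, and the function names are hypothetical.

```python
from datetime import date

# Constructed sample catalogue: one restore point per week, each with a
# manifest of file path -> content hash (placeholder values, not real IoCs).
BASE = {"/srv/app/app.bin": "aa11", "/srv/data/db.bak": "d001"}
CATALOGUE = [
    {"taken": date(2022, 1, 3), "manifest": dict(BASE)},
    {"taken": date(2022, 1, 10), "manifest": dict(BASE)},
    # Dormant payload lands and is faithfully copied into the immutable backup.
    {"taken": date(2022, 1, 17), "manifest": {**BASE, "/srv/app/updater.dll": "bad0"}},
    # Payload replaced by a variant the indicator set does not know about.
    {"taken": date(2022, 1, 24), "manifest": {**BASE, "/srv/app/updater.dll": "ffff"}},
    {"taken": date(2022, 1, 31), "manifest": {**BASE, "/srv/app/updater.dll": "bad0"}},
]
INDICATORS = {"bad0"}  # hashes identified during incident response (constructed)

def scan(point, indicators):
    """Paths in this restore point whose hash matches a known indicator."""
    return sorted(p for p, h in point["manifest"].items() if h in indicators)

def choose_restore_point(catalogue, indicators):
    """Return (restore_point_or_None, report).

    The chosen point is the newest one taken BEFORE the earliest infected
    point. A later copy with no hits is not trusted: the environment was
    already compromised when it was taken, so a clean scan may only mean
    the indicator set is incomplete.
    """
    ordered = sorted(catalogue, key=lambda p: p["taken"])
    report = [(p["taken"], scan(p, indicators)) for p in ordered]
    first_bad = next((i for i, (_, hits) in enumerate(report) if hits),
                     len(ordered))
    clean = ordered[first_bad - 1] if first_bad > 0 else None
    return clean, report

def data_loss_days(point, incident_day):
    """Days of changes lost by restoring from this point."""
    return (incident_day - point["taken"]).days

if __name__ == "__main__":
    chosen, rows = choose_restore_point(CATALOGUE, INDICATORS)
    for taken, hits in rows:
        print(taken, "INFECTED " + ", ".join(hits) if hits else "no indicator hits")
    print("restore from:", chosen["taken"] if chosen else "no clean copy retained")
```

If retention is shorter than the dormancy period, the function returns `None`, which is the case the multiple-points-in-time requirement is meant to prevent.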

Best practices are best for a reason

Following a best practice framework for ransomware protection and recovery can prove to be invaluable. One such example is the National Institute of Standards and Technology (NIST), which proposes five steps to help mitigate the risk and impact of a cyber-attack:

1. Identify – assess and mitigate risks.

2. Protect – isolate, lock and harden data from changes.

3. Monitor – detect anomalies and threat patterns.

4. Respond – analyse the data and perform the actions as outlined in the plan.

5. Recover – restore clean data quickly to get business back up and running.

Ransomware attacks have become inevitable and being prepared for them is key to surviving the onslaught. This means having a recovery plan that aligns with the business, maintaining readiness and responding when attacks occur. It means having an expert partner to assist with data management, protection and recovery. It means planning, testing and responding effectively. In short, it means that cyberthreats like ransomware are a disaster and they need to be treated as such, or businesses face a risk that could shut them down for good.








© Technews Publishing (Pty) Ltd. | All Rights Reserved.