VMware Exec Reveals 4 Ransomware Recovery Strategy Mistakes to Avoid
Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. In this feature, VMware’s Mark Chuang reveals key ransomware recovery mistakes to avoid.
Ransomware attacks have consistently been on the rise in recent years. In fact, VMware research shows that nearly 60 percent of companies surveyed experienced a ransomware attack in the past 12 months, while 65 percent noted an increase in attacks since Russia invaded Ukraine. The bigger challenge, however, isn’t that these attacks are becoming more prominent – but that the nature of the attacks has significantly changed.
Ransomware attacks have evolved from scattered threats by small-time hackers into multi-stage, targeted campaigns executed by sophisticated criminal organizations and state-sponsored groups. Cybersecurity Ventures predicts that ransomware will cost victims more than around $265 billion (USD) annually by 2031.
Meanwhile, some ransomware groups are offering Ransomware as a Service (RaaS), where they sell their tools for other criminals to use. RaaS is growing as a business, with ransomware revenues in 2020 totaling around $20 billion, up significantly from the previous year. With the rise of RaaS, the barriers to entry for being a cyber-criminal have been greatly reduced, making it far easier to carry out a ransomware attack.
According to the NIST (National Institute of Standards and Technology) Cybersecurity Framework, a robust ransomware protection plan must include both preventative and recovery measures. Even if a company has the absolute top-of-the-line preventative cybersecurity measures in place, it cannot assume those measures will be 100 percent effective all of the time.
This is where ransomware recovery comes in.
Ransomware Recovery Strategy Mistakes
Ransomware recovery helps ensure systems can effectively respond and recover after an attack, acting as the critical last line of defense. While companies who have fallen victim to devastating ransomware attacks understand this, many who have not yet been attacked don’t realize what it takes to have an effective strategy in place.
Here are the common mistakes organizations need to avoid when creating a ransomware recovery strategy:
Relying on Traditional File Scanning to Test & Cleanse VMs
The ransomware landscape has changed. In the past, bad actors would use file-based techniques whereby they enticed users to open certain types of files to execute malicious code. However, fileless attacks started to emerge and have proliferated in the last five years. In fact, 60 percent of today’s attacks exclusively use fileless techniques. A fileless attack is one in which an attacker uses legitimate software, applications, and protocols to conduct malicious activities.
Because fileless attacks are never written to disk themselves, they cannot be detected by traditional file scanning of at-rest backup copies. They are observable only by using Next-Gen Anti-Virus (NGAV) with behavioral analysis, which looks for abnormal behaviors in running workloads. This needs to be part of your ransomware recovery solution.
Assuming Existing Backup and Disaster Recovery Solutions Are Sufficient
There is a common misconception that if your enterprise has backups, your ransomware recovery strategy is good enough. While backups are important, they are table stakes and insufficient to recover from modern ransomware. Immutable snapshots and air-gapping are also things you should have, but they too are table stakes and insufficient. Fileless attacks can remain undetected and dormant in the backups, and “reactivate” themselves when the backup VMs are powered on again.
Restoring VMs without identifying and removing these attack points during the remediation process could reintroduce ransomware into the production environment. The recommended approach is to restore the backup data to an Isolated Recovery Environment (IRE), which is a dedicated and secure environment that isolates the powered-on VMs from other networks, the internet, and other VMs in the IRE. NGAV with behavioral analysis can then be leveraged to observe the workloads running in the IRE.
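The three isolation properties of an IRE described above can be checked mechanically before any restored VM is powered on. The following is an added example, not code from the article or from any VMware product; the rule format, VM names and addresses are hypothetical and constructed for illustration, and the firewall is assumed to be first-match with default deny.

```python
import ipaddress

# Constructed sample topology; every name and address here is hypothetical.
IRE_VMS = {"restored-db": "10.99.0.10", "restored-app": "10.99.0.11"}
OUTSIDE = {"production": "10.0.5.20", "internet": "203.0.113.7"}

def first_match(rules, src, dst):
    """Return the action of the first rule matching src -> dst (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"

def isolation_violations(rules):
    """List every permitted flow that breaks the IRE isolation properties."""
    found = []
    for name, ip in IRE_VMS.items():
        # No path to or from other networks or the internet.
        for label, outside_ip in OUTSIDE.items():
            if first_match(rules, ip, outside_ip) == "allow":
                found.append(f"{name} -> {label}")
            if first_match(rules, outside_ip, ip) == "allow":
                found.append(f"{label} -> {name}")
        # No path to any other VM inside the IRE.
        for other, other_ip in IRE_VMS.items():
            if other != name and first_match(rules, ip, other_ip) == "allow":
                found.append(f"{name} -> {other}")
    return found

# Constructed rule sets: (action, source CIDR, destination CIDR), first match wins.
FLAT_SUBNET = [
    ("allow", "10.99.0.0/24", "10.99.0.0/24"),  # subnet trusted: VMs reach each other
    ("allow", "10.99.0.0/24", "0.0.0.0/0"),     # outbound left open
]
ISOLATED = [
    ("deny", "10.99.0.0/24", "10.99.0.0/24"),
    ("deny", "10.99.0.0/24", "0.0.0.0/0"),
    ("deny", "0.0.0.0/0", "10.99.0.0/24"),
]

if __name__ == "__main__":
    print("flat subnet:", isolation_violations(FLAT_SUBNET))
    print("isolated:   ", isolation_violations(ISOLATED))
```

A recovery subnet that is merely separate from production, like the flat rule set here, still lets a dormant infection in one restored VM reach its neighbours and the internet once powered on.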
Dismissing Comprehensive & Automated Ransomware Recovery Solutions
Ransomware recovery has become a complex problem that can cause months of downtime. Recovering from ransomware attacks these days involves multiple parts of the IT infrastructure. You need backup storage, NGAV to identify modern ransomware strains, and advanced software-based firewall rules to contain the VMs and prevent reinfection, as well as a secure and isolated environment to recover into. This is not something that should be manually stitched together during a stressful situation.
Assuming the Security Team Will Handle Ransomware Recovery
Identifying, protecting, detecting, and securing the perimeter fall within the realm of the security team. However, recovering from a ransomware attack is not a security problem alone. When a successful attack has occurred, it is the primary responsibility of the infrastructure team to collaborate with the security team to recover, as it involves compute, storage, networking, and getting business-critical applications back up and running.
Designing a Winning Ransomware Recovery Strategy
When crafting your enterprise’s ransomware recovery strategy, you must ensure that you are able to recover from ransomware attacks as quickly as possible while minimizing data loss. To achieve this, your strategy must include a purpose-built solution for ransomware recovery that will ensure confident recovery from existential threats, quick recovery with guided automation, and simplified recovery operations.
Ransomware attacks will keep rising – it is not a matter of if an organization will get hit by a ransomware attack anymore, but when. These attacks will continue to become more and more sophisticated, which is why it is so critical that organizations of all sizes are prepared with solutions that can help them recover from modern ransomware attacks.