Ransomware, The Cloud, and Isolated Recovery

Posted by Bill Tolson • May 7, 2018

With the recent ransomware attacks that have been in the headlines over the last year, many companies are reconsidering their data protection strategies to guard against these new and growing threats.

Traditional backup has been used for decades as an insurance policy for recovering from server failures. Backing up to tape or disk means creating an image of an entire server so that, in the event of data corruption or a server failure, the operating system and the data present at the time of the backup can be quickly reinstalled onto the server. Most companies rely on traditional backup for smaller infrastructure problems.

Ransomware and traditional backups

With ransomware in mind, a little-known weakness of traditional backup is that the backup server itself can be quickly infected by time-delayed ransomware, because backup runs are cyclical. A ransomware attack is sometimes deliberately delayed to ensure that all backup systems are infected as well. In many cases it takes weeks or months for a company to recognize that it was hacked. During that time, uninfected server backups are overwritten with images that already contain the malware or ransomware, infecting the backups. After a predetermined period, the attacker triggers the ransomware, and the company has no clean backup with which to repair the damage.

Because of the nature of ransomware attacks, and because conventional backup and DR no longer protect against them, a new method of data protection is needed. The only way to beat this type of attack is to generate a “gold copy” backup (taken before infection) and completely isolate it, so that when it is needed it is pristine and available for use. This process is known as Isolated Recovery: the recovery of known-good, clean data. The problem is knowing when you have an uninfected backup. The only way to be sure is to generate golden copies on a regular basis, so that when an infection does occur the company can fall back on the last clean backup.

Company critical data

Segregating every backup copy is not feasible, so the isolated recovery process is best targeted at the mission-critical data the company depends on, so that the business can recover quickly.

Isolated recovery relies on the principles of isolation and “air gaps”: an isolated storage repository must be set up that is disconnected from the network and restricted to users with the proper clearance. Such an isolated repository can potentially be set up in a cloud environment.


Air gaps and immutability

Air gaps are a bit more difficult. An air gap requires the storage system to be disconnected from the outside world, whereas a cloud storage system is, by definition, connected and accessible so that IT can reach it when needed. It seems to me that the main requirement for an isolated recovery system is the “gold copy” status of the backup. One way to guarantee gold copy status for a backup in the cloud is to write it to immutable storage. That immutable copy is “isolated” by virtue of its immutability and can be restored when needed. A regularly scheduled, separate backup saved to Azure WORM storage would provide an isolated recovery option that is highly secure against ransomware. Organizations in specific industries such as the financial and healthcare sectors could use this method as yet another piece of their disaster recovery process.
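To make the timing argument concrete, here is a small Python model, added as an illustration (it is not Archive360, Archive2Azure or Azure code). It compares a rotating backup store, where the oldest slot is overwritten on every run, with a write-once (WORM) store that rejects overwrites and deletes until a retention period has elapsed. It assumes ransomware that lies dormant in every image taken after the infection day and an attacker who, once the ransomware fires, tries to delete every gold copy they can reach; the day counts, interval, slot count and retention periods are constructed values.

```python
"""Model of why cyclic backups lose to time-delayed ransomware and how
immutable (WORM) gold copies survive, provided their retention period is
long enough. Illustration only; not Archive360, Archive2Azure or Azure code.
All day counts used below are constructed."""

from dataclasses import dataclass


class ImmutableWriteError(Exception):
    """Raised when a write would overwrite or delete a retained object."""


@dataclass
class Snapshot:
    day: int      # day the backup was taken
    clean: bool   # False once the dormant ransomware is present in the image


class RotatingBackupStore:
    """Traditional scheme: a fixed number of slots, oldest overwritten first."""

    def __init__(self, slots: int) -> None:
        self.slots = slots
        self.snapshots: list[Snapshot] = []

    def write(self, snap: Snapshot) -> None:
        if len(self.snapshots) >= self.slots:
            self.snapshots.pop(0)  # cyclical rotation overwrites the oldest copy
        self.snapshots.append(snap)

    def clean_snapshots(self) -> list[Snapshot]:
        return [s for s in self.snapshots if s.clean]


class WormStore:
    """Write-once store: objects can be added, but not overwritten or deleted
    until retention_days have elapsed since they were written."""

    def __init__(self, retention_days: int) -> None:
        self.retention_days = retention_days
        self.objects: dict[str, Snapshot] = {}

    def write(self, name: str, snap: Snapshot) -> None:
        if name in self.objects:
            raise ImmutableWriteError(f"{name} is retained; overwrite rejected")
        self.objects[name] = snap

    def delete(self, name: str, today: int) -> None:
        expires = self.objects[name].day + self.retention_days
        if today < expires:
            raise ImmutableWriteError(f"{name} is retained until day {expires}")
        del self.objects[name]

    def clean_snapshots(self) -> list[Snapshot]:
        return [s for s in self.objects.values() if s.clean]


def immutability_holds(retention_days: int) -> bool:
    """Check that a fresh WORM object can be neither overwritten nor deleted
    before its retention period expires."""
    store = WormStore(retention_days)
    store.write("gold", Snapshot(day=0, clean=True))
    try:
        store.write("gold", Snapshot(day=1, clean=False))
        return False
    except ImmutableWriteError:
        pass
    try:
        store.delete("gold", today=retention_days - 1)
        return False
    except ImmutableWriteError:
        return True


def simulate(infection_day: int, trigger_day: int, interval_days: int,
             rotation_slots: int, worm_retention_days: int) -> dict[str, int]:
    """Take a backup every interval_days from day 0 through trigger_day into
    both stores. Backups taken on or after infection_day carry the dormant
    ransomware. On trigger_day, an attacker who reached the backup tier tries
    to delete every gold copy; only copies whose retention has expired go.
    Returns how many clean restore points each store still holds."""
    rotating = RotatingBackupStore(rotation_slots)
    worm = WormStore(worm_retention_days)
    for day in range(0, trigger_day + 1, interval_days):
        snap = Snapshot(day=day, clean=day < infection_day)
        rotating.write(snap)
        worm.write(f"gold-{day:04d}", snap)
    purged = 0
    for name in list(worm.objects):
        try:
            worm.delete(name, today=trigger_day)
            purged += 1
        except ImmutableWriteError:
            pass  # retention policy blocks the delete
    return {
        "rotating_clean": len(rotating.clean_snapshots()),
        "worm_clean": len(worm.clean_snapshots()),
        "worm_purged": purged,
    }


if __name__ == "__main__":
    # Constructed scenario: infected on day 60, triggered on day 120 (dwell 60).
    print("retention 90:", simulate(60, 120, 7, 4, 90))
    print("retention 30:", simulate(60, 120, 7, 4, 30))
```

With a 60-day dwell time between infection and trigger, the rotating store holds no clean image at all, whatever its slot count, because every slot has been overwritten since the infection. The WORM store keeps clean gold copies only when its retention period is longer than the dwell time: with 30-day retention the clean copies have expired and can be purged before anyone notices the infection. The practical check this suggests is that the immutability retention on the gold copy container should be set longer than the time the organization realistically needs to detect an intrusion, not to the length of the backup cycle.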

This is not to say that isolated recovery should be used only in specific industries. Companies across all sectors that hold business-critical data should consider this backup methodology as well.

The Cloud, Isolated Recovery, and Archive2Azure

Archive360’s Microsoft cloud-based Archive2Azure can act as a golden copy repository because of its Azure-based security protocols and its integration with Azure immutable storage. Archive2Azure adds an information management layer, as well as additional security, access controls, and integration with Azure immutable storage, to your Azure tenancy.

By storing known golden copies of your servers in your Azure tenancy, managed with appropriate retention, your organization can protect itself against future ransomware attacks.