
Why Conventional Disaster Recovery Won’t Save You From Ransomware

This guest post was contributed by Justin Giardina, Chief Technology Officer at 11:11 Systems.


The conventional formula for maintaining business continuity in the face of unexpected IT disruptions is as follows: Back up your data. Make a recovery plan. Test the recovery plan periodically.


That approach may work well enough if your primary concern is defending against risks like server failures or data center outages caused by natural disasters. But in the present age of widespread ransomware attacks, conventional backup and recovery planning aren’t always enough.


Instead, what businesses need is a backup and recovery plan that includes cyber incident recovery. Here’s a primer on what that means and why it has become a critical component of effective disaster recovery.

The unique requirements of ransomware recovery

IT outages fall into two broad categories. The first is technical failure, such as a power loss or broken IT equipment. Recovering from these incidents is straightforward as long as you have intact backup data and somewhere to restore it.


The other common cause of outages is cybersecurity incidents – like ransomware attacks, which have become so widespread that 72 percent of all businesses were impacted by ransomware in 2023 alone.


Recovering from ransomware presents several challenges and risks that other types of outages do not.

1.   Compromised backups

The threat actors who execute ransomware attacks often attempt to encrypt or destroy backups. Indeed, Tech Republic reports that backups are targeted in 94 percent of ransomware breaches. If attackers succeed in rendering backups unusable, recovery based on backups becomes impossible.


In other recovery scenarios, loss of backups is a minor risk: as long as backup data is stored at a site separate from the primary data center, it will survive whatever took the primary site down. A ransomware operator, by contrast, goes looking for the backup system deliberately.


2.   Infected backups

If the intrusion that led to the ransomware deployment began weeks or months earlier, every backup taken since then may contain the attacker's malware and persistence mechanisms. Restoring from such a backup restores the attacker's access along with the data, and a second ransomware attack can follow. Backups must be checked for malware in isolation, and anything found removed, before they are used for recovery.


3.   The need for cyber forensics

Typically, the environment compromised during a ransomware attack must be preserved unchanged while investigators analyze it to establish how the attack occurred, so that the root cause is actually fixed rather than restored along with everything else.


This rules out recovering on the original infrastructure, unlike other recovery scenarios, where you can typically reuse the original systems once they are back online.


4.   Varying attack scope

In a ransomware attack, it is often not obvious which systems or data were impacted. Attackers may have compromised some servers or databases but not others. As a result, it is difficult to know exactly what needs to be recovered, or where to start.


This tends not to be an issue when you’re dealing with a complete data center failure caused by a problem like a power outage. In that event, you know that everything in the data center went down.


The role of cyber incident recovery

For each of these reasons, backup and disaster recovery strategies are not a reliable safeguard against ransomware attacks unless they include cyber incident recovery plans.


Cyber incident recovery planning means taking measures that mitigate the unique challenges of ransomware recovery, such as:


  • Immutable, offsite backups: Immutable backups stored offsite minimize the risk that threat actors can destroy backup data. Immutability here means a retention lock enforced by the storage itself, not merely a restrictive permission, so that even an attacker holding backup-administrator credentials cannot delete or overwrite the copy before the retention period expires.

  • Clean-room recovery environments: A clean-room recovery environment is a secondary environment where workloads can be spun back up following a ransomware attack. This makes it possible to keep the original environment intact for forensics purposes while still performing rapid recovery.

  • Malware removal: To avoid reintroducing the malware behind the ransomware breach, cyber incident recovery must include a process for finding and removing malware from backups before they are restored.

  • Recovery flexibility: Because the scope of a ransomware attack is unpredictable, cyber incident recovery operations must be able to adapt to what the investigation finds, for example redeploying individual applications rather than restoring an entire server image when the server was compromised but the applications were not.
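The points above (backups the attacker could have tampered with, backups that post-date the intrusion, and attack scope that varies per system) come together when a recovery team has to decide which restore point to use for each affected system. The following is an added example illustrating that decision logic; it is not code from the original post or from 11:11 Systems, and the backup catalog, system names and dates are constructed for the example. It assumes the forensics team has given an estimated date of first attacker activity and a margin for earlier, unseen dwell time.

```python
"""Recovery-point selection for ransomware recovery (added example, constructed data).

For each impacted system, pick the newest snapshot that:
  1. is retention-locked (immutable) and held offsite, so the attacker could not
     have altered or deleted it;
  2. predates the compromise estimate minus a dwell-time uncertainty margin, so it
     does not carry the attacker's malware or footholds;
  3. has been scanned clean in an isolated environment before being trusted;
and do this per system, not as one site-wide rollback.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class Snapshot:
    system: str
    taken_at: datetime
    immutable: bool             # storage-enforced retention lock, not just an ACL
    offsite: bool               # copy lives outside the compromised site
    scan_clean: Optional[bool]  # True = clean, False = malware found, None = not yet scanned


def rejection_reasons(snap: Snapshot, cutoff: datetime) -> list[str]:
    """Return every reason this snapshot is unsafe to restore from (empty list = usable)."""
    reasons: list[str] = []
    if not snap.immutable:
        reasons.append("not immutable: attacker with backup credentials could have altered it")
    if not snap.offsite:
        reasons.append("not offsite: may have been destroyed along with the primary site")
    if snap.taken_at >= cutoff:
        reasons.append(f"taken {snap.taken_at:%Y-%m-%d}, not before cutoff {cutoff:%Y-%m-%d}")
    if snap.scan_clean is None:
        reasons.append("not yet scanned in the clean room")
    elif snap.scan_clean is False:
        reasons.append("scan found malware")
    return reasons


def select_recovery_points(
    catalog: Iterable[Snapshot],
    compromise_estimate: datetime,
    systems_in_scope: Iterable[str],
    uncertainty: timedelta = timedelta(days=0),
) -> dict[str, Optional[Snapshot]]:
    """Newest usable snapshot per in-scope system, or None if nothing qualifies.

    The cutoff is pushed back by `uncertainty` because the first visible evidence
    of compromise is rarely the first day the attacker had access."""
    cutoff = compromise_estimate - uncertainty
    result: dict[str, Optional[Snapshot]] = {s: None for s in systems_in_scope}
    for snap in sorted(catalog, key=lambda s: s.taken_at, reverse=True):
        if snap.system not in result or result[snap.system] is not None:
            continue  # out of scope, or a newer usable snapshot was already chosen
        if not rejection_reasons(snap, cutoff):
            result[snap.system] = snap
    return result


def march(day: int) -> datetime:
    """Helper for the constructed catalog below (all dates are March 2024)."""
    return datetime(2024, 3, day)


# Constructed backup catalog; the systems and dates are invented for this example.
CATALOG = [
    Snapshot("erp-db", march(21), immutable=True,  offsite=True, scan_clean=True),  # after cutoff
    Snapshot("erp-db", march(19), immutable=False, offsite=True, scan_clean=True),  # deletable by attacker
    Snapshot("erp-db", march(15), immutable=True,  offsite=True, scan_clean=None),  # not yet scanned
    Snapshot("erp-db", march(10), immutable=True,  offsite=True, scan_clean=True),  # usable
    Snapshot("web-01", march(24), immutable=True,  offsite=True, scan_clean=True),  # only copy is too recent
    Snapshot("mail",   march(23), immutable=True,  offsite=True, scan_clean=True),  # not impacted
]


def demo_selection() -> dict[str, Optional[Snapshot]]:
    # Forensics put first attacker activity around 25 March; allow 5 days of earlier, unseen dwell.
    return select_recovery_points(CATALOG, march(25), {"erp-db", "web-01"},
                                  uncertainty=timedelta(days=5))


if __name__ == "__main__":
    for system, snap in demo_selection().items():
        if snap is None:
            print(f"{system}: no trustworthy pre-compromise snapshot; rebuild from a clean image")
        else:
            print(f"{system}: restore from {snap.taken_at:%Y-%m-%d} "
                  f"(data loss window {(march(25) - snap.taken_at).days} days)")
```

With the constructed catalog, erp-db is restored from 10 March: the 21 March copy is inside the dwell window, the 19 March copy is not retention-locked, and the 15 March copy has not been scanned. web-01 has no qualifying snapshot at all, which is the case where the application is redeployed from a clean package rather than restored from an image. The mail system is outside the attack scope and is left untouched.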

Simplifying cyber incident recovery with DRaaS

Maintaining these capabilities can be challenging, even for organizations with extensive IT resources. In addition to the operational complexity of having to manage a secondary, clean-room recovery site and formulate intricate ransomware recovery plans, it’s costly to acquire and maintain the infrastructure necessary to ensure successful recovery.


One way to tackle this challenge is to work with a Disaster Recovery as a Service (DRaaS) provider. DRaaS effectively allows businesses to outsource the effort of cyber incident recovery to a third party that specializes in this domain, freeing organizations from having to build and manage their own backup and clean-room infrastructure or implement and test recovery plans on their own. The organization still has to define what must be recovered, in what order, and to what recovery point, and to confirm that the provider's recovery tests meet those requirements.


Conclusion: Ransomware-ready disaster recovery planning

In a world where 1.7 million ransomware attacks occur daily, a disaster recovery plan that protects your business only against technical failures is no longer enough. Modern disaster recovery must include cyber incident recovery. And while cyber incident recovery is not always easy or inexpensive to implement, DRaaS offers a simple means of obtaining key ransomware recovery capabilities without having to build a cyber recovery plan and infrastructure from scratch.


