Take back control! Respond and Recover from a ransomware attack – Part 3
Following on from our first two posts on Cyber Resilience (Take back control! Cyber resilience and ransomware – Part 1 and Take back control! Prevent and Detect Ransomware – Part 2) today we look at two other pillars in a Cyber Resilience strategy – Respond and Recover.
In part 2, we looked at how a ransomware attack is commonly uncovered – the statement from a colleague of “err, I can’t access my files”.
If you have read this far, you’ll have no doubt spent some time thinking about what would happen at your business if this happened. In part 1 we spoke about how we are regularly engaged to provide consultancy to help businesses define and design a best-fit cyber resilience solution. What we are really talking about here is a ‘disaster recovery event’. You’ll know what your impacted systems are, you’ll know what you need to get back operational and how quickly, and your DR management plan will already have detailed who you need to talk to, what to tell them and when. In the case of ransomware though, first things first:
***DO NOT ENGAGE WITH OR PAY THE RANSOM!***
This cannot be emphasised enough and there are plenty of reasons why, but the most important is that we don’t want to confirm that their efforts have been successful. Our focus should be solely on returning the business to operation, limiting the blast radius, and making sure we don’t get double, triple (or more) extorted.
Recovery follows some key focus areas:
Isolate and contain – the focus is returning to business, and making sure that the infection cannot contaminate the recovered systems. You may need the isolated systems for specialist forensic analysis or for law enforcement review, so be prepared to engage an IT supplier that can quickly provide platforms for you to recover your systems to, most likely using a blend of public cloud, private cloud and on-premises to ensure best placement of systems.
Assess the damage – hopefully you’ll have detected the ransomware quickly enough to limit the spread. If this is the case, you’ll have some options on the non-infected systems, whether you keep them in place or recover wholesale.
Determine the recovery strategy – almost always the strategy is to recover the systems from backup.
Restore from backups.
Implement enhanced security measures.
Verify and monitor for residuals.
The DR plan will have detailed what systems need to be recovered, how quickly and in what order.
Recover!
The first thing we need to quickly understand is what we are recovering to. Depending on the organisation, there may be a requirement to engage law enforcement and understand forensically what has gone on; in this case, you’ll be looking to your friendly infrastructure consultancy to see if they can provide compute and storage – this will likely be across the whole stack too: public cloud, private cloud and on-premises. In practice, even without these requirements, it’s a sensible approach to provide alternative platforms to restore to, as this is the best way of guaranteeing that the recovered systems are clean.
Once we understand this, we are into a methodical approach, leveraging the capabilities of your data protection solution to recover your data and services. Your highest-priority systems will leverage technologies such as instant recovery to spin these services up and make them accessible directly from the backup repository. They will of course be migrated off to their permanent homes, but this will happen in the background to keep the systems online. The remainder of the systems will then be recovered, and service resumed within your business.
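To make the recovery ordering and the “verify and monitor for residuals” step concrete, here is an added example (not code from this post or from Dataplanet). It sequences restores from a constructed DR plan, dependencies first and tightest RTO next, marking which systems get instant recovery from the repository, and then checks restored files against a pre-incident hash manifest; the system names, RTO values and residual markers are hypothetical.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample: file names/extensions that indicate a restore pulled back
# ransomware residue rather than a clean copy. Hypothetical values.
RESIDUAL_MARKERS = ("readme_decrypt.txt", ".locked")

@dataclass
class System:
    name: str
    rto_minutes: int          # recovery time objective from the DR plan
    instant_recovery: bool    # boot straight from the backup repository first
    depends_on: tuple = ()    # systems that must be up before this one

def recovery_order(systems):
    """Sequence restores: dependencies first, then tightest RTO first."""
    ordered, done = [], set()
    pending = sorted(systems, key=lambda s: (s.rto_minutes, s.name))
    while pending:
        ready = [s for s in pending if all(d in done for d in s.depends_on)]
        if not ready:
            raise ValueError("DR plan has a dependency cycle")
        nxt = ready[0]        # tightest-RTO system whose dependencies are up
        pending.remove(nxt)
        done.add(nxt.name)
        ordered.append((nxt.name, "instant" if nxt.instant_recovery else "full"))
    return ordered

def verify_restore(restored, manifest):
    """Compare restored files {path: bytes} with a pre-incident manifest
    {path: sha256 hex}; flag residual artefacts, tampered and missing files."""
    findings = []
    for path, data in restored.items():
        if any(path.lower().endswith(m) for m in RESIDUAL_MARKERS):
            findings.append(f"residual: {path}")
        elif path not in manifest:
            findings.append(f"unexpected: {path}")
        elif hashlib.sha256(data).hexdigest() != manifest[path]:
            findings.append(f"hash mismatch: {path}")
    findings += [f"missing: {p}" for p in manifest if p not in restored]
    return not findings, sorted(findings)

# Constructed DR plan and file sets for the demonstration.
PLAN = [System("erp-app", 60, False, ("sql-01", "ad-dc-01")),
        System("sql-01", 15, True, ("ad-dc-01",)),
        System("ad-dc-01", 15, True),
        System("fileshare", 240, False, ("ad-dc-01",))]
GOOD = {"/data/ledger.csv": b"id,amount\n1,100\n"}
MANIFEST = {p: hashlib.sha256(d).hexdigest() for p, d in GOOD.items()}
BAD = {"/data/ledger.csv": b"garbage", "/data/README_DECRYPT.txt": b"pay"}
```

A restore that returns any finding should be treated as not clean: re-restore from an older, verified recovery point rather than putting the system back into service.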
Ideally you will be thinking something along the lines of “that was a close call – that could have been much worse”, quickly followed by “it’s likely that this will happen again, how do I make sure it doesn’t?” There are a myriad of questions and considerations, and our best advice is to engage industry experts to help guide you through working out what is best for your business – dataplanet can help here!
Closing out this series of posts, you will have noticed a common theme in all three parts – the words ‘data protection solution’ and ‘backup solution’, what we might traditionally call ‘backups’. This is because where ransomware is concerned, these solutions are the most effective in making sure your business continues to operate. Data is the lifeblood, or crown jewels, of almost any business, and it’s a common belief that it’s not IF ransomware will hit but WHEN, so ensuring you can get your crown jewels back is the best response: ensuring you are protecting it, ensuring that it cannot be damaged, and ensuring that you can get it back when you need it, as fast as you need it!
Dataplanet enables our customers to take back control. From simple best practice advice around your current backup solution, through to taking a fully Managed Service covering all key pillars of these blogs (Assess, Prevent, Detect, Respond and Recover), we can help.