Is Backup Alone Enough, or is Full Disaster Recovery Required to Mitigate the Threat of Ransomware?
To pay, or not to pay? Is it better to suffer the pain and outage of ransomware – or pay up, and by doing so, end it?
Like all such questions, there is no easy or simple answer. Can the affected organization afford a loss of operation? Does it have SLAs that will cause legal problems if they are broken? Does it have the support of a larger organization – government or insurance – that can either force its hand or support the cost of disruption? Is it in thrall to shareholders?
The best solution to difficult questions is to avoid the question. For ransomware, that either means prevention or simple, low-cost recovery. Since it is currently impossible to guarantee prevention, the onus is on low-cost recovery to avoid the choice between downtime and paying up.
Here the choice is between data backup and disaster recovery. The question now becomes, is backup alone enough, or is full disaster recovery required to mitigate the effect of ransomware? By ‘disaster recovery’, we mean the full gamut of backing up data, recovering that data, and business restitution without loss of business continuity.
Organizations have always used backups to mitigate unforeseen problems, such as hardware crashes that cause a loss of current data. A good backup system will allow rapid, if not immediate, recovery, reducing the loss of data to an annoyance rather than a disaster.
It gets more problematic if the cause affects the whole site – such as a power outage coinciding with the crash, or a fire affecting the computer room. In these circumstances, the backup is also down, and cannot be used.
To solve this, best practice has always recommended the 3-2-1 approach. There are three copies of data: the operating copy; a copy stored onsite; and a copy stored safely elsewhere, offsite. The onsite copy is made daily or continuously. The offsite copy is made regularly – perhaps once per week or at least once per month.
This worked well in the early days of computing; but three contemporary developments threaten its current value. The first is the sheer volume and sophistication of threats against data from criminals and nation states; the second is digitalization and business transformation; and the third, related to the second, is the complexity and spread of corporate computing infrastructures. Computers are no longer used to store data and later aggregate it into spreadsheets for businessmen to analyze – it is analyzed online in real-time, often by artificial intelligence, from dispersed locations with immediate responses.
Recovering data from backup can now be a complex operation that spreads over days and, more likely, takes weeks or even months to complete. If the recovery must come from offsite storage, the data could be days if not weeks old and may no longer be relevant to the current state of the business.
Backup against ransomware
‘Back up your data’ is the most common advice given to minimize the threat of ransomware. Its value, however, is questionable. Ransomware does not merely destroy data; it often leaves computers inoperable. “Backups play an important role during ransomware attacks by allowing you to restore your data,” comments Sam Woodcock, iland’s senior director of cloud strategy and enablement. “But what happens if your primary site no longer exists? You have nothing to recover back to.”
The ransomware may have also destroyed the backup copy. Without the third offsite backup – and many companies do not have one – there may be no backup. Targeted attacks against individual organizations are growing. The process pioneered by SamSam is now quite common. Criminals hack into networks and plan their attack from within.
In January 2018, Hancock Health was a SamSam victim. CEO Steve Long said at the time that the organization paid the ransom to expedite recovery. He subsequently admitted, “Several days later it was learned that, though the electronic medical record backup files had not been touched, the core components of the backup files from all other systems had been purposefully and permanently corrupted by the hackers.”
Even where restoration from backup is attempted, it is rarely easy or cheap. The City of Atlanta announced that it was a victim of SamSam in March 2018. The ransom set was approximately $51,000. Atlanta refused to pay. By June it estimated that one-third of the software programs used by the city remained offline or partially disabled. It estimated that it would require an additional $9.5 million (beyond the $2.7 million already spent) to effect full recovery.
In March 2019, Norwegian aluminum giant Norsk Hydro became a victim of LockerGoga ransomware. Norsk also refused to pay the ransom. It was later estimated that the ransomware cost the firm around $40 million through disruption to operations, and that the total cost might eventually be up to $70 million.
Disaster recovery (DR) is often given the full title of ‘business continuity and disaster recovery’. Its purpose is to ensure no loss of business functionality following or during a disaster, whether that is natural (such as fire or flood), or man-made (such as ransomware).
Backup remains the basis for DR. However, explains John South, senior director of NTT’s global threat intelligence center, “DR is a more comprehensive program to protect the company should a disaster occur. Whereas the backup strategy is important to recover important data, DR takes into consideration all the factors that would be important in bringing the business back to life. Where will the employees work? What equipment will they use? What business processes are the most critical to bring back into service first as the recovery process begins?”
The business continuity aspect adds a further complication: how do you keep the business running with current data while the recovery takes place?
A ransomware attack is different to most physical disasters. Here the office building and the physical existence of computers will remain intact. The priority is not to move to an alternative site, but to return the existing site and computer infrastructure to full operation with minimal or no disruption.
“The safest way to eliminate ransomware on an impacted system,” says NTT’s South, “is either to replace the impacted computers with computers that have never been on your network, or to forensically clean each impacted disk (overwriting every sector on the disk with 0s and 1s) and then reload the operating system, applications and data (from your backups).”
But this is not a quick or cheap solution. Cyber insurance can help with the cost, but doesn’t help to maintain business continuity. The traditional approach has been to operate some form of separate mirror infrastructure. If one site goes down, operations can switch and continue from the mirror – but this is expensive and beyond the budget of most organizations.
Now, however, the emergence of inexpensive cloud storage and infrastructure-as-a-service (IaaS) options makes this a viable route for continuity and disaster recovery. “Investing in multi-cloud strategies for attack prevention along with disaster recovery backup plans and cyber recovery,” suggests Rüya Barrett, VP of data protection at Dell EMC, “should be a key element of a modern business continuity strategy.”
The cloud is making full disaster recovery capabilities more affordable, and a new offering of disaster recovery-as-a-service is evolving.
Disaster recovery against ransomware
The key to disaster recovery is maintaining business continuity. There is no single way to achieve this – the ability to maintain continuity is more important than the precise methodology employed. But if it works, it can work very well. The need is to recover systems and data to their condition immediately prior to the ransomware.
In September 2016, the Barnstable, Massachusetts, police department became a victim of ransomware. Just two months earlier, however, Barnstable’s CIO Craig Hurwitz had deployed a backup and back-dating DR capability from Reduxio. The logs showed exactly when the infection occurred. Hurwitz requested that Reduxio back date his systems to just two minutes prior to the infection. This was achieved in just 35 minutes, with Barnstable PD operational without ransomware and without paying a ransom.
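As an added illustration (not code from the article, from Reduxio, or from any organization named above), the following Python model captures the two checks the cases on this page imply: whether a dataset's copies satisfy the 3-2-1 layout described earlier, and which copy to roll back to once logs give the intruder's first foothold and the moment encryption began. Mutable copies reachable from the network after the intruder arrived are treated as untrusted, which is the Hancock Health failure mode; the inventory, labels and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Copy:
    label: str
    location: str    # "operating", "onsite" or "offsite"
    taken: datetime  # when this copy was made
    immutable: bool  # write-once, or unreachable from the production network

def three_two_one_gaps(copies: List[Copy]) -> List[str]:
    """Report what is missing versus the 3-2-1 layout: three copies in total,
    one of them kept onsite and one kept offsite."""
    gaps = []
    if len(copies) < 3:
        gaps.append("fewer than three copies")
    for place in ("onsite", "offsite"):
        if not any(c.location == place for c in copies):
            gaps.append(f"no {place} copy")
    return gaps

def choose_restore_point(copies: List[Copy], intrusion_start: datetime,
                         encryption_start: datetime,
                         margin: timedelta = timedelta(minutes=2)
                         ) -> Tuple[Optional[Copy], Optional[timedelta]]:
    """Newest copy taken at least `margin` before encryption began that the
    intruder could not have corrupted: immutable, or made before the intruder
    was inside. Returns (copy, data-loss window) or (None, None)."""
    cutoff = encryption_start - margin
    trusted = [c for c in copies
               if c.location != "operating" and c.taken <= cutoff
               and (c.immutable or c.taken < intrusion_start)]
    if not trusted:
        return None, None
    best = max(trusted, key=lambda c: c.taken)
    return best, encryption_start - best.taken

# Constructed sample inventory and log-derived times (assumed, not from the article)
T0 = datetime(2016, 9, 14, 9, 0)
SAMPLE = [
    Copy("prod", "operating", T0 + timedelta(minutes=29), False),
    Copy("snap", "onsite", T0 + timedelta(minutes=25), True),    # continuous, immutable snapshot
    Copy("nas", "onsite", T0 + timedelta(minutes=28), False),    # mutable share on the network
    Copy("tape", "offsite", T0 - timedelta(days=6), True),       # weekly offsite copy
]
INTRUSION = T0 - timedelta(days=2)       # attacker's first foothold, per logs
ENCRYPTION = T0 + timedelta(minutes=30)  # ransomware starts encrypting, per logs

if __name__ == "__main__":
    print("3-2-1 gaps:", three_two_one_gaps(SAMPLE))
    best, loss = choose_restore_point(SAMPLE, INTRUSION, ENCRYPTION)
    print("restore from", best.label, "losing", loss)
```

With the sample inventory the onsite snapshot wins with a five-minute loss window; remove it and the model falls back to the six-day-old tape, skipping the newer NAS copy the intruder could have altered.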
How to choose
This isn’t about which backup or which disaster recovery solution to select, but how to choose between the two routes. As with most decision points, it comes down to a horses for courses consideration, and the right horse for a specific course can be highlighted by risk analysis.
The first point to note is that the cost isn’t simply a comparison between backup and DR.
“Backups are typically required for operational or regulatory/compliance reasons, making them a given cost of operating as a business,” explains Joseph George, VP of product management and global recovery services at Sungard AS. “The question is, ‘what is the cost difference between recovering from backups (i.e. delta costs of adding recovery capabilities and leveraging backups you are already performing) versus recovering from replicated data or a DRaaS solution’.”
It is that cost difference that should be part of a risk analysis. “The industry best-practice approach is to conduct a Business Impact Assessment (BIA) with inputs into a Risk Management program to estimate the value of systems, their operations, and identify remediation or mitigation solutions commensurate with the value at risk,” says Derek Brost, director of professional security services at InterVision.
The value at risk should include realistic resource expenses, brand reputation loss, customer satisfaction anticipation, and potential legal liabilities in risk scenarios such as ransomware.
It is also worth noting that many regulations require organizations to go through this type of analysis. “Compliance frameworks, such as PCI DSS, HIPAA Security Rule, NIST 800 series, and so on, nearly all spell out the need for administrative programmatic and technical controls for backups, business continuity, and disaster recovery,” continues Brost. While in practice it may not be required to have full disaster recovery, it is required to have this justification and evaluation in a governance program.
Large enterprises are more likely to need, and be able to afford, a full DR solution. Fortunately, SMBs, which are less able to afford the more expensive solutions, are also less likely to require them.
“For a larger organization with a large number of systems including network file shares, a disaster recovery plan and a solid offline backup are needed in order to recover efficiently from a successful ransomware attack,” says Chris Morales, head of security analytics at Vectra. “For a really small business with only a few systems or for personal use, a backup alone is sufficient as restoring data is a simple process.”
However, while small companies are better able to recover their own data from their own backups, they are also more exposed to financial disaster in the event of problems. The need for speed then becomes an important question. “Any organization that relies on digital data for their business operations should choose disaster recovery,” comments Kevin Hoffman, CTO at Axcient.
“As the technology has matured, prices have come way down for a DR solution. For an SMB the annual cost of DR is often less than 1% of revenue,” he continues. “That’s a small price to pay for peace of mind against this level of threat to your business.”
Businesses that don’t rely on electronic data for day-to-day operations could still choose the less expensive option of backup, since their business operations could continue for the days that it could take to rebuild servers and restore data after a ransomware attack.
This principle could also apply to larger organizations that have contained a ransomware infection. “If the environment that is affected is a single volume or a single instance, it is preferable to restore from backup to minimize costs and operational down-time,” suggests Fausto Oliveira, principal security architect at Acceptto.
It appears that DR is a more certain solution against ransomware for most companies in most cases. The economy of cloud is bringing down the cost of disaster recovery-as-a-service (DRaaS) to the extent that it should be considered by even small companies. In the final analysis, a business impact assessment based on risk should be the arbiter.
But there is one further issue to consider. Cyber insurance is making inroads into cyber security largely based on its ability to mitigate ransomware costs. This is a cost solution rather than a business solution. However, any company using or considering the use of cyber insurance should consult with the underwriter. It may be that use of disaster recovery is required by the policy, or that a premium reduction could be negotiated if you used disaster recovery.