
It’s about “time”: A proactive approach to ransomware recovery

June 29, 2021
Jerome McFarland

Product Manager, Google Cloud

Ransomware is a pervasive, ever-evolving threat impacting organizations globally, regardless of size, geographic location, or industry. Taking a proactive approach to cyber resilience, including implementation of a robust ransomware recovery strategy, has emerged as a fundamental aspect of security preparedness and business continuity planning.

Preparation is key. Ransomware attacks typically strike without warning, leaving the targeted organization faced with a high-pressure, high-stakes recovery challenge. The speed and effectiveness of that recovery can have critical implications for both the organization and for any end customers who are impacted by the corresponding disruption. To recover quickly and mitigate the damage caused by an attack, organizations should design and implement proactive, tactical approaches to ransomware recovery, including specific methodologies to capture, protect, and restore mission-critical data assets. 

Rapid recovery requires an intentional, proactive approach

When deciding on a ransomware recovery strategy, it’s important to consider the specific challenges presented by a ransomware event. When an attack compromises access to critical data, the financial and business implications can be catastrophic, and restoring access to that data can be difficult or impossible if the organization has not explicitly architected its infrastructure to facilitate an effective, rapid recovery.

Today, many organizations rely on their standard backup and disaster recovery (DR) implementations as a potential means of ransomware recovery. Unfortunately, relying solely on generic backup / DR strategies may prove ineffective or inefficient, as ransomware attacks are often designed to frustrate standard recovery plans. For example, a ransomware intrusion may remain undetected for days, weeks, or even months before an attack is triggered, allowing ransomware to propagate into stored backups. In such scenarios, recovery time extends as the organization works to successively restore (often copying the data from one location to another) and validate multiple backups (each corresponding to a prior point-in-time) to identify an uninfected backup copy. Worse, many organizations have heightened vulnerability due to their backup infrastructure and data copies both residing on-premises alongside their production systems. This makes the co-located backup data readily accessible to the same cyberattack that compromises the production infrastructure. 

Carefully considering such pitfalls, and proactively designing with an intentional, “ransomware-aware” approach can make the difference between delivering a rapid recovery or having to endure a much longer recovery timeline.

Consider a cloud-integrated ransomware recovery strategy

The unique challenges associated with ransomware recovery warrant a proactive, tactical approach to: 

  • Capture - Store application-consistent, point-in-time representations of mission-critical data states

  • Protect - Secure and isolate captured data

  • Restore - Enable rapid recovery to a valid, pre-ransomware data state

Google Cloud is uniquely suited to satisfy these requirements, thereby enabling your organization to build confidence in its preparedness to efficiently recover from a ransomware attack. 

Capture

Leveraging Actifio GO running on Google Cloud, your organization can efficiently preserve multiple immutable, application-consistent, point-in-time data states for mission-critical on-premises environments and applications, like VMware VMs and databases, including SQL Server, MySQL, PostgreSQL, SAP HANA, Oracle, and more. These data states can be captured regularly on a predetermined schedule, as specified by user-defined policies. They are then stored cost-effectively and securely, with automatic at-rest encryption, in the cloud on Google Cloud Storage (GCS).


A Google Cloud ransomware recovery architecture leveraging Actifio GO

Protect

Keeping data on GCS reduces your risk profile by leveraging a secure, Google-native storage service and by storing recoverable data in physical isolation from an on-premises environment. 

As an additional layer of protection, Google Cloud Scheduler can be used to restrict on-premises access to the cloud-based storage. Cloud access, managed via a service account, can be automatically granted in advance of each scheduled data capture and then revoked once the corresponding data transfer has completed successfully.
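The grant-then-revoke cycle described above can be modeled on a bucket IAM policy document, together with an audit check that flags the service account still holding access after its capture window has closed. This is an added example, not code from the article or from Actifio GO; the service account name, the choice of `roles/storage.objectCreator`, the sample policy and the window times are all assumptions.

```python
import copy
from datetime import datetime, timedelta, timezone

# Constructed placeholders, not values from the article.
MEMBER = "serviceAccount:onprem-backup@example-project.iam.gserviceaccount.com"
ROLE = "roles/storage.objectCreator"  # assumed role: create only, no read or delete


def grant(policy, role=ROLE, member=MEMBER):
    """Return a copy of the IAM policy with member bound to role."""
    new = copy.deepcopy(policy)
    for b in new.setdefault("bindings", []):
        if b["role"] == role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def revoke(policy, member=MEMBER):
    """Return a copy with member removed from every binding, not just ROLE."""
    new = copy.deepcopy(policy)
    for b in new.get("bindings", []):
        b["members"] = [m for m in b["members"] if m != member]
    new["bindings"] = [b for b in new.get("bindings", []) if b["members"]]
    return new


def standing_access(policy, now, windows, member=MEMBER):
    """Roles the member holds while no capture window is open (should be [])."""
    if any(start <= now < end for start, end in windows):
        return []
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b["members"])


# Constructed sample: a bucket policy and one nightly one-hour capture window.
BASE = {"version": 1, "etag": "CONSTRUCTED", "bindings": [
    {"role": "roles/storage.admin", "members": ["group:backup-admins@example.com"]}]}
START = datetime(2021, 6, 29, 2, 0, tzinfo=timezone.utc)
WINDOWS = [(START, START + timedelta(hours=1))]

if __name__ == "__main__":
    during = grant(BASE)
    print(standing_access(during, START + timedelta(minutes=10), WINDOWS))
    print(standing_access(during, START + timedelta(hours=3), WINDOWS))
    print(standing_access(revoke(during), START + timedelta(hours=3), WINDOWS))
```

A non-empty result from `standing_access` means a revoke step was missed, which leaves the cloud copies writable from the on-premises environment between captures.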

Restore

Finally, when recovering from a ransomware attack, speed is everything. Before recovery can take place, however, an uninfected data state must be identified. Unfortunately, since ransomware typically lurks undetected in advance of an attack being triggered, the ransomware files may have already been present during recent data captures. Therefore, the ability to rapidly access and interrogate multiple point-in-time data states is crucial to accelerating ransomware recovery. If the stored data must be copied to a new storage location before it can be accessed and evaluated (e.g. leveraging malware scanning tools), the process of identifying an uninfected data state can drag on interminably, extending operational downtime. 

With Actifio GO supporting ransomware recovery on Google Cloud, multiple point-in-time data states can be accessed simultaneously and instantaneously in place (i.e. with no need for a time-consuming copy to a secondary storage location). This capability enables your security personnel to rapidly inspect and reject/approve the stored recovery candidates, accelerating the identification of a desirable recovery point and minimizing overall operational downtime. Actifio GO also provides flexibility regarding the recovery location. Data can either be restored directly to the original production environment or to separate infrastructure, mimicking the original production environment, but running on Google Cloud (e.g. for additional testing).

Start planning now

With ransomware attacks accelerating, there’s no time like the present to start assessing and improving your recovery preparedness. Taking a proactive approach can make all the difference and Google Cloud can help. To learn more, register to attend our Google Cloud Security Summit taking place on July 20th. And if you’re interested in learning more about security offerings tailored to the government, register to attend our Government Security Summit on the same day. 

Actifio GO is available in the Google Cloud Marketplace today. For more information about Actifio GO, contact your Google Cloud sales representative.

