In 2017, there was a 2,502% rise in the sale of ransomware through the dark web, as noted by Carbon Black. This year, the malicious software has already been blamed for attacks on the city of Atlanta, an aerospace company and several healthcare providers. Isolated data recovery has emerged as the most effective defense.
Typically launched by a malicious link in a phishing email, ransomware quickly encrypts all files on an infected hard drive and then goes burrowing through the network, looking for other machines to compromise. Attackers demand payment of a ransom in exchange for the decryption key, but there’s no guarantee they will uphold their part of the bargain once the ransom is paid.
Ransomware is one form of attack you need to prepare for. Having current backups in place can enable organizations to recover within a few hours. But what if the backups are also infected? And what happens if infected data is inadvertently backed up, overwriting good data?
That’s where being able to isolate critical data for recovery purposes comes in. The concept isn’t new, but the ransomware epidemic has rekindled interest in this “belt and suspenders” technique for safeguarding backups against tampering. Properly isolated data works on the principle of an “air gap” between the networks that connect to the public internet and a separate network that is locked away behind a firewall. The air-gapped network is used for backup purposes only. It is unreachable from the main corporate network most of the time, and is connected only briefly, at unpredictable times, for the duration of a backup.
Backups are usually conducted over a secured, encrypted connection, and they are first staged in a “sandbox” that is logically or physically separate from the other backup copies. Files in the sandbox can be analyzed for the presence of malware or other suspicious content. Only after the risk of a ransomware infection has been ruled out is the backup written to the backup server.
Making backup files read-only may also provide you with an extra layer of protection, as doing so makes it impossible for new data to overwrite your existing copies. Several generations of backups may be kept in this state, so that a clean generation is always available and the downtime caused by an infection is minimized. Older backups may be “aged out” for automatic deletion according to a retention policy.
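The sandbox-then-promote flow from the two preceding paragraphs, as an added example that is not code from the original article or from any product it mentions: a staged copy is scanned, rejected if anything suspicious is found, otherwise moved into the vault as a read-only generation, and the oldest generations beyond the retention count are aged out. The suspicious-extension list is a constructed stand-in for a real malware scan, and the `gen-NNNN` naming is an assumption.

```python
from __future__ import annotations
import shutil
import stat
from pathlib import Path

# Constructed heuristic standing in for a real scanner: extensions that
# file-encrypting malware commonly leaves behind.
SUSPICIOUS_SUFFIXES = {".locked", ".encrypted", ".crypt"}
READ_ONLY = stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH  # r--r--r--


def scan_sandbox(sandbox: Path) -> list[str]:
    """Return the names of staged files that look like ransomware output."""
    return sorted(p.name for p in sandbox.rglob("*")
                  if p.is_file() and p.suffix.lower() in SUSPICIOUS_SUFFIXES)


def set_writable(root: Path, writable: bool) -> None:
    """Clear (or restore) the write bits on every file under root."""
    mode = READ_ONLY | (stat.S_IWUSR if writable else 0)
    for p in root.rglob("*"):
        if p.is_file():
            p.chmod(mode)


def next_generation(vault: Path) -> Path:
    """Monotonic generation names, so a deleted generation is never reused."""
    nums = [int(p.name.split("-")[1]) for p in vault.glob("gen-*") if p.is_dir()]
    return vault / f"gen-{(max(nums) + 1 if nums else 1):04d}"


def age_out(vault: Path, keep: int) -> list[str]:
    """Delete the oldest generations beyond the retention count; return their names."""
    gens = sorted(p for p in vault.glob("gen-*") if p.is_dir())
    removed = []
    for old in gens[:max(len(gens) - keep, 0)]:
        set_writable(old, True)  # read-only files block deletion on some platforms
        shutil.rmtree(old)
        removed.append(old.name)
    return removed


def promote(sandbox: Path, vault: Path, keep: int = 3) -> Path | None:
    """Move a scanned sandbox into the vault as a read-only generation, or reject it."""
    if scan_sandbox(sandbox):
        shutil.rmtree(sandbox)  # never let a suspect copy overwrite good data
        return None
    vault.mkdir(parents=True, exist_ok=True)
    gen = next_generation(vault)
    shutil.move(str(sandbox), str(gen))
    set_writable(gen, False)  # existing generations cannot be overwritten
    age_out(vault, keep)
    return gen
```

A rejected sandbox is discarded rather than written to the vault, which is the "inadvertently backed up infected data" case the article warns about.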
While isolating critical data to protect it against a cyberattack is an appealing option for companies that deal with highly sensitive information, it can considerably increase the cost and administrative overhead of maintaining backups. For one thing, you must have a robust backup infrastructure in place, capable of storing at least two generations of production data. IT must provide sufficient bandwidth to complete backups quickly and so keep the connection window short. And an administrator’s time may be required for each backup, or software may need to be purchased to automate the process. Additional time may also be needed to analyze sandboxed backups before releasing them.
Companies should consider working with a third party focused on data protection to alleviate these challenges. A solution that isolates critical data by disconnecting from the network significantly reduces the risk of ransomware infection and aids in the recovery from a cyberattack.