Amid a ransomware endemic, image-based backups are emerging as a strong recovery vector

With ransomware endemic, more comprehensive backup strategies are a must, says Datto CISO Ryan Weeks.

As the Coronavirus pandemic continues to wreak havoc worldwide, businesses have increasingly felt its secondary impacts, too. Ransomware attacks surged in the third quarter of 2020, partly fuelled by the need to work from home and shift workloads to the cloud – a process which has left some organisations more vulnerable. Cybersecurity firms have warned that while overall malware volumes declined, ransomware jumped by 40%, reaching 199.7 million attacks in Q3 2020. And in a recent survey conducted by Datto among more than 1,000 managed service providers (MSPs), 59% of respondents agreed that remote working due to Covid-19 has resulted in more attacks.

Ransomware may sound like old news, but businesses should still sit up and take notice. While the average ransom demanded has roughly stayed the same year on year, the average cost of the associated downtime per incident has, in fact, skyrocketed. This cost has doubled since 2019, grown by a staggering 486% when compared with 2018, and is now nearly 50 times greater than the ransom demand itself. Four in ten MSPs saw their clients hit by business-threatening downtime that almost crippled their business over the last year.

Ryan Weeks, CISO, Datto.

It has clearly never been more important to combat the ransomware threat. But, despite increased security spending, attackers still manage to outwit the cyber security tactics organisations put in place such as employee education, antivirus, email filtering, pop-up blockers and endpoint detection solutions.

Worse still, once ransomware has taken hold, returning to normal business can be a struggle. Nearly 20% of MSPs in the Datto survey reported that their small and medium-sized clients were eventually forced to pay the ransom in order to resume operations – highlighting the need for a business continuity solution that can kick in quickly when other security measures have failed.

Every minute counts: image-based backups can be instantly booted as a VM

As organisations strive to minimise the amount of downtime following an attack, restoring from backups has become more prevalent, overtaking re-imaging machines from scratch as the number one recovery vector. When dealing with an incident, every minute counts. Outdated backup methods simply can’t keep up. Image-based recovery doesn’t require physical access to the affected computer; the backup can instantaneously be booted as a virtual machine and business operation resumed.

With the trend towards remote working continuing, as well as the need for more mature recovery mechanisms, image-based backup will likely become the norm in the next few years. It is the most innovative, reliable method of safeguarding a business by protecting the critical data on its servers. Traditional solutions only capture data, whereas image-based backup captures a picture of the entire workstation or server and stores it as a unique point in time. This means that when a business needs to rebuild or virtualise a machine due to damage or disaster, it can quickly restore all of the files, applications and operating systems in one step.

Apart from drastically reducing downtime, image-based backup offers other benefits that traditional methods can’t. Recovery can be performed onto a server of any make or model, including bare metal. IT administrators can remotely carry out file-level or full-server restorations from geographically dispersed backup servers to new or repaired hardware located anywhere in the world.

SaaS platforms are the next target

For most organisations, however, protecting their servers and endpoints is no longer enough. This is because ransomware has not only become more sophisticated at evading defences, but also more destructive. The ransomware in use today is designed to crawl business networks, looking for other machines to infect. Undetected, it can quickly encrypt numerous devices, servers, and even data in SaaS applications. This tallies with the findings of the Datto survey, where nearly a quarter of MSPs reported ransomware incidents affecting popular services such as Microsoft 365, Dropbox and Google Workspace.

With Microsoft Teams now counting 115 million daily users and growing, organisations relying on SaaS must consider carefully what recovery capabilities these platforms offer. IT and security professionals will need to ensure they have proper backup and continuity plans in place for the data they store and process in the cloud. A SaaS backup solution should therefore be considered essential.

A strategy for recovery

When creating their individual backup and recovery strategy, businesses should ask themselves how many hours’ or days’ worth of data they can afford to lose and how much downtime they can survive. A typical strategy is to take a snapshot of a system’s state in the morning, once during the day and again in the evening. Most organisations should store at least 90 days’ worth of backups, but this could rise to 300 days and more if the organisation has a big risk profile for persistent threats. The cost associated with storing this amount of data, the risk of damage to the business in case of data loss and other factors will dictate how much backup history to store.

As part of evaluating their ransomware protection, businesses must also make sure they understand the capability of their chosen backup solution fully. A comprehensive continuity and disaster recovery solution should include features such as instant recovery, point-in-time rollback that “turns back the clock” to a time before the ransomware attack occurred, and ransomware detection during the backup process. Ransomware detection works by identifying patterns of change in the file types that are most likely to be encrypted by ransomware. Automatic backup verification is crucial, too: alongside regular disaster recovery testing, it confirms the integrity of the backup data and ensures that the backups can be used for reliable recovery.
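One way a change-pattern check between consecutive backups could feed point-in-time rollback, shown as an added example that is not from the article or any vendor's product. The snapshot contents, the function names and the 50% threshold are assumptions constructed for illustration; each snapshot maps a file path to the leading bytes of the file.

```python
import os

# Added illustration with constructed data; names and threshold are assumptions.
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
         ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG"}

def _sig(path):
    """Expected leading bytes for a watched file type, else None."""
    return MAGIC.get(os.path.splitext(path)[1].lower())

def suspicious_ratio(prev, curr):
    """Share of well-formed watched files in the previous snapshot that are
    now missing (e.g. renamed) or no longer start with their type signature."""
    watched = [p for p in prev if _sig(p) and prev[p].startswith(_sig(p))]
    if not watched:
        return 0.0
    damaged = sum(1 for p in watched
                  if p not in curr or not curr[p].startswith(_sig(p)))
    return damaged / len(watched)

def last_clean_restore_point(snapshots, threshold=0.5):
    """snapshots: list of (label, {path: leading bytes}) in time order.
    Returns the label of the snapshot taken just before the first one whose
    change pattern crosses the threshold, or the newest label if none does."""
    for i in range(1, len(snapshots)):
        if suspicious_ratio(snapshots[i - 1][1], snapshots[i][1]) >= threshold:
            return snapshots[i - 1][0]
    return snapshots[-1][0]

# Constructed snapshots following a morning / midday / evening schedule.
MORNING = {"docs/plan.docx": b"PK\x03\x04 v1", "docs/q3.xlsx": b"PK\x03\x04 data",
           "scan/inv.pdf": b"%PDF-1.7", "img/logo.png": b"\x89PNG\r\n",
           "notes.txt": b"hello"}
# Normal editing: content changes, but each file keeps its format signature.
MIDDAY = {**MORNING, "docs/plan.docx": b"PK\x03\x04 v2", "notes.txt": b"hello, edited"}
# Mass encryption: one file renamed, two overwritten with opaque bytes.
EVENING = {"docs/plan.docx.locked": b"\x8a\x11\x5c\xe0", "docs/q3.xlsx": b"\x1f\x9c\x02\x77",
           "scan/inv.pdf": b"\xc4\x07\x90\x3b", "img/logo.png": b"\x89PNG\r\n",
           "notes.txt": b"\x55\xaa\x01"}
SNAPSHOTS = [("morning", MORNING), ("midday", MIDDAY), ("evening", EVENING)]

if __name__ == "__main__":
    print(last_clean_restore_point(SNAPSHOTS))
```

A snapshot that passes this check is only a restore candidate: it can still contain the dormant malware or the original entry point, so it does not replace the investigation described in the next paragraph.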

Finally, backups don’t replace the need to understand what exactly happened during an attack – including how long the malware has been in the network and how it entered in the first place. Businesses cannot run the risk of restoring from a backup that has the ransomware still lurking in it, or that keeps the doors wide open to a second attack – so they must make sure they have eradicated the threat properly.
