This case study of an unfortunate cyberattack incident provides a chance to discuss and learn about the best practices to ensure you can recover from ransomware attacks.
A US client business was recently attacked by ransomware. Fortunately, the client had enabled BackupAssist CryptoSafeGuard (CSG) in BackupAssist Classic and their backups were protected while their production data was corrupted. The client proceeded by running virus cleaning tools to remove the ransomware from the server and chose to selectively restore the affected files – rather than carry out an entire system recovery to return the server to a known state before the attack.
Unfortunately, the ransomware was not properly removed. Furthermore, while recovering files from the backup, the client chose to disable CSG to facilitate the process. This removed the protection CSG had over the backups. It was at this point that the ransomware was triggered again, and it went on to corrupt both the recently restored production data and the backups themselves.
The client did not have a separate backup for redundancy and was left with no option but to pay the ransom.
Learnings and best practices:
The following best practices would have enabled the client to successfully recover from the ransomware attack, and avoid paying the ransom:
Protect your backups – Always
Unless your backups are offline and securely stored, you should always assume that they are open to cyber threats. In this case study, even though the client thought they had removed the malware from the infected system, it would have been wise to take precautions and keep CryptoSafeGuard (and in particular, the CSG Shield) enabled at all times before, during, and after the recovery process to stop ransomware from being able to modify the backups. If you must disable CSG for any reason, be sure to re-enable it as soon as possible.
Practice 3-2-1 backup strategy
The 3-2-1 backup strategy is universally recommended by experts because it provides many layers of risk mitigation. In particular, it calls for a second set of backups that are kept offsite (and ideally offline). A second set of backups that the ransomware is not able to access provides an extra layer of protection that would have prevented the need to pay the ransom in this case study.
Consider using imaging backups and full image recovery
BackupAssist Classic System Protection backups can provide recovery of both individual files and an entire system image – using RecoverAssist.
A system image recovery has the benefit of recovering your entire system to a particular point in time. This allows you to restore back to a point before the ransomware infection so that you can be more certain that the ransomware is not in your system.
Once the recovery process is completed, it is recommended that you disconnect the backups before booting up the recovered system again – just in case.
As demonstrated in this case study, ransomware targets backups (your last line of defense) to ensure you have no choice but to pay the ransom. BackupAssist CSG is an indispensable feature that shields your backups from malicious actors as well as from accidental deletion. Furthermore, it is important that CSG is kept enabled at all times to maximize protection of your backups.