How to Recover Quickly From a Ransomware Attack

Ransomware attacks need to be viewed under the same category as power outages and natural disasters. The requirement to recover quickly is a necessity. Recently, I’m seeing many vendors in the data protection industry advertise immutability and ransomware detection features. Both of which should absolutely be part of a company’s ransomware strategy, but an immutable copy coming from spinning disk or tape can result in too much downtime for the business. It’s an easy decision for a CEO or CFO if an attacker’s ransom is $100,000 and the cost of downtime for a day is $500,000. The only question at that point becomes how do we make a Coinbase account to transfer Bitcoin?

In addition, companies most likely already have ransomware detection and prevention tools. Realistically, if your backup software is what’s detecting ransomware from a backup taken days or even weeks ago, the cost of data loss might be too great to restore anyway. It’s not that immutability and detection capabilities aren’t great features to have. Veeam takes those features seriously, but the top priority to the business should be the ability to recover quickly in the event of a ransomware disaster.

Without further ado, below are Veeam recovery capabilities that can provide fast RTOs to give companies a realistic chance at avoiding paying ransoms.

Replica from backup – Replicated VMs from backups, which keeps load off production

Recovery from storage snapshot – Quick file or VM restores off storage snapshots

Recovery from fast performing repository – Backup to fast performing media

Failover/failback capabilities – Traditional DR capabilities in the same UI and license

Replica From Backup

Replica from backup is one of the most underrated features Veeam offers. The beauty of replica from backup is it creates a VM in the DR site off the backup repository that is ready to be failed over to in the event of a disaster. Meaning, it creates a replica without putting any load on the production VM. RPOs will most likely be ~24 hours coming from a backup source, but it significantly increases your RTOs since the VMs in DR just need to be turned on for the most part! As a side note, you can also do this off the backup copy job!

To dig into the “how-to” of this a little more, just be sure to select “source” when choosing your virtual machines for the replication job. As you can see below, you have the option to replicate from backups instead of the production storage.

Lastly, you can see how this achieves insanely fast RTOs as the VM is already built and ready to go. All you have to do is failover in the event of a disaster and the VM will power on.

Recovery From Storage Array Snapshot

Another undervalued feature Veeam offers is recovery from storage array (Pure, NetApp, EMC, HPE and many more) snapshots, whether Veeam orchestrated them or not. Something that continually wows customers when I show them this feature is how Veeam can act as a catalogue for snapshots it didn’t even take and provide a tree view into the Array > LUN > Snapshot > VMs as shown below.

In the case of an Instant VM Recovery, you can see how it clones the snapshot and mounts it to the ESXi host, so it’s ready for immediate use.

Lastly, just in case there are any doubters that think these are mockups, below is the restored VM in vSphere ready to be logged into.

Recover From a Fast-performing Backup Repository

One of the greatest advantages of Veeam is that it is software only. There is no vendor lock-in or mandatory hardware platform that needs to be used. Now, I wouldn’t expect a company to backup all of their workloads to a flash-based repository, but it’s not uncommon to protect Level 0 or Level 1 workloads (5-10%) of the environment to a repository that can achieve fast RTOs via an Instant VM Recovery. In my experience, I see Veeam users that apply this strategy and backup to EMC Unity, Pure Flash Array C, HPE Nimble and many other similar offerings in the marketplace. As a side note, you can also instantly restore physical machines to VMware, providing a great alternative to bare metal recovery.

Failover and Failback With Snapshot-based Replication or Cdp

The more commonly known capability Veeam is famous for is traditional snapshot-based replication or Continuous Data Protection (CDP) for SLAs that demand second type RPOs. There is already so much great content out there on this topic, so there is no need for me to recreate the wheel. The goal here is to highlight that for those workloads that don’t just require fast RTOs but also low RPOs, CDP and snapshot-based replication are offered in the same UI and license. There is no additional cost or management overhead.

In summary, the elephant in the room when strategizing with companies on an effective ransomware recovery plan is that it’s not cheap. It needs to be viewed in the same light as a data center power outage or natural disaster. Restoring from tape or spinning disk might not be worth the downtime compared to just paying the ransom in the eyes of the people making the big bucks up top. Sometimes a more effective ransomware strategy means having a little more compute for replications and faster performing storage for backups to avoid paying a ransom or dealing with branding/reputation issues post-attack.

 

Article language
Similar Blog Posts
Business | December 10, 2024
Business | December 3, 2024
Technical | November 25, 2024
Stay up to date on the latest tips and news
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam’s Privacy Policy
You're all set!
Watch your inbox for our weekly blog updates.
OK