6 Steps to Using Backup for Ransomware Recovery

Save to My DOJO

6 Steps to Using Backup for Ransomware Recovery

Did you think ransomware had gone away? Think again.

It has perhaps declined since last year but is still very much alive and well, and as always, attackers have new tricks up their sleeves. Consider the below impacted items.

  • Infected Endpoints – For every workstation that ransomware can infect, the cybercriminal has that much more able to find and encrypt data valuable enough that the ransom will be paid. According to a recent KnowBe4 report, the average ransomware attack infects 16 workstations, which clearly demonstrates the effectiveness of phishing campaigns. (Another reason to train your customers how to spot them!)
  • Infected Servers – While servers are less susceptible to infection, because they are generally not used for reading email (a top entrance medium for ransomware), they too are often caught up in an attack. According to the KnowBe4 data, the same ransomware attack infects 5 servers in addition to the workstations.
  • Impacted Data – In the end, ransomware authors program their malware to seek out the data they believe will be valuable to the victim organization. It can exist on the infected workstations or servers, or even exist across mapped drives or SMB connections on other systems that are, otherwise, infected. According to KnowBe4, 97% of ransomware targeted Office-related files, regardless of the system they were on.
  • Even Services like O365 can be affected – Consider how many organizations today are using exchange online. A vast majority of MSP supported customers fall into this category and the email data of these organizations has become a large target or ransomware. While less likely than on-premises infrastructure, there have been reports in the last year or two of Office 365 being affected from time to time, adding to the headache caused by ransomware.

Ransomware’s reach within an organization is quite remarkable. It affects a large number of endpoints and servers, and material amounts of data, both on-prem and potentially in cloud storage. This level of potential impact warrants being ready to address an infection, should it occur, and occur it will eventually.

There are several mitigation techniques available today to help deal with the effects of a ransomware attack, but in the end, your ace-in-the-hole will always be your backup and restore operations.

So, how do you plan a ransomware recovery strategy?

The largest unknowns are what endpoint will be the entry point and where the data is that will be impacted. Depending on the size of your customer’s organization, this may be pretty much impossible to determine. Instead, what you need to do is to instead look at this from the business perspective and work backward. In addition to the usual backup targeting exercise you’ll go through with your customer, below are 5 steps to take to properly leverage backups as part of a ransomware response effort as well.

  1. Identify What Data is Important – Instead of reacting to a ransomware scenario and hoping to find that you have a very recent viable backup from which to recover, identify those data sets that are most valuable, critical, proprietary, compliance protected, etc. now. Determine what kind of recovery objectives that data requires and put a backup plan in place to be able to restore in the case of a ransomware infection. According to the KnowBe4 report listed above, 61% of organizations recovered server-based data from backup. You don’t want to be part of that other 39%
  2. Identify What Endpoints are Important – Even if you pay the ransom, you still, technically, have malware sitting on one or more of your endpoints. Every single infected endpoint needs to be put back into a known-good (read: pre-ransomware infection) state, and more realistically, fully wiped and redeployed. By identifying the ones owned by users whose productivity is critical to the organization (e.g. your executive team), you can build a backup plan for those machines to facilitate a fast recovery from backup as well.
  3. Identify What Servers are Important – This should really already be in place due to the critical nature of the systems. If you already have a backup strategy that allows for fast recovery of critical systems, simply walk through a ransomware infection and/or encrypt scenario and ensure you have the ability to recover. You are already doing regular quarterly test restores right? If not, this should be added incentive to do so!
  4. Determine How You Can Recover Non-Essential Endpoints – For those endpoints deemed non-critical, you still need to have a plan on how you will bring them back into the same known-good state. It’s either restore, reimage, or rebuild. You may also have a method of restoring or reimaging a gold configuration and update using scripts or a systems management solution, whatever solution you have here, it needs to be defined now, and not during the aftermath of a ransomware attack.
  5. Protect the Backups Themselves – Most backup systems on the market today use disk as the most common medium. The days of tape are long gone. With that said, an online medium such as disk can make backup data a prime target for this type of attack. With that in mind, you need to make sure you’re following the best practice of (Just-Enough-Admin) for your backup operations, in that only the rights needed to get the job done should be assigned to the user, and service accounts in use to provide the backup services.
  6. Have an Offsite Copy – Should the worst happen, and your on-prem backups also become encrypted, it will serve you well to have an offsite, disjointed, location that contains a copy of the backups. The big thing here is that it should not be easily accessible from your production network. Proper use of application service accounts, file/folder permissions, and network topology should make it much more difficult for an attacker to reach these offsite backups, let alone find them.


The concept of ransomware recovery isn’t really that difficult; it’s more about proactively having an understanding of what’s important to your customer, following industry best practices, and putting a plan in place to recover, just like in any other disaster scenario. An ounce of prevention is worth a pound of cure.

To learn more about creating a solid Backup-as-a-Service to offer customers read this free ebook

3 steps baas ebook banner

Are you using similar steps in your ransomware recovery strategy? Has it worked well for you? Let us know in the comments section below!

Altaro O365 Backup for MSPs
Share this post

Not a DOJO Member yet?

Join thousands of other IT pros and receive a weekly roundup email with the latest content & updates!

Leave a comment

Your email address will not be published.