How has ransomware recovery changed in recent years?

The threat of ransomware has evolved over the past few years, causing many organizations to re-examine how they plan to recover data in the event of an attack.

History has shown that anyone can fall victim to ransomware. Ransomware infections don't discriminate and have caused data loss in countless organizations -- from large enterprises to individual users.

In the past, ransomware recovery meant one of three choices: Pay the ransom, suffer data loss or restore a backup. In fact, the availability of a backup was usually the determining factor in whether or not a ransom was paid.

A couple of years ago, there was a sudden, sharp decline in ransomware infections. Ransomware had become pervasive, and the epidemic received so much media attention that organizations began to make an extra effort to ensure that their data was being securely backed up. Paying the ransom was effectively removed from the list of viable options, with IT experts across the board urging against it. After all, there is hardly a guarantee that paying the ransom will result in the promised return of data. Instead, the ransomware recovery focused on prevention and pre-emptive measures to ensure a quick recovery in the event of an attack.

Unfortunately, this trend did not lead to the extinction of ransomware. With fewer people paying ransoms, ransomware became far less profitable, and many ransomware creators began to look for a different scheme. That was about the time when cryptomining started taking off.

Enter the attack loop

Instead of ditching ransomware entirely, attackers realized that, if they wanted to get paid, then they needed to do something to prevent backups from being used as a means of ransomware recovery. Their answer was a relatively new type of attack called a ransomware attack loop.

The basic idea behind this type of attack is simple. Previously, when a computer contracted a ransomware infection, the ransomware would immediately begin encrypting files. Once the encryption process was complete, the ransom warning was displayed to the victim. The fact that the message was not displayed until the encryption process finished kept the victim from stopping the encryption process midstream.

In contrast, a ransomware attack loop infects a system in the normal way but then lies dormant -- possibly for months. The idea is that most organizations only retain a few months' worth of backups. By the time the ransomware actually begins its attack, all of the organization's backups will presumably contain the ransomware. Hence, restoring a backup does no good.

Attack loops are difficult to prevent, because you might not even know that you have a problem until it is too late to do anything about it. The best way to protect your data is to take a layered approach to ransomware prevention. You should start by blocking email messages from dubious sources, as well as incorporating a good malware scanning engine onto your backup server to actively scan your backups.

Next Steps

Best practices for ransomware data recovery

Take our ransomware quiz to see if you're covered

Ransomware recovery steps important for 'constant battle'

Dig Deeper on Disaster recovery planning and management

Data Backup