cloudplan blog

Ransomware changes everything

Malware such as ransomware can have a major impact on business operations and can even cause severe damage. You should prepare for the case that ransomware has taken over computers in your company and has already encrypted file content.


Ransomware installs itself on a victim's computer and encrypts file content on its disk drives. It then demands a ransom payment to decrypt the content so that it can be used again. Even if you pay, your files might not be decrypted, and if you decide not to pay, the encrypted files most probably cannot be decrypted and are lost.

It is almost impossible for an organization to make sure that no ransomware finds its way into the company's network, since infected links could be anywhere, e.g. on websites or in emails. Anti-malware scanners can only detect ransomware that is already known, so there is always a considerable chance of being attacked.


How can you protect your organization?

Obviously, you need anti-malware software, virus scanners etc. to prevent attacks by known Trojans or other dangerous scripts. In addition, it makes sense to educate your company's employees regularly so that they can recognize possible malware attacks themselves.


What else can you do?

You should prepare for the case that ransomware has taken over computers in your company and has already encrypted file content. This could include network drives, since most employees store their data on servers for better sharing, backup and fast access.

You should assume that ransomware could damage all accessible content on all employees' computers, including the servers they have access to.


What is the easiest way to handle this catastrophic event?

If all employees sync with or have access to servers to store their file content, the best approach is to have additional servers that synchronize with the servers the clients have direct access to. No employee should have direct access to these “backup” servers for day-to-day use.

In case of a ransomware attack, the file content is encrypted on the machines the employees have direct access to. This content is then synced to the other servers, including the backup machines.

Servers with no direct users, such as the backup servers, only receive the encrypted content through the sync after the ransomware has encrypted it. Only the synced file content can be affected, since the attacker has no way to directly encrypt other parts of that server's disk, such as the operating system.

On these “no direct access” servers you should run the cloudplan software with “versioning” being switched on.


How to solve the situation?

After having detected that ransomware has infected computers, you should first detach these computers from the network. In most cases, you need to set these machines up again from scratch.

On the server with “versioning” switched on you can restore all encrypted content very easily. Through the web frontend you can manage the restore operation remotely. For example, you could opt for a complete restore of all files that were changed within a certain timeframe.


Infrastructure

The recommended setup is one or more “frontend” servers that sync all file content with the cloudplan software as a storage cluster. For redundancy, the best setup uses locations that are spatially separated from each other, e.g. in different rooms or, better, on different floors or in different buildings. Another backup server should be part of the storage cluster but gets a lower “node level”, so that the accessing clients choose only the frontend servers for access.

Versioning is switched on on the backup server. For maximum security, a second backup server with versioning is used. After a ransomware attack these backup servers can restore all encrypted file content back to all servers and computers in the company's network.


Other backup software on the market

Other backup solutions on the market mostly run their backup jobs at a certain point in time or at a fixed interval, e.g. every X hours. If you restore from such a backup, you usually restore from the last backup, meaning all files changed in the meantime are lost or overwritten. With the cloudplan solution you can restore, with a few mouse clicks from the web frontend, all files that were changed during a certain timeframe. This way you restore only file content that was changed after the attack. Files that were not affected are not touched.

With this “real-time” versioning feature in use, ransomware loses its destructive power.
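The difference between a point-in-time backup and a windowed restore described in the two sections above, as an added illustration that is not cloudplan's own code: a hypothetical versioning node that records every synced revision of a file, a snapshot restore that loses everything changed since the snapshot, and a windowed restore that rolls back only files touched between an assumed attack start and end. The timestamps and file contents are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Version:
    ts: int       # time at which this revision reached the backup node
    data: bytes


@dataclass
class VersionedStore:
    """Hypothetical backup node with versioning on: every synced revision is kept."""
    history: dict = field(default_factory=dict)

    def sync(self, path, data, ts):
        self.history.setdefault(path, []).append(Version(ts, data))

    def current(self):
        # What the frontend servers (and the backup node) hold right now.
        return {p: vs[-1].data for p, vs in self.history.items()}

    def snapshot_at(self, ts):
        # Scheduled-backup style restore: every file as of time ts;
        # anything created or changed after ts is lost.
        return {p: [v for v in vs if v.ts <= ts][-1].data
                for p, vs in self.history.items() if vs[0].ts <= ts}

    def restore_window(self, attack_start, attack_end):
        # Windowed restore: files with a revision inside the attack window are
        # rolled back to their last revision before the window; files untouched
        # in the window keep their current content; files first seen inside the
        # window (e.g. a ransom note) have no clean revision and are dropped.
        restored = {}
        for path, versions in self.history.items():
            if not any(attack_start <= v.ts <= attack_end for v in versions):
                restored[path] = versions[-1].data
                continue
            clean = [v for v in versions if v.ts < attack_start]
            if clean:
                restored[path] = clean[-1].data
        return restored


def build_scenario():
    # Constructed timeline: normal edits, then an encryption run at t=201..202.
    store = VersionedStore()
    store.sync("report.docx", b"q1 figures", ts=100)
    store.sync("notes.txt", b"meeting notes", ts=110)
    store.sync("report.docx", b"q1 figures v2", ts=120)
    store.sync("report.docx", b"<encrypted blob>", ts=201)
    store.sync("HOW_TO_DECRYPT.txt", b"<ransom note>", ts=202)
    return store
```

Restoring the snapshot taken at t=105 drops notes.txt and the second report revision, while the windowed restore over t=200..210 keeps both and removes only the encrypted data and the ransom note.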


