Ransomware Recovery – 10 Ways to Fortify Your Last Line of Defense

Ransomware has become a ‘cyber-pandemic’ that shows no signs of diminishing anytime soon. Your ransomware recovery capabilities must be up to the challenge, as these attacks have gone well beyond just another cybercrime to becoming a threat to our society as well.

Just recently, we have seen some high-profile ransomware attacks lead to serious shortages in oil, gas and meat supplies as well as interruptions to transportation systems and country-wide health systems. And those are only a small part of the ransomware iceberg that is visible as many organizations avoid publicly disclosing that they have been compromised.

The growing threat of ransomware

From a business perspective, ransomware recovery has never been more important as attacks are increasing exponentially. Multiple research studies found that over 50% of all organizations were hit by ransomware in 2020. According to Gartner [1], by 2025, ransomware attacks are expected to increase by 700% and at least 75% of IT organizations will face one or more attacks.

The costs to the infected organizations are increasing as well. A Forrester [2] study found that only 25% of organizations were able to recover between 75% and 100% of their data after a ransomware attack. And IBM [3] calculated that the average cost of a ransomware attack has now reached $4.4 million (USD), and that doesn’t include the intangible costs of losing customers’ and partners’ confidence.

Anti-malware and employee training can repel many of the attacks

To minimize the risks and potential losses from ransomware attacks, organizations must have a multi-layered approach to ransomware recovery. Antivirus, anti-malware and employee security training form your first line of defense. These measures will help to prevent many of the known malicious attacks that arrive in the form of phishing emails, email attachments, web downloads, weak passwords and more. But they won’t catch every known piece of malware code, let alone any malware that security vendors may not have encountered yet.

Data backup is your last line of defense in ransomware recovery

Security software and training are a great start but there’s more to do. IT departments must be well-prepared to prevent, detect and recover from ransomware attacks. Rigid controls for preventing and detecting ransomware attacks are highly important, but let’s face it, some attacks might get through even the most unyielding defenses. This means that the backup and recovery measures need to be protected, proven and fast as they form the last line of defense against one of the costliest threats your organization will face.

10 ways to fortify your backup and recovery system

The security and performance of your backup system is integral to your ransomware recovery capabilities. Backup systems are increasingly becoming a key target of ransomware attacks. If the data backup is breached, the attacker may be able to stop backup operations, infect and encrypt the backup data, or possibly completely delete the data. In addition, the backup system can provide the cybercriminal with a ‘roadmap’ of sorts to where critical data is stored on the network so they can expand their attack and make their ransom demands more compelling.

For these reasons and more, it is vitally important to implement the following 10 data protection principles for fortifying your backup system.

1)    Maintain multiple copies of your data

While most organizations already follow this proven rule, it’s vital that your people, processes and technology align to the 3-2-1 backup strategy or some derivation of it. If you haven’t already implemented it, the 3-2-1 backup strategy is where you use data replication to maintain three copies of your data (one production and two backup copies), store the data on two different media (typically disk, tape or cloud), and have one copy off-site at a secondary location or with a cloud provider in a different geographic region. This rule is a foundational element to your ransomware recovery capabilities.

2)    Dedupe and compress your backup data

Deduplicating and compressing your backup data will not only save you storage space and costs, but it will also add layers of abstraction that make it much harder for attackers to read and know what’s in your data repository. Deduplication and compression also abstract and reduce the amount of data in motion to your replicated copies which means attackers have less of a chance to capture your data.

3)    Encrypt data in motion and at rest

Encrypting your backup data adds another layer of abstraction and security that, when combined with deduplication and compression, will make it nearly impossible for attackers to read and know what’s in your data repository. In addition, protect your data in motion with TLS/SSL encryption or with the use of proprietary protocols.

4)    Harden the data backup with immutable storage

Another measure vital to your ransomware recovery capabilities is to place a copy of your backup data into immutable storage. Immutable backup storage, or WORM (write-once read-many) storage, uses media that prevents the data from ever being changed or erased unless you have pre-specified a deletion date based on your retention policy. Once data is written to it, the original data cannot be deleted or encrypted by ransomware.

5)    Create physical air gaps between copies of your data

Ransomware recovery principles #5 and #6 are based on the premise that once backups are stored on ‘unconnected’ media, it becomes virtually impossible for an attacker to penetrate them. When you back up data off-site or on systems that are not connected to your network, you have established a physical ‘air gap’ between the copies of your backups. Physical air gaps between the copies of your backup data make it much, much harder for a cybercriminal to infect all copies of your backup data.

6)    Create virtual air gaps between copies of your data

In addition to implementing physical air gaps, you should also create virtual air gaps between systems. You can accomplish this by using different storage types, environments, operating systems and accounts for each copy of your backup data. For instance, you could have your backup system outside of the Active Directory domain and/or in a different operating system like Linux.
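The following script is an added illustration (not code from the article or any vendor product) of how principles 1, 4, 5 and 6 can be checked mechanically against a backup inventory: the 3-2-1 counts, the presence of an immutable copy, a physically air-gapped copy, and a copy outside the production AD domain and OS. The `BackupCopy` fields and the two sample inventories are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str           # "disk", "tape", "cloud"
    location: str        # site name or cloud region
    offsite: bool        # held away from the production site
    immutable: bool      # WORM / retention-locked storage
    air_gapped: bool     # not reachable from the production network
    ad_joined: bool      # backup host sits in the production AD domain
    os: str              # OS of the system holding this copy

def check_backup_posture(prod_site: str, prod_os: str, copies: List[BackupCopy]) -> List[str]:
    """Audit a backup inventory against principles 1, 4, 5 and 6.
    Returns one finding per violated rule; an empty list means all rules hold."""
    findings = []
    total = 1 + len(copies)                      # production data + its backup copies
    if total < 3:
        findings.append(f"3-2-1: only {total} copies of the data, need 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append("3-2-1: backups use fewer than 2 media types")
    if not any(c.offsite and c.location != prod_site for c in copies):
        findings.append("3-2-1: no off-site copy")
    if not any(c.immutable for c in copies):
        findings.append("immutability: no WORM/immutable copy that ransomware cannot overwrite")
    if not any(c.air_gapped for c in copies):
        findings.append("physical air gap: every copy is reachable from the production network")
    if all(c.ad_joined for c in copies):
        findings.append("virtual air gap: every backup host is in the production AD domain")
    if all(c.os == prod_os for c in copies):
        findings.append("virtual air gap: every copy runs on the production OS")
    return findings

# Constructed sample inventories (not from the article): one on-site disk copy alone,
# versus that copy plus an off-site, retention-locked cloud copy held by a Linux host.
WEAK = [
    BackupCopy("nightly-disk", "disk", "hq", offsite=False, immutable=False,
               air_gapped=False, ad_joined=True, os="windows"),
]
HARDENED = WEAK + [
    BackupCopy("cloud-locked", "cloud", "eu-west", offsite=True, immutable=True,
               air_gapped=True, ad_joined=False, os="linux"),
]

if __name__ == "__main__":
    for label, inv in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_backup_posture("hq", "windows", inv) or ["all rules satisfied"])
```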

7)    Limit access to the backup software and repositories

It is always a ransomware recovery best practice to limit access to the backup console and repositories. To accomplish this, you should consider creating more than one backup admin role and assign non-overlapping privileges and responsibilities to each role. For instance, you could assign backup job creation, retention policies and reporting to different admins.

8)    Use multifactor authentication (MFA) for admin accounts

If you’re not already using multifactor authentication (MFA) for your admin accounts, you should implement it as soon as possible. If an attacker breaches the backup console, they can change policies and jobs, and even delete data from your system. This applies to your backup repositories as well if they reside on systems separate from the console.

9)    Require multiple authorizations for configuration changes

The ‘four-eyes’ principle should rule here. Implementing the four-eyes principle means requiring multiple authorizations for any configuration changes. This prevents an attacker who gains access to a single admin account from making changes that would compromise backup job definitions, retention policies or the data repository.
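As an added example (not code from the article or from any backup product), the gate below combines principles 7, 8 and 9: a configuration change is applied only when a second, distinct admin approves it, both sessions have passed MFA, and both admins hold the separated-duty role for that change category. The `Admin` and `ChangeRequest` types and the sample admins are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Admin:
    username: str
    roles: FrozenSet[str]   # separated duties: "jobs", "retention", "reporting", ...
    mfa_verified: bool      # the current console session passed MFA

@dataclass(frozen=True)
class ChangeRequest:
    category: str           # which backup setting is being changed
    description: str
    requested_by: Admin
    approved_by: Optional[Admin] = None

def authorize_change(req: ChangeRequest) -> Tuple[bool, str]:
    """Four-eyes gate: apply a change only when two distinct, MFA-verified admins
    who each hold the role for that change category have signed off on it."""
    requester, approver = req.requested_by, req.approved_by
    if approver is None:
        return False, "no second approver"
    if requester.username == approver.username:
        return False, "requester cannot approve their own change"
    for who, label in ((requester, "requester"), (approver, "approver")):
        if not who.mfa_verified:
            return False, f"{label} session is not MFA-verified"
        if req.category not in who.roles:
            return False, f"{label} lacks the '{req.category}' role"
    return True, "approved"

# Constructed sample admins (not from the article).
ALICE = Admin("alice", frozenset({"retention"}), mfa_verified=True)
BOB = Admin("bob", frozenset({"retention", "jobs"}), mfa_verified=True)
MALLORY = Admin("mallory", frozenset({"retention"}), mfa_verified=False)

if __name__ == "__main__":
    change = "extend retention to 90 days"
    print(authorize_change(ChangeRequest("retention", change, ALICE)))        # blocked
    print(authorize_change(ChangeRequest("retention", change, ALICE, BOB)))   # approved
```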

10)  Ensure a fast and safe data recovery

Unless you are very fortunate, at some point, your organization will become a victim of a ransomware attack. When you plan your data recovery, you will need to consider that your data backup may be infected. A best practice is to assume that it is infected and to restore and clean your backup data in a sandboxed environment prior to putting it back into production.

And since you will need to restore a large amount of data in a short timeframe, you should have a plan for scaling the performance of your data recovery capabilities and for how you can orchestrate and optimize the recovery process to meet the recovery time objectives (RTOs) for each application.


Ransomware attacks are only increasing. How you prepare to prevent, detect and recover from them will be crucial to the success of your organization. Now is the time to fortify the core of your ransomware recovery capabilities – your backup system – the last line of defense against one of the costliest threats your organization will face.

[1] Gartner, “Detect, Protect, Recover: How Modern Backup Applications Can Protect You From Ransomware”, January 2021.

[2] Forrester Research, “Ransomware Recoverability Must Be a Critical Component of Your Business Continuity Plans”, October 2019.

[3] IBM, “2020 Cost of a Data Breach Report”, July 2020.