Kate Mollett, Regional Director at Commvault Africa
Ransomware attacks have become increasingly common, and ransomware is even sold as a service on the dark web. There have been many incidents in the news where major companies were left with little choice other than to pay the ransom to get their data back, often amounting to hundreds of thousands of dollars.
The reality is that ransomware and other cyberattacks have become a question of when, not if. The ability to respond and recover quickly has therefore become an essential part of successful ransomware defence, but it is something many organisations, especially in South Africa, struggle with.
Consider some statistics
The State of Ransomware report from security firm Sophos reveals that, over the last year, the average cost of remediating a ransomware attack in South Africa was R6.4 million. According to a report by security firm Kaspersky, South Africa ranks third in the world for the highest number of users experiencing targeted ransomware attacks. In addition, from 2019 to 2020 there was an increase of 767% in targeted ransomware attacks. Almost half (42%) of South African ransomware victims paid the fee, but whether they paid or not, only 24% of victims were able to restore all their files, and 11% lost almost all their data.
The cost of a successful ransomware exploit could cripple many businesses in South Africa, and in most cases paying the ransom does not guarantee that they will get their data back. Businesses need to be able to quickly recover any data across the environment: physical servers, virtual machines, and various cloud platforms. They need streamlined recovery operations with actionable alerts and workflows, clean and secure backups to avoid reinfection from ransomware files, and the ability to minimise lost revenue and business impact.
A proactive response is key
Responding only after a ransomware attack has already infiltrated an environment makes full recovery increasingly unlikely. It is imperative to have proactive measures in place to mitigate the effects of cyber threats. This includes continuous monitoring of all data, from the production environment through to backups, together with honeypot solutions: decoy systems intended to keep cyber criminals from encrypting business-critical data. When an anomaly is detected, it is important to be able to verify that the backup data is sound and to delete threats so that they cannot reinfect environments on recovery.
It is also essential to validate backups automatically, to ensure that, if they are used for recovery, all relevant data will be restored. Workflows and Application Programming Interfaces (APIs) around data protection should be orchestrated and automated, including tools such as antivirus scans, to ensure that they are always up, running and protecting data. This orchestration can also be used to create custom, relevant alerts and automated actions so that organisations can respond appropriately – for example, automatically powering down a virtual machine should an anomaly be detected.
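As an added illustration of the monitoring, decoy-file and backup-validation steps described above (example code written for this page, not Commvault's product), the following checks a backup snapshot in two ways: decoy ("canary") files are compared against their known-good hashes, and the remaining files are flagged if their byte entropy looks like ciphertext. The snapshot, paths, hashes and action names are all constructed placeholders.

```python
import hashlib
import math
from collections import Counter

# Ciphertext and compressed data sit close to 8.0 bits/byte; office documents
# and text are usually well below this. Threshold is an assumption for the demo.
HIGH_ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def validate_backup(snapshot: dict, canary_manifest: dict) -> dict:
    """Validate a {path: bytes} snapshot before it is trusted for recovery.
    Canary (decoy) files must match the manifest hash; any other file whose
    entropy looks like ciphertext is reported as suspicious."""
    tampered = [p for p, h in canary_manifest.items()
                if sha256(snapshot.get(p, b"")) != h]
    suspicious = [p for p, data in snapshot.items()
                  if p not in canary_manifest
                  and shannon_entropy(data) > HIGH_ENTROPY_THRESHOLD]
    return {"tampered_canaries": tampered, "suspicious_files": suspicious,
            "clean": not tampered and not suspicious}


def response_actions(report: dict) -> list:
    """Map validation findings to automated actions (names are illustrative)."""
    if report["clean"]:
        return ["mark_restore_point_verified"]
    actions = ["alert_soc", "quarantine_backup_set"]
    if report["tampered_canaries"]:
        actions.append("isolate_source_vm")  # e.g. power down the affected VM
    return actions


# Constructed sample data: a clean snapshot and one after encryption.
CANARY = b"DECOY DOCUMENT - do not modify\n" * 8
PLAIN = b"Quarterly report: revenue up 4%.\n" * 64
ENCRYPTED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
CANARY_MANIFEST = {"/finance/_decoy.docx": sha256(CANARY)}
CLEAN_SNAPSHOT = {"/finance/_decoy.docx": CANARY, "/finance/q3.txt": PLAIN}
INFECTED_SNAPSHOT = {"/finance/_decoy.docx": ENCRYPTED, "/finance/q3.txt": ENCRYPTED}
```

Running `validate_backup` against each snapshot shows the clean one verified and the encrypted one quarantined with the source VM isolated.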
The ability to investigate data breaches and perform eDiscovery is also critical, as it assists organisations to learn from past experiences and improve backup and recovery processes for the future. This is key to gaining insight into data and mitigating threats.
Can you recover in time?
Responding fast to threats is essential, but ultimately recovery is the end goal. A flexible approach is needed because the anatomy of attacks differs, which means the order in which data is recovered must adapt on the fly. Built-in high availability is a key characteristic of flexible recovery strategies, allowing organisations to fail over to their Disaster Recovery (DR) site quickly.
This approach requires that the DR site itself be protected so that it remains available; if it becomes infected, recovery cannot be guaranteed. Using the cloud for DR protection gives businesses the agility they need to recover quickly, and the ability to recover both into and out of the cloud is also important for business continuity. Above all, recovery needs to be simplified so that timeframes are minimised and organisations can return to business as usual as fast as possible after a ransomware attack.