The dreaded day has come; you’ve been attacked by ransomware. Sadly, it’s unsurprising, as the number of ransomware attacks increased in 2023 to 19 attacks occurring every second. Shocking as that is, new remedies have emerged that can help combat ransomware attacks and ease recovery. Let’s take a look at a few ransomware recovery steps below.
The traditional ransomware recovery steps
The reality is that the steps you take to recover are largely dependent on what you currently have deployed in your data center. The most common cyber-recovery technologies can discover ransomware in a backup volume or file and can restore previously captured snapshots of the application data. While this might sound like a simple, fast recovery of the data, the problem lies in the fact that to have full system recovery, the operating environment must be restored as well. Without an easy OS and cluster recovery solution, your time to recovery can be lengthy.
Step 1: Identify that an attack has occurred, and where
The first step is to identify which systems have been infiltrated with ransomware, which is sometimes easier said than done. While your backup technology should be equipped with threat detection technology, discovery is limited to a given backup instance. Depending on when the attack occurred, the ransomware may already have spread significantly in the hours before it is detected within a backup instance. Identifying an attack early is crucial to limiting the spread of the attack and allowing for a speedier recovery.
Step 2: Restore Operating System and Application Binaries
If you have not captured a backup of the operating environment, you need to rebuild the operating system and cluster environment from known good software sources, which means running through steps 2a-2d below. Unfortunately, that can add hours, days, or weeks to your recovery timeline depending on the scale of your affected systems.
Step 2a: Recover Infrastructure Management Consoles
Have the systems running your Infrastructure Management Consoles been infected as well? You will need to recover them first in order to manage and restore the rest of your infected deployment.
Step 2b: Mount and Install Operating System
Do you have a known, clean/uninfected version of your operating system? If not, you could be re-infecting your environment.
This can vary from just a few minutes to hours, depending on the size of the infection and what resources you still have available. In many cases, you will want to do a full reinstallation with a new image from the OS vendor to avoid getting re-infected from your existing images.
Step 2c: Configure Operating System Networking & Binaries
Do you have a record of the exact details of your OS configuration? On all systems? And their patch levels? Make sure you document this in the future so that you aren’t starting from scratch. At the same time, you want to make sure that you’re applying the latest patches, or you will run the risk of getting attacked again right away.
Step 2d: Reconfigure Application Cluster
Do you remember the exact details of your Application Cluster? Similar to configuring your OS, make sure your process documentation includes this important information.
Step 3: Repeat Step 2 for every server
How many servers were infected? Whether tens, hundreds, or thousands of application servers were encrypted, you will need to repeat the steps above for each one, and this can be a time-consuming and error-prone task!
Step 4: Restore Application Data
You should be able to easily restore your application data from a previously captured snapshot, but you will need to confirm that the copy you have is a clean version taken at a point in time before the attack occurred. Once the data is restored, you can complete application recovery and will at last be back up and running.
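To show why "scanned clean" alone is not enough in Step 4, here is an added example (not Nebulon code) that picks a restore point from a constructed snapshot catalog. It assumes Step 1 yields a detection time plus an estimated spread window, and it rejects any snapshot taken inside that window even if the backup's scan flagged nothing.

```python
"""Choose a clean restore point: latest snapshot taken before the estimated attack start.

Constructed illustration, not part of the original post or any product. The catalog
is in-memory; in practice it would come from the backup platform.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Sequence


@dataclass(frozen=True)
class Snapshot:
    name: str
    taken_at: datetime   # when the snapshot was captured
    scan_clean: bool     # result of the backup's threat scan for this instance


def attack_window_start(detected_at: datetime, dwell: timedelta) -> datetime:
    """Detection lags the start of encryption; assume it began `dwell` earlier."""
    return detected_at - dwell


def select_recovery_point(snapshots: Sequence[Snapshot],
                          detected_at: datetime,
                          dwell: timedelta) -> Optional[Snapshot]:
    """Return the newest snapshot that is both scanned clean and strictly older
    than the estimated attack start, or None if no such snapshot exists."""
    cutoff = attack_window_start(detected_at, dwell)
    candidates = [s for s in snapshots if s.scan_clean and s.taken_at < cutoff]
    if not candidates:
        return None
    return max(candidates, key=lambda s: s.taken_at)


# Constructed catalog: snapshots around a detection at 14:00 on 2024-03-01.
DETECTED_AT = datetime(2024, 3, 1, 14, 0)
DWELL = timedelta(hours=6)   # assumed spread window before detection (cutoff 08:00)
CATALOG = [
    Snapshot("app-0400", datetime(2024, 3, 1, 4, 0), True),
    Snapshot("app-0700", datetime(2024, 3, 1, 7, 0), True),   # newest before the cutoff
    Snapshot("app-1000", datetime(2024, 3, 1, 10, 0), True),  # scan clean, but inside the window
    Snapshot("app-1200", datetime(2024, 3, 1, 12, 0), False), # scanner flagged encrypted files
]

if __name__ == "__main__":
    choice = select_recovery_point(CATALOG, DETECTED_AT, DWELL)
    print("restore from:", choice.name if choice else "no clean snapshot; rebuild")
```

If the estimated dwell is long enough to push the cutoff past every snapshot, the function returns None, which is the signal to fall back to rebuilding from known good sources rather than restoring a possibly tainted copy.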
Time to Recover: Hours to Weeks (or longer)
As you can see, the traditional recovery process once you’ve experienced a ransomware attack is no trivial task, but it can be simpler with the right solution. Let’s explore an alternative option.
Simple and Speedy Ransomware Recovery Steps with Nebulon smartInfrastructure
In the process below, you’ll immediately notice that the 4 multi-part steps outlined above have been reduced to two with Nebulon smartInfrastructure. In this scenario, Nebulon’s software addresses key ransomware mitigation challenges by protecting the operating environment, configuration parameters, and application data through enterprise data services, enabling near-instant recovery of entire clusters.
Step 1: Identify an attack has occurred
With Nebulon TripLine, customers can pinpoint the exact point of attack (the server and the data volume) in about 2.5 minutes from when the attack first occurred.
Step 2: Restore Operating System, Application Binaries, and Application Data Across All Servers
There are two solutions in the Nebulon ‘smartDefense’ portfolio that contribute to the speedy recovery of physical infrastructure following a ransomware attack. The first is Nebulon ImmutableBoot, which maintains a known good version of the operating system and application stack on every server. Every time the server reboots, it reverts to this known good software instance, eliminating errant firmware updates or dormant malware in the process.
The second is Nebulon TimeJump, which brings the ransomware recovery time of physical infrastructure down from multiple days to under 4 minutes for both the operating system and application data, for many clusters at once, allowing IT organizations to recover much more quickly. The whole recovery process is automated and orchestrated through Nebulon ON, which operates in a separate security domain from your infected infrastructure. Together, they form the first and only combined server and storage solution designed to allow complete ransomware recovery (both OS and application data) in less than 4 minutes.
Once the restore is complete, you can finish application recovery and should be back up and running.
Time to Recover: Under 4 Minutes