Ransomware Recovery with Cloud Backup and DRaaS

In light of the recent ransomware attacks involving WannaCry, I wanted to write a blog article about how iland’s various cloud solutions can help customers recover from such attacks. Indeed, our solutions have protected a number of our customers recently, and they have been able to quickly recover, usually without even involving our support teams.

One of the aspects of ransomware attacks is that even fully patched servers, with anti-virus and anti-malware protection, can still succumb to ransomware attacks, due to the different attack vectors that they exploit.

Depending on what is being encrypted, and the urgency with which services need to be recovered, iland offers a number of solutions that have been proven to help in these situations.

As has been well documented in the media, having good, reliable and frequent backups is key – and having off-site backups has also been shown to be beneficial. There have been cases reported where the backup servers on-premises have also been compromised by ransomware attacks as the payload, once established, can move around the network and infect other servers.

First of all, let’s look at how ransomware works, using a free-available ‘friendly’ ransomware product called Shinolocker.

Introduction to Shinolocker ransomware

In the case where user files have been encrypted (Office documents, photos, etc.) then recovering those files from a backup will be fairly straightforward. In a virtualized cloud environment, this could be done at either the whole VM level, or on an individual file/folder basis – depending on what’s been hit.

In terms of cloud backup, iland offers both backup of on-premises servers to the cloud, as well as backup of virtual machines running in iland’s Secure Cloud, where we offer 7 day backups at no extra cost. In both cases this uses Veeam.

Recovering from encryption using Veeam Cloud Backup in iland

As well as offering Veeam for cloud backup, iland also offer Zerto for Disaster-Recovery-as-a-Service (DRaaS). A relatively new feature of Zerto, since version 4.5, is that the replicated storage and journal offer file level recovery capability where the journal can be selected in roughly 5 second increments. The journal can be increased from hours to days to weeks, so the granularity of the recovery can be selected as needed.

File-level recovery using the Zerto journal

For situations where whole applications and their databases have been affected by ransomware, it may be necessary to invoke a DRaaS service. Again, iland partners with both Veeam and Zerto to offer DRaaS.

Many people have commented in the media that replication solutions do not help with ransomware, because the ransomware and the encrypted files just get replicated across to the DR site. This is, of course, true. So, it is necessary to make sure that you have sufficient restore points or checkpoints in the DRaaS solution to enable you to ‘wind back’ to a point in time just prior to the ransomware being enabled. With Veeam, this is achieved by having sufficient restore points (snapshots), while with Zerto and its continuous replication capability, it’s a question of having a long enough journal. The longer the journal just means that you will need more cloud storage, and this will also be dependent on the daily change rate of your data being protected.

One of the benefits of DRaaS is that you can recover entire VMs that make up an application and have them available for use by both internal and external customers, in as long as it takes to boot them all up.

The short videos below show how iland deploys both Veeam and Zerto DRaaS solutions.

Zerto for DRaaS

Veeam Replication for DRaaS

Categories: DRaaS, Veeam, ZertoBy iland June 2, 2017

Tags: Disaster Recovery

Keep IT healthy.

What's next in finance?