How to Use Disaster Recovery Technologies to Protect from Ransomware

Posted by

Continuous data protection and other disaster recovery methods can protect from ransomware

Last Friday’s global cyberattack on 200,000 computers across 150 countries appears to be the largest ransomware assault on record. Exploiting a vulnerability in Windows OS, for which Microsoft created a free patch over a month ago, hackers have encrypted vast amounts of data and are threatening to delete the files if not paid the ransom money – in Bitcoins, of course.

For many organizations and IT departments, this is their worst nightmare. No access to data. Potential total loss of data. Operations completely shut down. For public institutions such as hospitals in the UK that have been attacked, this type of shut down can literally cost lives as surgeries are delayed and patient records are unavailable.

Related: 10 Steps to Developing a Disaster Recovery Plan That Works

However, for organizations that have implemented enterprise-grade disaster recovery on their servers, ransomware does not have the same impact. No matter what security software was used (or not used) or what patch was installed (or not installed), an organization’s disaster recovery strategy can quickly be activated, restoring the entire system to its pre-attack state and returning the organization to normal operations.

In cases of ransomware, disaster recovery can restore your entire system to its pre-attack state. Click To Tweet

Disaster Recovery in the Case of Ransomware

In order for an organization’s disaster recovery strategy to be highly effective in the case of ransomware, it should support the following technologies: continuous data protection, point-in-time recovery, one-click failover, and one-click failback.

Continuous Data Protection

When an organization’s data has been corrupted for any number of reasons, including ransomware, the goal is to restore uncorrupted data in its most recent form. Continuous data protection technology ensures that a server’s replicated data that sits in a disaster recovery site/target infrastructure (such as the public cloud) is always up-to-date, up to the last second. This technology identifies any changes in the source servers in real time, and immediately replicates the changes in the target site. Continuous data protection is what ensures near-zero Recovery Point Objectives (RPOs), even in cases of ransomware.

Unfortunately, many organizations are still using older backup methods such as periodic snapshots or daily backups based on tapes. In the 2017 Disaster Recovery Survey Report, which includes data collected from 270 IT professionals, only 20% of respondents reported using continuous data protection. This means most organizations are vulnerable to losing hours or days of data in the case of ransomware or other unexpected disasters.

Point-in-Time Recovery

Continuous data replication is a baseline requirement to protect against data loss. However, in cases of cyberattacks and ransomware, point-in-time recovery is equally critical. If an organization has been infected with a virus, as was the case in the WannaCry ransomware attack last weekend, it needs to restore a healthy, pre-virus version of its servers.

Point-in-time recovery enables failover to earlier versions of replicated servers, with granular restoration points over time. This means that if a ransomware message appears on a machine at 4:05 pm, the system can be recovered to a 4:04 pm version. Or, if it is known that a virus was harboring in a machine for several days or weeks, the organization can recover to an even earlier point in time.

One-Click Failover

To return to normal operations as quickly as possible after a ransomware attack, organizations should use a disaster recovery solution that includes one-click, automated failover to the target site. While it is possible to manually activate a target site and direct traffic to this target site, the manual process can take days, depending on the number of machines and size of the IT department, and is vulnerable to human errors.

One-click failover is made possible by technology that automates machine conversion and application stack orchestration. Automated conversion natively boots physical, virtual, and cloud-based machines to the target infrastructure. Automated application stack orchestration prepares the entire system, including firewalls and network configurations, for activation in the target infrastructure. This technology is what enables organizations to achieve near-zero Recovery Time Objectives (RTOs), no matter what the reason for the failover.

Related: 2017 Disaster Recovery Survey Report

Being able to quickly spin up clean versions of servers to a target site is especially important in cyberattacks because once there is a working version in the target site, it’s possible to fix the security vulnerability that enabled the virus to penetrate the system.

The WannaCry ransomware attack penetrated IT systems that had not yet updated their Windows OS or had not installed the free patch that Windows had distributed to fix a security vulnerability. What every IT department no doubt wanted to do after discovering this was to go back in time and install that patch on all their servers.

Disaster recovery solutions that enable point-in-time recovery and one-click failover give organizations the chance to do this. How does it work? First, the organization spins up a healthy, pre-attack version of its servers to a target site. Next, the organization configures the settings of the disaster recovery solution so that traffic is temporarily not directed to the target site in order to prevent another cyberattack. Then, once the servers are operating in the target site, the IT department can make the necessary fixes (i.e. in this case, install the Windows security patch). Finally, now that the servers are protected from the ransomware virus, traffic can be directed to the target site and operations can continue as usual.

Point-in-time recovery enables companies to 'go back in time' and fix security vulnerabilities. Click To Tweet

One-Click Failback

Once an organization has resumed normal operations in a target site, it’s time to resume operations back in their own data center/source infrastructure. Unlike a power outage or fire, in the case of ransomware, there is no waiting until the disaster is over. The disaster is over once an earlier version of source servers has been spun up in the target site and any vulnerabilities have been fixed.

One-click failback makes returning operations to the primary data center/source infrastructure as easy as the original failover. All changes made during the disaster are replicated back into the source. Everything is automated, which eliminates the risk of downtime and data loss.

Beating Ransomware Step by Step

Let’s look at how an organization with an advanced disaster recovery solution such as CloudEndure could respond to the WannaCry ransomware attack without paying the ransom, losing data, or suffering extended downtime. Here are the steps they should take:

  1. Use a private computer (i.e. not one connected to the organization under attack) to log into CloudEndure account.
  2. Configure settings so that traffic will not automatically be directed to target site (so that vulnerability can be fixed).
  3. Select an earlier point in time for recovery to ensure that the replicated servers that are spun up in target site are a pre-virus, pre-attack version.
  4. Activate “failover” to target cloud.
  5. Install Microsoft patch on servers in target site to protect them from ransomware virus.
  6. Direct user traffic to target site – normal operations resume in “disaster recovery” mode.
  7. Activate “failback,” reversing replication back to source machines, including patch and any changes that took place during disaster – normal operations resume.


To find out more about how CloudEndure can help you protect your organization from ransomware, contact us today.

2017 Disaster Recovery Survey Report