Identifying and Recovering Files Corrupted by Ransomware Using RestoreManager

Catalogic 08/06/2020 0 Comments

You don’t have to be an IT security expert to be aware of the threat that is Ransomware. It’s almost every week that you hear of another large corporation, or government entity being the victim in a targeting ransomware attack. In fact, according to Cyber Security Ventures, a new organization will fall victim to a ransomware attack every 14 seconds! This is the reason why it’s not surprising to hear that ransomware protection and prevention is the number one concern of IT security teams.

Catalogic Software offers a variety of solutions, each designed to target that data security concern in a different way. These products improve data security by protecting against outside threats, like Ransomware, but also by providing additional data governance/access transparency, data masking for Oracle databases for data reuse, and granular role-based access control for backup and application data.

There are plenty of different techniques that are used to prevent infections or detect suspicious behavior, including email server filters, end-point protection, advanced file-access auditing, etc. The point of this article is not to tell you what works best, because it is a combination of things. If you really want my opinion, the most important thing is to protect your file shares on your storage volumes, CIFS/NFS shares.  If you have NetApp storage, CryptoSpike does an outstanding job. You can read more about CryptoSpike in some of my other posts or here.

What most people don’t think about is: What do you do if your ransomware protection processes are not successful and a malicious infection gets access to your file shares and encrypts your data? Most ransomware protection tools are just that… protection tools.  Once the ransomware gets through the protection layer, there are very few options for recovering your data.  First, all you can do is choose to roll back to an existing backup, or storage snapshot. This may sound like the obvious choice, but there is a major downside. For example, your backup, or your storage snapshot contains folders or shares that hold millions of files.

If the ransomware attack is able to encrypt a few thousand files before being isolated and contained, rolling back to an old snapshot forces you to loose recent changes on hundreds of thousands of files that were not affected during the attack. In a CIFS or NFS scenario, if a single user gets infected, reverting to an old snapshot causes data loss for all other users with files on that share. This data loss may be detrimental to an organization. Oftentimes, trying to manually recover data lost during an attack costs the company much more in time and lost data, than the actual ransom. Remember that the city of Baltimore, Maryland, lost over $18 million to avoid paying a ransom of approximately $65,000.

I am not telling you that the better option is to pay the ransom. After all, you are dealing with criminals who are not considered to be very trustworthy. In fact, though about 40% of ransomware victims decide to pay the ransom, just about 5% of those companies never received the decryption tool even after paying. Also, those that did receive the decryption tool, were only able to recover, on average, about 90% of their lost data.

So, what is the best choice? I personally believe that it varies based on each situation. However, if the infection occurs on file shares hosted on NetApp storage, RestoreManager offers a very interesting, and very effective recovery option. 

RestoreManager uses a “crawler” that uses SnapDiff to create a central, online file index of every NetApp snapshot, giving you a single catalog-based view into your files. This online file index provides the ability to search through your NetApp snapshots using multiple criteria and restore files and folders right from within RestoreManager with a single click. 

Now, how can this catalog be used to help recover from a Ransomware attack?  Using the file metadata collected during the SnapDiff crawl of the CIFS/NFS shares, RestoreManager is enables you to scan that data, identifying any files that have been manipulated to use any of about 2,100 known ransomware file extensions. Then, once those files are identified, using that same online catalog, the end user can leverage existing NetApp snapshots to perform a single file restore of that file, restoring it back to a point in time before the infection began. This is similar to the first recovery option that I mentioned earlier, except in this case, you are not creating additional data loss by reverting an entire NetApp snapshot. With RestoreManager you can isolate the files that were affected during the attack and very quickly identify the best snapshot to use to recover those individual files. 

What is most impressive, is that this recovery option can be implemented even after a ransomware attack occurs. RestoreManager does not have to be in place and running before the attack for it to be able to help you recover. You can install and run the SnapDiff crawler after suffering an infection, and it would be able to identify the infected files and recover those files to a point in time before the attack.  In fact, this is exactly what the world’s third largest financial services software provider chose to do after their file shares were infected by ransomware in late March.  After deciding to take their NetApp storage systems offline, they chose to purchase RestoreManager for this exact reason, as well as CryptoSpike to protect them from attacks in the future.

So, if your organization is ever a victim of ransomware, or perhaps it had been attacked by ransomware in the past, don’t get forced to choose between major data loss, weeks of lost productivity, or paying a ransom to criminals. Allow RestoreManager to discover the files affected by the attack and provide a simple way to recover those infected files using your NetApp snapshots.   

If you would like to learn more about RestoreManager, or it’s ransomware protection/prevention counterpart, CryptoSpike, you can request a live demo or even get a 30-day trial copy to try it for yourself. We will be happy to help you set things up.

Leave a Reply

Your email address will not be published.

Let us show you around