Why legacy backups are insufficient against cyber threats

Legacy backups aren’t enough to fight ransomware. Discover 6 key strategies for building true cyber resilience and ensuring fast, secure data recovery.
 

Author

Saurabh Rohilla
General Manager Horizontal Lead – Hybrid Cloud Business Unit

Ransomware attacks are alarmingly frequent, occurring every 11 seconds, and this figure is expected to worsen to one attack every 2 seconds (Source: Cybersecurity Ventures report). Organizations must proactively prepare to respond effectively to these evolving threats.

As we consult with our customers on the ransomware trends, we often say: “When dealing with a ransomware attack, there are only two options—pay the ransom or recover your data. Without a robust strategy, neither option guarantees success.” Here are six critical considerations for a comprehensive :

  1. Immutability: Immutability is the foundation of any cyber threat strategy. Ensuring your critical (or non-critical) data resides on immutable storage is non-negotiable. Organizations often debate whether to enable immutability on:

    1. Primary Storage using immutable snapshots, which can reduce recovery time but are generally costly.
    2. Backup Target, which offers cost advantages but may lead to longer recovery times.

    Recommendation: Strike a balance between cost and Recovery Time Objective (RTO). Enabling immutability on a backup target is often the most practical solution.

  2. Instant recovery capability: While air-gapped tapes offer immutability, they fall short on recovery speed. As experts often say: “If you can’t recover quickly, it’s as bad as paying the ransom.” Prolonged outages can devastate businesses. Choose a strategy that ensures rapid recovery, enabling continuity even under severe circumstances.
  3. Isolated Recovery Environment (IRE): For sporadic or untraceable attacks, recovery can take weeks due to forensic investigations. In such scenarios, creating an Isolated Recovery Environment (IRE) for critical applications can be a game-changer.

    Key questions:

    1. How big should your IRE be?

      The focus should not be on size but efficiency—ensure it is as small as possible while supporting critical apps.

    2. Is it worth the investment?

      Conduct a financial evaluation. If the cost of building and operating an IRE exceeds the notional or actual business loss of keeping an app down during a , an IRE may not be necessary.

  4. Ransomware detection capability: Modern backup solutions often include ransomware detection features that can analyze backup data to identify anomalies. These capabilities may be offered as SaaS platforms or on-premises solutions, scanning primary or vault copies.

    Benefits:

    1. Early detection: Identify threats before they propagate.
    2. Blast radius identification: Pinpoint affected systems.
    3. Faster recovery: Locate clean backup copies, reducing guesswork and recovery time.

    Challenge: Unlike traditional recovery (e.g., restoring a single file), ransomware recovery often involves restoring hundreds of workloads from an unknown clean point-in-time (PiT). Detection tools streamline this process by identifying potentially clean copies, drastically improving RTO.

  5. Automated data restoration and deployment: Ransomware recovery may require restoring dozens, or even hundreds, of virtual machines. Without automated restoration workflows and runbooks, recovery timelines can increase and the risk of human error rises. Every organization should prioritize automation in their recovery strategies to ensure speed and accuracy.

    Recommendation: Organizations must invest in automated workflows and runbooks to ensure efficient and error-free recovery.

  6. Clean Room vs. Recovery Environment: It’s essential to differentiate between a Clean Room and a Recovery Environment:

    | Clean Room | Recovery Environment |
    | --- | --- |
    | Used to test data and perform security scans before restoring it to production or recovery servers. | Designed to run applications in full or partial capacity during recovery. |
    | Requires minimal infrastructure (servers, storage, networks). | Requires full or partial infrastructure, including security controls, to host applications. |
    | Data, once verified, is restored to production or recovery sites. | Requires connectivity to external networks. |

    Consideration: A Clean Room may not be a daily necessity but can be invaluable during a cyber event. Some backup providers now offer this as a , while others leave the responsibility to customers. Assess the likelihood of needing a Clean Room and decide on investment accordingly.
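
The clean point-in-time selection and blast radius identification described under item 4, as an added example that is not from the original article or from any backup product. It assumes a hypothetical per-snapshot catalog of changed-file ratio and mean data entropy; the workload names, sample values and thresholds are constructed for illustration.

```python
from statistics import median

# Constructed sample data: (snapshot_id, changed_file_ratio, mean_entropy_bits_per_byte)
# for three hypothetical workloads, oldest first. Not output from any real product.
CATALOG = {
    "erp-db":   [("d1", 0.02, 5.1), ("d2", 0.03, 5.0), ("d3", 0.02, 5.2),
                 ("d4", 0.71, 7.9), ("d5", 0.01, 7.9)],
    "file-srv": [("d1", 0.05, 4.8), ("d2", 0.04, 4.9), ("d3", 0.66, 7.8),
                 ("d4", 0.02, 7.8), ("d5", 0.03, 7.8)],
    "web-01":   [("d1", 0.01, 4.5), ("d2", 0.02, 4.6), ("d3", 0.01, 4.5),
                 ("d4", 0.02, 4.6), ("d5", 0.01, 4.5)],
}

def first_anomaly(snaps, ratio_factor=5.0, entropy_jump=1.5, min_baseline=2):
    """Index of the first snapshot that deviates from the workload's own baseline.

    Assumption: the oldest `min_baseline` snapshots are trusted as the baseline.
    """
    for i in range(min_baseline, len(snaps)):
        base_ratio = median(s[1] for s in snaps[:i])
        base_entropy = median(s[2] for s in snaps[:i])
        _, ratio, entropy = snaps[i]
        mass_change = ratio > ratio_factor * max(base_ratio, 0.01)
        if mass_change and entropy - base_entropy > entropy_jump:
            return i
    return None

def recovery_plan(catalog):
    """Map each workload to (affected, snapshot_id_to_restore)."""
    plan = {}
    for workload, snaps in catalog.items():
        hit = first_anomaly(snaps)
        if hit is None:
            plan[workload] = (False, snaps[-1][0])  # newest copy is usable
        else:
            # Everything from the first anomaly onward is suspect, even when later
            # snapshots show a low change rate (the data is already encrypted).
            plan[workload] = (True, snaps[hit - 1][0])
    return plan

def blast_radius(plan):
    """Workloads with at least one anomalous snapshot."""
    return sorted(w for w, (affected, _) in plan.items() if affected)

if __name__ == "__main__":
    plan = recovery_plan(CATALOG)
    for workload, (affected, snap) in plan.items():
        print(f"{workload:9} affected={affected!s:5} restore_from={snap}")
    print("blast radius:", blast_radius(plan))
```

The per-workload plan is the kind of input an automated restore runbook (item 5) would consume, with each selected copy still verified in a Clean Room before it is restored to production.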

Conclusion

With ransomware attacks on the rise, relying on legacy backups alone is no longer sufficient. A resilient recovery strategy must encompass immutability, rapid recovery, isolation capabilities, automated deployment and advanced detection tools. By balancing cost with business needs, organizations can better protect themselves and ensure continuity in the face of cyber threats.
