There has been no shortage of ransomware headlines in 2021. While these attacks can shut down critical IT systems for extended periods, Rubrik has helped numerous customers quickly recover from ransomware events and get their businesses back up and running.
This blog consists of two sections. First, we detail the multiple recovery options available with Rubrik Zero Trust Data Management™. We then walk through common variations of ransomware attacks and recommend the best recovery strategy for each.
The Basics
Yuba County and the City of Durham are two organizations that have taken advantage of the Rubrik Zero Trust Data Management architecture and its immutable file system to ensure that clean, uninfected copies of their data were available to recover. In working with global organizations on ransomware recovery, Rubrik has developed a comprehensive Lessons Learned document outlining how to execute an effective ransomware remediation strategy.
The first step in recovering from an attack is to identify and isolate the incident, followed by determining the scope of the infection: which systems, which files, and since which point in time. Rubrik Radar helps detect data anomalies across backup snapshots, and Sonar helps identify whether sensitive data has been affected. Only once this scoping is done should the restore phase begin; restoring from a snapshot taken after the attacker was already inside brings the encrypted data, and possibly the attacker's tooling, back with it.
Rubrik provides multiple recovery options, from orchestrated mass restore with AppFlows to file-level recovery. Depending on the scope and type of attack, certain recovery techniques outperform others in speed and efficiency, helping you meet Recovery Time Objectives (RTOs).
For instance, if the ransomware has only encrypted certain files and left the underlying operating system untouched, a file-level recovery is less intrusive and loses less data than a full system restore, which rolls every file on the system back to the snapshot time.
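Choosing between file-level and image-level recovery depends on two facts established during scoping: which files the ransomware touched and which point-in-time is the last clean one. The Python example below is added here to illustrate that scoping step; it is not Rubrik code and does not show Radar's actual heuristics or data model. It walks consecutive snapshots of one fileset (metadata constructed inline), flags the first transition in which files were replaced by high-entropy content, vanished in favour of a high-entropy twin with an extra extension, or were joined by a ransom note, and returns the last clean snapshot together with the original paths to restore from it. The `FileRecord` shape, the `.locked` extension and the ransom-note names are all assumptions for the example.

```python
import math
from collections import Counter
from dataclasses import dataclass

# Threshold in bits/byte: real ciphertext sits near 8.0, text and source code near 4-6.
# Compressed formats (zip, docx, jpeg) are also high-entropy, so entropy alone is never
# a verdict; it is combined with the rename pattern and the ransom-note check below.
HIGH_ENTROPY = 7.0

# Basenames that are a strong signal on their own (constructed list for this example).
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_recover.html"}


@dataclass(frozen=True)
class FileRecord:
    """One file as recorded in a snapshot's metadata (constructed shape, not Rubrik's)."""
    path: str
    size: int
    sample: bytes  # leading bytes of the content, enough to estimate entropy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compare_snapshots(prev, curr, ratio_threshold=0.25):
    """Compare two consecutive snapshots of the same fileset.

    Returns (anomalous, affected_original_paths). A file counts as affected when its
    content became high-entropy in place, or when it vanished and a high-entropy file
    with an extra extension (report.xlsx -> report.xlsx.locked) appeared instead.
    The transition is anomalous if a ransom note appeared or the affected share of
    the previous snapshot reaches ratio_threshold.
    """
    prev_by = {f.path: f for f in prev}
    affected = set()
    note_seen = False
    for rec in curr:
        path = rec.path
        if path.rsplit("/", 1)[-1].lower() in RANSOM_NOTE_NAMES:
            note_seen = True
            continue
        if shannon_entropy(rec.sample) < HIGH_ENTROPY:
            continue  # still looks like plaintext: an ordinary edit or an untouched file
        if path in prev_by:
            if shannon_entropy(prev_by[path].sample) < HIGH_ENTROPY:
                affected.add(path)  # encrypted in place
        else:
            stem = path.rsplit(".", 1)[0]
            if stem in prev_by:
                affected.add(stem)  # original renamed with an appended extension
    ratio = len(affected) / max(len(prev_by), 1)
    return (note_seen or ratio >= ratio_threshold), affected


def find_last_clean(snapshots):
    """snapshots: list of (label, [FileRecord]) oldest first.

    Returns (last_clean_label, first_anomalous_label, sorted affected paths); if no
    transition is anomalous the newest snapshot is the last clean one.
    """
    for i in range(1, len(snapshots)):
        anomalous, affected = compare_snapshots(snapshots[i - 1][1], snapshots[i][1])
        if anomalous:
            return snapshots[i - 1][0], snapshots[i][0], sorted(affected)
    return snapshots[-1][0], None, []


# --- constructed sample data: three nightly snapshots of one fileset ---
PLAINTEXT = b"Quarterly revenue summary for the finance team, draft 3.\n" * 4
EDITED = b"Quarterly revenue summary for the finance team, final.\n" * 4
CIPHERTEXT = bytes(range(256))  # every byte value once: exactly 8.0 bits/byte


def plain(path, content=PLAINTEXT):
    return FileRecord(path, len(content), content)


def locked(path):
    return FileRecord(path + ".locked", len(CIPHERTEXT), CIPHERTEXT)


SNAPSHOTS = [
    ("snap-2021-05-31T02:00", [plain("/finance/q1.xlsx"), plain("/finance/q2.xlsx"),
                               plain("/hr/handbook.docx"), plain("/it/runbook.md")]),
    # normal day: one file edited, content still plaintext
    ("snap-2021-06-01T02:00", [plain("/finance/q1.xlsx"), plain("/finance/q2.xlsx"),
                               plain("/hr/handbook.docx"), plain("/it/runbook.md", EDITED)]),
    # encryption event: three files renamed and encrypted, ransom note dropped
    ("snap-2021-06-02T02:00", [locked("/finance/q1.xlsx"), locked("/finance/q2.xlsx"),
                               locked("/hr/handbook.docx"), plain("/it/runbook.md", EDITED),
                               plain("/finance/readme_decrypt.txt")]),
]

if __name__ == "__main__":
    clean, bad, paths = find_last_clean(SNAPSHOTS)
    print(f"first anomalous snapshot: {bad}; restore these paths from {clean}:")
    for p in paths:
        print("  ", p)
```

The output of this scan is exactly the input a file-level recovery needs: the restore point (the snapshot before the anomaly) and the original paths. If the affected set covers most of a system, or includes operating-system files, that is the signal to switch to an image-level option instead.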
If, on the other hand, some data loss is acceptable, it may be faster to use Rubrik Instant Recovery to return to a chosen point-in-time almost instantaneously. In most cases, a remediation plan will mix several recovery options.
What are the Rubrik Recovery Options?
Rubrik provides several recovery options:
Export
Export copies a point-in-time backup from the Rubrik platform to a new instance of the protected object. Operators can export back to the original environment or to a completely new one, for example an isolated network where the restored system can be inspected before it is reconnected.
In-Place Recovery
In-Place Recovery is supported for VMware VMs and, like Export, copies point-in-time data from the Rubrik platform to the production environment. There are, however, a few key differences between the two methods.
Export copies entire virtual machines, or whole virtual disks belonging to them, and recovers them to new instances. In-Place Recovery instead copies only the blocks that differ between the production VM and the selected point-in-time and writes them back to the original virtual machine. This makes for a more efficient recovery, especially for VMs with large virtual disks, but it overwrites the original VM, so take a forensic copy first if the investigation still needs it.
Instant Recovery
Rather than copying entire datasets across the network, Instant Recovery uses the Rubrik platform as the underlying storage for the recovered workload, providing near-zero RTOs. For VMs, the Rubrik platform is presented to the hypervisor as a datastore, and a new copy of the protected VM is created and mounted directly from the point-in-time backup files. The original VM is marked as deprecated and powered off; no production data is deleted from the original datastore. Recovery is therefore almost instantaneous, and IT and security teams can grant access to the workload as soon as its operating system has booted.
The newly recovered VM can then be migrated back to the production storage platform.
Live Mount
Live Mount uses the same technology and process as Instant Recovery with one difference: when Live Mounting a VM or database, the source is not deprecated. Your production environment is completely unaffected, and no VMs are powered off. Because of this, IT teams often use Live Mount as a sandbox, giving access to point-in-time copies of the production environment for tasks beyond simple recovery, such as verifying that a candidate restore point is clean before committing to it.
File-Level Recovery
Rubrik File-Level Recovery (FLR) is straightforward: a point-in-time copy of one or more files is restored either to the original location or to a new location within the same environment. Two FLR capabilities make the process efficient.
First, Rubrik generates metadata describing each ingested backup. This metadata powers fast, predictive search to locate the files that need to be recovered. Second, when performing an FLR from a backup archived to the cloud, the same metadata lets Rubrik retrieve only the blocks that make up the requested file rather than pulling entire images out of cloud storage and incurring unnecessary, expensive egress charges.
AppFlows for Orchestrated DR
AppFlows is an orchestration layer built around plans, or blueprints, that detail the recovery execution steps. These customer-defined blueprints capture recovery information such as the boot sequence, restart priority, and the resource mapping needed in the target environment. With this information AppFlows can automate application failover and failback of production resources in the event of a ransomware attack: it takes the ransomware remediation plan and automates the recovery process.
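Stripped to its essentials, a recovery blueprint is a dependency graph with priorities and a mapping of source resources onto the target environment: the database must be up before the application tier, the application tier before the web tier, and independent workloads can start together. The Python example below is added here to show that structure in working form; it is not AppFlows' blueprint schema or API, and the workload names, networks and mapping table are constructed for the example. It validates a hypothetical blueprint (unknown dependencies, dependency cycles, networks with no mapping), computes the boot waves an orchestrator would execute, and applies the resource mapping for a production failover versus an isolated sandbox recovery.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Workload:
    """One protected workload in a hypothetical blueprint (not AppFlows' schema)."""
    name: str
    depends_on: List[str] = field(default_factory=list)
    priority: int = 3          # 1 = highest; orders workloads that become ready in the same wave
    network: str = "prod-net"  # source network, mapped per recovery target below


# Constructed blueprint: an ERP stack plus an independent intranet site.
BLUEPRINT: Dict[str, Workload] = {
    "erp-db":   Workload("erp-db", [], priority=1, network="prod-db-net"),
    "erp-app":  Workload("erp-app", ["erp-db"], priority=1),
    "erp-web":  Workload("erp-web", ["erp-app"], priority=2),
    "reports":  Workload("reports", ["erp-db"], priority=3),
    "intranet": Workload("intranet", [], priority=2),
}

# Resource mapping: where each source network lands for each recovery target.
# The sandbox target lands everything on isolated networks so a restored system
# that still carries malware cannot reach production.
NETWORK_MAP: Dict[str, Dict[str, str]] = {
    "production": {"prod-net": "prod-net", "prod-db-net": "prod-db-net"},
    "sandbox":    {"prod-net": "isolated-net", "prod-db-net": "isolated-db-net"},
}


class BlueprintError(ValueError):
    """Raised when a blueprint cannot be executed as written."""


def boot_waves(blueprint: Dict[str, Workload]) -> List[List[str]]:
    """Kahn-style layering: each wave holds the workloads whose dependencies are all
    in earlier waves, ordered by (priority, name). Raises on unknown dependencies
    or on a cycle, which would otherwise leave the orchestrator waiting forever."""
    for w in blueprint.values():
        for dep in w.depends_on:
            if dep not in blueprint:
                raise BlueprintError(f"{w.name} depends on unknown workload {dep}")
    remaining = set(blueprint)
    started: set = set()
    waves: List[List[str]] = []
    while remaining:
        ready = [blueprint[n] for n in remaining if set(blueprint[n].depends_on) <= started]
        if not ready:
            raise BlueprintError(f"dependency cycle among: {sorted(remaining)}")
        ready.sort(key=lambda w: (w.priority, w.name))
        waves.append([w.name for w in ready])
        started |= {w.name for w in ready}
        remaining -= started
    return waves


def recovery_plan(blueprint: Dict[str, Workload], target: str) -> List[Tuple[int, str, str]]:
    """Return ordered (wave, workload, mapped_network) steps for the given target."""
    mapping = NETWORK_MAP[target]
    plan = []
    for wave_no, wave in enumerate(boot_waves(blueprint), start=1):
        for name in wave:
            src = blueprint[name].network
            if src not in mapping:
                raise BlueprintError(f"no {target} mapping for network {src}")
            plan.append((wave_no, name, mapping[src]))
    return plan


if __name__ == "__main__":
    for wave_no, name, net in recovery_plan(BLUEPRINT, "sandbox"):
        print(f"wave {wave_no}: power on {name} attached to {net}")
```

Validating the blueprint before execution is where the "minimizes the chance of error or misconfiguration" claim is earned: a dependency on a workload that was never added to the plan, or a network with no mapping in the sandbox, is caught before anything is powered on rather than halfway through a recovery.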
Automating the plan minimizes the chance of error or misconfiguration and, more importantly, reduces application downtime.
In the event of a ransomware attack, AppFlows can also orchestrate recovery into sandbox environments, allowing infosec teams to investigate exact duplicates of production systems without affecting production resources.
With multiple recovery options available, it is important to understand which method to employ during a ransomware incident. To help plan for recovery, let's look at some of the more common types of ransomware and apply the Rubrik recovery methods to each.
Types of Ransomware Attacks
As with most attacks, ransomware comes in many variants. They target different parts of the environment, and many lie dormant for a time, gathering data and spreading, before detonating. Below are some of the approaches in use today.
Encryption Ransomware
Encryption Ransomware is one of the most prevalent attack types today. It encrypts files, folders, and NAS shares throughout the network; without the attacker's key the production data is effectively destroyed the moment encryption completes.
Recovery involves identifying the infected files and systems and restoring them to a safe point-in-time, one taken before the encryption began. Depending on the scope of the attack, several Rubrik recovery options can be used. If the underlying operating system is unaffected, a file-level recovery back to the system suffices. If the operating system itself is corrupted or encrypted, an Instant Recovery or Live Mount to a known good copy is usually the best course of action. If the attack hit a large number of virtual machines, Rubrik AppFlows provides highly efficient orchestrated recovery.
NAS Ransomware
NAS Ransomware works much the same way as Encryption Ransomware but specializes in attacking Network Attached Storage (NAS) systems.
By scanning the network for common file-sharing protocols such as NFS and SMB, the malware discovers and encrypts every share it can write to with the credentials it holds. NAS systems often hold crucial data such as user home directories as well as the virtual disk files of major hypervisors, so NAS Ransomware can bring entire production systems to a halt.
Recovery involves identifying all infected files and systems and restoring both image-level and file-level data to safe point-in-time copies. Depending on the scope of the attack, several Rubrik recovery methods may be combined. If only a small number of files have been affected, Rubrik NAS File-Level Recovery can be used. If the NAS device was also hosting infected virtual machines, a combination of Export, In-Place Recovery, Instant Recovery, and Live Mount can be applied. As with Encryption Ransomware, AppFlows can orchestrate the entire recovery process.
Lock Screen Ransomware
Lock Screen Ransomware does exactly what its name suggests: it locks the system's screen and demands payment to unlock it. This type rarely encrypts the underlying files, and the system is often recoverable by booting into safe mode and running anti-virus recovery tools.
Most often, recovery from Lock Screen Ransomware does not require Rubrik at all. To save time and recover faster, however, organizations may use Rubrik's image-level recovery options.
Hardware Locker
Hardware Locker ransomware, also called a boot-sector locker, alters the Master Boot Record (MBR) of a legacy BIOS-booting disk. Instead of the MBR handing off to the operating system's bootloader, a ransom demand is displayed during the boot cycle. On UEFI systems with GPT disks the equivalent target is the bootloader on the EFI System Partition.
Recovery typically involves repairing the modified MBR.
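The MBR is the first 512-byte sector of the disk: 440 bytes of bootstrap code, a 4-byte disk signature, 2 reserved bytes, four 16-byte partition entries, and the 0x55AA boot signature. A boot-sector locker overwrites the bootstrap code (and sometimes the partition table) with its own loader. The Python example below is added here and is not from the original post: it parses a sector image, compares its bootstrap code and partition table against a known-good copy taken from a backup, and, when only the boot code was touched, splices the clean boot code onto the current partition table, which is the same idea as a repair tool such as `bootrec /fixmbr` rewriting the boot code without overwriting the partitions. Both sector images are constructed inline; on a real system the current sector is read from the disk device and the known-good one from the backup image.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440         # bytes 0..439: bootstrap code
DISK_SIG_OFF = 440         # bytes 440..443: disk signature, 444..445 reserved
PART_TABLE_OFF = 446       # bytes 446..509: four 16-byte partition entries
BOOT_SIG = b"\x55\xAA"     # bytes 510..511
ENTRY_FMT = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Decode the fields of a 512-byte MBR into a dict that can be compared."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused entry
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": parts,
        "valid_signature": sector[510:] == BOOT_SIG,
    }


def assess(current: bytes, known_good: bytes) -> list:
    """Return findings describing how the current sector deviates from the baseline."""
    cur, good = parse_mbr(current), parse_mbr(known_good)
    findings = []
    if not cur["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if cur["bootcode_sha256"] != good["bootcode_sha256"]:
        findings.append("bootstrap code differs from known-good copy")
    if cur["partitions"] != good["partitions"]:
        findings.append("partition table differs from known-good copy")
    return findings


def repair(current: bytes, known_good: bytes) -> bytes:
    """Boot-code-only repair: known-good bootstrap code, current disk signature and
    partition table, valid boot signature. Refuses when the partition table itself
    was altered, because then a boot-code fix would boot into wrong or missing
    partitions and image-level recovery is the safer route."""
    if parse_mbr(current)["partitions"] != parse_mbr(known_good)["partitions"]:
        raise ValueError("partition table damaged; boot-code repair is insufficient")
    return known_good[:BOOTCODE_LEN] + current[BOOTCODE_LEN:510] + BOOT_SIG


def build_sector(bootcode: bytes, entries) -> bytes:
    """Assemble a constructed MBR image from boot code and (status, type, lba, count) tuples."""
    body = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    body += struct.pack("<I", 0x1A2B3C4D) + b"\x00\x00"       # disk signature + reserved
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries).ljust(64, b"\x00")
    return body + table + BOOT_SIG


# Constructed samples. The "clean" boot code is a placeholder x86 prologue, not a real loader.
PARTITIONS = [(0x80, 0x07, 2048, 1048576)]                    # one bootable NTFS-type partition
KNOWN_GOOD = build_sector(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 24, PARTITIONS)
INFECTED = build_sector(b"YOUR DISK HAS BEEN LOCKED", PARTITIONS)   # boot code replaced
DAMAGED = build_sector(b"YOUR DISK HAS BEEN LOCKED", [(0x80, 0x07, 9999, 10)])  # table altered too

if __name__ == "__main__":
    print("infected:", assess(INFECTED, KNOWN_GOOD))
    print("after repair:", assess(repair(INFECTED, KNOWN_GOOD), KNOWN_GOOD))
```

The refusal path matters as much as the repair: if the findings include a changed partition table, stop and move to image-level recovery rather than writing a boot sector that points at partitions that no longer match.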
If the MBR cannot be repaired, or the organization simply wants to cut downtime, recovery teams can use Rubrik image-level recovery options: Bare Metal Restore for physical servers, or Export, Instant Recovery, and Live Mount for virtual machines.
Application/Web Server Encryption
Application and Web Server Encryption targets web and application servers: the attacker encrypts the site's content and replaces common directory index files such as index.php and index.html with a page containing ransom instructions, so the server presents the ransom note instead of its intended content.
Recovery typically involves identifying the infected files and restoring them to a known good state. A variety of Rubrik recovery methods can help. Image-level techniques such as Export and Instant Recovery will do the job, but it is often much faster to perform a file-level restore of just the affected files. Whichever method is used, the server is only truly recovered once the path the attacker used to reach it has also been closed; otherwise the restored content will simply be encrypted again.
Conclusion
As ransomware attacks become more widespread and more sophisticated, organizations must have a recovery plan in place. Deploying a Zero Trust Data Management solution is a strong first step toward ensuring your backups can serve as the last line of defense. Understanding the various recovery options, and when to use each, is crucial when you need to execute your ransomware remediation plan.
To learn more about how you can accelerate ransomware recovery with Rubrik and avoid paying costly ransoms, visit our Ransomware Solutions page.