Ransomware Rescue: How to Use an Isolated Backup to Restore Data

Written by Edward Gately
August 18, 2017

This Channel Partners Evolution session features TVP Strategy's Edward Haletky.

Edward Gately

**Editor’s Note: Register now for Channel Partners Evolution, Sept. 25-28, in Austin, Texas.**

How can you protect your customers from the ravages of ransomware?

Isolated backups might be a good option to explore. During this concurrent education session titled, “Ransomware Rescue: How to Use an Isolated Backup to Restore Data,” at Channel Partners Evolution, Sept. 25-28, in Austin, Texas, Edward Haletky, principal analyst, author and entrepreneur with TVP Strategy, will walk attendees through the process of setting up isolated backups that can protect customers even when ransomware hits.

Edward Haletky

He also will discuss how various DRaaS providers protect data and show exactly how to restore systems after an attack.

In a Q&A with Channel Partners, Haletky provides a sneak peak of the information he plans to share with attendees.

Channel Partners: How can isolated backups protect customers even when ransomware hits?

Edward Haletky: Isolated backups ensure that your backup repository is also not hit by ransomware. This would make for a very bad day if it happened and currently it can happen easily. Many backup tools mount volumes to potentially infected machines, do their backup to this mount point, and then unmount. The fact that the mount happens puts backups at risk. Also, if the backup server happens to be running Windows and mounts the backup repository directly, it can also be the culprit for encrypting the repository. It is best for the backup repository to be isolated from the machines being backed up and the servers itself. So instead of using SMB protocols to communicate, you would use other non-filesystem-based protocols. This in turn isolates the repository from infected systems.

CP: What is the process for setting up isolated backups that can protect customers?

EH: The process for setting up isolated backups differs from product to product, but the most important one is to ensure that the backup repositories are not accessed as if it was a filesystem. In other words, do not use backup tools that mount repositories or target systems. There are two points to protect. One is the repository itself, and the other is the backup server in use. We need to think architecture more than individual products. We think architecture by knowing how ransomware hits today. Multiple layers of protection are always best.

CP: How best do you restore systems after an attack? It is getting easier with the right tools?

EH: To restore a system from an attack you need an agent that has not been infected, a backup server not affected and a repository not infected. The fastest way is to use what is called instant recovery. Once infection is noticed, the recovery process starts. First, it isolates and kills the ransomware process that is running, then restores the data affected. The agent could and should live on a read-only bit of system so that it is also not encrypted. If not using agents, it is possible to …