Ransomware Response: Data Protection Best Practices

October 26, 2021 | By IANS Faculty

A strong backup solution will minimize the impact of most – but not all – ransomware attacks. Unfortunately, no matter what industry you are in, backups alone are not enough protection against nation states or other sophisticated attack groups who steal and threaten the release of your sensitive data. This piece offers several best practices aimed at building a holistic data protection strategy that will help organizations avoid paying a ransom in the event of a ransomware attack.   

Ransomware Backups and System Restoration 

Defending against this new level of ransomware attack requires a new level of focus on your backup program. Best practices here include: 

  • Data-only backups: Since ransomware and other Trojan applications (such as backdoors and rootkit launchers) can be hidden within legitimate applications, many organizations take a data-only backup approach. This eliminates the risk of inadvertently backing up and restoring weaponized content. When restoring from backups, data-only backups can be used with confidence that the restoration will not reintroduce malicious content. 
  • Rapid operating system and application re-install: The data-only backup approach requires organizations to reinstall their operating systems and applications with each restoration. This should always be done from trusted media to avoid the reintroduction of malicious code. An added benefit of this approach is that organizations no longer need to worry about configuration drift that may be reintroduced when restoring from aging backups. 

This is a shift from the more traditional “back it all up” approach. Most organizations are discovering that with modern IT automation tools like Windows Autopilot for physical devices and Terraform or Pulumi for cloud-based systems, the re-provisioning of any system can be done easily and at scale. In the event of a mass system reset – a common occurrence in ransomware events – this process can be faster than restoration from backups alone. 

  • Dedicated service accounts: Ransomware attacks typically use lateral movement to infect and attack as many systems as possible. Therefore, it is imperative that every effort be made to minimize the chances of lateral movement. This includes the use of dedicated service accounts for as many tasks as practical, including separate backup creation and restoration service accounts. As an added precaution, these service accounts should be configured to not allow interactive login. Additionally, Windows Active Directory logon hours should be used to prevent unauthorized use of the backup creation service account outside backup creation times. The backup restoration account (if a separate one is created) should be left disabled until it is needed. 
  • Offline backups: Ransomware attacks are almost always automated and opportunistic. They will indiscriminately attack any system, including available backup systems and volumes. For decades, it has been a best practice to have offline backups. However, the risk of backups becoming encrypted has reinforced this need. 
  • Routine tests: Organizations must conduct drills to learn what their actual restoration times are. After each drill, an after-action report should be done to determine how to improve restoration times. Note that once best-case restoration times are within service-level agreements (SLAs), adverse conditions should be simulated. While not common, the backup servers themselves may be affected by the ransomware attack. The reloading and re-indexing of your backup libraries can take more time than anticipated.

Data Theft Extortion Prevention

Organizations are rethinking their data lifecycle to minimize the effects of newer data theft extortion methods. Some best practices here are:  

  • Enforce data destruction: Data that is no longer needed should be removed from all systems. Attackers cannot steal nonexistent data. 
  • Monitor for theft via multiple methods: While technologies like data loss prevention (DLP) can help, they are not strictly required. Monitoring file shares, databases and other sources of data at rest is possible with OS- and application-native auditing capabilities. Log aggregation systems or SIEMs can have alert thresholds set for unexpected sweeping access. This monitoring will also help detect internal rogue employees or contractors. 
  • Protect data in transit: Use of network microsegmentation and secure protocols can dramatically reduce the risk of attackers intercepting data while it traverses the internal network. 
  • Test your visibility: Organizations often overestimate their ability to monitor and detect malicious traffic. If practical, consider testing your ability to detect unexpected traffic with tools that can simulate attacker traffic patterns in a safe and repeatable manner. 
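The “sweeping access” alerting described above, as an added example that is not from the original post or from IANS: it runs a sliding-window count of distinct files touched per account over constructed, simplified object-access records (the line layout is an assumption modelled loosely on Windows event 4663, not a vendor format) and flags accounts that exceed a baseline. The threshold and window values are assumptions to be tuned per environment.

```python
"""Flag accounts that read an unusual number of distinct files in a short window.

Constructed sample records: "<ISO timestamp> <account> <object path>".
The layout is an assumption for illustration, not a real vendor log format.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed sliding window length
MAX_DISTINCT_FILES = 20         # assumed baseline: more than this per window is "sweeping"


def build_sample_log() -> list[str]:
    """Constructed events: one normal user, one account sweeping an HR share,
    and one service account re-reading a single file many times."""
    base = datetime(2021, 10, 26, 9, 0, 0)
    lines = []
    for i in range(5):      # alice: 5 files over 40 minutes (normal)
        lines.append(f"{(base + timedelta(minutes=10 * i)).isoformat()} "
                     f"CORP\\alice \\\\fs01\\finance\\report{i}.xlsx")
    for i in range(30):     # jsmith: 30 distinct files in two minutes (sweep)
        lines.append(f"{(base + timedelta(seconds=4 * i)).isoformat()} "
                     f"CORP\\jsmith \\\\fs01\\hr\\employee{i:02d}.docx")
    for i in range(40):     # app-svc: 40 reads of the same file (not a sweep)
        lines.append(f"{(base + timedelta(seconds=3 * i)).isoformat()} "
                     f"CORP\\app-svc \\\\fs01\\app\\config.json")
    return lines


def sweeping_access(lines, window=WINDOW, threshold=MAX_DISTINCT_FILES) -> dict:
    """Return {account: peak distinct files within any window} for accounts
    whose peak exceeds the threshold. Repeat reads of one file do not count."""
    events = defaultdict(list)
    for line in lines:
        ts, account, path = line.split(" ", 2)   # path may contain spaces
        events[account].append((datetime.fromisoformat(ts), path))
    alerts = {}
    for account, evs in events.items():
        evs.sort()
        seen, start = Counter(), 0
        for ts, path in evs:
            seen[path] += 1
            while evs[start][0] < ts - window:    # expire events outside the window
                old = evs[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) > threshold:
                alerts[account] = max(alerts.get(account, 0), len(seen))
    return alerts


if __name__ == "__main__":
    for account, peak in sweeping_access(build_sample_log()).items():
        print(f"ALERT: {account} touched {peak} distinct files within {WINDOW}")
```

Feeding real object-access events into this logic requires mapping your auditing output to the (timestamp, account, path) fields; a per-account baseline in place of the fixed threshold keeps legitimate backup service accounts from alerting during their backup window.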

Ransomware Recovery Best Practices 

Good backups aren’t enough to counter the latest flavor of ransomware. To improve your chances of recovering from a ransomware attack without paying, consider the following tips: 

  • Aggressively test backups and backup restoration. It often takes longer than organizations realize. 
  • Leverage modern automation technologies to help maximize the capabilities of the security team. 
  • Monitor for data theft to avoid newer extortion threats. 
