Brad Linch

Recover Quickly in a Ransomware Attack

Ransomware attacks need to be viewed in the same category as power outages and natural disasters. Recovering quickly is a necessity. Recently, I'm seeing many vendors in the data protection industry advertise immutability and ransomware detection features. Both should absolutely be part of a company's ransomware strategy, but an immutable copy coming from spinning disk or tape can result in too much downtime for the business. It's an easy decision for a CEO or CFO if an attacker's ransom is $100,000 and the cost of downtime for a day is $500,000. The only question at that point becomes: how do we make a Coinbase account to transfer Bitcoin?

In addition, companies most likely already have ransomware detection and prevention tools. Realistically, if your backup software is what's detecting ransomware from a backup taken days or even weeks ago, the cost of data loss might be too great to restore anyway. It's not that immutability and detection capabilities aren't great features to have. Veeam takes those features seriously, but the top priority for the business should be the ability to recover quickly in the event of a ransomware disaster.

Without further ado, below are Veeam recovery capabilities that can provide fast RTOs to give companies a realistic chance at avoiding paying ransoms.

  • Replica from Backup - Replicates VMs from backups, which keeps load off production

  • Recovery from Storage Snapshot - Quick file or VM restores off storage snapshots

  • Recovery from fast performing repository - Backup to fast performing media

  • Failover/failback capabilities - Traditional DR capabilities in the same UI and license

Replica from Backup

Replica from backup is one of the most underrated features Veeam offers. The beauty of replica from backup is that it creates a VM in the DR site off the backup repository that is ready to be failed over to in the event of a disaster. In other words, it creates a replica without putting any load on the production VM. RPOs will most likely be ~24 hours coming from a backup source, but it significantly improves your RTOs, since the VMs in DR really just need to be turned on for the most part! As a side note, you can also do this off the backup copy job!

To dig into the how-to a little more, just be sure to select "source" when choosing your virtual machines for the replication job. As you can see below, you have the option to replicate from backup instead of the production storage.

Lastly, you can see how this achieves insanely fast RTOs, as the VM is already built and ready to go. All you have to do is fail over in the event of a disaster and the VM will power on.

Recovery from Storage Array Snapshot

Another undervalued feature Veeam offers is recovery from storage array (Pure, NetApp, EMC, HPE and many more) snapshots, whether Veeam orchestrated them or not. Something that continually wows customers when I show them this feature is how Veeam can act as a catalogue for snapshots it didn't even take and provide a tree view into the Array > LUN > Snapshot > VMs as shown below.

In the case of an Instant VM Recovery, you can see how it clones the snapshot and mounts it to the ESXi host, so it's ready for immediate use.

Lastly, just in case there are any doubters who think these are mockups, below is the restored VM in vSphere ready to be logged into.

Recover from a Fast Performing Backup Repository

One of the greatest advantages of Veeam is that it is software only. There is no vendor lock-in or mandatory hardware platform that needs to be used. Now, I wouldn't expect a company to back up all of their workloads to a flash-based repository, but it is not uncommon to protect Level 0 or Level 1 workloads (5-10% of the environment) to a repository that can achieve fast RTOs via an Instant VM Recovery. In my experience, I see Veeam users that apply this strategy and back up to EMC Unity, Pure Flash Array C, HPE Nimble and many other similar offerings in the marketplace. As a side note, you can also instantly restore physical machines to VMware, providing a great alternative to bare metal recovery.

Failover and Failback with Snapshot Based Replication or CDP

The more commonly known capability Veeam is famous for is traditional snapshot based replication or Continuous Data Protection (CDP) for SLAs that demand second type RPOs. There is already so much great content out there on this topic, so there is no need for me to reinvent the wheel. The goal here is to highlight that for those workloads that don't just require fast RTOs but also low RPOs, CDP and snapshot based replication are offered in the same UI and license. There is no additional cost or management overhead.

In summary, the elephant in the room when strategizing with companies on an effective ransomware recovery plan is that it's not cheap. It needs to be viewed in the same light as a datacenter power outage or natural disaster. Restoring from tape or spinning disk might not be worth the downtime compared to just paying the ransom in the eyes of the people making the big bucks up top. If an effective ransomware strategy means a little more compute to replicate to or some more fast performing storage to back up to, that might not be so bad compared to paying a ransom or dealing with branding/reputation issues post-attack.

