Ransomware Changes the Game for IT Disaster Recovery

Rob Giffin | Oct 25, 2017

Imagine entering your workplace and being met with a sign instructing you NOT to turn on your desktop computers or dock your laptops until further notice. No network access; no email; no dependent applications. Unfortunately, this was the actual scenario that played out for one global law firm, DLA Piper, which fell victim to the Petya cyberattack in late June. For this law firm, the loss of email services was devastating, and their email was unavailable for over one week.

The June 2017 cyberattack, known as Petya, affected major organizations throughout many industries. Global shipping conglomerate Maersk has estimated quarterly losses of between $200M and $300M due to the interruptions it experienced. Large manufacturing facilities were brought offline for many days while working to re-establish critical systems.

Prior to Petya, in May, WannaCry spread worldwide and infected over 200,000 computers. In both cases, infected computers had their data encrypted and hidden from their owners until a ransom was paid.

Petya and WannaCry are the two most recent examples of ransomware – an increasingly popular method of cyber-attack. These events have highlighted the need for Information Technology departments to not just consider attack response methods, but to also consider alternative technology that may help their business units continue operating. For example, DLA Piper found alternate email capabilities to work around the loss of their primary email service.

For IT disaster recovery professionals, this presents a problem. Many leading organizations have eliminated tape backups and moved to replicated storage between two sites to provide disaster recovery capabilities. But, what happens when a cyber-attack affects your primary site, your alternate site, and your replicated data at the same time?

Addressing this issue requires adapting the IT Disaster Recovery process from start to finish. The remainder of this article highlights the key areas on which to focus.

Business Impact Analysis (BIA) and Risk Assessment

During the BIA (a business continuity planning process used to identify and agree on business continuity requirements), business units are engaged to determine the appropriate RTO (recovery time objective) and RPO (recovery point objective or data loss tolerance) for business activities and resources, including application dependencies and for other IT services. This approach should not change when preparing for a cyber incident. However, this is an opportunity to more deeply understand the impact data corruption may have on the business. We recommend using the following question: “What is the impact if information from this system were to be falsified or corrupted?”

Additionally, when discussing potential technology workarounds and downtime procedures, the business unit should note how long they can continue operating in downtime mode and whether there are ANY possible alternatives (for example, using cloud-based email if internal email is down).

To complete the understanding of the overall ransomware threat, IT DR professionals should also engage the Information Security team to understand and discuss their ability to prevent, detect, and respond to ransomware. Common capabilities include:

  • Security monitoring
  • Comprehensive patching of systems
  • Proactive testing, such as vulnerability assessments and penetration testing
  • Backup procedures and the availability of offline backups that would not be impacted by malware such as ransomware
  • Incident response procedures and approach

The Information Security team should also have a view on the overall likelihood of cyber-attack based on your organization’s industry, market position, and visibility. This information enables prioritization of strategies that aid in mitigating cyber threats.

Recovery Strategy and Planning

As with all IT DR efforts, the first key is getting clear on priorities. In many organizations, just a handful of systems account for the vast majority of the risk. In the example above, email would be the focus for DLA Piper, and, perhaps, the ERP would be the planning focus for manufacturers. For a hospital, the EHR/EMR becomes the natural focus of this type of planning, in addition to critical supporting systems, such as PACS. The BIA should deliver a good picture of business-critical systems.

Once the focus is clear, creativity is needed to build recovery scenarios that support various ‘levels’ of failure or corruption. Practically speaking, this typically involves:

  • Having offline backups for all servers supporting a critical application – even if they are already replicated, and even if the offline backup is only performed daily
  • The ability to roll the data store(s) back to a previous point in time

With these two capabilities, most ransomware events can be mitigated. One organization we’ve worked with approached it this way:

  • All servers were on storage that was replicated to an alternate site AND backed up to Amazon’s S3 cloud (into an encrypted S3 bucket with restricted delete capabilities)
  • Their Microsoft SQL Server database farm had the most critical information, so data corruption recovery capabilities were focused there. In this case, they:
    • Maintained replicated storage for the production servers in case it was needed for DR purposes. These were tied to virtual machines that were not booted.
    • Built local mirrored copies of the SQL databases and kept those databases one hour behind production using log shipping. This enabled an immediate jump back one hour, which took minutes to deploy.
    • Used warm stand-by servers at their DR site that were re-sync’d every four hours using replication. This provided an ability to jump back up to four hours.

This process, while expensive and complex, gave the organization a high likelihood of recovering from a data corruption event, such as ransomware. For organizations where information is the lifeblood, these types of steps are becoming commonplace.
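An added example (not from the article or the organization it describes) that models the rollback depths above and picks the clean copy with the least data loss for a given corruption start and detection time. It assumes the offline backup runs daily, periodic refreshes are aligned to midnight, only the latest generation of each copy is kept, and all refreshes are halted at detection; the names and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Tier:
    name: str
    kind: str            # "lagged": trails production by a fixed delay; "periodic": refreshed on a schedule
    interval: timedelta  # the delay ("lagged") or the refresh period ("periodic")

# The 1-hour and 4-hour intervals come from the article; the daily period is an assumption.
TIERS = [
    Tier("log-shipped mirror", "lagged", timedelta(hours=1)),
    Tier("warm standby", "periodic", timedelta(hours=4)),
    Tier("offline backup", "periodic", timedelta(days=1)),
]
ANCHOR = datetime(2024, 1, 10, 0, 0)  # constructed: periodic refreshes are aligned to this midnight

def copy_state_time(tier, detected_at, anchor=ANCHOR):
    """Point in time a tier's copy reflects, given that all refreshes are halted at detection."""
    if tier.kind == "lagged":
        # Log restore must be paused on detection, or the mirror replays the corruption.
        return detected_at - tier.interval
    completed = (detected_at - anchor) // tier.interval  # whole refresh periods elapsed
    return anchor + completed * tier.interval

def choose_rollback(corrupted_at, detected_at, tiers=TIERS, anchor=ANCHOR):
    """Return (tier, data_loss) for the clean copy with the least data loss, or None."""
    clean = []
    for tier in tiers:
        state = copy_state_time(tier, detected_at, anchor)
        if state < corrupted_at:  # the copy predates the first corrupted write
            clean.append((detected_at - state, tier))
    if not clean:
        return None  # every modelled copy is tainted; an older retained generation is needed
    loss, tier = min(clean, key=lambda pair: pair[0])
    return tier, loss

if __name__ == "__main__":
    detected = datetime(2024, 1, 10, 10, 30)  # constructed detection time
    for started in (datetime(2024, 1, 10, 9, 50), datetime(2024, 1, 10, 8, 45),
                    datetime(2024, 1, 10, 7, 0), datetime(2024, 1, 9, 23, 0)):
        result = choose_rollback(started, detected)
        print(started, "->", f"{result[0].name}, lose {result[1]}" if result else "no clean copy")
```

The last case returns no clean copy: when corruption predates the newest offline backup, recovery depends on how many older backup generations are retained.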

IT Disaster Recovery Planning

Assessing the adequacy of the IT disaster recovery plan should include a review of the response to a cyber-attack, which goes beyond the internal investigative response. This process includes:

  • Planning a scenario where the alternate data center is also affected (including backups)
  • Supporting the continuation of business operations:
    • Alternate technology that can be used in the short-term (such as cloud-based email and office support), including how these systems can be accessed
    • Providing replacement laptops that can be imaged
    • Identifying off-line print/copy capabilities
    • Developing a plan of action regarding the reimaging of laptops/desktops
  • Determining data reconstruction options and capabilities


Organizations, and especially Executive Management, are increasingly concerned about the threat to business operations due to a cyberattack. As a result, many are asking for exercise scenarios specifically focused on the continuity of operations immediately following a breach. This is a great opportunity to put any response and recovery issues on the table and work through them with the executive team.

Final Thoughts

Ransomware cyber threats are popular right now because they work. As long as they are effective, we can expect more attacks. While a sound cyber-security program is the best defense against these threats, IT Disaster Recovery professionals play a critical role in protecting the organization if disaster strikes via ransomware.

If you’re looking for help with building or improving your program, we can help. Please contact us today to get started. We look forward to hearing from you!

