[Root] Access is an advice column for IT professionals.
How Do We Build Ransomware Resilience Beyond Just Backups?
An IT pro seeks guidance on hardening Windows systems after overcoming a ransomware attack.
December 18, 2024
[Root] Access is an advice column for questions about IT issues, career moves, and workplace concerns.
Submit questions anonymously using this form.
Dear [Root] Access,
Our company got hit with a ransomware attack that targeted our NAS drives. Even though we had backups, restoring the data was a stressful, drawn-out ordeal. The attackers encrypted a decent chunk of our data and demanded payment for the decryption key. Fortunately, we had backups, so we didn’t have to pay the ransom. But restoring everything was slow and complicated.
While backups are non-negotiable as a safety net, they’re not enough. I want to take a more proactive approach to harden our systems and minimize the impact of future ransomware attacks. How can we make our Windows environments and storage systems more resilient without relying solely on backups?
—Striving for Ransomware Resilience
Dear Striving for Ransomware Resilience,
Recovering from a ransomware attack is no small feat, even when backups are in place. I am glad you avoided paying the ransom, but I understand that the ordeal was complex and time-consuming. Although restoring a backup is the best way to recover from a ransomware attack, many people are surprised by how tedious and time-consuming the process can be.
The good news is there are proactive measures you can take to harden your system and make things easier in the future. Here are some tips on making your Windows environments and storage systems more ransomware resilient.
1. Implement Ransomware Prevention Tools
Recovery is undeniably important, but preventing ransomware attacks is even better. While no solution is foolproof, implementing various security tools can make an attack far less likely.
Email security
I recommend focusing most of your efforts on endpoint protection. In my experience, most ransomware attacks begin with users doing something they shouldn’t, such as clicking on malicious links or opening infected email attachments.
Email filtering tools can reduce these risks. If your organization uses Microsoft 365, look at using its Safe Links and Safe Attachments features. These tools neutralize malicious links and block harmful email attachments.
Application whitelisting
If your users work on company-issued devices, consider implementing an application whitelisting system. These tools allow only approved code to run on devices. As a result, unauthorized programs—like ransomware—are blocked from executing and rendered harmless.
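On Windows, the built-in way to allow only approved code is AppLocker. The script below is an added example, not code from the column; it builds a policy from the software already installed on a clean reference workstation, writes it in audit-only mode so nothing is blocked yet, and then checks an unsigned test script against it. The output path, the directories scanned, and the decision to use publisher rules with hash rules as a fallback are assumptions for this example; the Application Identity service must be running for AppLocker to take effect, and a domain-wide rollout should go through Group Policy rather than the local policy shown here.

```powershell
# Added example (not from the column): build an AppLocker policy from a
# reference machine, save it in AuditOnly mode, and dry-run it against a file.
# Assumptions: run elevated on a clean reference workstation; paths are placeholders.

$ReferenceDirs = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows')  # assumed
$PolicyPath    = 'C:\AppLockerAudit\AppLocker-Audit.xml'                        # assumed

New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null

# 1. Inventory executables and scripts on the reference machine. Signed files
#    yield publisher information; unsigned ones will get hash rules instead.
#    (Recursing C:\Windows takes a while; that is expected for a one-time build.)
$fileInfo = $ReferenceDirs | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Script -ErrorAction SilentlyContinue
}

# 2. Generate the rules. -Optimize collapses rules that share a publisher,
#    -IgnoreMissingFileInformation skips files that could not be read,
#    -Xml returns the policy as text instead of an object.
$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
                           -User Everyone -Optimize -IgnoreMissingFileInformation -Xml

# 3. Force every rule collection to AuditOnly. In this mode a file that WOULD
#    have been blocked still runs, but event ID 8003 is written to the
#    Microsoft-Windows-AppLocker/EXE and DLL log. Review those events for a few
#    weeks, add rules for legitimate software, then change the mode to Enabled.
$policy = [xml]$xml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($PolicyPath)

# 4. Dry-run: a constructed, unsigned script dropped into a temp folder is not
#    in the inventory, so the policy should report it as denied, while a
#    Microsoft-signed binary matches a publisher rule and is allowed.
$unknown = Join-Path $env:TEMP 'unknown-dropper.ps1'      # constructed test file
Set-Content -Path $unknown -Value 'Write-Host "not on the allow list"'
Test-AppLockerPolicy -XmlPolicy $PolicyPath -User Everyone `
                     -Path @($unknown, 'C:\Windows\System32\notepad.exe') |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 5. Apply locally (merged with any existing policy) once the audit results
#    look right. Uncomment when you are ready; for the domain, import the XML
#    into a GPO under Computer Configuration > Windows Settings > Security Settings.
# Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
```

The reason to start in audit mode is that the first policy from a reference build always misses something (updaters that run from user profiles, line-of-business tools installed per user). The 8003 events tell you exactly what, before a single user is blocked.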
2. Strengthen User Defenses
While email filtering tools are essential, it’s unrealistic to expect them to block every malicious message. As such, another important step is educating your end users on identifying phishing emails and other suspicious content that makes it through the filters.
User education is one of those things that should be an ongoing effort, not a one-time initiative. Regular training sessions help reinforce best practices and keep security in focus.
To complement training, consider using phishing attack simulators. Several vendors offer tools that generate harmless, realistic-looking phishing messages and send them to your users. Microsoft 365 even includes a phishing simulation tool.
These tools track which users click on simulated phishing links or open attachments. Some tools also provide automated follow-ups, such as mandatory security training for those who fall for the simulations. In theory, the added accountability can motivate users to be more cautious—few people want to sit through security training again.
3. Review User Permissions
If ransomware gets in, limiting its reach can save you some headaches.
Limiting user permissions is vital because ransomware operates with the permissions of the user who triggers the attack. As such, users should only have access to the resources they need to perform their jobs—no more, no less. If a user doesn’t have access to a specific resource, the ransomware won’t be able to encrypt it.
Moreover, consider isolating high-value data on storage systems that require additional authentication. Doing so reduces exposure if ransomware spreads.
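Because ransomware inherits the permissions of the user who runs it, the practical question is "which identities can write to each share?" The script below is an added example and not from the column; it reads the ACL of each share over its UNC path (so it works against a Windows file server or an SMB NAS alike), lists every identity with a right that allows creating, overwriting or deleting files, and flags broad groups such as Everyone or Domain Users. The share paths, the list of groups treated as too broad, and the CSV output location are assumptions for this example.

```powershell
# Added example (not from the column): find who can modify data on each share
# and flag broad groups that would let ransomware running as any user encrypt it.
# Assumptions: share paths are placeholders; run as an account allowed to read ACLs.

$Shares = @('\\nas01\finance', '\\nas01\engineering', '\\nas01\public')   # assumed

# Principals that should never hold write access on high-value data.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', '*\Domain Users')

# Any of these rights lets a process create, overwrite or delete files.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, CreateFiles'

function Get-ShareWriteAccess {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Bitwise test: does this ACE grant at least one write-class right?
        if (($ace.FileSystemRights -band $WriteRights) -eq 0) { continue }
        $id    = $ace.IdentityReference.Value
        $broad = $BroadPrincipals | Where-Object { $id -like $_ }
        [pscustomobject]@{
            Share     = $Path
            Identity  = $id
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Finding   = $(if ($broad) { 'BROAD-WRITE: restrict to a role group' } else { '' })
        }
    }
}

$report = foreach ($s in $Shares) {
    try   { Get-ShareWriteAccess -Path $s }
    catch { Write-Warning "Could not read ACL on ${s}: $($_.Exception.Message)" }
}

# Human-readable view, plus a CSV of only the findings for the ticket queue.
$report | Sort-Object Share, Identity | Format-Table -AutoSize
$report | Where-Object Finding | Export-Csv -Path "$env:TEMP\share-write-findings.csv" -NoTypeInformation
```

Run it against every share, not just the ones that were hit last time: the shares an attack did not touch are usually the ones the triggering user could not write to, which is exactly the property you want to extend to the rest.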
4. Speed Up Your Recovery Plan
To hedge your bets against ransomware, you should develop a well-thought-out recovery strategy. Yes, you can restore a backup to recover from a ransomware attack, but there are steps you can take to make the restoration process faster and more efficient.
For example, you might perform parallel restorations to recover multiple systems simultaneously to reduce overall downtime. You might also use caching and staging techniques to speed up data transfer and system recovery.
If you have not already done so, keep a backup copy close to your primary data. For example, if your SQL Server database is hosted in your data center, restoring it from a local, disk-based backup will be a lot faster than retrieving it from a cloud backup.
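The two ideas above, restoring several systems at once and restoring from a copy that sits next to the data, can be combined in one script. The following is an added example, not from the column; it restores a set of shares from a local, disk-based backup copy using background jobs, throttles how many run at once so the storage is not saturated, and records how long each restore took so the next drill can be planned with real numbers. The backup layout (one folder per share under a staging root), the share paths, and the concurrency limit are assumptions for this example; robocopy is used because it ships with every supported Windows version.

```powershell
# Added example (not from the column): parallel, throttled file restore from a
# local backup copy, with per-share timing and a success check.
# Assumptions: placeholder paths; $BackupRoot holds one folder per share.

$BackupRoot  = 'D:\Backups\latest'          # assumed local staging copy
$RestoreMap  = @{                           # backup folder -> restore target (assumed)
    'finance'     = '\\nas01\finance'
    'engineering' = '\\nas01\engineering'
    'public'      = '\\nas01\public'
}
$MaxParallel = 2                            # tune to what the NAS and disks sustain

$jobs = @()
foreach ($name in $RestoreMap.Keys) {
    # Throttle: wait for a free slot before starting another restore.
    while (@($jobs | Where-Object State -eq 'Running').Count -ge $MaxParallel) {
        Start-Sleep -Seconds 5
    }
    $src = Join-Path $BackupRoot $name
    $dst = $RestoreMap[$name]
    $jobs += Start-Job -Name "restore-$name" -ArgumentList $src, $dst -ScriptBlock {
        param($src, $dst)
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        # /E   copy subfolders including empty ones
        # /MT  multi-threaded copy (8 threads here)
        # /R:2 /W:5 retry a bad file twice, then move on instead of stalling
        # /NP /NFL /NDL keep the log to the summary only
        # Robocopy exit codes 0-7 mean success; 8 and above mean failures.
        $null = & robocopy.exe $src $dst /E /MT:8 /R:2 /W:5 /NP /NFL /NDL
        [pscustomobject]@{
            Target   = $dst
            ExitCode = $LASTEXITCODE
            Success  = ($LASTEXITCODE -lt 8)
            Minutes  = [math]::Round($sw.Elapsed.TotalMinutes, 1)
        }
    }
}

$jobs | Wait-Job | Out-Null
$results = $jobs | Receive-Job
$jobs | Remove-Job

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Success }) {
    Write-Warning 'One or more restores finished with errors; check the robocopy exit codes above.'
}
```

Keep the timing table from each test restore. It turns "restoring is slow" into a concrete recovery time objective per share, and it shows quickly whether the bottleneck is the backup disk, the network, or the NAS, which decides where caching or staging will actually help.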
In IT, resilience is largely about preparation. You will reduce the likelihood of ransomware attacks and accelerate recovery by combining the efforts I’ve listed above.