Ransomware recovery
Overview
No industry is immune to ransomware attacks. While there are different forms of ransomware, the most common one involves locking or encrypting a person's or company’s data, and then demanding a ransom to restore access.
AWS Elastic Disaster Recovery (AWS DRS) can be used for ransomware recovery. AWS Elastic Disaster Recovery can launch unlocked and unencrypted versions of your servers from before the ransomware attack into your preferred AWS Region. This point-in-time recovery capability protects your data and enables you to be back up and running in minutes after a ransomware attack – without having to pay ransom.
Managing cybersecurity risk
According to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, there are five main functions around which to plan and manage cybersecurity risk, including ransomware attacks:
Identify - Learn about your environment and what needs to be protected.
Protect - Implement access control, training, and protective technologies to minimize attacks.
Detect - Implement the tools necessary to detect an attack as quickly as possible.
Respond - Develop appropriate activities to contain the impact of a detected cybersecurity incident.
Recover - Develop plans for resilience and to restore any capabilities or services that were impaired due to an attack.
AWS offers many security services you can use to implement these functions.
You can use AWS Elastic Disaster Recovery to quickly recover your environment, minimizing data loss and downtime in the case of a ransomware attack.
Using AWS Elastic Disaster Recovery for ransomware recovery
Once AWS Elastic Disaster Recovery is set up on your primary source servers, it continuously replicates your servers—including operating system, system state configuration, databases, applications, and files—to a staging area subnet in your AWS account, in the AWS Region you select. This reduces costs compared to traditional on-premises disaster recovery solutions by removing idle recovery site resources, and instead leveraging affordable AWS storage and minimal compute resources to maintain ongoing replication. Costs for your fully provisioned disaster recovery site on AWS are incurred only when needed for drills or recovery.
If you experience a ransomware attack, you can use AWS Elastic Disaster Recovery to launch recovery instances on AWS within minutes. Before you launch a recovery instance, you will be prompted to choose a recovery point. Each recovery point is a point-in-time snapshot of your source server, which you can use to recover an operational copy of your applications from an earlier point in time.
In the case of ransomware or other security incidents that involve data encryption or data corruption, select the latest recovery point before the ransomware attack or data corruption. In this way, you can “roll back” to an unencrypted or uncorrupted version of your servers.
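The selection rule above, written out as an added Python example (it is not part of the AWS documentation and is not AWS code): given a list of recovery points and the earliest known time of malicious activity, it returns the points to try, newest first. The record fields `snapshotID` and `timestamp`, the sample recovery points, and the 15-minute safety margin are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: recovery points for one source server.
# The snapshotID/timestamp field names are assumptions for this example.
SAMPLE_POINTS = [
    {"snapshotID": "pit-example-0001", "timestamp": "2024-03-10T01:00:00+00:00"},
    {"snapshotID": "pit-example-0002", "timestamp": "2024-03-10T02:00:00+00:00"},
    {"snapshotID": "pit-example-0003", "timestamp": "2024-03-10T02:50:00Z"},
    {"snapshotID": "pit-example-0004", "timestamp": "2024-03-10T03:10:00+00:00"},
    {"snapshotID": "pit-example-0005", "timestamp": "2024-03-10T04:00:00+00:00"},
]


def parse_utc(value):
    """Parse an ISO 8601 timestamp into a timezone-aware UTC datetime."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        # Refuse naive times: guessing the zone could pick an encrypted point.
        raise ValueError(f"timestamp has no UTC offset: {value!r}")
    return parsed.astimezone(timezone.utc)


def rank_recovery_points(points, first_malicious_activity, margin_minutes=15):
    """Return recovery points taken before the cutoff, newest first.

    cutoff = earliest known malicious activity minus a safety margin that
    absorbs uncertainty in the incident timeline. Element 0 is the point to
    launch first; later elements are fallbacks if that instance still shows
    signs of compromise. An empty list means no usable point exists.
    """
    attack = parse_utc(first_malicious_activity)
    cutoff = attack - timedelta(minutes=margin_minutes)
    usable = sorted(
        ((parse_utc(p["timestamp"]), p["snapshotID"]) for p in points),
        reverse=True,
    )
    return [
        {
            "snapshotID": snapshot_id,
            "timestamp": taken.isoformat(),
            "minutes_before_attack": int((attack - taken).total_seconds() // 60),
        }
        for taken, snapshot_id in usable
        if taken < cutoff
    ]


if __name__ == "__main__":
    for point in rank_recovery_points(SAMPLE_POINTS, "2024-03-10T03:00:00+00:00"):
        print(point)
```

With the sample data, the 02:50 point is skipped because it falls inside the margin, so the 02:00 point is tried first.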
Run your recovered applications on AWS until you’ve resolved the security incident. When the incident is resolved, you can use AWS Elastic Disaster Recovery to initiate data replication back to your primary site, and perform failback whenever you’re ready.